Oracle – Jupiter Broadcasting

Google Announce new Hardware — Google announced the new Pixel 2 and Pixel 2 XL; an interesting new camera called Google Clips; a new Google Home Mini and Max; a Pixelbook, and an updated Google Daydream.
Chrome OS gets a lot more interesting — This component, known as crosvm, runs untrusted operating systems along with virtualized devices. No actual hardware is emulated. This only runs VMs through the Linux’s KVM interface.
Sailfish X becomes a reality — Jolla have released the Sailfish X product page and the Jolla shop (which at the moment is dedicated to the selling of Sailfish X).
First 64-bit RISC-V SOC released — The processor is intended for AI, machine learning, networking, gateways and smart IoT devices.
Oracle advises White House against FOSS — Silicon Valley is comprised of IT vendors most of which fail. The USG is not a technology vendor nor is it a start-up. Under no circumstance should the USG attempt to become a technology vendor
Munich starts move back to Microsoft products —
“The city will use MS Exchange. It will be used for mail and calendar, so Kolab will not be used anymore,” said the source, adding that the switch will take place in November.
Bitcoin Gold — The fork mainly seems to be a reaction to widespread ire directed at one Bitcoin mining giant in particular, China-based Bitmain. Bitmain was an important player in the Bitcoin Cash fork.

The post Linux Action News 22 first appeared on Jupiter Broadcasting.

The Next Generation | TechSNAP 301

chris — Tue, 10 Jan 2017 21:18:56 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Malware authors have found a way to evade URL-blocking systems by swapping bad domain names with unknown ones

Malware is often hosted on pop-up domains (bought specifically for the purpose, and with very odd names). Othertimes, it is resident on compromised hosts (PYS!). As such hosting locations/domains are discovered, they are added to blacklists.
The criminals have yet anotherfound a way to avoid the blacklists – spoofing
Spoofing is not knew: think of it as pretending to be someone else.
What seems to be new is deception in the TCP packets, or more specifcally, the TCP headers.
For some time now URL filtering techniques have provided a fairly reliable way for organizations to block traffic into their network from domains that are known to be malicious. But as with almost every defense mechanism, threat actors appear to have found a way around that as well.
Security researchers from Cyren are warning about a new tactic for fooling Web security and URL–filtering systems. The technique, which Cyren has dubbed “Ghost Host,” is designed to evade host and domain blacklists by swapping bad domain names and inserting random, non-malicious host names in the HTTP host field instead.
The objective is to evade host and domain blacklists by resetting the host name with a benign one, even when the actual connection is to a malicious command and control IP, according to a Cyren blog post today.
“Ghost hosts are unknown or known-benign host names used by malware for evading host and URL blacklists,” says Geffen Tzur, a security researcher at Cyren.
Tzur says there have been no previously reported incidents he knows of where malware actors have attempted to fool detection systems by inserting benign names in the HTTP host field.

Feedback:

@TechSNAP_Dan How’d you first get into BSD?

Round Up:

The post The Next Generation | TechSNAP 301 first appeared on Jupiter Broadcasting.

Microsoft’s Golden Ticket | TechSNAP 280

chris — Thu, 18 Aug 2016 07:40:22 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Security Breach at Oracle’s MICROS point of sales division

A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp.
More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.
Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.
Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.
A source briefed on the investigation says the breach likely started with a single infected system inside of Oracle’s network that was then used to compromise additional systems. Among those was a customer “ticketing portal” that Oracle uses to help MICROS customers remotely troubleshoot problems with their point-of-sale systems.
Those sources further stated that the intruders placed malicious code on the MICROS support portal, and that the malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged in the support Web site.
This breach could be little more than a nasty malware outbreak at Oracle. However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.
This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider, I’d say there’s a big chance that the hackers in this case found a way to get remote access” to MICROS customers’ on-premises point-of-sale devices.

It is not clear if the breach at Oracle may have resulted in the attackers being able to remotely control MICROS payment terminals.
According to comments on the Krebs articles, the actual credit card processing is usually done on the pinpad unit, and just the results are processed by the cash register running MICROS

After investigative reporter Brian Krebs reported a compromise of Oracle’s MICROS unit earlier this week, it now appears the same allegedly Russian cybercrime gang has hit five others in the last month: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell. Together, they supply as many as, if not more than, 1 million point-of-sale systems globally.

TCP stack bug in Linux 3.6+ means many systems vulnerable

At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that allows them to inject content into an otherwise legitimate USA Today page that asks viewers to enter their e-mail and passwords.
Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren’t encrypted, inject malicious code or content into the parties’ communications.
The vulnerability resides in the design and implementation of RFC 5961, a relatively new Internet standard that’s intended to prevent certain classes of hacking attacks.

However, in order to prevent a denial of service attack, there is a global rate limit to the number of responses this new code will send. The issue is, an attacker can now exploit this, by eliciting enough responses to research that limit, it means that the server will not send legitimate responses to the user. This then allows the attacker to send a response pretending to be the server, and shutdown the connection between the user and the server.

Attackers can go on to exploit the flaw to shut down the connection, inject malicious code or content into unencrypted data streams, and possibly degrade privacy guarantees provided by the Tor anonymity network.
The flawed code was introduced into the Linux operating system kernel starting with version 3.6 in 2012, has added a largely complete set of functions implementing the standard. Linux kernel maintainers released a fix with version 4.7 almost three weeks ago, but the patch has not yet been applied to most mainstream distributions. For the attack to work, only one of the two targeted parties has to be vulnerable, meaning many of the world’s top websites and other services running on Linux remain susceptible.

What makes this attack especially bad is that the attacker does not need to be Man-in-the-Middle, it works as a so called “off-path” attack. The attacker just sits on the sidelines with their regular internet connection, and sends packets to one or both parties, and by guessing the port numbers used on each side (usually by brute force), can inject content into the flow of packets between the two parties.
This is normally prevented by the TCP three-way handshake (which gets a positive acknowledgement from both sides, to prevent someone from being able to spoof their IP), and the sequence numbers prevent an attacker from easily injecting packets in the connection stream.

In this paper, we discover a much more powerful off-path attack that can quickly 1) test whether any two arbitrary hosts on the Internet are communicating using one or more TCP connections (and discover the port numbers associated with such connections); 2) perform TCP sequence number inference which allows the attacker to subsequently, forcibly terminate the connection or inject a malicious payload into the connection. We emphasize that the attack can be carried out by a purely off-path attacker without running malicious code on the communicating client or server. This can have serious implications on the security and privacy of the Internet at large.
The root cause of the vulnerability is the introduction of the challenge ACK responses and the global rate limit imposed on certain TCP control packets. The feature is outlined in RFC 5961, which is implemented faithfully in Linux kernel version 3.6 from late 2012. At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets.
Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection. To demonstrate the impact, we perform case studies on a wide range of applications.

So the features introduced by the new RFC make it possible for the attacker to figure out the sequence number of the TCP connection to inject traffic into it

Besides injecting malicious JavaScript into a USA Today page, the researchers also show how the vulnerability can be exploited to break secure shell, or SSH, connections and tamper with communications traveling over Tor. In the latter case, attackers can terminate key links in the Tor chain—for instance, those connecting an end user to an entry node, an entry node to a middle relay, or a middle relay to the exit node. The Tor attack could be particularly effective if it knocked out properly functioning exit nodes because the technique would increase the chances that connections would instead use any malicious exit nodes that may exist.

Microsoft bungles SecureBoot key handling, golden keys can unlock any system

Microsoft has accidentally leaked the keys to the kingdom, permitting attackers to unlock devices protected by Secure Boot — and it may not be possible to fully resolve the leak.
If you provision this magic policy, that is, if you install it into your firmware, the Windows boot manager will not verify that it is booting an official Microsoft-signed operating system. It will boot anything you give it provided it is cryptographically signed, even a self-signed binary – like a shim that loads a Linux kernel.

This signed policy was never meant to leave the lab, but it seems it did

The Register understands that this debug-mode policy was accidentally shipped on retail devices, and discovered by curious minds including Slip and MY123. The policy was effectively inert and deactivated on these products but present nonetheless.
For internal debugging purposes, Microsoft created and signed a special Secure Boot policy that disables the operating system signature checks, presumably to allow programmers to boot and test fresh OS builds without having to sign each one.
This, in turn, allows someone with admin rights or an attacker with physical access to a machine not only to bypass Secure Boot and run any operating system they wish, such as Linux or Android, but also permits the installation and execution of bootkit and rootkits at the deepest level of the device
A backdoor, which MS put into secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!
You can see the irony. Also the irony in that MS themselves provided us several nice “golden keys” (as the FBI would say for us to use for that purpose

Between June and July, Microsoft awarded a bug bounty, and pushed a fix — MS16-094. However, this fix was deemed “inadequate,” although it had somewhat mitigated the problem, resulting in a second patch, MS16-100, being issued in August.
This update blacklists a bunch of revoked keys and signatures so they can no longer be used, but Microsoft cannot revoke all old keys, because they are used on things like read-only installation disks

If you’re using a locked-down Secure Boot PC and you have admin rights on the box, and you want to boot something else, all the above is going to be of interest to you. If you’re an IT admin who is relying on Secure Boot to prevent the loading of unsigned binaries and drivers – such as rootkits and bootkits – then all the above is going to worry you.

Additional Coverage: TheRegister
The article at The Register provides links to a number of scripts and tools to be able to unlock the UEFI firmware on Windows RT tablets, and be able to install an alternative OS
Researcher Blog (with demoscene music)
The point raised by the researchers is especially poignant: Having “secure” secret backdoor keys will never work. They will always end up getting leaked, and there is no way to undo that damage when it happens.
Secure Golden Key Boot: (MS16-094 / CVE-2016-3287, and MS16-100 / CVE-2016-3320)

Feedback:

Round Up:

The post Microsoft’s Golden Ticket | TechSNAP 280 first appeared on Jupiter Broadcasting.

Bitmap Pox | TechSNAP 276

chris — Thu, 21 Jul 2016 18:16:56 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A new vulnerability in many websites, Oracle’s Outside In Technology, Turned Inside-Out & the value of a hacked company.

Plus your questions, our answers, a really great round up & much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

New vulnerability in many websites: HTTPoxy

Background #1: The CGI (Common Gateway Interface) Specification defines the standard way that web servers run backend applications to dynamically generate websites
CGI can be used to run Perl, PHP, Python, Ruby, Go, C, and any other language
To provide access to information about the original request from the user, the web server sets a number of environment variables to represent the HTTP headers that were sent with the request
To avoid conflicting with any existing environment variables, the headers are prefixed with HTTP_
So, when you pass the the Accept-Encoding header, to indicate your browser supports receiving compressed data, the environment variable HTTP_ACCEPT_ENCODING gets set to the contents of that header
This allows your application to know what compression algorithms are supported
Background #2: Most tools support accessing the Internet via a proxy, and in UNIX, this is usually configured by setting an environment variable, which happens to be named: HTTP_PROXY
“httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:”
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
“This leads to a remotely exploitable vulnerability. httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.”
“What can happen if my web application is vulnerable? If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:”
- Proxy the outgoing HTTP requests made by the web application
Direct the server to open outgoing connections to an address and port of their choosing
Tie up server resources by forcing the vulnerable software to use a malicious proxy
“httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.”
So, I can send a header that will cause your application to make all of its connections, even to things like your backend API, via a proxy that I control. This could allow me to get access to passwords and other data that you thought would only ever be transmitted over your internal network.
Timeline:
March 2001: The issue is discovered in libwww-perl and fixed. Reported by Randal L. Schwartz
April 2001: The issue is discovered in curl, and fixed there too (albeit probably not for Windows). Reported by Cris Bailiff.
July 2012: In implementing HTTP_PROXY for Net::HTTP, the Ruby team notice and avoid the potential issue. Nice work Akira Tanaka!
November 2013: The issue is mentioned on the NGINX mailing list. The user humbly points out the issue: “unless I’m missing something, which is very possible”. No, Jonathan Matthews, you were exactly right!
February 2015: The issue is mentioned on the Apache httpd-dev mailing list. Spotted by Stefan Fritsch.
July 2016: Scott Geary, an engineer at Vend, found an instance of the bug in the wild. The Vend security team found the vulnerability was still exploitable in PHP, and present in many modern languages and libraries. We started to disclose to security response teams.
So this issue was found and dealt with in Perl and cURL in 2001, but, not widely advertised enough to make people aware that it could also impact every other CGI application and language
Luckily, you can solve it fairly easily, the site provides instructions for fixing most popular web servers, including NGINX, Apache. Varnish, Relayd, HAProxy, lighttpd, Microsoft IIS, and others
The fix is simple, remove or blank out the ‘Proxy’ header before it is sent to the application. Since this is a non-standard header, and should never be used, it is safe to just delete the header
Other Mitigations: Firewall the web server so it can not make outgoing requests, or use HTTPS for all internal requests, so they cannot be snooped upon.

Oracle’s Outside In Technology, Turned Inside-Out

From Oracle’s Outside In Technology, Turned Inside-Out Site: “Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats.”
In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle.
The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in these findings, is severe because so many third-party products use Oracle’s OIT to parse and transform files.

A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle’s Outside In SDK includes:

Avira AntiVir for Exchange – antivirus protection for Microsoft Exchange * IBM WebSphere Portal – provides enterprise web portals
Google Search Appliance – search all content in an enterprise through a single search box
Guidance Encase – forensic investigation software
Microsoft Exchange – enterprise email and productivity software
Novell Groupwise – a collaboration tool for large enterprise
Raytheon SureView – software designed for enterprise visibility and user activity monitoring
Veritas (Symantec) Enterprise Vault – a program for information governance through archiving
Talos has not confirmed that each of the third-party products listed above are affected. We have, however, confirmed that some are running vulnerable OIT-related code. For example, if WebReady Document Viewing is enabled for Microsoft Exchange 2013 (& earlier), an attacker could exploit these vulnerabilities by sending a malicious email attachment to a victim who then opens the email using web preview.
Further, if Data Loss Prevention is enabled, the vulnerability can be triggered simply by sending an email with a malicious attachment outbound from the affected Exchange server. If Avira AntiVir for Exchange (v12.0.2775.0 & earlier) is in place, just sending or receiving a malicious email is sufficient, since this program will scan all inbound and outbound email. Additionally, multiple OIT vulnerabilities could conceivably be exploited in a chained fashion for a more effective approach.
Over, and over again we see problems that arise from software using untrusted data as input without proper and necessary validation of that data, and because not all software developers are experts in the multitude of file formats in existence they are forced to rely on SDKs such as Oracle’s OIT.
However, the unfortunate reality is that vulnerabilities that are found in an SDK that is utilized by third-parties will take additional time to patch: First the organization that maintains the SDK issues a fix, and some amount of time later, third-parties that utilize the SDK provide an update to their customers including these fixes.
This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products.
In related news: TALOS also found a similar vulnerability in Apple’s OS X
Additional Coverage
In other news: Oracle has released its Critical Patch Update for July 2016 to address 276 vulnerabilities across multiple products
Includes 4 Java vulnerabilities with CVSS scores of 9.6 out of 10

Krebs: The value of a hacked company

Based on his previous infographic, the value of a hacked email address, this new post covers the value of a hacked company
“Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.”
“If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.”
There is a lot of value that an attack can extract from a hacked company:
- Intellectual Property, like trade secrets, plans, or even just a list of customers
- Physical Property: Desktops, backups, telecom equipment, access to VOIP infrastructure
- Partners: Access to other companies that the hacked company deals with, weather it be for the sake of Phishing those companies, accessing their bank details, or spreading the compromise to their network
- HR Data: Information about employees, for tax fraud, insurance fraud, identity theft, or as further targeting data for future attacks
- Financials: Draining the company bank account, company credit card details, customer credit card details, employee bank account details (payroll), sensitive financial data
- Virtual Property: Access to cloud services, websites (watering hole attacks), software licenses, encryption keys, etc.
“This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.”
“In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.”
“These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.”
“It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce.”
“Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.”

Feedback:

Mention: Networking for Information Security/Penetration Testing

Round Up:

The post Bitmap Pox | TechSNAP 276 first appeared on Jupiter Broadcasting.

Fair-use Frustrations | CR 208

chris — Mon, 06 Jun 2016 16:08:29 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Mike & Chris have very different opinions on how interview tests should be conducted & this week they try to come to some common ground. Plus the real reasons to develop software on Linux are not the ones often cited, bit more on Google’s fair use & the master plan to get Mike to move to the west coast.

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Hoopla

Hiring a programmer? Ditch the coding interview and get back to basics

So before we go any further, let’s establish one very simple truth: coding interviews are worthless.

Why Develop Software On Linux

From my point of view, Linux is indeed a superior platform for developers, and that is becoming increasingly so due to a number of critical factors that have improved in the last ten years. Every year, our toolset srengthens, and does so at an exponential rate in comparison to the relatively stagnant Apple and Microsoft ecosystems.

Flatpak is gaining momentum

The Xdg App project has been renamed to Flatpak to get an easy-to-remember name and reflect that after almost two years of development it’s finally ready for broader adoption.

Google’s fair use victory is good for open source

Hurst is wrong in asserting that Google’s fair use victory means that anyone can freely appropriate whatever they want from open source and other programs. All that the jury verdict means is that Google made fair use of the Java API packages. Anyone else who appropriates elements from another firm’s software would have to defend a legal challenge on much the same grounds that Google did: either by claiming that the elements appropriated were not within the scope of protection that copyright law provides to software developers or that the appropriation of those elements was fair use.

The Google/Oracle decision was bad for copyright and bad for software

Though Android shares important elements with Java, Android is not a Java platform; it does not pass the tests that Sun and Oracle developed, and it is not designed to do so. Google deliberately chose to reject elements of Java’s design that it didn’t like, leaving a hodge-podge that is Java in some places but not-Java in others.

That lack of interest in interoperability means, in my view, that Google’s use of the Java APIs should not qualify as fair use.

Mike Moves to the West?

Software for the marijuana industry set to yield high returns

The post Fair-use Frustrations | CR 208 first appeared on Jupiter Broadcasting.