Show Notes: techsnap.systems/404

The post Prefork Pitfalls | TechSNAP 404 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

SQUIRRELMAIL REMOTE CODE EXECUTION VULNERABILITY

• improperly santized parameters

• Invoking sendmail binary from with PHP

• Dawid Golunski disclosed the vulnerability

• FreeBSD version is newer than articles states is latest release

Anonymous domain purchases

• Anonymity has long been practiced for activism. Many famous authors have published under a pseudonym.

• Domain name is from Laos, but company is based in St Kitts.

• What are the risks with trusting this group?

Net Neutrality Alive and Well in Canada: CRTC Crafts Full Code With Zero Rating Decision

• Very strong decision and very postive for Canadian consumers.

Feedback

• Advice on a virtualization server

• Short oveview of DNS – phone book analogy

Round Up:

• reverse engineer of the Apple File System

• How Swat.io migrated from MySQL to PostgreSQL in 2 yearsPosted

• And this is why you secure ssh on web facing servers…

• Dan’s switch replacement turned into a rewire

• Used this for WIFI until things worked

• Nearly done

• Cable Comb

• The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage

The post PHP Steals Your Nuts | TechSNAP 316 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Patch Your Sh** T-Shirt

• TechSNAP is about to reach episode 300 so before Chris and Allan hand over the show to Wes & Dan we have a round of PATCH YOUR SH** swag to get out! Be sure to check out the tote bag and the sticker too!

Exploit in PHPMailer puts almost every PHP CMS at risk

• “PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily.”
• “Probably the world’s most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, [..], Joomla! and many more”
• “An independent researcher uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.”
• “To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.”
• “A successful exploitation could let remote attackers to gain access to the target server in the context of the web server account which could lead to a full compromise of the web application.”
• When the mailer software calls the system’s sendmail binary to send the email, it can optionally pass additional parameters to sendmail, like -f to override the from address.
• Proper input validation was not performed on this input. Instead of the content being restricted based on what is safe to evaluate in the shell, the input is validated as an email address via RFC 3696, which allows for quoted usernames with spaces.
• So if the attacker fills out the form such that their email address is:
• “attacker\” -oQ/tmp/ -X/var/www/cache/phpcode.php some”@email.com
• this will actually execute:
• Arg no. 0 == [/usr/sbin/sendmail]
  • Arg no. 1 == [-t]
  • Arg no. 2 == [-i]
  • Arg no. 3 == [-fattacker]
  • Arg no. 4 == [-oQ/tmp/]
  • Arg no. 5 == [-X/var/www/cache/phpcode.php]
  • Arg no. 6 == [some”@email.com]
• If the attacker can also provide some PHP code as the body of the message, it will be written to the indicated file, phpcode.php, where it can then be run by the attacker via the web server.
• “The vulnerability was responsibly disclosed to PHPMailer vendor. The vendor released a critical security release of PHPMailer 5.2.18 to fix the issue as notified”
• “UPDATE: The author of this advisory published a bypass of the current solution/fix which makes the PHPMailer vulnerable again in versions <5.2.20”
• There was also a similar vulnerability found in SwiftMailer, another similar application

Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units

• “From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk”
• “The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military”
• “Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them”
• “Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal”
• “This previously unseen variant of X-Agent represents FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices, and reveals one more component of the broad spectrum approach to cyber operations taken by Russia-based actors in the war in Ukraine”
• “The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia”
• “The original application central to this discussion, Попр-Д30.apk, was initially developed domestically within Ukraine by a member of the 55th Artillery Brigade. Based on the file creation timestamps as well as the app signing process, which occurred on 28 March 2013, CrowdStrike has determined that the app was developed sometime between 20 February and 13 April 2013.”
• Distributed on a forum, and popularized via social media under a name that translates to “Correction-D30”, described as “Modern combat software”
• “As an additional control measure, the program was only activated for
  use after the developer was contacted and issued a code to the individual
  downloading the application”
• “At the time of this writing, it is unclear to what degree and for how long this specific application was utilized by the entirety of the Ukrainian Artillery Forces. Based on open source reporting, social media posts, and video evidence, CrowdStrike assesses that Попр-Д30.apk was potentially used through 2016 by at least one artillery unit operating in eastern Ukraine”
• “The use of the X-Agent implant in the original Попр-Д30.apk application appears to be the first observed case of FANCY BEAR malware developed for the Android mobile platform. On 21 December 2014 the malicious variant of the Android application was first observed in limited public distribution on a Russian language, Ukrainian military forum.”
• “The creation of an application that targets some of the front line forces pivotal in Ukrainian defense on the eastern front would likely be a high priority for Russian adversary malware developers seeking to turn the tide of the conflict in their favor”
• “Although traditional overhead intelligence surveillance and reconnaissance (ISR) assets were likely still needed to finalize tactical movements, the ability of this application to retrieve communications and gross locational data from infected devices, could provide insight for further planning, coordination, and tasking of ISR, artillery assets, and fighting forces.”
• “The X-Agent Android variant does not exhibit a destructive function and does not interfere with the function of the original Попр-Д30.apk application. Therefore, CrowdStrike Intelligence has assessed that the likely role of this malware is strategic in nature. The capability of the malware includes gaining access to contacts, Short Message Service (SMS) text messages, call logs, and internet data, and FANCY BEAR would likely leverage this information for its intelligence and planning value.”
• “CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location. This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting”
• The Evidence to Prove the Russian Hack

Bigger than Miria? New leet botnet launches ddos attacks

• “Earlier in the year, a huge DDoS attack was launched on Krebs on Security. Analysis showed that the attack pelted servers with 620 Gbps, and there were fears that the release of the Mirai source code used to launch the assault would lead to a rise in large-scale DDoS attacks. Welcome Leet Botnet.”
• “In the run-up to Christmas, security firm Imperva managed to fend off a 650 Gbps DDoS attack. But this was nothing to do with Mirai; it is a completely new form of malware, but is described as “just as powerful as the most dangerous one to date”. The concern for 2017 is that “it’s about to get a lot worse”.”
• “Clearly proud of the work put into the malware, the creator or creators saw fit to sign it. Analysis of the attack showed that the TCP Options header of the SYN packets used spelled out l33t, hence the Leet Botnet name.”
• “The attack itself took place on 21 December, but details of what happened are only just starting to come out. It targeted a number of IP addresses, and Imperva speculates that a single customer was not targeted because of an inability to resolve specific IP addresses due to the company’s proxies. One wave of the attack generated 650 Gbps of traffic — or more than 150 million packets per second.”
• “Despite attempting to analyze the attack, Imperva has been unable to determine where it originated from, but the company notes that it used a combination of both small and large payloads to “clog network pipes and bring down network switches”. While the Mirai attacks worked by firing randomly generated strings of characters to generate traffic, in the case of Leet Botnet the malware was accessing local files and using scrambled versions of the compromised content as its payload. Imperva describes the attack as “a mishmash of pulverized system files from thousands upon thousands of compromised devices”. What’s the reason for using this particular method?”
• “Besides painting a cool mental image, this attack method serves a practical purpose. Specifically, it makes for an effective obfuscation technique that can be used to produce an unlimited number of extremely randomized payloads. Using these payloads, an offender can circumvent signature-based security systems that mitigate attacks by identifying similarities in the content of network packets.”
• “While in this instance Imperva was able to mitigate the attack, the company says that Leet Botnet is “a sign of things to come”. Brace yourself for a messy 2017…”
• Technical Details
• “The attack began around 10:55 AM on December 21, targeting several anycasted IPs on the Imperva Incapsula network.”
• “It’s hard to say why this attack didn’t focus on a specific customer. Most likely, it was the result of the offender not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies. And so, lacking any better option, the offender turned his attention to the service that stood between him and his target.”
• “The first DDoS burst lasted roughly 20 minutes, peaking at 400 Gbps. Failing to make a dent, the offender regrouped and came back for a second round. This time enough botnet “muscle” to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps)”
• “Both attack bursts originated from spoofed IPs, making it impossible to trace the botnet’s actual geo-location or learn anything about the nature of the attacking devices.”
• So, unlike Mirai, it seems leet depends on reflection and amplification, rather than raw power
• The attack traffic was generated by two different SYN payloads:
• Regular-sized SYN packets, ranging from 44 to 60 bytes in size
• Abnormally large SYN packets, ranging from 799 to 936 bytes in size
• “The former was used to achieve high Mpps packet rates, while the latter was employed to scale up the attack’s capacity to 650 Gbps.”
• Additional Coverage

Feedback:

• ZFS pool additions

• I thought it would never happen to me.

• Torikun asks: So ISP’s have slow upload speeds and high download speeds. Is my download speed affected when I max out the upload?

Round Up:

• T-Mobile rolls out battery shutdown update to remaining Galaxy Note 7
• This $300 device lets you steal a Mac’s encryption password in 30 seconds
• Android Ransomware Infects LG Smart TV
• Vulnerability in Ubuntu’s software update mechanism exposes users
• Obama moves to split cyberwarfare command from the NSA
• New malware detects when it is being run in many popular sandboxes, plays dumb to get through
• Other malware tricks user into clicking to activate it, so it doesn’t do anything bad in the sandbox
• Reflections on SystemsWeLove
• How Russia Recruited Elite Hackers for Its Cyberwar
• Canadian ISPs pushing back against new police powers bill C51
• Russian MethBot botnet makes $180 million from advertising networks by running 250,000 fake websites, generating 300 million fake video impressions per day
• Project Zero gets a guest blog post by a non-google researcher who found an exploit for Chrome OS
• ADUPS android spyware infects Barnes and Noble’s new $50 tablet
• Two lawyers charged with “Conspiracy to Commit Mail Fraud And Wire Fraud” after they uploaded videos they owned to pirate sites, then sued those who downloaded them for copyright infringement
• Interactivate timeline of FBI surveillance operations
• surveillance, whistleblowing, and security engineering — The NSA’s Yahoo backdoor
• What happens when a law firm doesn’t take security seriously

The post Fancy Bear Misfire.apk | TechSNAP 299 first appeared on Jupiter Broadcasting.

We’re in the middle of an epic battle for power in cyberspace & Bruce Schneier breaks it down. PHP gets broken, PornHub gets hacked & the disgruntled employee who wiped the router configs on his way out the door.

Plus great emails, a packed round up & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Power in the Age of the Feudal Internet

• “We’re in the middle of an epic battle for power in cyberspace. On one side are the nimble, unorganized, distributed powers such as dissident groups, criminals, and hackers. On the other side are the traditional, organized, institutional powers such as governments and large multinational corporations. During its early days, the Internet gave coordination and efficiency to the powerless. It made them powerful, and seem unbeatable. But now the more traditional institutional powers are winning, and winning big. How these two fare long-term, and the fate of the majority of us that don’t fall into either group, is an open question – and one vitally important to the future of the Internet.”
• “In its early days, there was a lot of talk about the “natural laws of the Internet” and how it would empower the masses, upend traditional power blocks, and spread freedom throughout the world. The international nature of the Internet made a mockery of national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes were inevitable. Digital cash would undermine national sovereignty. Citizen journalism would undermine the media, corporate PR, and political parties. Easy copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.”
• “On the corporate side, power is consolidating around both vendor-managed user devices and large personal-data aggregators. It’s a result of two current trends in computing. First, the rise of cloud computing means that we no longer have control of our data. Our e-mail, photos, calendar, address book, messages, and documents are on servers belonging to Google, Apple, Microsoft, Facebook, and so on. And second, the rise of vendor-managed platforms means that we no longer have control of our computing devices. We’re increasingly accessing our data using iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Even Windows 8 and Apple’s Mountain Lion are heading in the direction of less user control.”
• “I have previously called this model of computing feudal. Users pledge allegiance to more powerful companies who, in turn, promise to protect them from both sysadmin duties and security threats. It’s a metaphor that’s rich in history and in fiction, and a model that’s increasingly permeating computing today.”
• “Feudal security consolidates power in the hands of the few. These companies act in their own self-interest. They use their relationship with us to increase their profits, sometimes at our expense. They act arbitrarily. They make mistakes.”
• “Government power is also increasing on the Internet. Long gone are the days of an Internet without borders, and governments are better able to use the four technologies of social control: surveillance, censorship, propaganda, and use control. There’s a growing “cyber sovereignty” movement that totalitarian governments are embracing to give them more control – a change the US opposes, because it has substantial control under the current system. And the cyberwar arms race is in full swing, further consolidating government power.”
• “What happened? How, in those early Internet years, did we get the future so wrong?”
• “The truth is that technology magnifies power in general, but the rates of adoption are different. The unorganized, the distributed, the marginal, the dissidents, the powerless, the criminal: they can make use of new technologies faster. And when those groups discovered the Internet, suddenly they had power. But when the already powerful big institutions finally figured out how to harness the Internet for their needs, they had more power to magnify. That’s the difference: the distributed were more nimble and were quicker to make use of their new power, while the institutional were slower but were able to use their power more effectively. So while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents.”
• “There’s another more subtle trend, one I discuss in my book Liars and Outliers. If you think of security as an arms race between attackers and defenders, technological advances – firearms, fingerprint identification, lockpicks, the radio – give one side or the other a temporary advantage. But most of the time, a new technology benefits the attackers first.”
• “It’s quick vs. strong. To return to medieval metaphors, you can think of a nimble distributed power – whether marginal, dissident, or criminal – as Robin Hood. And you can think of ponderous institutional power – both government and corporate – as the Sheriff of Nottingham.”
• “So who wins? Which type of power dominates in the coming decades? Right now, it looks like institutional power.”
• “This is largely because leveraging power on the Internet requires technical expertise, and most distributed power groups don’t have that expertise. Those with sufficient technical ability will be able to stay ahead of institutional power. Whether it’s setting up your own e-mail server, effectively using encryption and anonymity tools, or breaking copy protection, there will always be technologies that are one step ahead of institutional power. This is why cybercrime is still pervasive, even as institutional power increases, and why organizations like Anonymous are still a social and political force. If technology continues to advance – and there’s no reason to believe it won’t – there will always be a security gap in which technically savvy Robin Hoods can operate.”
• “My main concern is for the rest of us: everyone in the middle. These are people who don’t have the technical ability to evade either the large governments and corporations that are controlling our Internet use, or the criminal and hacker groups who prey on us. These are the people who accept the default configuration options, arbitrary terms of service, NSA-installed back doors, and the occasional complete loss of their data. In the feudal world, these are the hapless peasants. And it’s even worse when the feudal lords – or any powers – fight each other. As anyone watching Game of Thrones knows, peasants get trampled when powers fight: when Facebook, Google, Apple, and Amazon fight it out in the market; when the US, EU, China, and Russia fight it out in geopolitics; or when it’s the US vs. the terrorists or China vs. its dissidents. The abuse will only get worse as technology continues to advance. In the battle between institutional power and distributed power, more technology means more damage. Cybercriminals can rob more people more quickly than criminals who have to physically visit everyone they rob. Digital pirates can make more copies of more things much more quickly than their analog forebears. And 3D printers mean that the data use restriction debate now involves guns, not movies. It’s the same problem as the “weapons of mass destruction” fear: terrorists with nuclear or biological weapons can do a lot more damage than terrorists with conventional explosives.”
• “The more destabilizing the technologies, the greater the rhetoric of fear, and the stronger institutional power will get. This means even more repressive security measures, even if the security gap means that such measures are increasingly ineffective. And it will squeeze the peasants in the middle even more.”
• “Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we are going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.”
• “This won’t be an easy period for us as we try to work these issues out. Historically, no shift in power has ever been easy. Corporations have turned our personal data into an enormous revenue generator, and they’re not going to back down. Neither will governments, who have harnessed that same data for their own purposes. But we have a duty to tackle this problem.”
• “Data is the pollution problem of the information age. All computer processes produce it. It stays around. How we deal with it — how we reuse and recycle it, who has access to it, how we dispose of it, and what laws regulate it — is central to how the information age functions. And I believe that just as we look back at the early decades of the industrial age and wonder how society could ignore pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we dealt with the rebalancing of power resulting from all this new data.”
• “I can’t tell you what the result will be. These are all complicated issues, and require meaningful debate, international cooperation, and innovative solutions. We need to decide on the proper balance between institutional and decentralized power, and how to build tools that amplify what is good in each while suppressing the bad.”

How we broke PHP, hacked PornHub, and earned $20,000

• As we covered a few months ago, PornHub has opened up their new bug bounty program via Hackerone.com
• Now, a group of researchers have collected a $20,000 bounty, and are sharing the details of how they did it
• “We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on Hackerone. We were also awarded with $2,000 by the Internet Bug Bounty committee”
• “We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize function.”
• “After analyzing the platform we quickly detected the usage of unserialize on the website. Multiple paths (everywhere where you could upload hot pictures and so on) were affected”
• “In all cases a parameter named “cookie” got unserialized from POST data and afterwards reflected via Set-Cookie headers”
• So, whatever data you sent to the website while uploading, was serialized and set as a cookie, which would be unserialized and read back in by each subsequent request. This is how websites maintain state across multiple requests.
• When the researchers modified the POST request to include an a serialized PHP Exception, the PornHub website reacted to the exception
• “This might strike as a harmless information disclosure at first sight, but generally it is known that using user input on unserialize is a bad idea”
• “The core unserializer alone is relatively complex as it involves more than 1200 lines of code in PHP 5.6. Further, many internal PHP classes have their own unserialize methods. By supporting structures like objects, arrays, integers, strings or even references it is no surprise that PHP’s track record shows a tendency for bugs and memory corruption vulnerabilities. Sadly, there were no known vulnerabilities of such type for newer PHP versions like PHP 5.6 or PHP 7, especially because unserialize already got a lot of attention in the past”
• “Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after so much attention and so many security fixes its vulnerability potential should have been drained out and it should be secure, shouldn’t it?”
• The implemented a fuzzer, and started running it. Eventually they found a bug in PHP 7, but when they tried it against PornHub, it didn’t work. This suggested that PornHub used PHP 5.6. Running the fuzzer against PHP 5.6 generated more than 1 TB of logs, but no vulnerabilities.
• “Eventually, after putting more and more effort into fuzzing we’ve stumbled upon unexpected behavior again.”
• “A tremendous amount of time was necessary to analyze potential issues. After all, we could extract a concise proof of concept of a working memory corruption bug — a so called use-after-free vulnerability! Upon further investigation we discovered that the root cause could be found in PHP’s garbage collection algorithm, a component of PHP that is completely unrelated to unserialize. However, the interaction of both components occurred only after unserialize had finished its job. Consequently, it was not well suited for remote exploitation. After further analysis, gaining a deeper understanding for the problem’s root causes and a lot of hard work a similar use-after-free vulnerability was found that seemed to be promising for remote exploitation.”
• “Even this promising use-after-free vulnerability was considerably difficult to exploit. In particular, it involved multiple exploitation stages.”
• The article then goes on to explain how they exploited the use-after-free vulnerability in great detail
• Once they had the ability to execute the code they provided, they needed a way to view the output
• “Being able to execute arbitrary PHP code is an important step, but being able to view its output is equally important, unless one wants to deal with side channels to receive responses. So the remaining tricky part was to somehow display the result on Pornhub’s website.”
• “Usually php-cgi forwards the generated content back to the web server so that it’s displayed on the website, but wrecking the control flow that badly creates an abnormal termination of PHP so that its result will never reach the HTTP server. To get around this problem we simply told PHP to use direct unbuffered responses that are usually used for HTTP streaming”
• “Together with our ROP stack which was provided over POST data our payload did the following things:”
  • Created our fake object which was later on passed as a parameter to “setcookie”.
• This caused a call to the provided add_ref function i.e. it allowed us to gain program counter control.
• Our ROP chain then prepared all registers/parameters as discussed.
• Next, we were able to execute arbitrary PHP code by making a call to zend_eval_string.
• Finally, we caused a clean process termination while also fetching the output from the response body.
• “Once running the above code we were in and got a nice view of Pornhub’s ‘/etc/passwd’ file. Due to the nature of our attack we would have also been able to execute other commands or actually break out of PHP to run arbitrary syscalls. However, just using PHP was more convenient at this point. Finally, we dumped a few details about the underlying system and immediately wrote and submitted a report to Pornhub over Hackerone.”
• “We gained remote code execution and would’ve been able to do the following things:”
  • Dump the complete database of pornhub.com including all sensitive user information.
  • Track and observe user behavior on the platform.
• Leak the complete available source code of all sites hosted on the server.
• Escalate further into the network or root the system.
• “It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses have become apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief. Please finally put a nail into unserialize’s coffin so that the following mantra becomes obsolete.”
• “You should never use user input on unserialize. Assuming that using an up-to-date PHP version is enough to protect unserialize in such scenarios is a bad idea. Avoid it or use less complex serialization methods like JSON.”

Ex-Citibank employee wipes router configs and downs entire network

• “Lennon Ray Brown, 38, had been working at Citibank’s Irving, Texas, corporate office since 2012, first as a contractor and later as a staff employee, when he was called in by a manager and reprimanded for poor performance.”
• “At that point, the US Department of Justice said, the rogue employee uploaded a series of commands to Citibank’s Global Control Center routers, deleting the config files for nine of the routers and causing traffic to be re-routed through a set of backup routers. Court documents show that while there was not a complete outage, the re-routing led to “congestion” on the network and at the branch offices.”
• “Brown admits that on December 23, 2013, he issued commands to wipe the configuration files on 10 core routers within Citibank’s internal network. The resulting outage hit both network and phone access to 110 branches nationwide – about 90 per cent of all Citibank branch offices.”
• Brown said the following in a text message to a coworker shortly after the incident:
  • “They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team.”
  • “Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.”
• Brown admitted the intentional damage charge in February
• Justice Department Announcement
• Brown has been sentenced to 21 months in jail, and a $77,000 fine

Feedback:

• VBulletin Ubuntu Forums Hack

• Kids and Grown Up Networks

• Secure Webmail?

• ZFS snapshot to LUKs External on Linux

Round Up:

• Hijacking Youtube to transmit your Data
• NIST advises against SMS-Based Two-Factor Authentication — PDF
• LastPass: design flaw in communication between privileged and unprivileged components l
• LastPass Security Updates
• GOP delegates suckered into connecting to insecure Wi-Fi hotspots
• Katcr.co: Original KickassTorrents Community Is Back, Without Torrent s
• Tinder safe dating spam uses safety to scam users out of money
• Keys to Chimera crypto ransomware allegedly leaked by rival crime gang
• Pop star asks fans to send their passwords so he can tweet as them. May actually be a violation of the CFAA
• You can’t turn off Cortana in the Windows 10 Anniversary Update
• Vine accidently posts docker image with its source code publicly
• Yahoo ordered to show how it recovered deleted emails
• The sound of dialup, pictured, and explained
• Florida judge: Bitcoins aren’t currency, so state money laws don’t apply

The post Internet Power Struggle | TechSNAP 277 first appeared on Jupiter Broadcasting.

A new vulnerability in many websites, Oracle’s Outside In Technology, Turned Inside-Out & the value of a hacked company.

Plus your questions, our answers, a really great round up & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

New vulnerability in many websites: HTTPoxy

• Background #1: The CGI (Common Gateway Interface) Specification defines the standard way that web servers run backend applications to dynamically generate websites
• CGI can be used to run Perl, PHP, Python, Ruby, Go, C, and any other language
• To provide access to information about the original request from the user, the web server sets a number of environment variables to represent the HTTP headers that were sent with the request
• To avoid conflicting with any existing environment variables, the headers are prefixed with HTTP_
• So, when you pass the the Accept-Encoding header, to indicate your browser supports receiving compressed data, the environment variable HTTP_ACCEPT_ENCODING gets set to the contents of that header
• This allows your application to know what compression algorithms are supported
• Background #2: Most tools support accessing the Internet via a proxy, and in UNIX, this is usually configured by setting an environment variable, which happens to be named: HTTP_PROXY
• “httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:”
  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
• “This leads to a remotely exploitable vulnerability. httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.”
• “What can happen if my web application is vulnerable? If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:”
  • Proxy the outgoing HTTP requests made by the web application
• Direct the server to open outgoing connections to an address and port of their choosing
• Tie up server resources by forcing the vulnerable software to use a malicious proxy
• “httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.”
• So, I can send a header that will cause your application to make all of its connections, even to things like your backend API, via a proxy that I control. This could allow me to get access to passwords and other data that you thought would only ever be transmitted over your internal network.
• Timeline:
• March 2001: The issue is discovered in libwww-perl and fixed. Reported by Randal L. Schwartz
• April 2001: The issue is discovered in curl, and fixed there too (albeit probably not for Windows). Reported by Cris Bailiff.
• July 2012: In implementing HTTP_PROXY for Net::HTTP, the Ruby team notice and avoid the potential issue. Nice work Akira Tanaka!
• November 2013: The issue is mentioned on the NGINX mailing list. The user humbly points out the issue: “unless I’m missing something, which is very possible”. No, Jonathan Matthews, you were exactly right!
• February 2015: The issue is mentioned on the Apache httpd-dev mailing list. Spotted by Stefan Fritsch.
• July 2016: Scott Geary, an engineer at Vend, found an instance of the bug in the wild. The Vend security team found the vulnerability was still exploitable in PHP, and present in many modern languages and libraries. We started to disclose to security response teams.
• So this issue was found and dealt with in Perl and cURL in 2001, but, not widely advertised enough to make people aware that it could also impact every other CGI application and language
• Luckily, you can solve it fairly easily, the site provides instructions for fixing most popular web servers, including NGINX, Apache. Varnish, Relayd, HAProxy, lighttpd, Microsoft IIS, and others
• The fix is simple, remove or blank out the ‘Proxy’ header before it is sent to the application. Since this is a non-standard header, and should never be used, it is safe to just delete the header
• Other Mitigations: Firewall the web server so it can not make outgoing requests, or use HTTPS for all internal requests, so they cannot be snooped upon.

Oracle’s Outside In Technology, Turned Inside-Out

• From Oracle’s Outside In Technology, Turned Inside-Out Site: “Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats.”
• In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle.
• The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in these findings, is severe because so many third-party products use Oracle’s OIT to parse and transform files.

A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle’s Outside In SDK includes:

• Avira AntiVir for Exchange – antivirus protection for Microsoft Exchange * IBM WebSphere Portal – provides enterprise web portals
• Google Search Appliance – search all content in an enterprise through a single search box
• Guidance Encase – forensic investigation software
• Microsoft Exchange – enterprise email and productivity software
• Novell Groupwise – a collaboration tool for large enterprise
• Raytheon SureView – software designed for enterprise visibility and user activity monitoring

• Veritas (Symantec) Enterprise Vault – a program for information governance through archiving

• Talos has not confirmed that each of the third-party products listed above are affected. We have, however, confirmed that some are running vulnerable OIT-related code. For example, if WebReady Document Viewing is enabled for Microsoft Exchange 2013 (& earlier), an attacker could exploit these vulnerabilities by sending a malicious email attachment to a victim who then opens the email using web preview.

• Further, if Data Loss Prevention is enabled, the vulnerability can be triggered simply by sending an email with a malicious attachment outbound from the affected Exchange server. If Avira AntiVir for Exchange (v12.0.2775.0 & earlier) is in place, just sending or receiving a malicious email is sufficient, since this program will scan all inbound and outbound email. Additionally, multiple OIT vulnerabilities could conceivably be exploited in a chained fashion for a more effective approach.

  • PDF /Size Integer Overflow
  • TIFF ExtraSamples Code Execution
  • TIFF Photometric Interpretation Code Execution
  • GIF ImageWidth Code Execution
  • Gem_Text Code Execution
  • PSI Image File Code Execution
  • Word DggInfo Code Execution
  • Mac Works Database VwStreamSection Code Execution
  • Mac Word ContentAccess libvs_word+63AC Code Execution
  • BMP Heap Buffer Overflow & Code Execution
  • Mac Works VwStreamReadRecord Memory Corruption
  • PDF /Kids Information Leakage
  • PDF NULL Pointer Dereference Denial of Service
  • PDF Recursion Stack Overflow Denial of Service
  • PDF /FlateDecode /Colors Denial of Service
  • PDF /Type /Xref Denial of Service
  • PDF Xref Offset Denial of Service
  • Mac Word ContentAccess libvs_word Denial of Service

• Over, and over again we see problems that arise from software using untrusted data as input without proper and necessary validation of that data, and because not all software developers are experts in the multitude of file formats in existence they are forced to rely on SDKs such as Oracle’s OIT.

• However, the unfortunate reality is that vulnerabilities that are found in an SDK that is utilized by third-parties will take additional time to patch: First the organization that maintains the SDK issues a fix, and some amount of time later, third-parties that utilize the SDK provide an update to their customers including these fixes.
• This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products.
• In related news: TALOS also found a similar vulnerability in Apple’s OS X
• Additional Coverage
• In other news: Oracle has released its Critical Patch Update for July 2016 to address 276 vulnerabilities across multiple products
• Includes 4 Java vulnerabilities with CVSS scores of 9.6 out of 10

Krebs: The value of a hacked company

• Based on his previous infographic, the value of a hacked email address, this new post covers the value of a hacked company
• “Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.”
• “If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.”
• There is a lot of value that an attack can extract from a hacked company:
  • Intellectual Property, like trade secrets, plans, or even just a list of customers
  • Physical Property: Desktops, backups, telecom equipment, access to VOIP infrastructure
  • Partners: Access to other companies that the hacked company deals with, weather it be for the sake of Phishing those companies, accessing their bank details, or spreading the compromise to their network
  • HR Data: Information about employees, for tax fraud, insurance fraud, identity theft, or as further targeting data for future attacks
  • Financials: Draining the company bank account, company credit card details, customer credit card details, employee bank account details (payroll), sensitive financial data
  • Virtual Property: Access to cloud services, websites (watering hole attacks), software licenses, encryption keys, etc.
• “This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.”
• “In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.”
• “These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.”
• “It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce.”
• “Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.”

Feedback:

• ZFS Fillin Up

• InfiniBand

• IPSEC VPN server & OS options

Mention: Networking for Information Security/Penetration Testing

Round Up:

• Feds Seize KickassTorrents Domains, Arrest Alleged Owner
• How to many money by abusing 2 Factor Auth — Have Google, Instagram, etc, call your premium rate (900) number to verify your 1000s of accounts
• Apple Has Its Own Stagefright Vulnerability
• PostgreSQL EnterpriseDB first open source database to pass Defense Information Systems Agency (DISA) testing, and publish a Security Technical Implementation Guide (STIG)
• Skype is Transitioning to a More Modern, Mobile-Friendly Architecture
• Microsoft killing off last bits of p2p in skype, and all old clients, in favour of new cloud-server backed infrastructure
• Seagate launches its new line of 10TB Helium drives: BarraCuda (Desktop HDD), FireCuda (Desktop SSHD), BarraCuda Pro (5 year Warrenty), IronWolf (NAS), and SkyHawk (Surveillance).
• Stack Exchange Outage Postmortem – July 20, 2016
• Engineer gets tired of waiting for Telcos, wires up his whole town
• Microsoft ordered to fix ‘excessively intrusive, insecure’ Windows 10
• France’s National Data Protection Commission (CNIL) has ordered Microsoft to “stop collecting excessive data and tracking browsing by users without consent”
• How (and why) FreeDOS keeps DOS alive
• Verizon to disconnect unlimited data customers who use over 100GB/month
• BT Outage the fault of Data Center and Exchange operator Equanix
• Mitsubishi Outlander Flaw Opens Door to Thieves—Literally – Infosecurity Magazine
• The Ubuntu forums have been hacked, IP address, username, and email address of over two million users have been compromised

The post Bitmap Pox | TechSNAP 276 first appeared on Jupiter Broadcasting.

Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Badlock vulnerability disclosed

• The badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
• It turns out to not have been as big a deal as we were lead to believe
• The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
• The flaw itself is identified as https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
• It affects all versions of Samba clear back to 3.0
• “Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
• “Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
• See the Samba Release Planning page for more details about support lifetime for each branch
• Microsoft releases MS16-047 but rated it only “Important”, not “Critical”
• The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
• Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
• It seems most of the “badlock” bugs were actually in Samba itself, rather than the protocol as we were lead to believe
• “There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
• Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
• standard Samba server – modify user permissions on files or directories.
• There were also a number of related CVEs that are also fixed:
  • CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
  • CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
  • CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
  • CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
  • CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
  • CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
  • CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible.
• Additional Coverage: Threadpost – Badlock vulnerability falls flat against its type
• “As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
• “Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
• Additional Coverage: sadlock.org

Panama Papers: Mossack Fonseca

• Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
• They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
• The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
• Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
• There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
• Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
• Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
• What little is known about the source of the leak comes from details published by German newspaper Suddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
• Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
• Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
• On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
• Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
• Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
• Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
• Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
• Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
• Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
• Additional Coverage: Forbes
• Additional Coverage: WordFence
• Additional Coverage: Slashdot
• In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidently rm -rf /’d, and destroyed my entire company

• “I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
• “All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).
  How I can recover from a rm -rf / now in a timely manner?”
• There is not usually any easy way to recover from something like this
• That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
• It is usually best to not have your backups mounted directly, for exactly this reason
• Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
• While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidently rm -rf /’d in a roundabout way, Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), i used tab complete, and instead of: rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
• Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
• When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
• Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
• There are plenty of other examples of this same problem though
• Steam accidently deletes ALL of your files
• Bryan Cantrill tells a similiar story from the old SunOS days
• Discussion continues and talks about why rm -rf / is blocked by on SunOS and FreeBSD
• Additional Coverage: ServerFault
• When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern linux, without the –no-preserve-root flag

Feedback:

• NAS or SAN?
• Full SSD ZFS array

Round Up:

• “FreeBSD Mastery: Advanced ZFS” has been released as ebook for $9.99, print version in a few weeks
• Book features a fancy “Wrap Around” cover, the secret art not revealed yet
• How to not get pwned on Windows: Don’t run any virtual machines, open any web pages, Office docs, hyperlinks
• OpenWhisperSystems has integrated its Signal Protocol public key encryption systems into WhatsApp, now fully end-to-end encrypted with identity verification
• FBI bought previously undisclosed zeroday to crack the iPhone 5c
• After Apple claims to have fixed iOS 1970 bug in February, researchers demo a new remote version, bricks your device 20 minutes after connecting to their rouge WiFi, if your battery doesn’t catch fire first…
• 0-day exploits more than double as attackers prevail in security arms race
• Proving apps don’t take data security seriously, new website uses Tinder’s official API to let you spy on other users
• Google’s monthly Android update fixes Linux kernel flaw from 2014 that was being used to root Android devices
• Nest pulls the plug on the Resolv Hub, leaving owners who were promised a lifetime service subscription with a $299 paperweight
• The entire Turkish citizenship database appears to have been hacked and leaked online
• Python, Go, and PHP (before 5.6), failed to check for self-signed, expired, or worse revoked SSL certificates, also older versions may still accept RC4 and weak DH (logjam)
• Cellebrite, the company originally rumoured to have helped the FBI crack the iPhone, set to release a road side ‘textalyzer’, to determine if you were using your cell phone at the time of an accident
• Google’s new “BeyondCorp” security model, all networks are untrusted, users earn trust with good behaviour, devices earn trust with known good state
• All the resources in the world are not use if you don’t know how to use them

The post rm -rf $ALLTHETHINGS/ | TechSNAP 262 first appeared on Jupiter Broadcasting.

Kronda makes wordpress sites, manages a blog & offers educational resources for learning wordpress!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

Interview – Kronda – @kronda

• Life as I Know It – This is my story, and I’m sticking to it.
• Kronda (@kronda) | Twitter
• Tech Journey – Life as I Know It
• Blog – Karvel Digital
• Karvel Digital | Websites That Work
• Karvel Digital (@KarvelDigital) | Twitter
• Xander Oz (@stateofthecat) | Twitter

Are you looking for the transcription? Please let us know you use it and we may bring it back!

• WTR Transcription Poll

The post Impress with Wordpress | WTR 57 first appeared on Jupiter Broadcasting.

We discuss Mike’s general thoughts on ReactJS, the NY bill that would provide a tax credit for open source contributions & the interesting details in developer data.

Plus some real talk about your real value, what no indie developer wants to hear about the App Store & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

— Show Notes: —

Hoopla

Stack Overflow Developer Survey 2016 Results

This year, over fifty thousand developers shared where they work, what they build, and who they are. You are about to read the results of the most comprehensive developer survey ever conducted.

NY bill would provide tax credit for open source contributors

What no indie developer wants to hear about the App Store

In the age of Toys R Us and endless plastic of Lego and Hasbro, indie toy making has all but disappeared from the mainstream. So have many music and book shops in the face of Amazon and mom-and-pop shops in the shadow of Walmart.

Feedback

• BBQLinux – Send in by millario
• Why the hate on ReactJS, Michael?

The post Rails Crazies React | CR 197 first appeared on Jupiter Broadcasting.

Is the age of Apps finally coming to an end? Data points to yes & we discuss how platforms like Slack might offer more potential.

Then, more web developers are switching to Linux, is this the start of a trend?

Plus what caught our attention in the new iOS release, and interesting projects Google has in store for 2016.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

Show Notes:

Hoopla:

iOS 9.3 Preview – Apple

This latest iOS release adds numerous innovations to the world’s most advanced mobile operating system. There are improvements to a wide range of apps, along with great new additions to CarPlay. iOS 9.3 may even help you get a good night’s sleep. And you’ll find a preview of new features that will make using iPad in schools easier and better for students and admins.

App Age Over?

Switching to Linux

In 10 years a lot has changed, but the main thing Apple and OS X had going for
it was it’s “it just works” reputation. I feel this has stopped being true.

2016 Google Tracker: Everything Google is working on for the new year | Ars Technica

Android N, a big VR program, Google Glass, and lots more are in store for Alphabet.

Feedback:

• Angular2 & Dart

The post Slacking while Coding | CR 187 first appeared on Jupiter Broadcasting.

We explain the Venom vulnerability, what the impact is & the steps major providers are taking to protect themselves.

Plus strategies to mitigate Cyber Intrusions, a truly genius spammer, great questions, a huge round up & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

VENOM: Virtualized Environment Neglected Operations Manipulation

• A flaw in the way qemu emulates floppy disks could allow an attacker to break out of a virtual machine and take over the host
• “This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.”
• This vulnerability affects qemu, KVM, VirtualBox, and some types of Xen, because they all share the same qemu floppy emulation code
• Unaffected hypervisors include: VMWare, Hyper-V, Bochs, and bhyve
• The issue has been assigned the identifier CVE-2015-3456
• “Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, FreeBSD, etc.).”
• “It needs to be noted that even if a guest does not explicitly have a virtual floppy disk configured and attached, this issue is exploitable. The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.”
• “The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command. This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.”
• “The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.”
• “After verifying the vulnerability, CrowdStrike responsibly disclosed VENOM to the QEMU Security Contact List, Xen Security mailing list, Oracle security mailing list, and the Operating System Distribution Security mailing list on April 30, 2015.
• After a patch was developed CrowdStrike publicly disclosed VENOM on May 13, 2015. Since the availability of the patch, CrowdStrike has continued to work with major users of these vulnerable hypervisors to make sure that the vulnerability is patched as quickly as possible.”
• CrowdStrike blog about the disclosure
• “While it seems obvious that infrastructure providers could be impacted, there are many other less obvious technologies that depend on virtualization. For example, security appliances that perform virtual detonation of malware often run these untrusted files with administrative privileges, potentially allowing an adversary to use the VENOM vulnerability to bypass, crash or gain code execution on the very device designed to detect malware.”
• “CrowdStrike would also like to publicly recognize Dan Kaminsky, Chief Scientist at White Ops, who is a renowned researcher with extensive experience discovering and disclosing major vulnerabilities. Dan provided invaluable advice to us throughout this process on how best to coordinate the release of open source patches across the numerous vendors and users of these technologies.”
• Xen Advisory
• Amazon Statement
• Digital Ocean statement
• Redhat Advisory
• Working PoC exploit
• This has refocused attention on some older work to exploit qemu/KVM, like this from DEFCON / BlackHat 2011
• Or this paper from a Google researcher from 2007: An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments
• There is also some backlash against the naming and glamorization of vulnerabilities, as seen with the recent announcement of AnalBleed

Strategies to Mitigate Targeted Cyber Intrusions – From the Australian Signals Directorate

• The Australian equivalent to the NSA has published a study on the top 35 mitigation methods to protect networks for targeted cyber attacks
• They say that 85% of all network intrusions could be prevented if organizations adopted just the top 4 recommendations
• These 4 recommendations are:
  • Use application whitelisting, to prevent malicious software from being able to run
  • Install application updates (especially java, flash, PDF readers, browsers, etc)
  • Install OS updates (quickly!), Do not use Windows XP
  • Do not give administrator privileges to more people than absolutely required
• Video: Catch, Patch, and Match
• Table: The full list of 35 mitigation strategies
• How to employ the top 4 mitigations in a Linux environment
• The ASD even goes so far as to rank each mitigation strategy by its effectiveness, how much users will resist/complain, how much work it will be to setup, and how much work it will be to maintain.
• “Once organisations have implemented the Top 4 mitigation strategies, first on the computers of users who are most likely to be targeted by cyber intrusions and then on all computers and servers, additional mitigation strategies can be selected to address security gaps until an acceptable level of residual risk is reached. “
• Of these, only the application whitelisting is likely to rise the ire of the average end user
• Additional Coverage – SecureList
• The list of 35 mitigation methods can be roughly divided into 4 categories:
• Administrative — Training, physical security
• Networking — These measures are easier to implement at a network hardware level
• System administration — The OS contains everything needed for implementation
• Specialized security solutions — Specialized security software is applicable
• Kaspersky SecureList has broken its analysis of the ASD publication down into 4 parts in its Security Encyclopedia:
• Part 1. How to mitigate APTs. Applied theory
• Part 2. Top-4 mitigation strategies which address 85% of threats
• Part 3. Strategies outside the Top-4. For real bulletproof defense
• Part 4. Forewarned is Forearmed: the Detection Strategy against Advanced Persistent Threats (APTs)
• Gartner: Best Practices for Mitigating Advanced Persistent Threats

Mumblehard — Muttering spam from your servers

• “Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam”
• The virus consisted of perl code packed into an ELF binary
• During a 7 month monitoring period, Eset researchers saw 8,867 IP addresses connect to one of the command and control servers
• “The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail.”
• “These two main components are written in Perl and they’re obfuscated inside a custom “packer” that’s written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that’s arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.”
• “Malware targeting Linux and BSD servers is becoming more and more complex,” researchers from Eset wrote. “The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption.”
• The way the malware was architected, it polled a list of Command and Control servers, accepting commands from any of them
• The list included some legitimate sites, to throw researchers off
• “A version of the Mumblehard spam component was uploaded to the VirusTotal online malware checking service in 2009, an indication that the spammer program has existed for more than five years. The researchers were able to monitor the botnet by registering one of the domain names that Mumblehard-infected machines query every 15 minutes.”
• At some point, one of the domains on the command and control list became available, so the researchers registered it and directed all of the infected machines to talk to their own command and control server
• The communications with the C&C servers was cleverly hidden in what look like PHP Session cookies, and in the fake browser user-agent strings
• One of the giveaways is the fact that the base browser user-agent string is for Firefox 7.0.1 on Windows 7
• Part of the version string would be replaced with the command id, http status, and number of bytes downloaded by the infected machine
• “The Eset researchers still aren’t certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program.”
• Eset research PDF

Feedback:

• Jupiter Broadcasting Meetup

• zfs send (and receive)

• What really is DevOps?

• Is my FreeNAS open?

• answer to question last week

Round-Up:

• Cybersecurity Firm May Have Hacked Its Own Clients To Extort Them Additional Coverage – CNN Money
• Enterprise SSDs may start to lose data if left powered off for even just a few days
• RHEL 7 will break with its typical long term backporting strategy, and update GTK3/Gnome3 mid-cycle
• Interesting issue with PHP Hash comparisons could result in many vulnerability announcements in the coming weeks. In php: 0e == 0 (or 0e), so hashes could falsely match
• Military Strategy: A West Point Teacher’s Last Letter to His Cadets
• Brian Krebs Discusses Investigative Security Journalism – Indepth interview with Norse “Dark Matters” blog
• Top cyber attack vectors for critical SAP systems
• Proof of concept Linux rootkit uses processor and memory of GPU to hide from operating system
• Beware the ticking Internet of Things security time bomb
• Ad network compromised, spreads “nuclear exploit kit”
• Australia outlaws warrant canaries
• Dropbox updates Terms of Service, users ourside North America will be served from Ireland instead of the USA
• Virus Scanners need to be more than just a GUI with a big “SAFE” label on them
• Intels new Core M 5Y71 keeps pace with its Core i5 cousins
• Adallom is not a Bureaucracy checkbox
• What year is this: Researcher Richard Bejtlich posts an excerpt from a novel about computer security, guess when it was written
• Bug Bounty Program | United Airlines

The post Venomous Floppy Legacy | TechSNAP 214 first appeared on Jupiter Broadcasting.

Why boring technology might be the better choice, Google revokes & China chokes, why you want to create an account at irs.gov before crooks do it for you.

Plus your great IT questions, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Why you should choose boring technology

• The basic premise is that in building technology, specifically web sites and web services, there is often a bias towards using the latest and greatest technology, rather than the same old boring stuff
• This often turns out to bite you in the end. Look at people who based their site or product on FoundationDB, which was recently bought and shutdown by Apple
• Look at one of the most popular sites on the internet, Facebook, originally written in PHP and MySQL, and still largely remains based on those same old technologies
• “The nice thing about boringness (so constrained) is that the capabilities of these things are well understood. But more importantly, their failure modes are well understood.”
• “Anyone who knows me well will understand that it’s only with a overwhelming sense of malaise that I now invoke the spectre of Don Rumsfeld, but I must.“
• “When choosing technology, you have both known unknowns and unknown unknowns”
• The Socratic paradox
• A known unknown is something like: we don’t know what happens when this database hits 100% CPU.
• An unknown unknown is something like: geez it didn’t even occur to us that writing stats would cause GC pauses.
• “Both sets are typically non-empty, even for tech that’s existed for decades. But for shiny new technology the magnitude of unknown unknowns is significantly larger, and this is important.”
• The advantage to using boring technology is that more people understand how it works, more people understand how it fails, more people have come before you, tried to do something similar to what you are doing
• You won’t find the answer on Stack Overflow if you are the first person to try it
• “One of the most worthwhile exercises I recommend here is to consider how you would solve your immediate problem without adding anything new. First, posing this question should detect the situation where the “problem” is that someone really wants to use the technology. If that is the case, you should immediately abort.”
• People like new toys and new challenges
• Businesses should try to avoid new costs, and new risks
• Adding a new technology is not a bad thing, but first consider if the goal can be accomplished with what you already have

Google revokes CNNIC root certificate trust

• On March 20th Google security engineers noticed a number of unauthorized certificates being used for gmail and other google domains
• The certificates were issued by a subordinate CA, MCS Holdings
• “Established in 2005, MCS (Mideast Communication Systems) offers Value Added Distribution focusing on Networking and Automation businesses.”
• MCS Holdings makes Firewalls and other network appliances
• MCS got its subordinate CA certificate from CNNIC (Chinese Internet Network Information Center)
• “CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.”
• Google added the MCS certificate to its revocation list so it would no longer be trusted
• “CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system”
• Google accepted the explanation as the truth, but is unsatisfied with the situation
• “This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it.”
• CNNIC has specific obligations it must fulfill in order to be a trusted CA
• The CA/Browser Forum sets the policies agreed upon for signing new trusted certificates
• Mozilla has an existing policy that enumerates the possible problems and their immediate and potential consequences
• “Update – April 1: As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”
• CNNIC has released an official statement calling Google’s actions “unacceptable”
• Mozilla is considering similar actions:
• Reject certificates chaining to CNNIC with a notBefore date after a threshold date
• Request that CNNIC provide a list of currently valid certificates and publish that list so that the community can recognize any back-dated certs
• Allow CNNIC to re-apply for full inclusion, with some additional requirements (to be discussed on this list)
• If CNNIC’s re-application is unsuccessful, then their root certificates will be removed
• The Mozilla community feels that CNNIC needs more than a slap on the wrist, to ensure other CAs (and Governments) get the message that this type of behaviour is unacceptable
• Google reiterates the need for the Certificate Transparency project
• “Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.”
• Additional Coverage – Ars Technica

Signup for an account at irs.gov before crooks do it for you

• “If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.”
• “Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.”
• “Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.”
• The fraudster filed the new return using nearly identical data to the correct information that the victim had filed the previous year
• The victim suspects that the fraudster was able to use the irs.gov portal to view his previous returns and extract information from them to file the fraudulent return
• The fraudster files a corrected W-2 to adjust the withholding amount, to get a bigger refund
• The story goes on into details about the case, including the college student that was used as a money mule
• “The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.”
• In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.
• In Canada, to get access to your CRA Account, a passcode is mailed to you, at the current address the government already has on file for you
• In order to gain access to your account, you also must answer more specific questions than just KBAs, usually including things like “the number from line 350 of your 2013 tax return”

Feedback:

• I heard Allan likes ZFS

• ultimate travel router?

• Linux Server Management

• freenas backup sanity check

Round Up:

• Facebook successfully tests laser internet drones
• “Not Invented Here” is bad, but “Never Invent Here” is worse
• A Few Thoughts on Cryptographic Engineering: Truecrypt report
• Personal details of a number of world leaders were accidently emailed to Asian Cup organizers by Australian immigration department, the leaders were not notified of the disclosure
• New Firefox version says “might as well” to encrypting all Web traffic
• Firefox contains mp3 playback vulnerability, could lead to code execution
• N.J. school district’s ‘bitcoin hostage” problem caused by weak passwords, firewall holes | NJ.com
• Vulnerable hotel Wifi puts guests at risk
• What every stackoverflow question looks like
• Vulnerability in python scripts shipped as part of SELinux allow attackers to execute commands as root

The post Any Cert Will Do | TechSNAP 208 first appeared on Jupiter Broadcasting.

Transitions in life comes in many forms, work, relationships, gadgets. How we deal with the process of transition is key & why we shouldn’t be anxious about a transition, even if it’s a difficult one.

Plus a bit about GitHub’s ongoing DDoS, switching from PHP to Ruby & a new contender for the perfect Linux dev rig.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

Show Notes:

Feedback

• Listening to Show 146

• New Job New Language

• Devops Html5 Cloud Application

Dev World Hoopla

GitHub suffers ‘largest DDoS’ attack in site’s history

GitHub is suffering a DDoS attack deemed the largest in the website’s history and believed to originate from China.

The coding website is a popular repository for projects from game engines to security applications and web app frameworks, and is used by programmers and tech firms to develop and share tools. Since Thursday, the website has been under fire in a DDoS attack of a scale which has forced GitHub staff to rally and attempt to mitigate access problems.

In a blog post last week, GitHub said the distributed denial of service (DDoS) attack is the largest in github.com’s history. Beginning on March 26, at the time of writing the onslaught is yet to end.

GitHub says the attack “involves a wide combination of attack vectors,” which “includes every vector we’ve seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic.”

“Based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content,” GitHub says.

The “specific class” of content may be related to China. As reported by the Wall Street Journal, GitHub’s traffic surge is based on visits intended for China’s largest search engine, Baidu. Security experts told the p

Transitions

• The process or a period of changing from one state or condition to another.

• Undergo or cause to undergo a process or period of transition.

• Transition can be a lot of things… You view on a technology, the status of a relationship, or a job.

• We should not resist the process of transition. Without it, we can’t eventually fix whatever needs fixing, move forward, and arrive at our destination.

The post The Sonic Philosophy | CR 147 first appeared on Jupiter Broadcasting.

Microsoft takes 4 years to fix a nasty bug, how to bypass 2 factor authentication in the popular ‘Authy’ app.

Hijacking a domain with photoshop, hardware vs software RAID revisited, tons of great questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Microsoft took 4 years to recover privileged TLS certificate addresses

• The way TLS certificates are issued currently is not always foolproof
• In order to get a TLS certificate, you must prove you own the domain that you are attempting to request the certificate for
• Usually, the way this is done is sending an email to one of the administrative addresses at the domain, like postmaster@, hostmaster@, administrator@, or abuse@
• The problem comes when webmail services, like hotmail, allow these usernames to be registered
• That is exactly what happened with Microsoft’s live.be and live.fi
• A Finnish man reported to Microsoft that he had been able to get a valid HTTPS certificate for live.fi by registering the address hostmaster@live.fi
• It took Microsoft four to six weeks to solve the problem
• Additional Coverage – Ars Technica
• When this news story came out, another man, from Belgium, came forward to say he reported the same problem with live.be over 4 years ago
• “After the Finnish man used his address to obtain a TLS certificate for the live.fi domain, Microsoft warned users it could be used in man-in-the-middle and phishing attacks. To foreclose any chance of abuse, Microsoft advised users to install an update that will prevent Internet Explorer from trusting the unauthorized credential. By leaving similar addresses unsecured, similar risks may have existed for years.”

Bypass 2 factor authentication in popular ‘Authy’ app

• Authy is a popular reusable 2 factor authentication API
• It allows 3rd party sites to easily implement 2 factor authentication
• Maybe a little too easily
• When asked for the verification code that is sent to your phone after a request to Authy is received, simply entering ../sms gives you access to the application
• The problem is that the 3rd party sites send the request, and just look for a ‘success’ response
• However, because the input is interpreted in the URL, the number you enter is not fed to: https://api.authy.com/protected/json/verify/1234/authy_id as it is expected to be
• But rather, the url ends up being: https://api.authy.com/protected/json/verify/../sms/authy_id
• Which is actually interpreted by the Authy API as: https://api.authy.com/protected/json/sms/authy_id
• This API call is the one used to actually send the code to the user
• This call sends another token to the user and returns success
• The 3rd party application sees the ‘success’ part, and allows the user access
• It seems like a weak design, there should be some kind of token that is returned and verified, or the implementation instructions for the API should be explicit about checking “token”:”is valid” rather than just “success”:true
• Also, the middleware should probably not unescape and parse the user input

Hijacking a domain

• An article where a reporter had a security researcher steal his GoDaddy account, and document how it was done
• A combination of social engineering, publically available information, and a photoshopped government ID, allowed the security researcher to take over the GoDaddy account, and all of the domains inside of it
• This could allow:
• an attacker to inject malware into your site
• redirect your email, capturing password reset emails from other services
• redirect traffic from your website to their own
• issue new SSL certificates for your sites, allowing them to perform man-in-the-middle attackers on your visitors with a valid SSL certificate
• Some of the social engineering steps:

  • Create a fake Social Media profile in the name of the victim (with the fake picture of them)

  • Create a gmail address in the name of the victim

  • Call and use myriad plausible excuses why you do not have the required information:
  • please provide your pin #? I don’t remember setting up a pin number
  • my assistant registered the domain for me, so I don’t have access to the email address used
  • my assistant used the credit card ending in: 4 made up numbers
  • create a sense of urgency: “I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn’t a problem”
  • GoDaddy requires additional verification is the domain is registered to a business, however, since many people make up a business name when they register a domain, it is very common for these business to not actually exist, and there are loopholes
  • Often, you can create a letter on a fake letterhead, and it will be acceptable
• In the end, Customer Support reps are there to help the customer, it is usually rather difficult for them to get away with refusing to help the customer because they lack the required details, or seem suspicious
• GoDaddy’s automated system sends notifications when changes are made, however in this case it is often too later, the attacker has already compromised your account
• GoDaddy issued a response: “GoDaddy has stringent processes and a dedicated team in place for verifying the identification of customers when a change of account/email is requested. While our processes and team are extremely effective at thwarting illegal requests, no system is 100 percent efficient. Falsifying government issued identification is a crime, even when consent is given, that we take very seriously and will report to law enforcement where appropriate.”
• It appears that Hover.com (owned by Tucows, the same company that owns Ting) is one of the only registrars that does not allow photo ID as a form of verification, stating “anyone could just whip something up in Photoshop.”
• GoDaddy notes that forging government ID (in photoshop or otherwise) is illegal

Feedback:

• Securing apache server

• How to set up SSH server for anonymous web surfing

• Latest iPod skimming device found at cashpoints

• ZFS vs Hardware RAID

• ZFS Snapshots & MySQL Backups

• Android ZFS Monitor app

• ZFS Monitor – on Google Play

Round Up:

• Cisco will ship equipment to dead drops for its most sensitive clients, to avoid NSA interception and tampering
• “Evolution Market” a digital underground shop selling everything illegal, has shut down, apparently the founders made of with 12 million in bitcoin
• Cisco still in the process of patching FREAK SSL flaw from January
• Facebook Develops ‘Yosemite’ Open Server Chassis with Intel
• HiltonHonors reward program offering 1000 points for changing your password before April 1st
• Safari’s Private Browsing Mode Saves URLs In an Easily Accessible File
• OpenSSL announces patch for multiple vulnerabilities
• GCHQ admits to hacking ISPs and other systems
• Researchers to demo new persistent bios rootkit at CanSecWest.
• Target reaches huge settlement with security breach victims – CBS News
• Convicted tax fraudster fugitive caught by authorities

The post Two Factor Falsification | TechSNAP 206 first appeared on Jupiter Broadcasting.

This week on the show, we’ll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We’ll learn some of the backstory and see what they’ve got planned for the future. We’ve also got all this week’s news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Be your own VPN provider with OpenBSD

• We’ve covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past – but what if you don’t trust any VPN company?
• It’s easy for anyone to say “of course we don’t run a modified version of OpenVPN that logs all your traffic… what are you talking about?”
• The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
• With this guide, you’ll be able to cut out the middleman and create your own VPN, using OpenBSD
• It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN

FreeBSD vs Gentoo comparison

• People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
• This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
• The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
• If you’re a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more

Kernel W^X in OpenBSD

• W^X, “Write XOR Execute,” is a security feature of OpenBSD with a rather strange-looking name
• It’s meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
• This helps prevent some types of buffer overflows: code injected into it won’t execute, but will crash the program (quite obviously the lesser of the two evils)
• Through some recent work, OpenBSD’s kernel now has no part of the address space without this feature – whereas it was only enabled in the userland previously
• Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that’s been in the works for a while
• More technical details can be found in some recent CVS commits

Building an IPFW-based router

• We’ve covered building routers with PF many times before, but what about IPFW?
• A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something FreeBSD-based
• In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
• He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
• If you’re an IPFW fan and are thinking about putting together a new router, give this post a read

Interview – Jos Schellevis – project@opnsense.org / @opnsense

The birth of OPNsense

News Roundup

On profiling HTTP

• Adrian Chadd, who we’ve had on the show before, has been doing some more ultra-high performance testing
• Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
• According to him, it’s “not very pretty”
• He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
• You can check out his new code on Github right now

Using divert(4) to reduce attacks

• We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
• It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you’re running
• PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won’t work
• The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
• Consider setting this up to reduce the attack spam in your logs if you run public services

ChaCha20 patchset for GELI

• A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
• There are also some benchmarks that look pretty good in terms of performance
• Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
• There’s some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet

PCBSD update system enhancements

• The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
• You can choose what parts of your system you want to let it automatically handle (packages, security updates)
• There’s also a new graphical frontend available for it
• The update system uses ZFS + Boot Environments for safe updating and bypasses some dubious pkgng functionality

Feedback/Questions

• Mat writes in
• Chris writes in
• Andy writes in
• Beau writes in
• Kutay writes in

Mailing List Gold

• Wait, a real one?
• What’s that glowing…

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post Common *Sense Approach | BSD Now 72 first appeared on Jupiter Broadcasting.

Recovering developer, beekeeper, scotch drinker & book author… Emma Jane Westby does it all in this exciting 5th episode of Women’s Tech Radio!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

• Support Jupiter Broadcasting on Patreon

• Emma Jane Westby – @emmajanehw

Recovering developer, beekeeper, scotch drinker & book author.

• Flowdock
• Drupal
• Drupal Easy
• webgrrls
• LinuxChix
• Git for Teams
  
  Emma’s Book: Drupal Users Guide
  Upcoming: Learning Git for Teams

The post Emma Jane Westby | WTR 5 first appeared on Jupiter Broadcasting.

Google is requiring developers to submit their physical address, and the Apple community has outed the manager behind the botched iOS 8.0.1 update. Are we seeing a dangerous threat or just a frantic response?

Plus some great questions, when to lawyer up & much more!

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

— Show Notes: —

Feedback / Follow Up:

• On the Viability of Crowd Funding

• Wrist pain

• PHP at a client

• Google wants to post my home address

• Law and Coding

Dev Hoopla:

Person responsible for iOS 8.0.1 debacle also linked to iOS 6 Maps

A quality assurance manager responsible for this week’s botched iOS 8.0.1 release was also in charge of QA for iOS 6 Maps, sources tell Bloomberg. The man is identified as Josh Williams, who is said to have been removed from the Maps team after the app gave people bad directions and/or mislabeled important scenery. He has however been with Apple since 2000, and has been handling quality issues for iOS since the early days of the iPhone.

It’s reported that Williams has a team of over 100 people around the world, and that the company relies more on human discovery of bugs than automated testing. Partly because of these factors, it’s indicated that no single person can be held responsible for major software trouble. The company in fact has a committee called the Bug Review Board overseen by Kim Vorrath, VP of product management for iOS and OS X. She in turn reports to Craig Federighi, the senior VP for software engineering. To help with testing, the company relies heavily on feedback from third-party developers.

It’s at BRB meetings that Vorrath, Williams, and other people determine which bugs need to be solved immediately and which can be dealt with later. Bugs are labeled P1, P2, or P3; P1 can halt production of a device, while P2 or P3 items can be rolled into development of later updates even before the initial firmware is out.

The post Doxing Developers | CR 121 first appeared on Jupiter Broadcasting.

Android growth is exploding, and showing no signs of slowing down… So why are big players still avoiding the platform? We’ll challenge some common misconceptions on why developers avoid Android.

Plus big Silicon Valley tech companies get busted colluding to keep wages low, the contractor fudge factor, your feedback..

And more!

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

— Show Notes: —

Feedback

• iOs Dev
• Amazon.com: Programming in Objective-C (6th Edition) (Developer\’s Library)
• Reinventing the framework
• A defense for Contract companies
• Emails From Eric Schmidt And Sergey Brin On Hiring Apple Workers
• DigitalOcean Wins!
• Digital Ocean’s Journey From TechStars Reject To Cloud-Hosting Darling
• The price of innovation

Dev Hoopla:

Why don’t designers take Android seriously?

Hack Programming Language

• Hack Isn’t PHP – Marco.org

PHP has always been poorly designed and poorly stewarded, but it\’s appealing to developers because it\’s easy to learn (and tons of programmers already know it, so it\’s easy to hire for), it\’s everywhere and runs on anything, it\’s very fast, and it\’s very simple to host and maintain server-side. In short, it\’s extremely practical.

Since Facebook is migrating its own code to Hack, pure PHP will become a less-tested second-class citizen on HHVM. This could devalue HHVM to the outside world, throwing away the benefits it’s bringing to PHP programmers everywhere. The closeness of the two languages will probably prevent this from becoming a significant problem, but it’s a problem nonetheless.

The post Paranoid Android Developers | CR 94 first appeared on Jupiter Broadcasting.

We sit down for an interview with Chris Buechler, from the pfSense project, to learn just how easy it can be to deploy a BSD firewall. We\’ll also be showing you a walkthrough of the pfSense interface so you can get an idea of just how convenient and powerful it is. Answers to your questions and the latest headlines, here on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

EuroBSDCon and AsiaBSDCon

• This year, EuroBSDCon will be in September in Sofia, Bulgaria
• They\’ve got a call for papers up now, so everyone can submit the talks they want to present
• There will also be a tutorial section of the conference
• AsiaBSDCon will be next month, in March!
• All the info about the registration, tutorials, hotels, timetable and location have been posted
• Check the link for all the details on the talks – if you plan on going to Tokyo next month, hang out with Allan and Kris and lots of BSD developers!

FreeBSD 10 on Ubiquiti EdgeRouter Lite

• The Ubiquiti EdgeRouter Lite is a router that costs less than $100 and has a MIPS CPU
• This article goes through the process of installing and configuring FreeBSD on it to use as a home router
• Lots of good pictures of the hardware and specific details needed to get you set up
• It also includes the scripts to create your own images if you don\’t want to use the ones rolled by someone else
• For such a cheap price, might be a really fun weekend project to replace your shitty consumer router
• Of course if you\’re more of an OpenBSD guy, you can always see our tutorial for that too

Signed pkgsrc package guide

• We got a request on IRC for more pkgsrc stuff on the show, and a listener provided a nice write-up
• It shows you how to set up signed packages with pkgsrc, which works on quite a few OSes (not just NetBSD)
• He goes through the process of signing packages with a public key and how to verify the packages when you install them
• The author also happens to be an EdgeBSD developer

Big batch of OpenBSD hackathon reports

• Five trip reports from the OpenBSD hackathon in New Zealand! In the first one, jmatthew details his work on fiber channel controller drivers, some octeon USB work and ARM fixes for AHCI
• In the second, ketennis gets into his work with running interrupt handlers without holding the kernel lock, some SPARC64 improvements and a few other things
• In the third, jsg updated libdrm and mesa and did various work on xenocara
• In the fourth, dlg came with the intention to improve SMP support, but got distracted and did SCSI stuff instead – but he talks a little bit about the struggle OpenBSD has with SMP and some of the work he\’s done
• In the fifth, claudio talks about some stuff he did for routing tables and misc. other things

This episode was brought to you by

Interview – Chris Buechler – cmb@pfsense.com / @cbuechler

pfSense

Tutorial

pfSense walkthrough

News Roundup

FreeBSD challenge continues

• Our buddy from the Linux foundation continues his switching to BSD journey
• In day 13, he covers some tips for new users, mentions trying things out in a VM first
• In day 14, he starts setting up XFCE and X11, feels like he\’s starting over as a new Linux user learning the ropes again – concludes that ports are the way to go
• In day 15, he finishes up his XFCE configuration and details different versions of ports with different names, as well as learns how to apply his first patch
• In day 16, he dives into the world of FreeBSD jails!

BSD books in 2014

• BSD books are some of the highest quality technical writings available, and MWL has written a good number of them
• In this post, he details some of his plans for 2014
• In includes at least one OpenBSD book, at least one FreeBSD book and…
• Very strong possibility of Absolute FreeBSD 3rd edition (watch our interview with him)
• Check the link for all the details

How to build FreeBSD/EC2 images

• Our friend Colin Percival details how to build EC2 images in a new blog post
• Most people just use the images he makes on their instances, but some people will want to make their own from scratch
• You build a regular disk image and then turn it into an AMI
• It requires a couple ports be installed on your system, but the whole process is pretty straightforward

PCBSD weekly digest

• This time around we discuss how you can become a developer
• Kris also details the length of supported releases
• Expect lots of new features in 10.1

Feedback/Questions

• Sean writes in: https://slexy.org/view/s216xJoCVG
• Jake writes in: https://slexy.org/view/s2gLrR3VVf
• Niclas writes in: https://slexy.org/view/s21gfG3Iho
• Steffan writes in: https://slexy.org/view/s2JNyw5BCn
• Antonio writes in: https://slexy.org/view/s2kg3zoRfm
• Chris writes in: https://slexy.org/view/s2ZwSIfRjm

• Our email backlog is pretty much caught up. Now\’s a great time to send us something – questions, stories, ideas, requests for something you want to see, anything
• All the tutorials are posted in their entirety at bsdnow.tv
• The OpenBSD router tutorial got a couple improvements and fixes
• Just because our tutorial contest is over doesn\’t mean you can\’t submit any, we would love if more listeners wrote up a tutorial on interesting things they\’re doing with BSD
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
• The BSD Now shirt design has been finalized, we have the files and are working out the printing details… expect them to be available in early-to-mid March!

The post A Sixth pfSense | BSD 25 first appeared on Jupiter Broadcasting.

A recent snafu has left Mike in a bit of a bind with a client, and technical glitches nearly threatened to toss Chris out on the side of the road.

After digging through a batch of really great emails, the guys air some dirty laundry. This week we crack open a cold one, and chug some haterade.

Thanks to:

• Help the DigitalOcean community by submitting articles and get paid $50 per published piece!

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Feedback

• Why I Believe the Java Hate is Strong

• System adminis

• docker life cycle + P.S. Java

• IBM Is Still Strong

• Ben’s Email

Dev World Hoopla

• Mike’s dirty laundry: TestFlight impacting Mike’s projects

• TestFlight » Beta Testing On The Fly

A free testing service for mobile developers, managers and testers.

Book Pick:

[asa]149235080X[/asa]

The post Deploying the Haterade | CR 75 first appeared on Jupiter Broadcasting.

With big Google and Apple events on the horizon we look at how Google’s early investment in relative UI layouts will be paying dividends in Android 4.4 KitKat.

Plus: Your emails, our php follow up, a few near-term predictions, and even an RMS rap.

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Feedback

• Need some advice about a career move.
• Choosing a language based on task
• Betting on Linux | Coder Radio 71
• PHP Sucks (and Rocks)

Dev Hoopla

• Mike’s Moto X Review: Moto X Review | dominickm.com
• Healthcare.gov violates the GPL

Crystal Ball Time

• Nexus 5, 10 2 release date October 24: Android 4.4 KitKat OS to launch at NYC Google event with new devices | Christian News on Christian Today

Google has sent out invitation to its press event to release the Nexus 5 and Nexus 10 2 on October 28, 2013.

• How long will Google keep burning money on Motorola?

losses at Google\’s Motorola Mobility have accelerated despite three rounds of layoffs that slashed around 6,000 workers. The division is now on pace to bleed $1 billion a year out of the search giant\’s bank account. And yet Google\’s stock topped a record high $1,000 a share today as investors showed renewed confidence in the company\’s future.

Tool of the Week

• Brackets – Post show LOL – It\’s an Air app.

Follow the show

• FingertipTech on Twitter

• Email the show

• Join the Coder Radio Subreddit
• Live Monday 9am PST
• Music by: Ronald Jenkees
• Mike on Twitter
• Mike on Google+
• Mike’s website
• Chris on twitter
• Chris on Google+

The post Relatively Laid Out | CR 72 first appeared on Jupiter Broadcasting.