Show Notes/Links: https://www.bsdnow.tv/344

The post Grains of Salt | BSD Now 344 first appeared on Jupiter Broadcasting.

A new vulnerability in many websites, Oracle’s Outside In Technology, Turned Inside-Out & the value of a hacked company.

Plus your questions, our answers, a really great round up & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

New vulnerability in many websites: HTTPoxy

• Background #1: The CGI (Common Gateway Interface) Specification defines the standard way that web servers run backend applications to dynamically generate websites
• CGI can be used to run Perl, PHP, Python, Ruby, Go, C, and any other language
• To provide access to information about the original request from the user, the web server sets a number of environment variables to represent the HTTP headers that were sent with the request
• To avoid conflicting with any existing environment variables, the headers are prefixed with HTTP_
• So, when you pass the the Accept-Encoding header, to indicate your browser supports receiving compressed data, the environment variable HTTP_ACCEPT_ENCODING gets set to the contents of that header
• This allows your application to know what compression algorithms are supported
• Background #2: Most tools support accessing the Internet via a proxy, and in UNIX, this is usually configured by setting an environment variable, which happens to be named: HTTP_PROXY
• “httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:”
  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
• “This leads to a remotely exploitable vulnerability. httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.”
• “What can happen if my web application is vulnerable? If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:”
  • Proxy the outgoing HTTP requests made by the web application
• Direct the server to open outgoing connections to an address and port of their choosing
• Tie up server resources by forcing the vulnerable software to use a malicious proxy
• “httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.”
• So, I can send a header that will cause your application to make all of its connections, even to things like your backend API, via a proxy that I control. This could allow me to get access to passwords and other data that you thought would only ever be transmitted over your internal network.
• Timeline:
• March 2001: The issue is discovered in libwww-perl and fixed. Reported by Randal L. Schwartz
• April 2001: The issue is discovered in curl, and fixed there too (albeit probably not for Windows). Reported by Cris Bailiff.
• July 2012: In implementing HTTP_PROXY for Net::HTTP, the Ruby team notice and avoid the potential issue. Nice work Akira Tanaka!
• November 2013: The issue is mentioned on the NGINX mailing list. The user humbly points out the issue: “unless I’m missing something, which is very possible”. No, Jonathan Matthews, you were exactly right!
• February 2015: The issue is mentioned on the Apache httpd-dev mailing list. Spotted by Stefan Fritsch.
• July 2016: Scott Geary, an engineer at Vend, found an instance of the bug in the wild. The Vend security team found the vulnerability was still exploitable in PHP, and present in many modern languages and libraries. We started to disclose to security response teams.
• So this issue was found and dealt with in Perl and cURL in 2001, but, not widely advertised enough to make people aware that it could also impact every other CGI application and language
• Luckily, you can solve it fairly easily, the site provides instructions for fixing most popular web servers, including NGINX, Apache. Varnish, Relayd, HAProxy, lighttpd, Microsoft IIS, and others
• The fix is simple, remove or blank out the ‘Proxy’ header before it is sent to the application. Since this is a non-standard header, and should never be used, it is safe to just delete the header
• Other Mitigations: Firewall the web server so it can not make outgoing requests, or use HTTPS for all internal requests, so they cannot be snooped upon.

Oracle’s Outside In Technology, Turned Inside-Out

• From Oracle’s Outside In Technology, Turned Inside-Out Site: “Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats.”
• In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle.
• The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in these findings, is severe because so many third-party products use Oracle’s OIT to parse and transform files.

A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle’s Outside In SDK includes:

• Avira AntiVir for Exchange – antivirus protection for Microsoft Exchange * IBM WebSphere Portal – provides enterprise web portals
• Google Search Appliance – search all content in an enterprise through a single search box
• Guidance Encase – forensic investigation software
• Microsoft Exchange – enterprise email and productivity software
• Novell Groupwise – a collaboration tool for large enterprise
• Raytheon SureView – software designed for enterprise visibility and user activity monitoring

• Veritas (Symantec) Enterprise Vault – a program for information governance through archiving

• Talos has not confirmed that each of the third-party products listed above are affected. We have, however, confirmed that some are running vulnerable OIT-related code. For example, if WebReady Document Viewing is enabled for Microsoft Exchange 2013 (& earlier), an attacker could exploit these vulnerabilities by sending a malicious email attachment to a victim who then opens the email using web preview.

• Further, if Data Loss Prevention is enabled, the vulnerability can be triggered simply by sending an email with a malicious attachment outbound from the affected Exchange server. If Avira AntiVir for Exchange (v12.0.2775.0 & earlier) is in place, just sending or receiving a malicious email is sufficient, since this program will scan all inbound and outbound email. Additionally, multiple OIT vulnerabilities could conceivably be exploited in a chained fashion for a more effective approach.

  • PDF /Size Integer Overflow
  • TIFF ExtraSamples Code Execution
  • TIFF Photometric Interpretation Code Execution
  • GIF ImageWidth Code Execution
  • Gem_Text Code Execution
  • PSI Image File Code Execution
  • Word DggInfo Code Execution
  • Mac Works Database VwStreamSection Code Execution
  • Mac Word ContentAccess libvs_word+63AC Code Execution
  • BMP Heap Buffer Overflow & Code Execution
  • Mac Works VwStreamReadRecord Memory Corruption
  • PDF /Kids Information Leakage
  • PDF NULL Pointer Dereference Denial of Service
  • PDF Recursion Stack Overflow Denial of Service
  • PDF /FlateDecode /Colors Denial of Service
  • PDF /Type /Xref Denial of Service
  • PDF Xref Offset Denial of Service
  • Mac Word ContentAccess libvs_word Denial of Service

• Over, and over again we see problems that arise from software using untrusted data as input without proper and necessary validation of that data, and because not all software developers are experts in the multitude of file formats in existence they are forced to rely on SDKs such as Oracle’s OIT.

• However, the unfortunate reality is that vulnerabilities that are found in an SDK that is utilized by third-parties will take additional time to patch: First the organization that maintains the SDK issues a fix, and some amount of time later, third-parties that utilize the SDK provide an update to their customers including these fixes.
• This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products.
• In related news: TALOS also found a similar vulnerability in Apple’s OS X
• Additional Coverage
• In other news: Oracle has released its Critical Patch Update for July 2016 to address 276 vulnerabilities across multiple products
• Includes 4 Java vulnerabilities with CVSS scores of 9.6 out of 10

Krebs: The value of a hacked company

• Based on his previous infographic, the value of a hacked email address, this new post covers the value of a hacked company
• “Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.”
• “If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.”
• There is a lot of value that an attack can extract from a hacked company:
  • Intellectual Property, like trade secrets, plans, or even just a list of customers
  • Physical Property: Desktops, backups, telecom equipment, access to VOIP infrastructure
  • Partners: Access to other companies that the hacked company deals with, weather it be for the sake of Phishing those companies, accessing their bank details, or spreading the compromise to their network
  • HR Data: Information about employees, for tax fraud, insurance fraud, identity theft, or as further targeting data for future attacks
  • Financials: Draining the company bank account, company credit card details, customer credit card details, employee bank account details (payroll), sensitive financial data
  • Virtual Property: Access to cloud services, websites (watering hole attacks), software licenses, encryption keys, etc.
• “This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.”
• “In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.”
• “These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.”
• “It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce.”
• “Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.”

Feedback:

• ZFS Fillin Up

• InfiniBand

• IPSEC VPN server & OS options

Mention: Networking for Information Security/Penetration Testing

Round Up:

• Feds Seize KickassTorrents Domains, Arrest Alleged Owner
• How to many money by abusing 2 Factor Auth — Have Google, Instagram, etc, call your premium rate (900) number to verify your 1000s of accounts
• Apple Has Its Own Stagefright Vulnerability
• PostgreSQL EnterpriseDB first open source database to pass Defense Information Systems Agency (DISA) testing, and publish a Security Technical Implementation Guide (STIG)
• Skype is Transitioning to a More Modern, Mobile-Friendly Architecture
• Microsoft killing off last bits of p2p in skype, and all old clients, in favour of new cloud-server backed infrastructure
• Seagate launches its new line of 10TB Helium drives: BarraCuda (Desktop HDD), FireCuda (Desktop SSHD), BarraCuda Pro (5 year Warrenty), IronWolf (NAS), and SkyHawk (Surveillance).
• Stack Exchange Outage Postmortem – July 20, 2016
• Engineer gets tired of waiting for Telcos, wires up his whole town
• Microsoft ordered to fix ‘excessively intrusive, insecure’ Windows 10
• France’s National Data Protection Commission (CNIL) has ordered Microsoft to “stop collecting excessive data and tracking browsing by users without consent”
• How (and why) FreeDOS keeps DOS alive
• Verizon to disconnect unlimited data customers who use over 100GB/month
• BT Outage the fault of Data Center and Exchange operator Equanix
• Mitsubishi Outlander Flaw Opens Door to Thieves—Literally – Infosecurity Magazine
• The Ubuntu forums have been hacked, IP address, username, and email address of over two million users have been compromised

The post Bitmap Pox | TechSNAP 276 first appeared on Jupiter Broadcasting.

This week we continue our two-part series on the activities of various BSD foundations. Ken Westerback joins us today to talk all about the OpenBSD foundation and what it is they do. We’ve also got answers to your emails and all the latest news, on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan 2015 schedule

• The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well
• Just a reminder: it’s going to be held on June 12th and 13th at the University of Ottawa in Canada
• This year’s conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time)
• Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few “birds of a feather” gatherings
• In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks
• That’s not the ideal balance we’d hope for, but BSDCan says they’ll try to improve that next year
• Those numbers are based on the speaker’s background, or any past presentations, for the few whose actual topic wasn’t made obvious from the title (so there may be a small margin of error)
• Michael Lucas (who’s on the BSDCan board) wrote up a blog post about the proposals and rejections this year
• If you can’t make it this year, don’t worry, we’ll be sure to announce the recordings when they’re made available
• We also interviewed Dan Langille about the conference and what to expect this year, so check that out too

SSL interception with relayd

• There was a lot of commotion recently about superfish, a way that Lenovo was intercepting HTTPS traffic and injecting advertisements
• If you’re running relayd, you can mimic this evil setup on your own networks (just for testing of course…)
• Reyk Floeter, the guy who wrote relayd, came up a blog post about how to do just that
• It starts off with some backstory and some of the things relayd is capable of
• relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to terminal plain TCP connections and tunnel them through SSL
• When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario
• The post is very long, with lots of details and some sample config files – the whole nine yards

OPNsense 15.1.6.1 released

• The OPNsense team has released yet another version in rapid succession, but this one has some big changes
• It’s now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches)
• This version also features a new tool for easily upgrading between versions, simply called “opnsense-update” (similar to freebsd-update)
• It also includes security fixes for BIND and PHP, as well as some other assorted bug fixes
• The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only have serial ports)
• With the news of m0n0wall shutting down last week, they’ve also released bare minimum hardware specifications required to run OPNsense on embedded devices
• Encouraged by last week’s mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL for testing (and have instructions on how to switch over without reinstalling)

OpenBSD on a Minnowboard Max

• What would our show be without at least one story about someone installing BSD on a weird device
• For once, it’s actually not NetBSD…
• This article is about the minnowboard max, a very small X86-based motherboard that looks vaguely similar to a Raspberry Pi
• It’s using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom)
• The author describes his entirely solid-state setup, noting that there’s virtually no noise, no concern about hard drives dying and very reasonable power usage
• You’ll find instructions on how to get OpenBSD installed and going throughout the rest of the article
• Have a look at the spec sheet if you’re interested, they make for cool little BSD boxes

Netmap for 40gbit NICs in FreeBSD

• Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he’s just committed
• The ixl(4) driver, that’s one for the X1710 40-gigabit card, now has netmap support
• It’s currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too
• This should make for some serious packet-pushing power
• If you have any network hardware like this, he would appreciate testing for the new code

Interview – Ken Westerback – directors@openbsdfoundation.org

The OpenBSD foundation‘s activities

News Roundup

s2k15 hackathon report: dhclient/dhcpd/fdisk

• The second trip report from the recent OpenBSD hackathon has been published, from the very same guy we just talked to
• Ken was also busy, getting a few networking-related things fixed and improved in the base system
• He wrote a few new small additions for dhclient and beefed up the privsep security, as well as some fixes for tcpdump and dhcpd
• The fdisk tool also got worked on a bit, enabling OpenBSD to properly wipe GPT tables on a previously-formatted disk so you can do a normal install on it
• There’s apparently plans for “dhclientng” – presumably a big improvement (rewrite?) of dhclient

FreeBSD beginner video series

• A new series of videos has started on YouTube, aimed at helping total beginners learn about FreeBSD
• We usually assume that people who watch the show are already familiar with basic concepts, but they’d be a great introduction to any of your friends that are looking to get started with BSD and need a helping hand
• So far, he’s covered how to get FreeBSD, an introduction to installing in VirtualBox, a simple installation or a more in-depth manual installation, navigating the filesystem, basic ssh use, managing users and groups and finally some basic editing with vi and a few other topics
• Everyone’s gotta start somewhere and, with a little bit of initial direction, today’s newbies could be tomorrow’s developers
• It should be an ongoing series with more topics to come

NetBSD tests: zero unexpected failures

• The NetBSD guys have a new blog post up about their testing suite for all the CPU architectures
• They’ve finally gotten the number of “expected” failures down to zero on a few select architectures
• Results are published on a special release engineering page, so you can have a look if you’re interested
• The rest of the post links to the “top performers” (ones with less than ten failure) in the -current branch

PCBSD switches to IPFW

• The PCBSD crew continues their recent series of switching between major competing features
• This time, they’ve switched the default firewall away from PF to FreeBSD’s native IPFW firewall
• Look forward to Kris wearing a “keep calm and use IPFW” shir- wait

Feedback/Questions

• Sean writes in
• Dan writes in
• Florian writes in
• Sean writes in
• Chris writes in

Mailing List Gold

• VCS flamebait
• Hidden agenda

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Some extra emails would be great, since we’ll be recording two episodes next week
• Be sure to say hi if you’re at AsiaBSDCon in a couple weeks, maybe we could even interview some listeners too
• We talked to the NetBSD foundation back in episode 12 and DragonFlyBSD doesn’t have a foundation, so there won’t be an “official” third part in this series

The post From the Foundation (Part 2) | BSD Now 78 first appeared on Jupiter Broadcasting.

Coming up in this week’s episode, we’ll be talking with one of OpenBSD’s newest developers – Brent Cook – about the portable version of LibreSSL and how it’s developed. We’ve also got some important information about the FreeBSD port of LibreSSL. The latest news and your emails, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD quarterly status report

• FreeBSD has gotten quite a lot done this quarter
• Changes in the way release branches are supported – major releases will get at least five years over their lifespan
• A new automounter is in the works, hoping to replace amd (which has some issues)
• The CAM target layer and RPC stack have gotten some major optimization and speed boosts
• Work on ZFSGuru continues, with a large status report specifically for that
• The report also mentioned some new committers, both source and ports
• It also covers GNATS being replaced with Bugzilla, the new core team, 9.3-RELEASE, GSoC updates, UEFI booting and lots of other things that we’ve already mentioned on the show
• “Foundation-sponsored work resulted in 226 commits to FreeBSD over the April to June period”

A new OpenBSD HTTPD is born

• Work has begun on a new HTTP daemon in the OpenBSD base system
• A lot of people are asking “why?” since OpenBSD includes a chrooted nginx already – will it be removed? Will they co-exist?
• Initial responses seem to indicate that nginx is getting bloated, and is a bit overkill for just serving content (this isn’t trying to be a full-featured replacement)
• It’s partially based on the relayd codebase and also comes from the author of relayd, Reyk Floeter
• This has the added benefit of the usual, easy-to-understand syntax and privilege separation
• There’s a very brief man page online already
• It supports vhosts and can serve static files, but is still in very active development – there will probably be even more new features by the time this airs
• Will it be named OpenHTTPD? Or perhaps… LibreHTTPD? (I hope not)

pkgng 1.3 announced

• The newest version of FreeBSD’s second generation package management system has been released, with lots of new features
• It has a new “real” solver to automatically handle conflicts, and dynamically discover new ones (this means the annoying -o option is deprecated now, hooray!)
• Lots of the code has been sandboxed for extra security
• You’ll probably notice some new changes to the UI too, making things more user friendly
• A few days later 1.3.1 was released to fix a few small bugs, then 1.3.2 shortly thereafter and 1.3.3 yesterday

FreeBSD after-install security tasks

• A number of people have written in to ask us “how do I secure my BSD box after I install it?”
• With this blog post, hopefully most of their questions will finally be answered in detail
• It goes through locking down SSH with keys, patching the base system for security, installing packages and keeping them updated, monitoring and closing any listening services and a few other small things
• Not only does it just list things to do, but the post also does a good job of explaining why you should do them
• Maybe we’ll see some more posts in this series in the future

Interview – Brent Cook – bcook@openbsd.org / @busterbcook

LibreSSL’s portable version and development

News Roundup

FreeBSD Mastery – Storage Essentials

• MWL‘s new book about the FreeBSD storage subsystems now has an early draft available
• Early buyers can get access to an in-progress draft of the book before the official release, but keep in mind that it may go through a lot of changes
• Topics of the book will include GEOM, UFS, ZFS, the disk utilities, partition schemes, disk encryption and maximizing I/O performance
• You’ll get access to the completed (e)book when it’s done if you buy the early draft
• The suggested price is $8

Why BSD and not Linux?

• Yet another thread comes up asking why you should choose BSD over Linux or vice-versa
• Lots of good responses from users of the various BSDs
• Directly ripping a quote: “Features like Ports, Capsicum, CARP, ZFS and DTrace were stable on BSDs before their Linux versions, and some of those are far more usable on BSD. Features like pf are still BSD-only. FreeBSD has GELI and ipfw and is “GCC free”. DragonflyBSD has HAMMER and kernel performance tuning. OpenBSD have upstream pf and their gamut of security features, as well as a general emphasis on simplicity.”
• And “Over the years, the BSDs have clearly shown their worth in the nix ecosystem by pioneering new features and driving adoption of others. The most recent on OpenBSD were 2038 support and LibreSSL. FreeBSD still arguably rules the FOSS storage space with ZFS.”
• Some other users share their switching experiences – worth a read

More g2k14 hackathon reports

• Following up from last week’s huge list of hackathon reports, we have a few more
• Landry Breuil spent some time with Ansible testing his infrastructure, worked on the firefox port and tried to push some of their patches upstream
• Andrew Fresh enjoyed his first hackathon, pushing OpenBSD’s perl patches upstream and got tricked into rewriting the adduser utility in perl
• Ted Unangst did his usual “teduing” (removing of) old code – say goodbye to asa, fpr, mkstr, xstr, oldrdist, fsplit, uyap and bluetooth
• Luckily we didn’t have to cover 20 new ones this time!

BSDTalk episode 243

• The newest episode of BSDTalk is out, featuring an interview with Ingo Schwarze of the OpenBSD team
• The main topic of discussion is mandoc, which some users might not be familiar with
• mandoc is a utility for formatting manpages that OpenBSD and NetBSD use (DragonFlyBSD and FreeBSD include it in their source tree, but it’s not built by default)
• You may also want to watch Ingo’s BSDCan talk about mandoc
• We’ll catch up to you soon, Will…

Feedback/Questions

• Thomas writes in
• Stephen writes in
• Sha’ul writes in
• Florian writes in
• Bob Beck writes in – and note the “Caution” section that was added to libressl.org

• All the tutorials are posted in their entirety at bsdnow.tv
• Just can’t get enough LibreSSL? Brent also did a text-only interview for Undeadly, which we also have a link to there
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Want to come on for an interview or have a tutorial you’d like to see? Let us know
• If you’re a big PCBSD fan, or have been curious about what it has to offer over regular FreeBSD, you’ll like next week’s episode
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Liberating SSL | BSD Now 48 first appeared on Jupiter Broadcasting.

The TrueCrypt project has shut down, and we’ll run down what we think is the most likely answer to this sudden mystery is.

Plus the good news for openSSL, the top 10 Windows configuration mistakes, and big batch of your questions, our answers, and much much more!

Thanks to:

— Show Notes: —

TrueCrypt shuts down unexpectedly

• TrueCrypt is a cross-platform image or whole disk encryption system
• The website for TrueCrypt changed yesterday, stating that “it may contain unfixed security issues”
• The page states now that Windows XP is EOL and all supported versions of Windows support ‘BitLocker’ disk encryption, TrueCrypt is no longer necessary
• The website provides information about transitioning data from TrueCrypt to the OS disk encryption system for various different OSs
• The website has been updated with version 7.2 of TrueCrypt, which only allows the user to decrypt their files, not encrypt any new files
• This was originally thought to be a hack of the site, or a hoax
• The new binary is signed with the correct key, the same as previous versions of TrueCrypt, suggesting that this post is legitimate
• While the code is available, the license is restrictive
• The developers of TrueCrypt are anonymous
• GIST tracking various bits of information and speculating about possible causes
• ThreatPost coverage
• One of the suspicious things about the announcement is the recommendation to use BitLocker, the authors of TrueCrypt had previously expressed concerns about how BitLocker stores the secret keys in the TPM (Trusted Platform Module), which may also allow the NSA to access the secret key
• There is some speculation that this could be a ‘warrant canary’, the authors’ way to telling the public that they were forced to do something to TrueCrypt, or divulge something about TrueCrypt
• However, it is more likely that the developers just no longer have an interest in maintaining TrueCrypt
• The last major version release was 3 years ago, and the most recent release before the announcement was over a year ago. An actively developed project would likely have had at least some maintenance releases in that time
• The code for TrueCrypt was being audited after a crowdfunding effort. The first phase of the audit found no obvious backdoors, but the actual cryptography had not been analyzed yet.
• Additional Coverage – Krebs On Security

Core Infrastructure Initiative provides OpenSSL with 2 full time developers and funds a security audit

• The CII has announced its Advisory board and the list of projects it is going to support
• Advisory Board members include:
• longtime Linux kernel developer and open source advocate Alan Cox
• Matt Green of Open Crypto Audit Project
• Dan Meredith of the Radio Free Asia’s Open Technology Fund
• Eben Moglen of Software Freedom Law Center
• Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School
• Eric Sears of the MacArthur Foundation
• Ted T’so of Google and the Linux kernel community
• Projects identified as core infrastructure:
• Network Time Protocol
• OpenSSH
• OpenSSL
• Open Crypto Audit Project to conduct security audit of OpenSSL
• The security audit will be difficult due to the lack of a consistent style in the code and the maze of ifdef and ifndef segments
• the OCAP (Open Crypto Audit Project) team, which includes Johns Hopkins professor and cryptographer Matthew Green and Kenn White, will now have the money to fund an audit of OpenSSL
• OCAP was originally created by a crowdfunded project to audit TrueCrypt

The top 10 windows server security misconfigurations

• NCCGroup does what it calls ‘Build Surveys’, where they check production environments to ensure they are configured properly
• The following is the result of an analysis of their last 50 such surveys:
  • Missing Microsoft Patches: 82%
  • Insufficient Auditing: 50%
  • Third-Party Software Updates: 48%
  • Weak Password Policy: 38%
  • UAC Disabled for Administrator Account: 34%
  • Disabled Host-Based Firewall: 34%
  • Clear Text Passwords and Other Sensitive Information: 24%
  • Account Lockout Disabled: 20%
  • Out-of-Date Virus Definitions: 18%
  • No Antivirus Installed: 12%
• Conclusions: Everyone makes the same mistakes, over and over
• Most of these problems are trivial to fix
• Part of the problem is this culture of ‘patch averseness’, partly this is the fault of software vendors often issuing patches that break more things than they fix, but in general Microsoft has actually done a good job of ensuring their patches apply smoothly and do not break things
• Part of this is the fact that they only issue updates once a month, and only once they have been tested
• In the study, most of the machines that were missing patches, were missing patches that were more than a year old, so it isn’t just conservatism, but just a complete lack of proper patch management

Feedback:

• FreeBSD Developers Summit

• BSDCan 2014 videos

• Replacing failed disk in Freenas

• Am I too old?

• Bacula Retention and Storage Guidance

• VLAN Tag You\’re It

• Virtualisation as a Work LAN Solution

• devops is specialization

• DevOps – Wikipedia, the free encyclopedia

• Can you please talk about load balancing?

• Update on me not getting a job.

Round-Up:

• DISH Teams Up with Coinbase to Become Largest Company to Accept Bitcoin
• Post Mortem at Joyent — Opps, I accidently rebooted every server in the data center at once
• Official Google Blog: Getting to work on diversity at Google
• PeakScale’s list of PostMortems from all around the web
• YouTube starts rating U.S. ISPs, puts its weight behind settlement-free peering
• Why you don’t want to use AES-XTS encryption for anything except FDE
• Apple Forgets to Renew SSL Certificate, Breaking OS X Software Update [Fixed]
• Security concerns about HTTP/2.0 — rushing to finish and cutting corners
• Separate from the recent eBay hack, an XSS vulnerability that has not been fixed
• Last night on IRC to topic changes to VGA, and Peter Wemm dug out his old dual cpu Pentium 90mhz running FreeBSD
• Windows XP hack to get updates — Not a great idea

The post Tales from the TrueCrypt | TechSNAP 164 first appeared on Jupiter Broadcasting.