vulnerabilities – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Thu, 26 Dec 2019 03:44:53 +0000

Happy Holidays, All(an) | BSD Now 330 https://original.jupiterbroadcasting.net/138117/happy-holidays-allan-bsd-now-330/ Thu, 26 Dec 2019 05:00:00 +0000

Show Notes/Links: https://www.bsdnow.tv/330

The post Happy Holidays, All(an) | BSD Now 330 first appeared on Jupiter Broadcasting.

Epyc Encryption | TechSNAP 410 https://original.jupiterbroadcasting.net/133792/epyc-encryption-techsnap-410/ Thu, 22 Aug 2019 23:00:52 +0000

Show Notes: techsnap.systems/410

The post Epyc Encryption | TechSNAP 410 first appeared on Jupiter Broadcasting.

Update Uncertainty | TechSNAP 405 https://original.jupiterbroadcasting.net/131981/update-uncertainty-techsnap-405/ Tue, 11 Jun 2019 19:31:14 +0000

Show Notes: techsnap.systems/405

The post Update Uncertainty | TechSNAP 405 first appeared on Jupiter Broadcasting.

EPYC Server Battle | BSD Now 281 https://original.jupiterbroadcasting.net/128846/epyc-server-battle-bsd-now-281/ Thu, 17 Jan 2019 08:04:47 +0000

The post EPYC Server Battle | BSD Now 281 first appeared on Jupiter Broadcasting.


## Headlines
### scp client multiple vulnerabilities

  • Overview
    • SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to the target directory and/or client output manipulation.
  • Description
    • Many scp clients fail to verify that the objects returned by the scp server match those they asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow the server to spoof the client output.
  • Impact
    • A malicious scp server can write arbitrary files to the scp target directory, change the target directory permissions, and spoof the client output.
  • Details

The discovered vulnerabilities, described in more detail below, enable the attack described here in brief.

    1. The attacker-controlled server or Man-in-the-Middle(*) attack drops a .bash_aliases file into the victim’s home directory when the victim performs an scp operation from the server. The transfer of extra files is hidden by sending ANSI control sequences via stderr. For example:

        user@local:~$ scp user@remote:readme.txt .
        readme.txt 100% 494 1.6KB/s 00:00
        user@local:~$

    2. Once the victim launches a new shell, the malicious commands in .bash_aliases get executed.

  • (*) A Man-in-the-Middle attack does require the victim to accept the wrong host fingerprint.
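
One way a client can enforce the two checks the advisory says were missing, as an added example (not code from OpenSSH or any other scp client). The `C<mode> <size> <name>` control line is the rcp/scp wire format; the function names and the constructed sample lines are assumptions made for illustration.

```python
import fnmatch
import re

# Server control lines: "C<mode> <size> <name>" announces a file,
# "D<mode> 0 <name>" a directory (rcp/scp wire format).
_HEADER = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")

# CSI sequences (ESC [ ... final byte) plus every other C0/C1 control
# character except newline and tab. Carriage return is stripped too,
# because it lets later text overwrite an earlier line on the terminal.
_ANSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|[\x00-\x08\x0b-\x1f\x7f-\x9f]")


class ScpPolicyError(Exception):
    """The server announced an object the client did not ask for."""


def check_header(line, requested_path):
    """Validate one control line of a non-recursive copy.

    requested_path is the remote path the user typed (may contain a glob).
    Returns the accepted file name or raises ScpPolicyError.
    """
    m = _HEADER.match(line.rstrip("\n"))
    if not m:
        raise ScpPolicyError(f"malformed control line: {line!r}")
    kind, _mode, _size, name = m.groups()
    if kind == "D":
        raise ScpPolicyError(f"directory {name!r} sent for a non-recursive copy")
    if name in (".", "..") or "/" in name or "\x00" in name:
        raise ScpPolicyError(f"unsafe object name: {name!r}")
    wanted = requested_path.rsplit("/", 1)[-1]
    if not fnmatch.fnmatchcase(name, wanted):
        raise ScpPolicyError(f"{name!r} does not match requested {wanted!r}")
    return name


def sanitize_stderr(text):
    """Drop terminal control sequences before showing server stderr."""
    return _ANSI.sub("", text)


if __name__ == "__main__":
    # Constructed server responses for `scp user@remote:readme.txt .`
    for line in ("C0644 494 readme.txt\n", "C0644 120 .bash_aliases\n"):
        try:
            print("accept", check_header(line, "readme.txt"))
        except ScpPolicyError as exc:
            print("reject:", exc)
    # Constructed stderr that tries to erase the previous terminal line.
    print(repr(sanitize_stderr("\x1b[1A\x1b[2Kreadme.txt 100%\r\n")))
```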

### FreeBSD 12.0 vs. DragonFlyBSD 5.4 vs. TrueOS 18.12 vs. Linux On A Tyan EPYC Server

Last month when running FreeBSD 12.0 benchmarks on a 2P EPYC server I wasn’t able to run any side-by-side benchmarks with the new DragonFlyBSD 5.4 as this BSD was crashing during the boot process on that board. But fortunately on another AMD EPYC server available, the EPYC 1P TYAN Transport SX TN70A-B8026, DragonFlyBSD 5.4.1 runs fine. So for this first round of BSD benchmarking in 2019 are tests of FreeBSD 11.2, FreeBSD 12.0, DragonFlyBSD 5.4.1, the new TrueOS 18.12, and a few Linux distributions (CentOS 7, Ubuntu 18.04.1 LTS, and Clear Linux) on this EPYC 7601 server in a variety of workloads.

DragonFlyBSD 5.4.1 ran fine on this Tyan server and could boot fine unlike the issue encountered on the Dell PowerEdge R7425 for this particular BSD. But on the Tyan server, DragonFlyBSD 5.2.2 wouldn’t boot so only this latest DragonFlyBSD release series was used as part of the comparison.

  • A summary of the operating systems tested for this EPYC 7601 OS benchmark comparison included:

  • DragonFlyBSD 5.4.1 – The latest release of Matthew Dillon’s operating system while using the HAMMER2 file-system and GCC 8.1 compiler that is now the default system compiler for this BSD.

  • FreeBSD 11.2 – The previous stable release of FreeBSD. Installed with a ZFS file-system.

  • FreeBSD 12.0 – The latest stable release of FreeBSD and installed with its ZFS option.

  • TrueOS 18.12 – The latest release of the iX systems’ FreeBSD derivative. TrueOS 18.12 is based on FreeBSD 13.0-CURRENT and uses ZFS by default and was using the Clang 7.0.1 compiler compared to Clang 6.0.1 on FreeBSD 12.0.

  • CentOS Linux 7 – The latest EL7 operating system performance.

  • Ubuntu 18.04.1 LTS – The latest Ubuntu Long Term Support release.

  • Clear Linux 27120 – The latest rolling release as of testing out of Intel’s Open-Source Technology Center. Clear Linux often reflects as close to the gold standard for performance as possible with its insanely tuned software stack for offering optimal performance on x86_64 performance for generally showing best what the hardware is capable of.

Throughout all of this testing, the Tyan 2U server was kept to its same configuration of an AMD EPYC 7601 (32 cores / 64 threads) at stock speeds, 8 x 16GB DDR4-2666 ECC memory, and 280GB Intel Optane 900p SSD benchmarks.


## News Roundup
### National Inventors Hall of Fame honors creators of Unix

Dennis Ritchie (Posthumous) and Ken Thompson: UNIX Operating System
Thompson and Ritchie’s creation of the UNIX operating system and the C programming language were pivotal developments in the progress of computer science. Today, 50 years after its beginnings, UNIX and UNIX-like systems continue to run machinery from supercomputers to smartphones. The UNIX operating system remains the basis of much of the world’s computing infrastructure, and C language – written to simplify the development of UNIX – is one of the most widely used languages today.


### Die IPV4, Die

Imagine, it is 2019. Easy, ha? Imagine, it is 2019 and you want to turn off IPv4. Like, off off. Really off. Not disabling IPv6, but disabling IPv4.

  • Two steps back

You might be coming here wondering, why would anybody want to do what we are asking to be done. Well, it is dead simple: We are running data centers (like Data Center Light) with a lot of IPv6 only equipment. There simply is no need for IPv4. So why would we want to have it enabled?
Also, here at ungleich, we defined 2019 as the year to move away from IPv4.

  • The challenge

Do you like puzzles? Competitions? Challenges? Hacking? Well. If ANY of this is of your interest, here is a real challenge for you:
We offer a 100 CHF (roughly 100 USD) for anyone who can give us a detailed description of how to turn IPv4 completely off in an operating system and allowing it to communicate with IPv6 only. This should obviously include a tiny proof that your operating system is really unable to use IPv4 at all. Just flushing IPv4 addresses and keeping the IPv4 stack loaded, does not count.


### GhostBSD 18.12 released

GhostBSD 18.12 is an updated iso of GhostBSD 18.10 with some little changes to the live DVD/USB and with updated packages.

  • What has changed since 18.10
  • removed default call of kernel modules for AMD and Intel
  • replaced octopkg by software-station
  • added back gop hacks to the live system
  • added ghostbsd-drivers and ghostbsd-utils
  • we updated the packages to the latest build

### And Now for a laugh : #unixinpictures


## Beastie Bits


## Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Unix Security Trifecta | TechSNAP 292 https://original.jupiterbroadcasting.net/104601/unix-security-trifecta-techsnap-292/ Thu, 10 Nov 2016 08:48:15 +0000

The post Unix Security Trifecta | TechSNAP 292 first appeared on Jupiter Broadcasting.

Show Notes:

Unix Trifecta — Patch Your Shit

  • This week saw the trifecta: critical vulnerabilities in 3 of the most important and widely used server applications
  • CVE-2016-8610 – OpenSSL: A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.
    • The flaw is in the way OpenSSL handles “SSL Alerts”. The SSL alert protocol is a way to communicate problems within a SSL/TLS session. Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.
  • CVE-2016-8864 – Bind: A remote attacker who could cause a server to make a query deliberately chosen to trigger the failed assertions could cause named(8) to stop, resulting in a Denial of Service condition to its clients.
    • A defect in BIND’s handling of responses containing a DNAME answer could cause a resolver to exit after encountering an assertion failure in db.c or resolver.c.
  • CVE-2016-8858 – OpenSSH: A remote attacker may be able to cause a SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.
    • During the SSH handshake procedure, the client and server exchange the supported encryption, MAC and compression algorithms along with other information to negotiate algorithms for initial key exchange, with a message named SSH_MSG_KEXINIT.
    • When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place.
  • Patches for most OSes should be out by now, make sure you install them.

LessPass, an open source, storage-less password manager? Or is it…

  • “Managing your Internet passwords is not easy. You probably use a password manager to help you. The system is simple, the tool generates random passwords whenever you need them and save them into a file protected with a strong password. This system is very robust, you only need to remember one password to rule them all! Now you have a unique password for each site on the Internet.”
  • But, there are some shortcomings to that type of password manager
  • How do I synchronize this file on all my devices?
  • How do I access a password on my parents’ computer without installing my password manager?
  • How do I access a password on my phone, without any installed app?
  • To solve this, LessPass does it differently
  • “The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will return a unique password”
  • “No need to save your passwords in an encrypted file. You just need to access the tool to recalculate a password from information that you know (mostly the login)”
  • There are some issues though.
    • Some sites have different password complexity requirements, such as banks that limit the length of your password, or require a PIN that is all digits
    • Some sites obviously do not hash passwords correctly, and do not allow some characters
    • What if you want to, or need to, change your password?
  • LessPass has a solution for all of these: you specify a “password profile” that remembers the different complexity settings needed to generate a valid password
  • To handle changing a password, there is also a counter that starts at 1, which you increment to get a different password.
  • Of course now, you have to remember: your login, your master password, the password complexity profile for each site, and how many times you have changed your password on that site
  • So, they have a “connected” version, that remembers each site, your login, the password profile, and your password change counter.
  • There are obviously some privacy concerns, and security concerns here.
  • How do you restrict access in the connected version, with a username and password? Is that password the same as or different from your master password? Is your profile data encrypted per user?
  • Of course, being an open source project, there is the option to self-host, which eliminates a number of those concerns
  • “You can host your own LessPass database if you do not want to use the official one. The requirement for self-hosting is to have docker and docker-compose installed on your machine.”
  • The fact that the installation instructions are curl | bash (written the other way around, so that when you stick sudo in front of it it works), does raise some other concerns
  • This leaves a few problems:
    • You can never change your master password, as it will effectively change all of your passwords
    • It is still technically possible for someone to brute force your master password. Each attempt will require them to do the full PBKDF2 run, but 8192 rounds will take only a small fraction of a second, and it can be parallelized quite well. If someone does compromise your master password (via brute force, or with a keylogger, or whatever), they have access to all of your passwords and, worse, to your ‘new’ passwords as well: changing your password just changes the ‘count’ parameter, so I could generate your next 10 gmail passwords and keep them for later.
    • The key-derivation seems weak, 8192 rounds of PBKDF2 is likely not enough. LastPass uses 100,000 rounds for its server-side key-derivation. FreeBSD’s GELI disk encryption uses a number of rounds that will take approximately 2 seconds, which on modern machines is over 1 million rounds. The issue is that changing this number in the future will change all of your passwords. At a minimum, it should be part of the password profile, so you can select a different value for each site, so you can change the default for new sites in the future, and increase the strength of the password for one site by changing the password.
    • LessPass cannot deal with SSO (Single Sign On). There are a number of sites for which I have the same password, because they all authenticate against the same LDAP database (or ActiveDirectory). LessPass ONLY allows you to use its derived passwords, which might not always work.
  • There are definitely some interesting aspects to LessPass, especially being able to self host, but, I don’t think I’ll be switching to it.
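
The trade-offs raised in this segment can be reproduced in a few lines, as an added example (a simplified deterministic generator, not LessPass's actual algorithm or code). Only the PBKDF2 round counts of 8192 and 100,000 come from the notes above; the salt layout, character set and function names are assumptions.

```python
import hashlib
import string
import time

# Assumed output alphabet; a per-site "password profile" would vary this.
CHARSET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_password(master, site, login, counter=1, length=16, iterations=8192):
    """Pure function: the same inputs always yield the same site password."""
    salt = f"{site}\x00{login}\x00{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(CHARSET))
        chars.append(CHARSET[idx])
    return "".join(chars)


def future_passwords(master, site, login, current_counter, n=10):
    """Later rotations depend only on the master password and the next
    counter values, so rotating a site password after the master password
    leaks does not lock anyone out."""
    return [derive_password(master, site, login, counter=c)
            for c in range(current_counter + 1, current_counter + 1 + n)]


def seconds_per_guess(iterations, samples=3):
    """Best-of-N wall-clock cost of testing one master-password guess."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"guess", b"site\x00login\x001",
                            iterations, dklen=32)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    # Constructed inputs, for illustration only.
    args = ("correct horse battery", "example.com", "alice")
    print("counter 1:", derive_password(*args))
    print("counter 2:", derive_password(*args, counter=2))
    # Raising the round count silently changes every derived password,
    # which is why the notes suggest storing it in the per-site profile.
    print("100k rounds:", derive_password(*args, iterations=100_000))
    for rounds in (8192, 100_000, 1_000_000):
        cost = seconds_per_guess(rounds)
        print(f"{rounds:>9} rounds: {cost * 1000:.1f} ms per guess per core")
```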

A very valuable vulnerability

  • It all started with a Facebook post by Colin Percival: “I think I just accidentally exploited a “receive arbitrarily large amounts of money” security vulnerability. Oops.”
  • Colin Percival is a security and cryptography expert, and a former FreeBSD Security Officer
  • Colin’s day job is running Tarsnap – backups for the truly paranoid.
  • To accept payments for his business, he uses Stripe – a credit card processing service, which also allows him to accept bitcoins
  • “While I very firmly wear a white hat, it is useful to be able to consider things from the perspective of the bad guys, in order to assess the likelihood of a vulnerability being exploited and its potential impact. For the subset of bad guys who exploit security vulnerabilities for profit — as opposed to selling them to spy agencies, for example — I imagine that there are some criteria which would tend to make a vulnerability more valuable:”
    • the vulnerability can be exploited remotely, over the internet;
    • the attack cannot be blocked by firewalls;
    • the attack can be carried out without any account credentials on the system being attacked;
    • the attack yields money (as opposed to say, credit card details which need to be separately monetized);
    • once successfully exploited, there is no way for a victim to reverse or mitigate the damage; and
    • the attack can be performed without writing a single line of code.
  • “Much to my surprise, a few weeks ago I stumbled across a vulnerability satisfying every one of these criteria.”
  • “The vulnerability — which has since been fixed, or else I would not be writing about it publicly — was in Stripe’s bitcoin payment functionality. Some background for readers not familiar with this: Stripe provides payment processing services, originally for credit cards but now also supporting ACH, Apple Pay, Alipay, and Bitcoin, and was designed to be the payment platform which developers would want to use; in very much the way that Amazon fixed the computing infrastructure problem with S3 and EC2 by presenting storage and compute functionality via simple APIs, Stripe fixed the “getting money from customers online” problem. I use Stripe at my startup, Tarsnap, and was in fact the first user of Stripe’s support for Bitcoin payments: Tarsnap has an unusually geeky and privacy-conscious user base, so this functionality was quite popular among Tarsnap users.”
  • “Despite being eager to accept Bitcoin payments, I don’t want to actually handle bitcoins; Tarsnap’s services are priced in US dollars, and that’s what I ultimately want to receive. Stripe abstracts this away for me: I tell Stripe that I want $X, and it tells me how many bitcoins my customer should send and to what address; when the bitcoin turns up, I get the US dollars I asked for. Naturally, since the exchange rate between dollars and bitcoins fluctuates, Stripe can’t guarantee the exchange rate forever; instead, they guarantee the rate for 10 minutes (presumably they figured out that the exchange rate volatility is low enough that they won’t lose much money over the course of 10 minutes). If the “bitcoin receiver” isn’t filled within 10 minutes, incoming coins are converted at the current exchange rate.”
  • “For a variety of reasons, it is sometimes necessary to refund bitcoin transactions: For example, a customer cancelling their order; accidentally sending in the wrong number of bitcoins; or even sending in the correct number of bitcoins, but not within the requisite time window, resulting in their value being lower than necessary. Consequently, Stripe allows for bitcoin transactions to be refunded — with the caveat that, for obvious reasons, Stripe refunds the same value of bitcoins, not the same number of bitcoins. (This is analogous to currency exchange issues with credit cards — if you use a Canadian dollar credit card to buy something in US dollars and then get a refund later, the equal USD amount will typically not translate to an equal number of CAD refunded to your credit card.)”
  • “The vulnerability lay in the exchange rate handling. As I mentioned above, Stripe guarantees an exchange rate for 10 minutes; if the requisite number of bitcoins arrive within that window, the exchange rate is locked in. So far so good; but what Stripe did not intend was that the exchange rate was locked in permanently — and applied to any future bitcoins sent to the same address. This made a very simple attack possible:”
    1. Pay for something using bitcoin.
    2. Wait until the price of bitcoin drops.
    3. Send more bitcoins to the address used for the initial payment.
    4. Ask for a refund of the excess bitcoin.
  • “Because the exchange rate used in step 3 was the one fixed at step 1, this allowed for bitcoins to be multiplied by the difference in exchange rates; if step 1 took place on July 2nd and steps 3/4 on August 2nd, for example, an arbitrary number of bitcoins could be increased by 30% in a matter of minutes. Moreover, the attacker does not need an account with Stripe; they merely need to find a merchant which uses Stripe for bitcoin payments and is willing to click “refund payment” (or even better, is set up to automatically refund bitcoin overpayments).”
  • “Needless to say, I reported this to Stripe immediately. Fortunately, their website includes a GPG key and advertises a vulnerability disclosure reward (aka. bug bounty) program; these are two things I recommend that every company does, because they advertise that you take security seriously and help to ensure that when people stumble across vulnerabilities they’ll let you know. (As it happens, I had Stripe security’s public GPG key already and like them enough that I would have taken the time to report this even without a bounty; but it’s important to maximize the odds of receiving vulnerability reports.) Since it was late on a Friday afternoon and I was concerned about how easily this could be exploited, I also hopped onto Stripe’s IRC channel to ask one of the Stripe employees there to relay a message to their security team: “Check your email before you go home!””
  • “Stripe’s handling of this issue was exemplary. They responded promptly to confirm that they had received my report and reproduced the issue locally; and a few days later followed up to let me know that they had tracked down the code responsible for this misbehaviour and that it had been fixed. They also awarded me a bug bounty — one significantly in excess of the $500 they advertise, too.”
  • “As I remarked six years ago, Isaac Asimov’s remark that in science “Eureka!” is less exciting than “That’s funny…” applies equally to security vulnerabilities. I didn’t notice this issue because I was looking for ways to exploit bitcoin exchange rates; I noticed it because a Tarsnap customer accidentally sent bitcoins to an old address and the number of coins he got back when I clicked “refund” was significantly less than what he had sent in. (Stripe has corrected this “anti-exploitation” of the vulnerability.) It’s important to keep your eyes open; and it’s important to encourage your customers to keep their eyes open, which is the largest advantage of bug bounty programs — and why Tarsnap’s bug bounty program offers rewards for all bugs, not just those which turn out to be vulnerabilities.”
  • “And if you have code which handles fluctuating exchange rates… now might be a good time to double-check that you’re always using the right exchange rates.”
  • A very interesting attack, that was only found because someone accidentally did the wrong thing
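
A minimal model of the rate-handling rule described above, as an added example (not Stripe's code). The 10-minute window comes from the quoted post; the class, its field names and the constructed rates of 650 and 500 USD per BTC are assumptions. The quoted rate is honoured only inside the window and only until the receiver is filled, and the permanent-lock behaviour is kept behind a flag so a regression test can compare the two.

```python
from dataclasses import dataclass
from decimal import Decimal

RATE_LOCK_SECONDS = 600  # the 10-minute guarantee


@dataclass
class BitcoinReceiver:
    amount_usd: Decimal               # what the merchant asked for
    quoted_rate: Decimal              # USD per BTC when the receiver was created
    created_at: int                   # seconds since some epoch
    lock_never_expires: bool = False  # True models the defect described above
    credited_usd: Decimal = Decimal("0")

    def rate_for(self, now, market_rate):
        """Pick the conversion rate for a deposit arriving at time `now`."""
        in_window = 0 <= now - self.created_at <= RATE_LOCK_SECONDS
        unfilled = self.credited_usd < self.amount_usd
        if self.lock_never_expires or (in_window and unfilled):
            return self.quoted_rate
        return market_rate

    def deposit(self, btc, now, market_rate):
        usd = btc * self.rate_for(now, market_rate)
        self.credited_usd += usd
        return usd

    def refundable_usd(self):
        return max(self.credited_usd - self.amount_usd, Decimal("0"))


def refund_in_btc(usd, market_rate):
    """Refunds return the same value, not the same number of coins."""
    return usd / market_rate


def round_trip(lock_never_expires):
    """BTC refunded for 1 BTC sent to an already-filled receiver a month
    later, after the market rate fell from 650 to 500 USD per BTC."""
    receiver = BitcoinReceiver(Decimal("65"), Decimal("650"), created_at=0,
                               lock_never_expires=lock_never_expires)
    receiver.deposit(Decimal("0.1"), now=60, market_rate=Decimal("650"))
    later, market = 30 * 24 * 3600, Decimal("500")
    receiver.deposit(Decimal("1"), now=later, market_rate=market)
    return refund_in_btc(receiver.refundable_usd(), market)


if __name__ == "__main__":
    print("permanent lock :", round_trip(True), "BTC back for 1 BTC sent")
    print("expiring lock  :", round_trip(False), "BTC back for 1 BTC sent")
```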

Make Ads GIF Again | TechSNAP 273 https://original.jupiterbroadcasting.net/100861/make-ads-gif-again-techsnap-273/ Thu, 30 Jun 2016 17:47:59 +0000

The post Make Ads GIF Again | TechSNAP 273 first appeared on Jupiter Broadcasting.


Project Zero lays into Symantec’s enterprise products, the botnet you’ll never find & the poor security of HTML5 video ads.

Plus your questions, our answers & much more!

Show Notes:

Google’s Project Zero lays into Symantec’s Enterprise Endpoint Security products

  • “Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand.”
  • “Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.”
  • “These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
  • “As Symantec use the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities, including:”
    • Norton Security, Norton 360, and other legacy Norton products (All Platforms)
    • Symantec Endpoint Protection (All Versions, All Platforms)
    • Symantec Email Security (All Platforms)
    • Symantec Protection Engine (All Platforms)
    • Symantec Protection for SharePoint Servers
    • And so on.
  • “Some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks. Symantec has published advisories for customers, available here.”
  • “Many developers will be familiar with executable packers like UPX, they’re tools intended to reduce the size of executables by compressing them. This causes a problem for antivirus products because it changes how executables look.”
  • Packers can be designed to obfuscate the executable, and make it harder for virus scanners to match against their signature database, or heuristically detect bad code
  • “Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers.”
  • “The problem with both of these solutions is that they’re hugely complicated and prone to vulnerabilities; it’s extremely challenging to make code like this safe. We recommend sandboxing and a Security Development Lifecycle, but vendors will often cut corners here. Because of this, unpackers and emulators continue to be a huge source of vulnerabilities, we’ve written about examples in Comodo, ESET, Kaspersky, Fireeye and many more.”
  • “Let’s look at an example from Symantec and Norton Antivirus. This vulnerability has an unusual characteristic: Symantec runs their unpackers in the Kernel!”
  • “Reviewing Symantec’s unpacker, we noticed a trivial buffer overflow when a section’s SizeOfRawData field is greater than SizeOfImage. When this happens, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer.”
  • “This was enough for me to make a testcase in NASM that reliably triggered Symantec’s ASPack unpacker. Once I verified this work with a debugger, building a PE header that mismatched SizeOfImage and SizeOfRawData would reliably trigger the vulnerability.”
  • “Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.”
  • “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”
  • There is also a buffer overflow in the PowerPoint decomposer (used to check for macros etc.)
  • There is another vulnerability in “Advanced Heuristic Protection” or “Bloodhound Heuristics” mode
  • “As with all software developers, antivirus vendors have to do vulnerability management. This means monitoring for new releases of third party software used, watching published vulnerability announcements, and distributing updates.”
  • “Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here.”
  • “A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.”
  • “Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases.”
  • There is “behind” and then there is 7 years, which is pretty much “definitely didn’t bother to look at all”
  • “As well as the vulnerabilities we described in detail here, we also found a collection of other stack buffer overflows, memory corruption and more.”
  • Additional Coverage: Fortune.com
  • Additional Coverage: Ars Technica
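
A parser-side check for the header mismatch described above, as an added example (not Symantec's or Project Zero's code). It reads SizeOfImage and each section's SizeOfRawData from the PE headers and validates them before the allocate-then-copy step; the function names, the image size cap and the constructed header-only sample are assumptions.

```python
import struct

MAX_IMAGE = 64 * 1024 * 1024  # assumed cap so a hostile header cannot force a huge allocation


class PEFormatError(ValueError):
    """Header fields are inconsistent; the file must not be unpacked."""


def parse_headers(data):
    """Return (SizeOfImage, [(name, vaddr, raw_size, raw_ptr), ...])."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    sec_off = opt_off + opt_size
    if opt_size < 60 or sec_off + 40 * n_sections > len(data):
        raise PEFormatError("truncated optional header or section table")
    (size_of_image,) = struct.unpack_from("<I", data, opt_off + 56)
    sections = []
    for i in range(n_sections):
        off = sec_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vaddr, raw_size, raw_ptr = struct.unpack_from("<III", data, off + 12)
        sections.append((name, vaddr, raw_size, raw_ptr))
    return size_of_image, sections


def map_image(data):
    """Allocate SizeOfImage bytes and copy each section in, checking first.

    In C the unchecked version of this copy writes past the allocation;
    Python would silently grow the bytearray, so the checks are explicit.
    """
    size_of_image, sections = parse_headers(data)
    if size_of_image > MAX_IMAGE:
        raise PEFormatError("SizeOfImage exceeds the configured cap")
    image = bytearray(size_of_image)
    for name, vaddr, raw_size, raw_ptr in sections:
        if raw_size > size_of_image or vaddr > size_of_image - raw_size:
            raise PEFormatError(
                f"{name}: SizeOfRawData {raw_size:#x} does not fit "
                f"SizeOfImage {size_of_image:#x}")
        if raw_ptr + raw_size > len(data):
            raise PEFormatError(f"{name}: raw data runs past end of file")
        image[vaddr:vaddr + raw_size] = data[raw_ptr:raw_ptr + raw_size]
    return bytes(image)


def constructed_sample(size_of_image, raw_size):
    """Constructed headers plus filler bytes; not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)
    raw_ptr = 0x40 + 4 + 20 + 0xE0 + 40               # data follows the headers
    sec = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size,
                      raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec + b"A" * raw_size


if __name__ == "__main__":
    print(len(map_image(constructed_sample(0x3000, 0x200))), "bytes mapped")
    try:
        map_image(constructed_sample(0x1000, 0x2000))
    except PEFormatError as exc:
        print("rejected:", exc)
```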

Botnet made up of CCTV Cameras and DVRs conducts DDoS attacks

  • As we reported in TechSNAP #259, a security researcher found that 70 different CCTV-DVR vendors are just reselling devices from the same Chinese manufacturer, with the same firmware
  • This firmware has a number of critical security flaws that the vendor was notified about, but refused to fix
  • Original coverage from March
  • Now criminals have exploited one or more of these known vulnerabilities to turn these devices into a large botnet
  • Unlike a typical botnet made up of personal computers that are turned on and off at random, and where a user might notice sluggish performance, infected embedded devices tend to be always on, and performance issues are rarely noticed
  • A botnet of over 25,000 of these CCTV systems is being used to conduct layer7 DDoS attacks against various businesses
  • One of the victims, a jewelry store, moved their site behind a WAF (Web Application Firewall) to protect it from the attack
  • Unlike most attackers, instead of admitting defeat and moving on, the attacker stepped up the attack, and prolonged it for multiple days
  • Most botnets lose strength the longer the attack is sustained, because infected machines are shutdown, isolated, reported, or disconnected.
  • The fact that this botnet is made up of embedded CCTV devices gives it more staying power, and it is not likely to be considered the source of the problem if abuse reports do come in.

Security of HTML5 Video Ads

  • For a long time many have railed against Flash, and accused it of being the root of all evil when it comes to Malvertising
  • “For the last several years, Adobe Flash has been an enemy of the online community. In general, the position is well deserved: there were more than 300 vulnerabilities found in Flash Player during 2015 alone, making it the most vulnerable PC software of the year.”
  • This study provides a comparison between Flash and HTML5 based advertisements
  • Flash ads tend to be smaller. HTML5 ads are on average 100kb larger, using more bandwidth, which on mobile can be a big deal
  • Flash ads may be more work to create, since they are not responsive, and a different file must be created for each different ad size
  • HTML5 ads do not require a plugin to run, but older browsers do not support them. This is becoming less of an issue as the number of aged devices dwindles
  • Flash ads tend to provide better picture quality, due to sub-pixel support
  • HTML5 provides better mobile support, where Flash on mobile is rare
  • There is currently a larger community of Flash developers, but this is changing
  • HTML5 is not controlled by a single entity like Adobe
  • Flash provides better optimization
  • HTML5 provides better usability and semantic support
  • This study finds that killing off Adobe Flash will not solve the security problems; HTML5 has plenty of its own security issues
  • “Even if Flash is prohibited, malvertising can still be inserted in the first two stages of video ad delivery.”
  • “The proponents pushing for Flash to be prohibited from use in an ad creative are saying that HTML5 is the remedy that can handle security threats in the advertising industry. It stands to reason that if the ad unit itself is clean, then the user won’t have any problems. Unfortunately, this is an inaccurate statement. Malvertising attacks using video ads were already occurring in late 2015 and early 2016.”
  • In a typical Flash malvertising campaign, the ad calls the Flash externalCall interface and runs some malicious JavaScript, creating a popup that, if the user accepts it, may infect their computer
  • In an HTML5 based attack, the malvertising campaign payload is not in the actual advertisement, but in the VAST/VPAID metadata, as the tracking URL. This silently navigates the user to an Angler exploit kit, where they are infected with no required user interaction
  • “the second scenario shows how the ad unit itself is not the only piece of the malvertising pie”
  • “The main root of the video ad malvertising problem is, unfortunately, fundamental. VAST/VPAID standards, developed in 2012, provide extensive abilities so that ad industry players can create a rich ad experience.”
  • “Since these standards allow advertisers to receive data about the user, they allow for third-party codes to be inserted inside the ad. Once a third-party code is allowed, there is an open door for bad actors to perpetrate malicious activities, i.e. insert malicious code.”
  • “Now that we have debunked the idea that malvertising would be eliminated if the industry prohibited the use of Flash in their ads, let’s discuss solutions.”
  • Even if malicious ads could be eliminated by better screening, malactors can compromise the ad network, and inject the malicious ads there
  • In the end, maybe we need to stop allowing advertisements to have the ability to execute code
  • Does anyone remember when advertisements were just animated .gif files?
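
Because the payload described above rides in the VAST/VPAID metadata rather than in the creative, a publisher-side check has to look at every URL the ad response carries. The following is an added example, not code from the study or the show: it audits a constructed VAST 3.0 document, and the allowlist, hostnames and function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample VAST 3.0 response (not taken from any real campaign).
SAMPLE_VAST = """<VAST version="3.0">
  <Ad id="constructed-1">
    <InLine>
      <AdSystem>ExampleAdServer</AdSystem>
      <Impression><![CDATA[https://ads.example.com/imp?id=1]]></Impression>
      <Creatives>
        <Creative>
          <Linear>
            <TrackingEvents>
              <Tracking event="start"><![CDATA[https://ads.example.com/t?e=start]]></Tracking>
              <Tracking event="complete"><![CDATA[http://track.unknown-party.test/t?e=done]]></Tracking>
            </TrackingEvents>
            <VideoClicks>
              <ClickThrough><![CDATA[https://shop.example.com/landing]]></ClickThrough>
            </VideoClicks>
            <MediaFiles>
              <MediaFile delivery="progressive" type="video/mp4" width="640" height="360"><![CDATA[https://cdn.example.com/ad.mp4]]></MediaFile>
              <MediaFile delivery="progressive" type="application/javascript" apiFramework="VPAID" width="640" height="360"><![CDATA[https://cdn.example.com/unit.js]]></MediaFile>
            </MediaFiles>
          </Linear>
        </Creative>
      </Creatives>
    </InLine>
  </Ad>
</VAST>"""

# Hypothetical publisher policy: hosts this site has vetted for ad delivery.
ALLOWED_HOSTS = {"ads.example.com", "cdn.example.com", "shop.example.com"}

# VAST elements whose text content is a URL the player will fetch or open.
URL_ELEMENTS = {"Impression", "Error", "Tracking", "ClickThrough",
                "ClickTracking", "MediaFile", "VASTAdTagURI"}

# MediaFile MIME types that deliver code instead of video.
EXECUTABLE_TYPES = {"application/javascript", "application/x-javascript",
                    "application/x-shockwave-flash"}


def audit_vast(xml_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (element, finding, url) tuples for every policy violation.

    The stdlib parser keeps the example dependency-free; for ad responses
    from untrusted networks use a hardened parser such as defusedxml.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag not in URL_ELEMENTS:
            continue
        url = (el.text or "").strip()
        if not url:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((el.tag, "not-https", url))
        if host not in allowed_hosts:
            findings.append((el.tag, "host-not-allowlisted", url))
        if el.tag == "MediaFile":
            is_vpaid = el.get("apiFramework", "").upper() == "VPAID"
            is_code = el.get("type", "").lower() in EXECUTABLE_TYPES
            if is_vpaid or is_code:
                # The "creative" is a script that runs in the page.
                findings.append((el.tag, "executable-creative", url))
    return findings


if __name__ == "__main__":
    for tag, finding, url in audit_vast(SAMPLE_VAST):
        print(f"{tag:12} {finding:22} {url}")
```

The tracking URL is flagged even though both video files come from an allowlisted CDN, which is the study's point that a clean ad unit does not make a clean ad response.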



The post Make Ads GIF Again | TechSNAP 273 first appeared on Jupiter Broadcasting.

]]>
Signature Bloatware Updates | TechSNAP 270 https://original.jupiterbroadcasting.net/100366/signature-bloatware-updates-techsnap-270/ Thu, 09 Jun 2016 10:03:13 +0000 https://original.jupiterbroadcasting.net/?p=100366 The bloatware shipping on those new computers is way, way worse than you probably thought, Internet exposed printers & the thrilling story of reverse engineering an ATM skimmer. Yes that’s really a thing. Plus great questions, our answers & more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video […]

The post Signature Bloatware Updates | TechSNAP 270 first appeared on Jupiter Broadcasting.

]]>


The bloatware shipping on those new computers is way, way worse than you probably thought, Internet exposed printers & the thrilling story of reverse engineering an ATM skimmer. Yes that’s really a thing.

Plus great questions, our answers & more!


Show Notes:

Nice brand new computer you have there, would be a shame if something happened to it

  • “According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks.”
  • “OEM PC vendors understandably need a way to maintain and install more of the aforementioned bloatware. The Duo Labs team investigated OEM software update tools spanning five vendors: Acer, Asus, Dell, HP, and Lenovo.”
  • “Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities.”
  • “Whether it’s a creep on the coffee shop WiFi or a nation state sitting on all the right trunks, any software that downloads and executes arbitrary binaries is an enticing target to attackers. This is a well-established fact — in 2006, some dude broke Mozilla’s Auto-Update; in 2010, there was Evilgrade; in 2012, Flame malware authors discovered how to man-in-the-middle (MITM) Windows Update; and in January 2016, there was the Sparkle debacle. This shows that targeting the transmission of executable files on the wire is a no-brainer for attackers.”
  • “The scope of this research paper is limited to OEM updaters, although this wasn’t the only attack surface found on these systems. Basic reverse engineering uncovered flaws that affected every single vendor reviewed, often with a very low barrier to both discovery and exploitation.”
  • The results:
    • Dell — One high-risk vulnerability involving lack of certificate best practices, known as eDellroot
    • Hewlett Packard — Two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.
    • Asus — One high-risk vulnerability that allows for arbitrary code execution, as well as one medium-severity local privilege escalation
    • Acer — Two high-risk vulnerabilities that allow for arbitrary code execution.
    • Lenovo — One high-risk vulnerability that allows for arbitrary code execution.
  • Other Findings:
  • “Every vendor shipped with a preinstalled updater, that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine”
  • Every new machine came with crapware, and an auto-updater for the crapware. The auto-updater made the machine less secure, not more secure as expected. Not to mention that this report doesn’t actually look at the crapware itself
  • “There was a very low level of technical sophistication required – that is, it was trivial to exploit most of the vulnerabilities”
  • They didn’t have to try very hard; some of these updaters run a local HTTP server that anything can connect to
  • “Vendors often failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents”
  • This means that a random person at the coffee shop, or the government, can pretend to be your OEM’s update server, and feed you malware instead of security fixes
  • “Vendors sometimes had multiple software updaters for different purposes and different implementations, some more secure than others”
  • Multiple auto-updaters, that is what everyone wants
  • “The large attack surface presented by ancillary OEM software components makes updater-specific bugs easier to exploit in practice by providing the missing pieces of the puzzle through other tools bundled with their systems”
  • If the auto-updater isn’t buggy enough, the crapware provides everything else you need to compromise the system
  • “Microsoft offers ‘Signature Edition’ systems which are intended to be free of the third-party software that plagues so many OEM systems. However, OEM-supplied software updaters and support packages are often still present on these machines.”
  • So even if you pay extra for a brand new system free of crapware, it still has the auto-updater that makes the system insecure
  • Additional Coverage
  • Additional Coverage: Lenovo tells users to uninstall vulnerable updater

Clinton email server — may have had an internet based printer…

  • “The Associated Press today points to a remarkable footnote in a recent State Department inspector general report on the Hillary Clinton email scandal: The mail was managed from the vanity domain “clintonemail.com.” But here’s a potentially more explosive finding: A review of the historic domain registration records for that domain indicates that whoever built the private email server for the Clintons also had the not-so-bright idea of connecting it to an Internet-based printer.”
  • According to historic Internet address maps stored by San Mateo, Calif. based Farsight Security, among the handful of Internet addresses historically assigned to the domain “clintonemail.com” was the numeric address 24.187.234.188. The subdomain attached to that Internet address was….wait for it…. “printer.clintonemail.com”.
  • “Interestingly, that domain was first noticed by Farsight in March 2015, the same month the scandal broke that during her tenure as United States Secretary of State Mrs. Clinton exclusively used her family’s private email server for official communications.”
  • “I should emphasize here that it’s unclear whether an Internet-capable printer was ever connected to printer.clintonemail.com. Nevertheless, it appears someone set it up to work that way.”
  • “More importantly, any emails or other documents that the Clintons decided to print would be sent out over the Internet — however briefly — before going back to the printer. And that data may have been sniffable by other customers of the same ISP”
  • Not necessarily, it can depend on the setup. The reason you might expose a printer to the internet like that on purpose, is to allow printing while you are away from home, but it isn’t a good idea
  • “Not just because any idiot on the Internet can just waste all your toner. Some of these printers have simple vulnerabilities that leave them easy to be hacked into.”
  • That printer can then serve as an ‘island hopping’ beachhead, allowing the attacker to do this from an internal IP address that is likely to be trusted, and allowed through firewalls (you do want to be able to talk to the printer right?)
  • It does appear the Clintons had an SSL VPN, which is a good sign, although I would expect the printer to have been behind that

Reverse engineering an ATM skimmer

  • “Brian Krebs has produced numerous articles on ATM skimmers. He has essentially become the “go to” journalist on ATM fraud. From reading his stuff, I have learned how the “bad guys” think when it comes to ATM fraud. In a nutshell, they are after two things:”
  • They want your card number
  • They want your PIN number
  • “To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine”
  • “The devices must look as close to the actual reader as possible so they don’t arouse suspicion. The blackhats go to great lengths to achieve this. Sometimes they will replace entire panels of the atm. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”. This is called “network skimming””
  • The post includes a video of a skimmer being installed in just a few seconds
  • Then it gets interesting: after having read all of Krebs’s advice, the author of the post encountered a skimmer while visiting Indonesia
  • “A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.”
  • “I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!”
  • “We decided to take it. On our way out to dinner, Elizabeth and I discussed excitedly about how cool this is to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we think the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.”
  • “By the time we got to the restaurant, we were pretty scared, A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.”
  • “The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispatched a technician to look at the machine.”
  • This reaction is very common, and is starting to be troubling
  • After some deduction, he determined the ports on the side were for a USB cable
  • “Threading the braided wires into those tiny holes one at a time was an exercise in patience. After 40 minutes or so, I got them all aligned. I had to hold the wires in with my hand while I plugged the USB cable into my computer. I crossed my fingers and…. Skimmer device mounts as an external hard drive!”
  • “It mounts! I freak-out a little and begin copying the files from the device. There are two folders. One is named “Google Drive” and one is named “VIDEO”. The “Google Drive” folder was empty, but there is over 11GB of video files in the “VIDEO” folder. 45 minutes later, the files are still copying to my machine. The whole time I have to hold the cable and not move lest I break the transfer.”
  • “After it’s done, I shake out the cramps in my hand and go over the footage. The camera records 30 minute chunks of video whenever it detects movement. Most of the videos are of people typing in their pin numbers [upside down]”
  • “The device records sound. At first I thought it was a waste of storage to record this, but after looking at the footage, I realized how helpful the sound is. The beeps correspond to actual keypresses, so you can’t fool the skimmer by pretending to touch multiple keys. Also, the sound of money dispensing means that PIN is valid.”
  • When they tore the device apart, they found a cell phone battery, a control board, and a pinhole camera
  • “Googling the number from the controller board revealed that it is a commercially available board used in spy camera gear. The board was modified to include an external on/off switch, the stronger Samsung battery, and the aforementioned USB connection.”
  • “The overall design choices of the skimmer were actually pretty decent. As mentioned, at first I thought sound recording was a waste, but then found it to be useful for decoding PIN numbers as they are typed. I also initially thought that the cell phone battery was a lazy choice, like they just had one laying around. I have come to believe, however, that this is the best choice for a long-lasting and small-profile power source.”
  • The researcher did not find the actual card skimmer, but suspected that the data was being “network skimmed”
  • Going back a few days later, they found a fresh PIN number camera installed


]]>
Vulkan: The Only Logical API | TTT 204 https://original.jupiterbroadcasting.net/86392/vulkan-the-only-logical-api-ttt-204/ Tue, 11 Aug 2015 10:19:55 +0000 https://original.jupiterbroadcasting.net/?p=86392 Meet Alphabet, the new conglomerate absorbing Google. Then we spend some time celebrating Android’s adoption of Vulkan. Plus Oracle’s security chief demands you stop looking for flaws, veggies in space & more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | […]

The post Vulkan: The Only Logical API | TTT 204 first appeared on Jupiter Broadcasting.

]]>


Meet Alphabet, the new conglomerate absorbing Google. Then we spend some time celebrating Android’s adoption of Vulkan.

Plus Oracle’s security chief demands you stop looking for flaws, veggies in space & more!


]]>
Butterflies & Backronyms | TechSNAP 224 https://original.jupiterbroadcasting.net/85537/butterflies-backronyms-techsnap-224/ Thu, 23 Jul 2015 09:42:38 +0000 https://original.jupiterbroadcasting.net/?p=85537 The Backronym vulnerability hits MySQL right in the SSL protection, we’ll share the details. The hacker group that hit Apple & Microsoft intensifies their attacks & a survey shows many core Linux tools are at risk. Plus some great questions, a rockin’ roundup & much much more! Thanks to: Get Paid to Write for DigitalOcean […]

The post Butterflies & Backronyms | TechSNAP 224 first appeared on Jupiter Broadcasting.

]]>


The Backronym vulnerability hits MySQL right in the SSL protection, we’ll share the details. The hacker group that hit Apple & Microsoft intensifies their attacks & a survey shows many core Linux tools are at risk.

Plus some great questions, a rockin’ roundup & much much more!


— Show Notes: —

Backronym – ssl stripping mysql connections

  • Researchers have identified a serious vulnerability in some versions of MySQL that allows an attacker to strip SSL/TLS connections of their security wrapping transparently.
  • Researchers at Duo Security realized that even when they set the correct option to initiate an SSL connection with the MySQL server, they could not make the client enforce a secure connection.
  • This means that an attacker with a man-in-the-middle position could force an unencrypted connection and passively sniff all of the unencrypted queries from the client to the MySQL database.
  • The vulnerability lies in the behaviour of the ‘--ssl’ client option, which affected versions treat as “advisory”. The option attempts to initiate an SSL/TLS connection to the server but does not actually require one, which allows a MITM attack to transparently “strip” the SSL/TLS protection.
  • The issue affects the ssl client option whether used directly or triggered automatically by the use of other ssl options.
  • The vulnerability affects MySQL 5.7.2 and earlier versions, along with MySQL Connector versions 6.1.2 and earlier, all versions of Percona Server and all versions of MariaDB.
  • The vulnerability is nicknamed BACKRONYM (Bad Authentication Causes Kritical Risk Over Networks Yikes MySQL) by the Duo researchers, who also put up a site that riffs on the recent trend of researchers putting up sites for major vulnerabilities.
  • What does BACKRONYM stand for? Bad Authentication Causes Kritical Risk Over Networks, Yikes MySQL!
  • They say: “We spent countless hours analyzing the BACKRONYM vulnerability to come up with a human-readable description that would convey the underlying root-cause to infosec professionals.”
  • What do I need to do to fix BACKRONYM?
  • Step 1: PANIC! I mean look at that logo – your database is basically exploding!
  • Step 2: Tell all your friends about BACKRONYM. Use your thought leadership talents to write blog post about BACKRONYM to reap sweet Internet karma. Leverage your efforts in responding to BACKRONYM to build political capital with the executives in your organization. Make sure your parents know it’s not safe to shop online until BACKRONYM is eradicated.
  • Step 3: Actually remediate the vulnerability in any of your affected MySQL client-side libraries (also MariaDB and Percona). Unfortunately, there’s no patch backported for MySQL <= 5.7.2. So if you’re on MySQL 5.6 like 99.99% of the Internet is, you’re basically out of luck and have to upgrade to the MySQL 5.7 “preview release” or figure out how to pull in libmysqlclient >= 6.1.3. Backporting security fixes is hard, apparently.
  • Additional Coverage: New PHP release to fix backronym flaw
  • The BACKRONYM Vulnerability
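
The difference between an advisory and an enforced TLS option comes down to what the client does when the server greeting does not offer TLS. The following is an added example, not code from MySQL, Duo or the show notes: it parses a MySQL HandshakeV10 greeting and applies both policies. The function names, the mode strings "preferred" and "required", and the greeting bytes are assumptions constructed for illustration.

```python
import struct

# Capability bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800   # greeting advertises that TLS can be negotiated


def build_greeting(capabilities, version=b"5.6.0-constructed"):
    """Build a simplified, constructed HandshakeV10 packet as test input."""
    payload = (
        b"\x0a" + version + b"\x00"                # protocol 10, server version
        + struct.pack("<I", 1)                     # connection id
        + b"ABCDEFGH" + b"\x00"                    # auth data part 1 + filler
        + struct.pack("<H", capabilities & 0xFFFF) # capability flags, low 16
        + b"\x21"                                  # character set
        + struct.pack("<H", 0x0002)                # status flags
        + struct.pack("<H", capabilities >> 16)    # capability flags, high 16
        + b"\x00" + b"\x00" * 10                   # auth data length, reserved
    )
    # Packet header: 3-byte little-endian length, 1-byte sequence id.
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def parse_greeting(packet):
    """Return (server_version, capability_flags) from a HandshakeV10 packet."""
    if len(packet) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length or not payload or payload[0] != 0x0A:
        raise ValueError("not a complete HandshakeV10 packet")
    end = payload.index(b"\x00", 1)     # ValueError if version is unterminated
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1           # skip connection id, auth data, filler
    if len(payload) < pos + 2:
        raise ValueError("greeting too short for capability flags")
    caps = struct.unpack_from("<H", payload, pos)[0]
    if len(payload) >= pos + 7:         # charset(1) + status(2) + high caps(2)
        caps |= struct.unpack_from("<H", payload, pos + 5)[0] << 16
    return version, caps


def negotiate(packet, tls_mode):
    """Decide the transport for this connection.

    tls_mode="preferred" models the advisory behaviour described above:
    use TLS if offered, otherwise carry on in plaintext.
    tls_mode="required" fails closed when TLS is not offered.
    """
    if tls_mode not in ("preferred", "required"):
        raise ValueError("unknown tls_mode")
    _version, caps = parse_greeting(packet)
    if caps & CLIENT_SSL:
        return "tls"
    if tls_mode == "required":
        raise ConnectionAbortedError("server greeting does not offer TLS")
    return "plaintext"


if __name__ == "__main__":
    offered = build_greeting(CLIENT_PROTOCOL_41 | CLIENT_SSL)
    not_offered = build_greeting(CLIENT_PROTOCOL_41)
    print(negotiate(offered, "preferred"))       # tls
    print(negotiate(not_offered, "preferred"))   # plaintext, with no error
    try:
        negotiate(not_offered, "required")
    except ConnectionAbortedError as exc:
        print("aborted:", exc)
```

Only the "required" policy turns a greeting without the TLS capability into a visible connection failure; the advisory policy sends credentials and queries in the clear without telling the caller.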

Hacker Group That Hit Twitter, Facebook, Apple and Microsoft Intensifies Attacks

  • The hacker group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.
  • After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity.
  • Symantec has named the group behind the attacks “Butterfly”.
  • Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.
  • The first signs of Butterfly’s activities emerged in early 2013 when several major technology and internet firms were compromised. Twitter, Facebook, Apple and Microsoft disclosed that they had been compromised by very similar attacks. This was done by compromising a website used by mobile developers (that we covered before on the show) using a Java zero-day exploit to infect them with malware.
  • The malware used in these attacks was a Mac OS X back door known as OSX.Pintsized. Subsequent analysis by security researcher Eric Romang identified a Windows back door, Backdoor.Jiripbot, which was also used in the attacks.
  • Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly.
  • Butterfly has also shown an interest in the commodities sector, attacking two major companies involved in gold and oil in late 2014. In addition to this, the Central Asian offices of a global law firm were compromised in June 2015. The company specializes in finance and natural resources specific to that region. The latter was one of at least three law firms the group has targeted over the past three years.
  • Butterfly has also developed a number of its own hacking tools. Hacktool.Securetunnel is a modified version of OpenSSH which contains additional code to pass a command-and-control (C&C) server address and port to a compromised computer.
  • Hacktool.Bannerjack is meanwhile used to retrieve default messages issued by Telnet, HTTP, and generic Transmission Control Protocol (TCP) servers. Symantec believes it is used to locate any potentially vulnerable servers on the local network, likely including printers, routers, HTTP servers, and any other generic TCP server.
  • The group uses Hacktool.Eventlog to parse event logs, dumping out ones of interest, and delete entries. It also kills processes and performs a secure self-delete. Hacktool.Proxy.A is used to create a proxy connection that allows attackers to route traffic through an intermediary node, onto their destination node.
  • Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Butterfly is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading us to believe that Butterfly is unaffiliated to any nation state.
  • Links:
  • Butterfly: Profiting from high-level corporate attacks | Symantec Connect Community
  • Hacktool.Securetunnel | Symantec
  • Wild Neutron – Economic espionage threat actor returns with new tricks – Securelist

Core Linux tools top list of most at-risk software

  • The CII (Core Infrastructure Initiative), a Linux Foundation effort assembled in the wake of the Heartbleed fiasco to provide development support for key Internet protocols, has opened the doors on its Census Project — an effort to figure out what projects need support now, instead of waiting for them to break.
  • The Census, with both its code and results available on GitHub, assembles metrics about open source projects found in Debian Linux’s package list and on openhub.net, then scores them based on the amount of risk each presents.
  • A copy of the census data downloaded from GitHub on Friday morning showed 395 projects in the census, with the top-listed projects to be core Linux utilities. Ftp, netcat-traditional, tcpd, and whois all scored 11 out of a possible 15.
  • High scores in the survey, said the CII in its page on the project, don’t mean a given program should be ditched, or that it’s to be presumed vulnerable. Rather, it means “the project may not be getting the attention that it deserves and that it merits further investigation.”
  • Apache’s HTTP Web server, a large and “vitally important” project with many vulnerabilities tracked over the years, ranked as an 8 in part because “there’s already large development & review team in place.”
  • Busybox, a project found in many embedded Linux applications that has been implicated before with security concerns, ranked even lower, at 6.
  • One of the tricky issues that bubbles up is the complication posed by dependencies between projects. For the libaprutil1-ldap project (with a score of 8), the notes indicate that “the general Apache Portable Runtime (APR) appears to be actively maintained. However, it’s not as clear that the LDAP library in it is as actively managed.” Likewise, anything that uses the Kerberos authentication system — recently implicated in a security issue — typically has “Kerberos” in the notes.
  • linuxfoundation/cii-census · GitHub


]]>
Disjunctive Normal Fedora | LINUX Unplugged 95 https://original.jupiterbroadcasting.net/83062/disjunctive-normal-fedora-lup-95/ Mon, 01 Jun 2015 16:07:42 +0000 https://original.jupiterbroadcasting.net/?p=83062 A follow up on our Fedora 22 review, including a few areas we missed. How Google’s Cardboard could kickstart open source VR & new features coming to Gnome 3.18. Plus our take on the state of openSUSE, why 2015 might really be the year of the Linux Laptop & much, much more! Thanks to: Get […]

The post Disjunctive Normal Fedora | LINUX Unplugged 95 first appeared on Jupiter Broadcasting.

]]>


A follow up on our Fedora 22 review, including a few areas we missed. How Google’s Cardboard could kickstart open source VR & new features coming to Gnome 3.18.

Plus our take on the state of openSUSE, why 2015 might really be the year of the Linux Laptop & much, much more!


Show Notes:

Pre-Show:

Catch Up:

Google crafts new Cardboard virtual reality headset – CNET

Google on Thursday detailed its newest virtual reality device, the second-generation Cardboard. The new version is an even simpler product than the initial device, taking only three steps to construct instead of 12, and it also fits larger phone sizes, including screens up to 6 inches.

Unlike virtual reality rivals that have created systems that cost hundreds of dollars, Google has been pushing an inexpensive product that essentially anyone could afford and build, opening up VR to a broader group of consumers.

The second-generation Cardboard also includes a change in a button to cardboard from the first generation’s magnet to make input functions work with all devices. It went on sale Thursday with partners, and Google will hand out the device to everyone at its I/O developer conference — where the product was unveiled — said Clay Bavor, vice president of product management.

Dell Is Telling Customers to Try a New OS, Ubuntu – Softpedia

“Canonical and Dell have teamed up to offer an extensive range of desktop, notebook and server configurations, certified and suitable for home use, business use or software development. Dell and Canonical engineers collaborate every day to certify Dell hardware on Ubuntu, to a level that customers can rely on. Dell and Canonical also work together to bring cloud infrastructure solutions to market, based on OpenStack and the Dell & Ubuntu reference architecture,” reads the official Dell website.



Feedback:

https://slexy.org/view/s2hYOPLleM
https://slexy.org/view/s21oGC9oJ6
https://slexy.org/view/s20ZlWB5bH



Nautilus (Files) File Manager to Get a Major Update for GNOME 3.18

Looking at the changelog, we can notice a fix for some window focus issues that occurred when starting the file manager, a fix for the handling of the command-line options in certain cases, as well as the addition of a public API (Application Programming Interface) documentation for developers who want to create Nautilus extensions.


Fedora 22 Review Follow Up

We’ve come to the conclusion that the current design is unsupportable,
mostly due to upgrade.img, which turns out to cause more problems than
it solves.

So! For F23, fedup needs to be redesigned. Here’s how it should work:
1) Download packages for the new system
2) Use the systemd Offline Updates facility to install packages

This is really simple – simple enough that it should probably be
provided by the system packaging tools themselves.
As a proof-of-concept, I’ve implemented it as a DNF plugin, which you
can see here: https://github.com/wgwoods/dnf-plugin-fedup

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.


]]>
SMBTrapped in Microsoft | TechSNAP 210 https://original.jupiterbroadcasting.net/80632/smbtrapped-in-microsoft-techsnap-210/ Thu, 16 Apr 2015 19:01:23 +0000 https://original.jupiterbroadcasting.net/?p=80632 Researchers find an 18 year old bug in Windows that’s rather nasty, we’ve got the details. A new perspective on the bug bounty arms race & the security impact of Wifi on a plane. Plus great feedback, a bursting round up & much much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: […]

The post SMBTrapped in Microsoft | TechSNAP 210 first appeared on Jupiter Broadcasting.

]]>


Researchers find an 18-year-old bug in Windows that’s rather nasty; we’ve got the details. A new perspective on the bug bounty arms race & the security impact of Wi-Fi on a plane.

Plus great feedback, a bursting round up & much much more!


— Show Notes: —

Cylance finds “SPEAR” a new spin on an 18 year old Windows vulnerability

  • In 1997 Aaron Spangler discovered a flaw in Windows
  • If a user could be made to navigate to a file://1.2.3.4/ URL in Internet Explorer, the user’s Windows credentials would be sent to the remote server in an attempt to log in to it
  • “Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password”
  • “It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network.”
  • “Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability”
  • “Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic.”
  • “Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools.”
  • “While the user credentials sent over SMB are commonly encrypted, the encryption method used was devised in 1998 and is weak by today’s standards. A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers. With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day.”
  • “Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability. The simplest workaround is to block outbound traffic from TCP 139 and TCP 445 — either at the endpoint firewall or at the network gateway’s firewall (assuming you are on a trusted network). The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network. See the white paper for other mitigation steps.”
  • “Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.”
  • Cylance Whitepaper (PDF)
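
A defender-side check for the two things this segment describes, as an added example (not code from Cylance or from the show): it flags outbound TCP 139/445 flows that leave the network, which is what the gateway workaround would block, and HTTP redirects whose Location points at a file:// host or UNC path. The flow-log format, the use of RFC 1918 ranges as "inside the network", and all function names are assumptions; the log lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: RFC 1918 space stands in for "inside the network".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}  # the two TCP ports named in the workaround

# Constructed flow records: timestamp, protocol, source, destination, dest port.
SAMPLE_FLOWS = [
    "2015-04-16T10:00:01Z TCP 192.168.1.23 192.168.1.5 445",   # internal file server
    "2015-04-16T10:00:07Z TCP 192.168.1.23 203.0.113.10 445",  # SMB leaving the network
    "2015-04-16T10:00:09Z TCP 192.168.1.40 198.51.100.7 443",  # ordinary HTTPS
    "2015-04-16T10:00:12Z TCP 10.2.0.8 203.0.113.10 139",      # NetBIOS session, external
    "2015-04-16T10:00:15Z UDP 10.2.0.8 203.0.113.10 445",      # not TCP, ignored
    "truncated line",                                          # malformed, ignored
]


def inside(addr):
    """True when an ip_address object falls in one of INTERNAL_NETS."""
    return any(addr in net for net in INTERNAL_NETS)


def external_smb_flows(flow_lines):
    """Return (src, dst, port) for TCP 139/445 flows from inside to outside."""
    hits = []
    for line in flow_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of guessing
        _ts, proto, src, dst, dport = fields
        if proto.upper() != "TCP" or not dport.isdigit():
            continue
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if int(dport) in SMB_PORTS and inside(src_ip) and not inside(dst_ip):
            hits.append((src, dst, int(dport)))
    return hits


def redirects_to_smb(status, location):
    """True for a 3xx response whose Location names a remote file:// host or UNC path."""
    if not 300 <= status < 400 or not location:
        return False
    loc = location.strip()
    if loc.startswith("\\\\"):  # UNC form: \\host\share
        return True
    try:
        parts = urlsplit(loc)
    except ValueError:
        return False
    # file:///C:/... has an empty host and stays on the local machine.
    return parts.scheme == "file" and parts.netloc not in ("", "localhost")


if __name__ == "__main__":
    for src, dst, port in external_smb_flows(SAMPLE_FLOWS):
        print(f"outbound SMB: {src} -> {dst}:{port}")
    print(redirects_to_smb(302, "file://1.2.3.4/share"))
```
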

Given enough money, all bugs are shallow

  • Eric Raymond, in The Cathedral and the Bazaar, famously wrote: “Given enough eyeballs, all bugs are shallow.”
  • “The idea is that open source software, by virtue of allowing anyone and everyone to view the source code, is inherently less buggy than closed source software. He dubbed this “Linus’s Law”.”
  • “However, the Heartbleed SSL vulnerability was a turning point for Linus’s Law, a catastrophic exploit based on a severe bug in open source software. How catastrophic? It affected about 18% of all the HTTPS websites in the world, and allowed attackers to view all traffic to these websites, unencrypted… for two years.”
  • “OpenSSL, the library with this bug, is one of the most critical bits of Internet infrastructure the world has – relied on by major companies to encrypt the private information of their customers as it travels across the Internet. OpenSSL was used on millions of servers and devices to protect the kind of important stuff you want encrypted, and hidden away from prying eyes, like passwords, bank accounts, and credit card information.”
  • “This should be some of the most well-reviewed code in the world. What happened to our eyeballs, man?”
  • “In reality, it’s generally very, very difficult to fix real bugs in anything but the most trivial Open Source software. I know that I have rarely done it, and I am an experienced developer. Most of the time, what really happens is that you tell the actual programmer about the problem and wait and see if he/she fixes it”
  • “Even if a brave hacker communities to read the code, they’re not terribly likely to spot one of the hard-to-spot problems. Why? Few open source hackers are security experts”
  • “There’s a big difference between usage eyeballs and development eyeballs.”
  • “Most eyeballs are looking at the outside of the code, not the inside. And while you can discover bugs, even important security bugs, through usage, the hairiest security bugs require inside knowledge of how the code works.”
  • Peer reviewing code is a lot harder than writing code.
  • “The amount of code being churned out today – even if you assume only a small fraction of it is “important” enough to require serious review – far outstrips the number of eyeballs available to look at the code”
  • “There are not enough qualified eyeballs to look at the code. Sure, the overall number of programmers is slowly growing, but what percent of those programmers are skilled enough, and have the right security background, to be able to audit someone else’s code effectively? A tiny fraction”
  • “But what’s the long term answer to the general problem of not enough eyeballs on open source code? It’s something that will sound very familiar to you, though I suspect Eric Raymond won’t be too happy about it.”
  • “Money. Lots and lots of money.”
  • “Increasingly, companies are turning to commercial bug bounty programs. Either ones they create themselves, or run through third party services like Bugcrowd, Synack, HackerOne, and Crowdcurity. This means you pay per bug, with a larger payout the bigger and badder the bug is.”
  • However, adding more money to the equation might actually make things worse
  • “There’s now a price associated with exploits, and the deeper the exploit and the lesser known it is, the more incentive there is to not tell anyone about it until you can collect a major payout. So you might wait up to a year to report anything, and meanwhile this security bug is out there in the wild – who knows who else might have discovered it by then?”
  • “If your focus is the payout, who is paying more? The good guys, or the bad guys? Should you hold out longer for a bigger payday, or build the exploit up into something even larger? I hope for our sake the good guys have the deeper pockets, otherwise we are all screwed.”
  • I like that Google addressed a few of these concerns by making Pwnium, their Chrome specific variant of Pwn2Own, a) no longer a yearly event but all day, every day and b) increasing the prize money to “infinite”. I don’t know if that’s enough, but it’s certainly going in the right direction.
  • “Money turns security into a “me” goal instead of an “us” goal”
  • “Am I now obligated, on top of providing a completely free open source project to the world, to pay people for contributing information about security bugs that make this open source project better? Believe me, I was very appreciative of the security bug reporting, and I sent them whatever I could, stickers, t-shirts, effusive thank you emails, callouts in the code and checkins. But open source isn’t supposed to be about the money… is it?”
  • “Easy money attracts all skill levels — The submitter doesn’t understand what is and isn’t an exploit, but knows there is value in anything resembling an exploit, so submits everything they can find.”
  • “But I have some advice for bug bounty programs, too”:
  • “You should have someone vetting these bug reports, and making sure they are credible, have clear reproduction steps, and are repeatable, before we ever see them.”
  • “You should build additional incentives in your community for some kind of collaborative work towards bigger, better exploits. These researchers need to be working together in public, not in secret against each other”.
  • “You should have a reputation system that builds up so that only the better, proven contributors are making it through and submitting reports”.
  • “Encourage larger orgs to fund bug bounties for common open source projects, not just their own closed source apps and websites. At Stack Exchange, we donated to open source projects we used every year. Donating a bug bounty could be a big bump in eyeballs on that code.”

FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen

  • The Federal Aviation Administration (FAA) faces cybersecurity challenges in at least three areas:
  • (1) protecting air-traffic control (ATC) information systems,
  • (2) protecting aircraft avionics used to operate and guide aircraft
  • (3) clarifying cybersecurity roles and responsibilities among multiple FAA offices
  • “FAA has taken steps to protect its ATC systems from cyber-based threats; however, significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace systems”
  • “Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems. As part of the aircraft certification process, FAA’s Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.”
  • “FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems. According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors. FAA officials and cybersecurity and aviation experts we spoke to said that increasingly passengers in the cabin can access the Internet via onboard wireless broadband systems.”
  • “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin. The presence of personal smartphones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems”
  • One would hope that the cockpit avionics are separated from the onboard entertainment and wifi systems by more than just a firewall. Even if they are not, a properly configured firewall is very difficult to compromise.
  • Additional Coverage – BatBlue
  • It seems that the authors of this report were not experts on the subject, and when interviewing experts on the topic, they asked questions like “is there any way to get around a firewall”

Feedback:


Round Up:


The post SMBTrapped in Microsoft | TechSNAP 210 first appeared on Jupiter Broadcasting.

]]>
Predicting 2015 | LINUX Unplugged 73 https://original.jupiterbroadcasting.net/74612/predicting-2015-lup-73/ Tue, 30 Dec 2014 19:09:35 +0000 https://original.jupiterbroadcasting.net/?p=74612 Our bold predictions for Linux & open source over 2015. Thought provoking, sometimes a bit inspired or maybe just plain wrong, this edition of Unplugged promises to entertain. Plus what goes into making a great & secure messaging system & more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: MP3 Audio | OGG […]

The post Predicting 2015 | LINUX Unplugged 73 first appeared on Jupiter Broadcasting.

]]>


Our bold predictions for Linux & open source over 2015. Thought provoking, sometimes a bit inspired or maybe just plain wrong, this edition of Unplugged promises to entertain.

Plus what goes into making a great & secure messaging system & more!


Show Notes:

Pre-Show:

FU:

Telegram

Being good at going full Salesman on things comes with a certain responsibility if you care about your audience. Touting the security of Telegram should be avoided. By all means, use it if it fits your needs but please don’t portray Telegram as something vetted and secure, that’s doing the audience a disservice.

Only half of the equation (the client) is open source and the protocol is full of weirdness and outright flaws. I believe their crypto contest charade was even featured and scoffed at on one of the network’s channels a while ago.

Its encryption score in the following table should be taken with a grain of salt since it’s vulnerable to ‘hostile server’ attacks, which are sadly just a subpoena away:

https://www.eff.org/secure-messaging-scorecard

Why isn’t Debian as popular as Ubuntu on LAS

I have been loving LAS for some time now, but it always bothers me that Debian (the mother of so many great Linux distros) isn’t discussed as a primary Linux distro option as Arch/OpenSUSE/Ubuntu and so on. What is the deal with that? // Thanks for a great year, keep up the good work LAS!


2015 VLUG Linux Predictions

  • HighDPI
  • Security? Audits? Shellshock 2.0?
  • Elementary OS Fork
  • The first batch of Steam Machines reach the general public?
  • Ubuntu Touch?
  • Firefox OS?

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)


Post-Show

The post Predicting 2015 | LINUX Unplugged 73 first appeared on Jupiter Broadcasting.

]]>
Project Zero Goes To War | TechSNAP 177 https://original.jupiterbroadcasting.net/65572/project-zero-goes-to-war-techsnap-177/ Thu, 28 Aug 2014 19:01:59 +0000 https://original.jupiterbroadcasting.net/?p=65572 Pre-crime is here, with technology that lets you predict a hack before it happens. We’ll tell you how. Google’s Project Zero goes to war, we get real about virtualization. And then it’s a great batch of your questions, our answers & much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio […]

The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.

]]>


Pre-crime is here, with technology that lets you predict a hack before it happens. We’ll tell you how. Google’s Project Zero goes to war, we get real about virtualization.

And then it’s a great batch of your questions, our answers & much more!


— Show Notes: —

Predicting which sites will get hacked, before it happens

  • Researchers from Carnegie Mellon University have developed a tool that can help predict if a website is likely to become compromised or malicious in the future
  • Using the Archive.org “Wayback Machine” they looked at websites before they were hacked, and tried to identify trends and other information that may be predictors
  • “The classifier correctly predicted 66 percent of future hacks in a one-year period with a false positive rate of 17 percent”
  • “The classifier is focused on Web server malware or, put more simply, the hacking and hijacking of a website that is then used to attack all its visitors”
  • The tool looks at the server software; outdated versions of Apache and PHP can be good indicators of future vulnerabilities
  • It also looks at how the website is laid out, how often it is updated, and what applications it runs (outdated WordPress is a good hacking target)
  • It also compares sites to others that have been compromised. If a site is very similar to another, and that other site was compromised, there is an increased probability that the first site will also be compromised
  • The classifier looks at many other factors as well: “For instance, if a certain website suddenly sees a change in popularity, it could mean that it became used as part of a [malicious] redirection campaign,”
  • The most common marker for a hackable website: The presence of the ‘generator’ meta tag with a value of ‘Wordpress 3.2.1’ or ‘Wordpress 3.3.1’
  • Research PDF from USENIX
  • There are tools, like those from Norse, that analyze network traffic and attempt to detect new 0-day exploits before they are known

Google’s Project Zero exploits the unexploitable bug

  • Well over a month ago Google’s Project Zero reported a bug in glibc; however, there was much skepticism about the exploitability of the bug, so it was not fixed
  • However, this week the Google researchers were able to create a working exploit for the bug, including an ASLR bypass for 32-bit OSes
  • The blog post details the process the Project Zero team went through to develop the exploit and gain root privileges
  • The blog post also details an interesting (accidental) mitigation found in Ubuntu, which caused the researchers to target Fedora instead to more easily develop the exploit
  • The blog also discusses a workaround for other issues they ran into. Once they had exploited the set-uid binary, they found that running system("/bin/bash") started the shell with their original privileges, rather than as root. Instead, they called chroot() on a directory they had set up to contain their own /bin/sh that calls setuid(0) and then executes a real shell as the system root user.
  • The path they used to get a root shell relies on a memory leak in the setuid binary pkexec, which they recommend be fixed as well as the original glibc bug
  • “The ability to lower ASLR strength by running setuid binaries with carefully chosen ulimits is unwanted behavior. Ideally, setuid programs would not be subject to attacker-chosen ulimit values”
  • “The exploit would have been complicated significantly if the malloc main linked listed hardening was also applied to the secondary linked list for large chunks”
  • The glibc bug has since been fixed

Secret Service warns over 1000 businesses hit by Backoff Point-of-Sales terminal malware

  • The Secret Service and DHS have released an advisory warning businesses about the POS (Point-of-Sales terminal) malware that has been going around for a while
  • Advisory
  • “The Department of Homeland Security (DHS) encourages organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections. One particular family of malware, which was detected in October 2013 and was not recognized by antivirus software solutions until August 2014, has likely infected many victims who are unaware that they have been compromised”
  • “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected”
  • “Backoff has experts concerned because it’s effective in swiping customer credit card data from businesses using a variety of exfiltration tools, including memory, or RAM scraping, techniques, keyloggers and injections into running processes”
  • “A report from US-CERT said attackers use Backoff to steal payment card information once they’ve breached a remote desktop or administration application, especially ones that are using weak or default credentials”
  • “Backoff is then installed on a point-of-sale device and injects code into the explorer.exe process that scrapes memory from running processes in order to steal credit card numbers before they’re encrypted on the device and sent to a payment processor.”
  • “Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,”
  • US-CERT Advisory
  • Krebs reports that Dairy Queen may also be a victim of this attack
  • “Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters”

Feedback:


Round Up:

The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.

]]>
What’s in Your Cache | TechSNAP 115 https://original.jupiterbroadcasting.net/39177/whats-in-your-cache-techsnap-115/ Thu, 20 Jun 2013 16:31:02 +0000 https://original.jupiterbroadcasting.net/?p=39177 New research reveals your browser cache contains a lot more than you might expect, and we’ve got the details on some security issues WordPress doesn’t have a fix for...

The post What’s in Your Cache | TechSNAP 115 first appeared on Jupiter Broadcasting.

]]>


New research reveals your browser cache contains a lot more than you might expect, and we’ve got the details on some security issues WordPress doesn’t have a fix for…

Plus: We’ll answer your questions, chat about rolling your own email server, and much much more!

On this week’s TechSNAP


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension: