zero-day – Jupiter Broadcasting
Open Source Entertainment, on Demand. Mon, 24 Jun 2019 01:28:04 +0000

SACK Attack | TechSNAP 406
https://original.jupiterbroadcasting.net/132271/sack-attack-techsnap-406/
Sun, 23 Jun 2019 17:28:04 +0000

Show Notes: techsnap.systems/406

Here Comes Cloud DNS | TechSNAP 381
https://original.jupiterbroadcasting.net/126906/here-comes-cloud-dns-techsnap-381/
Thu, 30 Aug 2018 07:51:17 +0000

Show Notes: techsnap.systems/381

That one time in NYC | User Error 28
https://original.jupiterbroadcasting.net/118661/that-one-time-in-nyc-user-error-28/
Sat, 30 Sep 2017 22:34:59 +0000

Links:

  • Ubuntu Rally in NYC | Ubuntu Insights
  • 1289 – Broadcom: OOB write when handling 802.11k Neighbor Report Response – project-zero – Monorail
  • Remote Wi-Fi Attack Backdoors iPhone 7 | Threatpost | The first stop for security news
  • Security Alert: […]

Vault 7 Unlocked | Unfilter 228
https://original.jupiterbroadcasting.net/107436/vault-7-unlocked-unfilter-228/
Thu, 09 Mar 2017 02:42:38 +0000

Show Notes – Links:

  • Sessions met with top Russian official twice – CNNPolitics.com
  • Obama administration reportedly raced to preserve intelligence on possible contact between Russians and Trump associates | Fox […]

State Sponsored Audiophiles | TechSNAP 307
https://original.jupiterbroadcasting.net/107016/state-sponsored-audiophiles-techsnap-307/
Tue, 21 Feb 2017 21:41:43 +0000

Show Notes:

Trend Micro’s Own Cybersecurity Blog Gets Hacked

  • We covered the WordPress bug in TechSNAP 306
  • See also Security Firm Trend Micro’s Blog Falls Victim To Content Spoofing Attack (https://www.silicon.co.uk/security/trendmicro-blog-security-205197)
  • and WordPress Quietly Fixes Zero-Day Flaw Tom
  • WordPress was alerted to the flaw on 20 January
  • WordPress officially released WordPress 4.7.2 to the world on Thursday 26 January.
    • “The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.”
  • Dan confirms the above upgrade timeline; his WordPress sites were updated on 26 January, between 2:30 and 3:30 EST
  • Researcher’s Feb 1 blog post with details
  • WordPress’ Feb 1 10:59 AM blog post
  • NOTE: Virally growing attacks on unpatched WordPress sites affect ~2m pages
  • Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours.
  • Google trend chart

Hackers who took control of PC microphones siphon >600 GB from 70 targets

  • Real information in the blog post
  • Suggestions: put such devices on their own VLAN, but I’m not sure how their connections work
  • Large-scale ~= 70 organisations
  • Most of the targets are located in the Ukraine, but there are also targets in Russia and a smaller number of targets in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organizations by the Ukrainian government.

Curl Sleeper Agent | TechSNAP 266
https://original.jupiterbroadcasting.net/99721/curl-sleeper-agent-techsnap-266/
Thu, 12 May 2016 19:37:51 +0000

Zero-day exploits striking over 100 systems, if you think copying links to bash scripts from the internet is okay, maybe you shouldn’t be root & the day Google automated itself off the internet.

Plus your questions, our answers, a huge round up & more!

Thanks to: DigitalOcean, Ting, iXsystems
Show Notes:

Zero-day exploits against Microsoft used against PoS systems of over 100 companies

  • “More than 100 North American companies were attacked by crooks exploiting a Windows zero day vulnerability. The attacks began in early March and involved the zero day vulnerability CVE-2016-0167 reported and partially fixed in April’s Patch Tuesday security bulletins by Microsoft. The zero day was found by researchers at FireEye, who on Tuesday disclosed details.”
  • “The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability””
  • “FireEye said the flaw is a local elevation of privilege flaw in the win32k Windows Graphics subsystem. Attackers are able to exploit the flaw once they are able to remotely execute code on the targeted PC. Microsoft patched the vulnerability on April 12 and released a subsequent update (MS16-062) this week”
  • “In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and executed a malicious downloader that we refer to as PUNCHBUGGY.”
  • “PUNCHBUGGY is a dynamic-link library (DLL) downloader, existing in both 32-bit and 64-bit versions, that can obtain additional code over HTTPS. This downloader was used by the threat actor to interact with compromised systems and move laterally across victim environments.”
  • “In some victim environments, the threat actor exploited a previously unknown elevation of privilege (EoP) vulnerability in Microsoft Windows to selectively gain SYSTEM privileges on a limited number of compromised machines”
  • “This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of an EoP exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication”
  • “Security experts say, as more U.S. companies snuff out point of sale malware by deploying chip-and-PIN bank card technology, attackers are rushing to exploit existing magnetic strip card systems still vulnerable to malware. FireEye, for example, reported last month that a group of hackers that go by the name Bears Inc. are behind the latest barrage of attacks with a custom-built point of sale malware called Treasurehunt. This latest zero day vulnerability follows the same trend.”
  • I would argue that chip-and-PIN does not make the PoS terminal any less vulnerable to malware
  • While it does make it harder to clone cards, I think it should not be viewed as a solution to malware
  • FireEye Report

If you think doing curl|bash is ok, you shouldn’t have root

  • “Installing software by piping from curl to bash is obviously a bad idea and a knowledgeable user will most likely check the content first. So wouldn’t it be great if a malicious payload would only render when piped to bash?”
  • So, we all know it is bad, but some people do it anyway. They tell themselves it is alright because they check the contents of the script before they run it
  • That only works if what you end up downloading is the same as what you actually reviewed
  • “Luckily the behaviour of curl (and wget) changes subtly when piped into bash. This allows an attacker to present two different versions of their script depending on the context :)”
  • “It’s not that the HTTP requests from curl when piped to bash look any different than those piped to stdout, in fact for all intents and purposes they are identical”
  • “Execution in bash is performed line by line and so the speed that bash can ingest data is limited by the speed of execution of the script. This means if we return a sleep at the start of our script the TCP send stream will pause while we wait for the sleep to execute. This pause can be detected and used to render different content streams.”
  • “Unfortunately it’s not just a simple case of wrapping a socket.send(“sleep 10”) in a timer and waiting for a send call to block. The send and receive TCP streams in linux are buffered on a per socket basis, so we have to fill up these buffers before the call to send data will block. We know the buffer is full when the receiving client replies to a packet with the Window Size flag set to 0”
  • “The only character you can really use to fill the buffer is a null byte as it won’t render in most consoles. It also won’t render in chrome when the charset text/html is specified. As we don’t know the content-length data is transferred with chunked encoding with each chunk being a string of null bytes same size as the TCP send buffer.”
  • So, the attacker sends chunks of null bytes until all of the buffers on the client side are full, because bash is sleeping and not reading any more data yet
  • So the attacker just has to see if you are piping the content to bash, or to your terminal or browser. Only in the case of bash do they send the “payload”
  • There is a nice demo included in the article
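The defence against the trick described in these notes is to take the network out of the decision: what you reviewed and what you execute must be the same bytes. The following is an added example, not code from the show notes or from the article they quote. It assumes a hash of the installer obtained out of band (a release page or signed checksum file; the `demo()` function constructs its own sample script and pins that script's hash in place of a real one) and that a POSIX `sh` is available to run the script.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large installers are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_then_run(path, expected_sha256, interpreter="sh", run=True):
    """Execute `path` with `interpreter` only if its SHA-256 matches.

    Returns (ok, detail): on a mismatch nothing is executed and detail names
    both hashes; on a match detail is the interpreter's exit code, or None
    when run=False (a 'verify only' step before you open the file to review it).
    """
    actual = sha256_of(path)
    if actual != expected_sha256.strip().lower():
        return False, f"hash mismatch: got {actual}, expected {expected_sha256}"
    if not run:
        return True, None
    # The bytes that were hashed are the bytes that run: the file is already
    # on disk, so a server cannot swap content between review and execution.
    completed = subprocess.run([interpreter, str(path)], check=False)
    return True, completed.returncode


def demo():
    """Constructed walk-through: a sample installer is written to a temp
    directory, verified against its pinned hash and run; then its content is
    changed and the same pinned hash refuses to run it."""
    script = Path(tempfile.mkdtemp()) / "install.sh"
    script.write_text("echo 'sample installer running'\nexit 0\n")
    pinned = sha256_of(script)            # stands in for a hash obtained out of band
    first = verify_then_run(script, pinned)
    script.write_text("echo 'not the bytes you reviewed'\nexit 0\n")
    second = verify_then_run(script, pinned)
    return {"path": script, "pinned": pinned, "first": first, "second": second}


if __name__ == "__main__":
    # Typical use: `curl -fsSL -o install.sh <URL>` (to a file, never into a
    # shell), then verify_then_run("install.sh", "<sha256 from the release page>").
    print(demo())
```

The hash has to come from somewhere other than the same unauthenticated download, or it proves nothing; a signed checksum file or a hash published alongside a release is the usual source. Downloading to a file first also removes the timing side channel entirely, because nothing on the client is sleeping while the transfer is in flight.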

Post Mortem: When google automated itself off the internet

  • “On Monday, 11 April, 2016, Google Compute Engine instances in all regions lost external connectivity for a total of 18 minutes, from 19:09 to 19:27 Pacific Time.”
  • This is the story of how automation knocked all of GCE off of the internet
  • “Google uses contiguous groups of internet addresses — known as IP blocks — for Google Compute Engine VMs, network load balancers, Cloud VPNs, and other services which need to communicate with users and systems outside of Google. These IP blocks are announced to the rest of the internet via the industry-standard BGP protocol, and it is these announcements which allow systems outside of Google’s network to ‘find’ GCP services regardless of which network they are on.”
  • “To maximize service performance, Google’s networking systems announce the same IP blocks from several different locations in our network, so that users can take the shortest available path through the internet to reach their Google service. This approach also enhances reliability; if a user is unable to reach one location announcing an IP block due to an internet failure between the user and Google, this approach will send the user to the next-closest point of announcement. This is part of the internet’s fabled ability to ‘route around’ problems, and it masks or avoids numerous localized outages every week as individual systems in the internet have temporary problems.”
  • Also known as “anycast”
  • “At 14:50 Pacific Time on April 11th, our engineers removed an unused GCE IP block from our network configuration, and instructed Google’s automated systems to propagate the new configuration across our network. By itself, this sort of change was harmless and had been performed previously without incident. However, on this occasion our network configuration management software detected an inconsistency in the newly supplied configuration. The inconsistency was triggered by a timing quirk in the IP block removal – the IP block had been removed from one configuration file, but this change had not yet propagated to a second configuration file also used in network configuration management. In attempting to resolve this inconsistency the network management software is designed to ‘fail safe’ and revert to its current configuration rather than proceeding with the new configuration. However, in this instance a previously-unseen software bug was triggered, and instead of retaining the previous known good configuration, the management software instead removed all GCE IP blocks from the new configuration and began to push this new, incomplete configuration to the network.”
  • “One of our core principles at Google is ‘defense in depth’, and Google’s networking systems have a number of safeguards to prevent them from propagating incorrect or invalid configurations in the event of an upstream failure or bug. These safeguards include a canary step where the configuration is deployed at a single site and that site is verified to still be working correctly, and a progressive rollout which makes changes to only a fraction of sites at a time, so that a novel failure can be caught at an early stage before it becomes widespread. In this event, the canary step correctly identified that the new configuration was unsafe. Crucially however, a second software bug in the management software did not propagate the canary step’s conclusion back to the push process, and thus the push system concluded that the new configuration was valid and began its progressive rollout.”
  • So, the automation software detected that the new configuration was bad, but, ignored this signal and went ahead anyway
  • “As the rollout progressed, those sites which had been announcing GCE IP blocks ceased to do so when they received the new configuration. The fault tolerance built into our network design worked correctly and sent GCE traffic to the remaining sites which were still announcing GCE IP blocks.”
  • “With no sites left announcing GCE IP blocks, inbound traffic from the internet to GCE dropped quickly, reaching >95% loss by 19:09. Internal monitors generated dozens of alerts in the seconds after the traffic loss became visible at 19:08, and the Google engineers who had been investigating a localized failure of the asia-east1 VPN now knew that they had a widespread and serious problem. They did precisely what we train for, and decided to revert the most recent configuration changes made to the network even before knowing for sure what the problem was. This was the correct action, and the time from detection to decision to revert to the end of the outage was thus just 18 minutes.”
  • “With the immediate outage over, the team froze all configuration changes to the network, and worked in shifts overnight to ensure first that the systems were stable and that there was no remaining customer impact, and then to determine the root cause of the problem. By 07:00 on April 12 the team was confident that they had established the root cause as a software bug in the network configuration management software.”
  • Moving forward, Google will add:
    • Monitoring targeted GCE network paths to detect if they change or cease to function
    • Comparing the IP block announcements before and after a network configuration change to ensure that they are identical in size and coverage
    • Semantic checks for network configurations to ensure they contain specific Cloud IP blocks.
  • “We take all outages seriously, but we are particularly concerned with outages which affect multiple zones simultaneously because it is difficult for our customers to mitigate the effect of such outages. This incident report is both longer and more detailed than usual precisely because we consider the April 11th event so important, and we want you to understand why it happened and what we are doing about it. It is our hope that, by being transparent and providing considerable detail, we both help you to build more reliable services, and we demonstrate our ongoing commitment to offering you a reliable Google Cloud platform.”
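Two of the safeguards Google lists (comparing announcements before and after a change, and semantic checks for specific blocks) and the canary gate whose verdict the buggy push system never saw can be modelled in a few dozen lines. This is an added example, not Google's code: it assumes a toy one-directive-per-line config format (`announce <prefix>`), uses RFC 5737 documentation prefixes as constructed sample data, and represents the canary as a callable whose result the push path must check explicitly.

```python
import ipaddress


def parse_blocks(config_lines):
    """Turn an 'announce <prefix>' per-line config (our toy format) into a set
    of networks. Blank lines and '#' comments are ignored."""
    blocks = set()
    for raw in config_lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, prefix = line.split()
        if verb != "announce":
            raise ValueError(f"unknown directive: {line}")
        blocks.add(ipaddress.ip_network(prefix))
    return blocks


def address_count(blocks):
    """Addresses covered, counting overlapping blocks once (all IPv4 here)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(blocks))


def validate_change(old, new, required, intended_removals=frozenset()):
    """Return the reasons to reject `new`; an empty list means it is acceptable.

    Checks mirror the safeguards named in the post-mortem: every required block
    must still be announced, nothing may disappear from the announcement set
    except what the operator explicitly meant to remove, and the address
    coverage after the change must equal the coverage the operator intended.
    """
    problems = []
    for block in sorted(required, key=str):
        if block not in new:
            problems.append(f"required block {block} is not announced")
    unexpected = (old - new) - set(intended_removals)
    for block in sorted(unexpected, key=str):
        problems.append(f"{block} would stop being announced without intent")
    expected, actual = address_count(old - set(intended_removals)), address_count(new)
    if actual != expected:
        problems.append(f"coverage would change from {expected} to {actual} addresses")
    return problems


def push_config(old_lines, new_lines, required, intended_removals, canary):
    """Gate a rollout: static validation, then the canary, then the push.

    `canary` is a callable given the new block set that returns True only when
    the single canary site still serves traffic. Its verdict is checked here
    explicitly; the second bug in the write-up was a push system that never
    received that verdict and rolled out anyway.
    """
    old, new = parse_blocks(old_lines), parse_blocks(new_lines)
    problems = validate_change(old, new, required, intended_removals)
    if problems:
        return "rejected", problems
    if not canary(new):
        return "rolled_back", ["canary site failed verification; previous config kept"]
    return "pushed", sorted(str(b) for b in new)


# Constructed sample data (documentation prefixes, not real Google blocks).
REQUIRED = {ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.0/24")}
UNUSED = {ipaddress.ip_network("192.0.2.0/24")}
OLD_CONFIG = ["announce 198.51.100.0/24", "announce 203.0.113.0/24",
              "announce 192.0.2.0/24  # unused, scheduled for removal"]
GOOD_CHANGE = ["announce 198.51.100.0/24", "announce 203.0.113.0/24"]
BUGGY_CHANGE = ["# fail-safe bug: every block dropped from the new config"]


def demo():
    """The intended change, the buggy all-blocks-removed config, and a good
    config whose canary fails."""
    healthy = lambda blocks: True
    return {
        "good": push_config(OLD_CONFIG, GOOD_CHANGE, REQUIRED, UNUSED, healthy),
        "buggy": push_config(OLD_CONFIG, BUGGY_CHANGE, REQUIRED, UNUSED, healthy),
        "canary_fail": push_config(OLD_CONFIG, GOOD_CHANGE, REQUIRED, UNUSED,
                                   lambda blocks: False),
    }
```

The point of the `intended_removals` argument is that the operator states what the change is supposed to do and the validator refuses any difference between that intent and the generated configuration; a config-management bug that removes everything then fails validation before the canary is even consulted, and a canary failure is a hard stop rather than a signal that can be lost.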

Drama at the Internet’s malware dumping ground

  • VirusTotal is a popular online malware aggregation service started in 2004, and acquired by Google in 2012.
  • It allows researchers and users to submit malware samples which are tested against the static detection engines of some 50+ anti-virus vendors
  • An example analysis
  • However, there is concern that many “NextGen” security startups are just abusing the VirusTotal API rather than building their own detection engines
  • Worse, this type of use doesn’t contribute anything back to the community
  • So Google has changed the Terms of Service: “All scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services”
  • “Additionally, new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO)”
  • Traditional vendors have applauded the move:
  • Trend Micro
  • MalwareBytes
  • Of course, there is also a response from the other side
  • The AV Bomb That Never Was
  • Includes responses from Cylance, and SentinelOne, two of the larger “NextGen” security companies
  • Also has summaries from Palo Alto Networks and CrowdStrike
  • How this actually impacts the industry is yet to be seen, but I don’t expect much beyond a few shady startups going away, and they were going to do that anyway
  • Additional Coverage

Zero-Days Of Our Lives | TechSNAP 240
https://original.jupiterbroadcasting.net/90321/zero-days-of-our-lives-techsnap-240/
Thu, 12 Nov 2015 10:22:06 +0000

The first remote administration trojan that targets Android, Linux, Mac and Windows. Joomla and vBulletin have major flaws & tips for protecting your online privacy from some very motivated public figures.

Plus some great questions, a rockin’ roundup & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems
Show Notes:

First remote administration trojan that targets Android, Linux, Mac, and Windows: OmniRat

  • “On Friday, Avast discovered OmniRat, a program similar to DroidJack. DroidJack is a program that facilitates remote spying and recently made news when European law enforcement agencies made arrests and raided the homes of suspects as part of an international malware investigation.”
  • “OmniRat and DroidJack are RATs (remote administration tools) that allow you to gain remote administrative control of any Android device. OmniRat can also give you remote control of any Windows, Linux or Mac device. Remote administrative control means that once the software is installed on the target device, you have full remote control of the device.”
  • “On their website, OmniRat lists all of the things you can do once you have control of an Android, which include: retrieving detailed information about services and processes running on the device, viewing and deleting browsing history, making calls or sending SMS to any number, recording audio, executing commands on the device and more.”
  • “Like DroidJack, OmniRat can be purchased online, but compared to DroidJack, it’s a bargain. Whereas DroidJack costs $210, OmniRat costs only $25 to $50 depending on which device you want to control.”
  • “A custom version of OmniRat is currently being spread via social engineering. A user on a German tech forum, Techboard-online, describes how a RAT was spread to his Android device via SMS. After researching the incident, I have come to the conclusion that a variant of OmniRat is being used.”
  • “The author of the post received an SMS stating an MMS from someone was sent to him (in the example, a German phone number is listed and the SMS was written in German). The SMS goes on to say “This MMS cannot be directly sent to you, due to the Android vulnerability StageFright. Access the MMS within 3 days [Bitly link] with your telephone number and enter the PIN code [code]“. Once the link is opened, a site loads where you are asked to enter the code from the SMS along with your phone number. Once you enter your number and code, an APK, mms-einst8923, is downloaded onto the Android device. The mms-einst8923.apk, once installed, loads a message onto the phone saying that the MMS settings have been successfully modified and loads an icon, labeled “MMS Retrieve” onto the phone.”
  • “The OmniRat APK requires users to accept and give OmniRat access to many permissions, including edit text messages, read call logs and contacts, modify or delete the contents of the SD card. All of these permissions may seem evasive and you may be thinking, “Why would anyone give an app so much access?”, but many of the trusted and most downloaded apps on the Google Play Store request many of the same permissions. The key difference is the source of the apps. I always recommend that users read app permissions carefully. However, when an app you are downloading directly from the Google Play Store requests permissions, it is rather unlikely the app is malicious.”
  • “The victim then has no idea their device is being controlled by someone else and that every move they make on the device is being recorded and sent back to a foreign server. Furthermore, once cybercriminals have control over a device’s contact list, they can easily spread the malware to more people. Inside this variant of OmniRat, there is a function to send multiple SMS messages. What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device.”
  • Additional Coverage: Softpedia
  • “The Softpedia article about OmniRAT includes a video, but declined to post the tool’s homepage. You can easily find it via a Google search.”

Joomla, one of the most popular web platforms after WordPress, has a critical flaw affecting millions of sites

  • “Joomla is a very popular open-source Content Management System (CMS) used by no less than 2,800,000 websites (as of September 2015).”
  • An SQL injection attack was discovered that affects versions 3.2 through 3.4.4
  • “Unrestricted administrative access to a website’s database can cause disastrous effects, ranging from complete theft, loss or corruption of all the data, through obtaining complete remote control of the web server and abusing or repurposing it (for instance, as a host for malicious or criminal content), and ending in infiltration into the internal network of the organization, also-known-as lateral movement.”
  • “Three CVEs have been assigned to the vulnerability – CVE-2015-7297, CVE-2015-7857 and CVE-2015-7858. It has been tested and found working on a number of large websites, representing different business verticals”
  • “We encourage site administrators to update their Joomla installations immediately, deploy a 3rd-party protection product, or at the very least take their site down until a proper solution is found. According to the Verizon 2015 Database Breach Investigation Report, “99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published” so not patching your system will almost guarantee it will be hacked.”
  • Timeline:
    • Oct 15, 2015 – Disclosure to the Joomla security team
    • Oct 19, 2015 – Vulnerability is acknowledged by Joomla
    • Oct 22, 2015 – Patch released by Joomla
    • Oct 30, 2015 – Disclosure published by PerimeterX
  • It turns out that proper sanitization of the ‘select’ (columns) and ‘limit’ (pagination) parameters was not being done: one of the most obvious and ubiquitous SQL injection vectors.
  • “Using this SQLI we could extract all users, reset password tokens, sessions, and other configuration data stored in the DB. This will ultimately allow an attacker to obtain admin credentials, and therefore control the system’s PHP code using the ‘edit theme’ interface, effectively compromising the entire server.”
  • So I can replace the hash of the admin user with one I know the password for (or just create my own new admin user), as well as extract the hashed passwords of all other users.
  • “This vulnerability is a classic example of how having a too-dynamic code can reflect very severely on security. I expect this disclosure will stir up a hornet’s nest regarding the system’s dynamic nature, and more vulnerabilities exploiting it will be discovered. When you are developing a complex system, keep in mind that although your design is convenient for other developers, it is convenient for vulnerability researchers, too.”
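The bug class the notes describe, a column list and a row count taken from the request and pasted into the query, is easy to reproduce and easy to fix, and the fix is different for the two parameters: a column name cannot be a bound parameter, so it has to be checked against an allowlist, while the LIMIT value can and should be bound as an integer. The following is an added example, not Joomla's code; it uses an in-memory SQLite table with constructed rows and placeholder hashes, and the `users` table, `PUBLIC_COLUMNS` allowlist and function names are assumptions for the illustration.

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows; the hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "$sample$hash-admin"),
        (2, "editor", "$sample$hash-editor"),
        (3, "reader", "$sample$hash-reader"),
    ])
    return conn


def list_users_vulnerable(conn, select="id, username", limit="10"):
    """The anti-pattern: request parameters pasted straight into the statement.
    Whoever controls `select` chooses the columns (password_hash included) and
    can extend the query; whoever controls `limit` appends arbitrary SQL."""
    sql = f"SELECT {select} FROM users LIMIT {limit}"
    return conn.execute(sql).fetchall()


PUBLIC_COLUMNS = ("id", "username")   # the only columns a listing may expose


def list_users_hardened(conn, select="id, username", limit="10"):
    """Column names cannot be bound parameters, so they are checked against an
    allowlist; the row count is converted to an int and bound as a parameter.
    Neither value can change the structure of the statement."""
    columns = [c.strip() for c in select.split(",")]
    rejected = [c for c in columns if c not in PUBLIC_COLUMNS]
    if rejected:
        raise ValueError(f"column not permitted: {rejected}")
    try:
        count = int(limit)
    except ValueError:
        raise ValueError(f"limit is not an integer: {limit!r}") from None
    if not 1 <= count <= 100:
        raise ValueError(f"limit out of range: {count}")
    sql = f"SELECT {', '.join(columns)} FROM users LIMIT ?"
    return conn.execute(sql, (count,)).fetchall()


def demo():
    """Run both versions against the same payloads and report what happened."""
    conn = make_db()
    results = {
        "vulnerable_leak": list_users_vulnerable(conn, select="username, password_hash"),
        "hardened_default": list_users_hardened(conn),
    }
    for name, kwargs in [("bad_select", {"select": "username, password_hash"}),
                         ("bad_limit", {"limit": "5 OR 1=1"})]:
        try:
            list_users_hardened(conn, **kwargs)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results
```

The allowlist is the important half: escaping a column name does nothing useful, because the problem is not quoting but that the caller is allowed to name columns the listing should never return. Keeping the allowlist next to the query, rather than somewhere in a generic request layer, is what stops the "too-dynamic code" the researcher describes.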

Camgirl OPSEC: How the world’s newest porn stars protect their online privacy

  • Not the type of thing you would normally expect us to cover on TechSNAP, but it turns out, if you want to maintain your privacy online, it helps to take advice from the experts
  • Women already have more crap to deal with online, but camgirls often receive the worst of it
  • “But with modern technology comes modern problems: swatting, doxxing, and the fact that on most sites, there’s a large chat window right by the camgirl’s face, into which anyone with a credit card can say anything.”
  • If people can find out who you are, or where you live, they can do all sorts of nasty things.
  • Most “performers” use an alias, so for them, the first step is to protect their true identity
  • Related to this, they also wish to keep their location secret
  • Some examples of ways your location can be exposed:
    • Pandora, the music streaming service, uses location-based advertisements. In this case, they ask for your ZIP code; enter a fake one
    • Many other sites also use location based advertisements, use a VPN to hide your real location
    • “Speaking of VPNs, use one. If you use Skype, there’s Skype Resolvers out there that can show your IP by simply entering a username”
    • “Amazon wishlists reveal your town, which is why people use PO boxes”
  • “People can simply call Amazon/the shipper and find out the address their purchase was sent to if they pry enough. I don’t know what the company policy is for this, but it’s happened”
  • “Camgirl #OpSec tip: I know craft beers are delicious, but they circumscribe your location to a very tight circle.”
  • Make sure photos that you post online do not have GPS or location metadata included
  • Even things as “smalltalk” as the weather, with multiple samples, can give away your location
  • “Also make sure you don’t go to your PO box alone, because someone may be waiting for you there, especially if you publicly reveal your PO box address and/or say specifically when you’ll be going to it”
  • “Google Voice provides fake numbers, so you can use them for texting, or any apps/sites that require a number”
  • “Do not accept gift cards as payments towards your service from random people”, they may be able to track how/where it was spent
  • Use a separate browser for “work” and “personal” internet use, to ensure cookies and logins do not get contaminated
  • Especially things like Facebook and Google that track you all over the internet
  • Avoid creating ‘intersections’, where your two identities can be correlated. Make sure your username doesn’t give it away
  • Consider changing your alias on a regular basis. Balance building a reputation against OPSEC
  • Use strong passwords, and DO NOT reuse passwords for multiple sites, use 2FA whenever possible

National Security Breaking Agency | TechSNAP 236
https://original.jupiterbroadcasting.net/89226/national-security-breaking-agency-techsnap-236/
Thu, 15 Oct 2015 18:03:54 +0000

How the NSA might be breaking Crypto, fresh zero day exploit against Flash with a twist & Keylogging before computers.

Plus a great batch of your questions, a rocking round-up & much more!

Thanks to: DigitalOcean, Ting, iXsystems
— Show Notes: —

How might the NSA be breaking crypto?

  • “There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand. However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community.”
  • “Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.”
  • PDF: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
  • “The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.”
  • “If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.”
  • “For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.”
  • “Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.”
  • “Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto. While the documents make it clear that NSA uses other attack techniques, like software and hardware “implants,” to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale.”
  • “8.4% of Alexa Top 1M HTTPS domains allow DHE_EXPORT, of which 92.3% use one of the two most popular primes”
  • “After a week-long precomputation for each of the two top export-grade primes (see Table 1), we can quickly break any key exchange that uses them. Here we show times for computing 3,500 individual logs; the median is 70 seconds.”
  • “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?”
  • If the NSA has precomputed just one DH 1024 group, they would be able to compromise 37% of the HTTPS traffic to the top 1 million sites using an active downgrade attack. If they have precomputed the ten most popular DH 1024 groups, that number increases to 56%
  • When applied to VPNs, the single most popular DH 1024 group would cover 66% of all traffic. For SSH, the number is 25%. For both VPN and SSH, extending the precomputation to the top 10 groups does not increase the likelihood of compromise; this suggests that, outside of one very popular 1024-bit group, most sites do not reuse the same group as others.
  • “we performed a scan in which we mimicked the algorithms offered by OpenSSH 6.6.1p1, the latest version of OpenSSH. In this scan, 21.8% of servers preferred the 1024-bit Oakley Group 2, and 37.4% preferred a server-defined group. 10% of the server-defined groups were 1024-bit, but, of those, near all provided Oakley Group 2 rather than a custom group”
  • Recommendations from the paper:
    • Transition to elliptic curves: Transitioning to elliptic curve Diffie-Hellman (ECDH) key exchange with appropriate parameters avoids all known feasible cryptanalytic attacks
    • Increase minimum key strengths: Server operators should disable DHE_EXPORT and configure DHE ciphersuites to use primes of 2048 bits or larger.
    • Avoid fixed-prime 1024-bit groups: For implementations that must continue to use or support 1024-bit groups for compatibility reasons, generating fresh groups may help mitigate some of the damage caused by NFS-style precomputation for very common fixed groups.
    • Don’t deliberately weaken crypto: Our downgrade attack on export-grade 512-bit Diffie-Hellman groups in TLS illustrates the fragility of cryptographic “front doors”. Although the key sizes originally used in DHE_EXPORT were intended to be tractable only to NSA, two decades of algorithmic and computational improvements have significantly lowered the bar to attacks on such key sizes.
  • “Prior to our work, Internet Explorer, Chrome, Firefox, and Opera all accepted 512-bit primes, whereas Safari allowed groups as small as 16 bits. As a result of our disclosures, Internet Explorer, Firefox, and Chrome are transitioning the minimum size of the DHE groups they accept to 1024 bits, and OpenSSL and Safari are expected to follow suit.”
  • Additional information from the researchers’ site WeakDH.org
  • Sysadmin’s guide to securing your servers
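As an added example (not code from the show or from the WeakDH paper), here is a small Python auditor that parses the DHE group a TLS 1.2 server sends in its ServerKeyExchange and applies the recommendations above: export-grade and 1024-bit groups are flagged, and a prime that matches a registry of widely shared groups (here only Oakley Group 2, transcribed from RFC 2409) is reported, since one precomputation breaks every connection that uses it. The registry layout, the two sample handshakes and the 512-bit modulus are constructed for the demonstration.

```python
"""Audit the DHE group a TLS 1.2 server sends in its ServerKeyExchange.

Added example, not code from the TechSNAP notes or the WeakDH paper. It parses
the ServerDHParams structure (RFC 5246 section 7.4.3: dh_p, dh_g and dh_Ys,
each a 2-byte length-prefixed opaque) and then applies the paper's advice:
reject export-grade (<= 512-bit) and 1024-bit groups, and flag primes that
many servers share, since one precomputation breaks every exchange using them.
"""
import hashlib
import random
import struct

# 1024-bit MODP group, "Oakley Group 2" (RFC 2409 section 6.2), transcribed
# here; the paper found it to be the most common group on SSH and VPN servers.
OAKLEY_GROUP_2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)


def _to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def fingerprint(p: int) -> str:
    """SHA-256 of the big-endian prime, so a registry can be kept as hashes."""
    return hashlib.sha256(_to_bytes(p)).hexdigest()


# Hypothetical registry of primes known to be shared by many servers; a real
# deployment would fill it from a scan. Here it holds only Oakley Group 2.
WIDELY_SHARED_PRIMES = {fingerprint(OAKLEY_GROUP_2_P): "RFC 2409 Oakley Group 2"}


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams blob; used here only to construct sample input."""
    return b"".join(struct.pack(">H", len(_to_bytes(v))) + _to_bytes(v)
                    for v in (p, g, ys))


def parse_server_dh_params(data: bytes) -> dict:
    """Parse dh_p, dh_g, dh_Ys; raises ValueError on a truncated message."""
    out, off = {}, 0
    for name in ("p", "g", "ys"):
        if off + 2 > len(data):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from(">H", data, off)
        off += 2
        if off + length > len(data):
            raise ValueError(f"truncated inside {name}")
        out[name] = int.from_bytes(data[off:off + length], "big")
        off += length
    return out


def audit_dh_group(params: dict) -> dict:
    """Classify a group along the lines of the WeakDH recommendations."""
    p, ys = params["p"], params["ys"]
    bits = p.bit_length()
    findings = []
    # Cheap Fermat check to base 2: a composite modulus is a misconfiguration.
    if p < 3 or pow(2, p - 1, p) != 1:
        findings.append("modulus fails a primality check")
    if bits <= 512:
        findings.append("export-grade group: breakable in about a minute "
                        "after a one-week precomputation")
    elif bits < 2048:
        findings.append(f"{bits}-bit group: within reach of a state-level precomputation")
    shared = WIDELY_SHARED_PRIMES.get(fingerprint(p))
    if shared:
        findings.append(f"prime is widely shared ({shared}): one precomputation "
                        "breaks all of its users")
    if not 2 <= ys <= p - 2:
        findings.append("server public value is degenerate")
    return {"bits": bits, "acceptable": not findings, "findings": findings}


def make_sample_prime(bits: int, seed: int = 1) -> int:
    """Constructed sample modulus: a random odd number of the given size that
    passes Fermat tests to bases 2, 3 and 5 (adequate for a demonstration)."""
    rng = random.Random(seed)
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5)):
            return n


def sample_audits() -> dict:
    """Run the audit over two constructed handshakes."""
    results = {}
    # A server offering Oakley Group 2 with g=2 and some public value.
    ys = pow(2, 0x1234567, OAKLEY_GROUP_2_P)
    results["oakley2"] = audit_dh_group(parse_server_dh_params(
        encode_server_dh_params(OAKLEY_GROUP_2_P, 2, ys)))
    # A DHE_EXPORT-style 512-bit group with a constructed modulus.
    p512 = make_sample_prime(512)
    results["export"] = audit_dh_group(parse_server_dh_params(
        encode_server_dh_params(p512, 2, pow(2, 0x765, p512))))
    return results


if __name__ == "__main__":
    for name, result in sample_audits().items():
        print(name, result["bits"], "bits",
              "OK" if result["acceptable"] else result["findings"])
```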


Fresh Zero Day exploit against fully patched Adobe Flash

  • Just last week, we were commenting on how quiet things have been on the Adobe Flash front
  • Sorry for jinxing it for everyone
  • This zero day exploit even affects Flash version 19.0.0.207 which was released on Tuesday
  • Adobe expects to release a patch that fixes the Zero day some time next week
  • “Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers”
  • “So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions. At this early stage, no other technical details are available”
  • “In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit”
  • In this wave of attacks, the emails were about the following topics:
    • “Suicide car bomb targets NATO troop convoy Kabul”
    • “Syrian troops make gains as Putin defends air strikes”
    • “Israel launches airstrikes on targets in Gaza”
    • “Russia warns of response to reported US nuke buildup in Turkey, Europe”
    • “US military reports 75 US-trained rebels return Syria”
  • The most startling thing here is that government employees would not expect to receive such news by email, so they should know better than to fall for messages with these subjects or to follow links with such headlines.
  • “It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.”
  • It will be interesting to see if any of the exploit kits manage to pick up this Zero-day before the patch is released
  • This attack is currently focused on the government, and the attackers likely want to keep their zero-day to themselves
  • Once a fix is released, I would expect the regular malware authors to reverse engineer the fix to find the exploit, and see this added to the regular exploit kits
  • Additional Coverage: Krebs

Keylogging before computers: How Soviets used IBM Selectric keyloggers to spy on US diplomats

  • “A National Security Agency memo that recently resurfaced a few years after it was first published contains a detailed analysis of what very possibly was the world’s first keylogger—a 1970s bug that Soviet spies implanted in US diplomats’ IBM Selectric typewriters to monitor classified letters and memos.”
  • “The electromechanical implants were nothing short of an engineering marvel. The highly miniaturized series of circuits were stuffed into a metal bar that ran the length of the typewriter, making them invisible to the naked eye. The implant, which could only be seen using X-ray equipment, recorded the precise location of the little ball Selectric typewriters used to imprint a character on paper. With the exception of spaces, tabs, hyphens, and backspaces, the tiny devices had the ability to record every key press and transmit it back to Soviet spies in real time.”
  • “The Soviet implants were discovered through the painstaking analysis of more than 10 tons’ worth of equipment seized from US embassies and consulates and shipped back to the US. The implants were ultimately found inside 16 typewriters used from 1976 to 1984 at the US embassy in Moscow and the US consulate in Leningrad. The bugs went undetected for the entire eight-year span and only came to light following a tip from a US ally whose own embassy was the target of a similar eavesdropping operation.”
  • “‘Despite the ambiguities in knowing what characters were typed, the typewriter attack against the US was a lucrative source of information for the Soviets,’ an NSA document, which was declassified several years ago, concluded. ‘It was difficult to quantify the damage to the US from this exploitation because it went on for such a long time.’ The NSA document was published here in 2012. Ars is reporting the document because it doesn’t appear to have been widely covered before and generated a lively conversation Monday on the blog of encryption and security expert Bruce Schneier.”
  • “When the implant was first reported, one bugging expert cited in Discover magazine speculated that it worked by measuring minute differences in the time it took each character to be imprinted. That theory was based on the observation that the time the Selectric ball took to complete a rotation was different for each one. A low-tech listening device planted in the room would then transmit the sounds of a typing Selectric to a Soviet-operated computer that would reconstruct the series of key presses.”
  • “In fact, the implant was far more advanced and worked by measuring the movements of the “bail,” which was the term analysts gave to the mechanical arms that controlled the pitch and rotation of the ball.”
  • “In reality, the movement of the bails determined which character had been typed because each character had a unique binary movement corresponding to the bails. The magnetic energy picked up by the sensors in the bar was converted into a digital electrical signal. The signals were compressed into a four-bit frequency select word. The bug was able to store up to eight four-bit characters. When the buffer was full, a transmitter in the bar sent the information out to Soviet sensors.”
  • “There was some ambiguity in determining which characters had been typed. NSA analysts using the laws of probability were able to figure out how the Soviets probably recovered text. Other factors which made it difficult to recover text included the following: The implant could not detect characters that were typed without the ball moving. If the typist pressed space, tab shift, or backspace, these characters were invisible to the implant. Since the ball did not move or tilt when the typist pressed hyphen because it was located at the ball’s home position, the bug could not read this character either.”
  • “The implants were also remarkable for the number of upgrades they received. Far from being a static device that was built once and then left to do its job, the bugs were constantly refined.”
  • “There were five varieties or generations of bugs. Three types of units operated using DC power and contained either eight, nine, or ten batteries. The other two types operated from AC power and had beacons to indicate whether the typewriter was turned on or off. Some of the units also had a modified on and off switch with a transformer, while others had a special coaxial screw with a spring and lug. The modified switch sent power to the implant. Since the battery-powered machines had their own internal source of power, the modified switch was not necessary. The special coaxial screw with a spring and lug connected the implant to the typewriter linkage, and this linkage was used as an antenna to transmit the information as it was being typed. Later battery-powered implants had a test point underneath an end screw. By removing the screw and inserting a probe, an individual could easily read battery voltage to see if the batteries were still active.”
  • “The devices could be turned off to avoid detection when the Soviets knew inspection teams were in close proximity. Newer devices operated by the US may have had the ability to detect the implants, but even then an element of luck would have been required, since the infected typewriter would have to be turned on, the bug would have to be turned on, and the analyzer would have to be tuned to the right frequency. To lower this risk, Soviet spies deliberately designed the devices to use the same frequency band as local television stations.”
  • I thought this was an interesting example of how espionage works and how hard it can be to detect

Feedback:


Round Up:


OPM Data too Valuable to Sell | TechSNAP 219
https://original.jupiterbroadcasting.net/83962/opm-data-too-valuable-to-sell-techsnap-219/
Thu, 18 Jun 2015 17:58:20 +0000


Kaspersky Lab has been hacked; we’ll tell you why it looks like a nation state was the attacker, why OPM data is too valuable to sell & the real situation with LastPass.

Plus some great questions, our answers & a rocking round up.

All that and much, much more on this week’s TechSNAP!


— Show Notes: —

Kaspersky Lab hacked

  • “Russia-based Kaspersky Lab, one of the biggest and most well-known cybersecurity research firms in the world, has admitted to being hacked. In a blog post published earlier today, Kaspersky Lab CEO and founder Eugene Kaspersky wrote, ‘We discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploited several zero-day vulnerabilities, and we’re quite confident that there’s a nation state behind it.’”
  • “The firm dubbed this attack Duqu 2.0. It’s named after a specific series of malware called Duqu, which was considered to be related to the Stuxnet attack that targeted states like Iran, India, France, and the Ukraine in 2011.”
  • “The post went on to say that it was not wise to use an advanced never-before-used technology to spy on a firm. For one, Kaspersky sells access to a great deal of its technologies, so this group could have just paid for it. Also, in its attempt to infiltrate Kaspersky, it clued the company into the next generation spying technologies hackers are developing.”
  • “‘They’ve now lost a very expensive technologically-advanced framework they’d been developing for years,’ the post explained.”
  • “In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.”
  • “From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.”
  • Blog: Kaspersky statement on Duqu 2.0 attack
  • Research: The mystery of Duqu 2.0
  • Research: The Duqu 2.0 persistence module

U.S. Office of Personnel Management (OPM) hacked

  • “OPM discloses breach affecting up to 4 million federal employees, offers 18 months of free credit monitoring through CSID. Follow-up reports indicate that the breach may extend well beyond federal employees to individuals who applied for security clearances with the federal government.”
  • The Office of Personnel Management (OPM) confirmed that both current and past employees had been affected.
  • The breach could potentially affect every federal agency
  • OPM said it became aware of the breach in April during an “aggressive effort” to update its cyber security systems.
  • As the OPM’s Inspector General report put it, “attacks like the ones on Anthem and Premera [and OPM] are likely to increase. In these cases, the risk to Federal employees and their families will probably linger long after the free credit monitoring offered by these companies expires.”
  • “In those files are huge treasure troves of personal data, including “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.”
  • “That quote aptly explains why a nation like China might wish to hoover up data from the OPM and a network of healthcare providers that serve federal employees: If you were a state and wished to recruit foreign spies or uncover traitors within your own ranks, what sort of goldmine might this data be? Imagine having access to files that include interviews with a target’s friends and acquaintances over the years, some of whom could well have shared useful information about that person’s character flaws, weaknesses and proclivities.”
  • Krebs Coverage
  • The Krebs article has a great timeline
  • US Law Makers demand encryption after OPM hack
  • DHS says: Encryption would not have helped OPM
  • OPM’s archaic IT infrastructure to blame for breach
  • Krebs finds that the OPM data offered for sale on the dark web is actually from a different hack: https://krebsonsecurity.com/2015/06/opms-database-for-sale-nope-it-came-from-another-us-gov/

Feedback:

BSDCan Videos:

The videos from BSDCan have started to appear. Not all of them are online yet, but a good sample to get you started.

  • https://www.youtube.com/playlist?list=PLWW0CjV-TafY0NqFDvD4k31CtnX-CGn8f

Round Up:


Group Problemcy | TechSNAP 201
https://original.jupiterbroadcasting.net/77327/group-problemcy-techsnap-201/
Thu, 12 Feb 2015 19:09:16 +0000


A 20 year old design flaw in Windows has just been patched & it requires some major re-working of the software. Attackers compromise Forbes.com & why Facebook’s new ThreatExchange platform could be a great idea.

Plus a great batch of feedback, our answers & much much more!


— Show Notes: —

Critical Microsoft Vulnerabilities

  • “In this month’s Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software.”
  • The two higher priority fixes are MS15-011 (dubbed JASBUG) and MS15-014
  • What makes these vulnerabilities special is that they are not the usual problem with the “implementation” of a protocol or feature. They are actually a design flaw in Windows that required Microsoft to invent entirely new features to solve. These new features needed to be tested against all supported versions and configurations of Windows, and a process had to be developed and documented for deploying the new feature
  • Most corporate network security features in Windows are deployed via “Group Policies”
  • One of those group policies is SMB signing, which makes a client verify the identity of a remote server before trusting it
  • The MS15-014 bug allows an attacker to interfere with the application of the group policy, leaving the SMB signing feature off
  • Then, when a user tries to run a trusted program from a network server, they instead connect to the malicious actor’s server and run a malicious program
  • MS15-011 is related, and is actually a catch-22
  • During the process where the windows client downloads the group policy from the domain controller, authentication is not enforced (as this is set via the group policy, which needs to be downloaded first)
  • As part of the group policy download, the client also runs a series of scripts from the domain controller (login.cmd, login.bat, etc)
  • This means a malicious actor in a man-in-the-middle position could replace the group policy with one that reduces the security of the machine, and cause the user’s system to run any commands they want
  • To solve this issue, Microsoft has introduced a new feature to require “Mutual Authentication”
  • This feature is enabled by… you guessed it, Group Policy
  • So clients must make one last insecure connection to the domain controller, at which point they will verify the identity of the domain controller before accepting any future group policy from anyone
  • It is unclear whether fresh installs of Windows will be vulnerable the first time they connect to the domain
  • Microsoft is not patching Windows XP, Windows 2000, nor Windows Server 2000 and 2003
  • MS15-011 was found by JAS Global Advisors which “found the bug while working on a project for ICANN looking into security issues surrounding the release of new generic Top Level Domains and Top Level Domains. The Group Policy issue was discovered during the research phase of this project, but is unrelated to new gTLDs or TLDs”
  • “It certainly doesn’t work universally and it depends on some funky misconfigurations and happenstance. But it works frequently enough to be of concern,” the JAS advisory said. “We will release the specifics of the other attack scenarios we’re aware of at some future point, but for now it’s important that folks patch and not become complacent because of a perceived on-LAN requirement. It’s not a strict requirement. Go patch.”
  • “Not only are Windows clients too trusting of the responses they get back from DNS, they can also be fairly easily tricked into downgrading to unauthenticated and unencrypted transit protocols (like WebDav over http)”
  • Microsoft rolled out a new feature to address the vulnerabilities called UNC Hardened Access, which ensures the right authentication and in-transit encryption is carried out.
  • “Instead of being subject to the OS “trying too hard” to make communication work, the UNC infrastructure within Windows now allows the higher layer resource requestor to specify whether Mutual Authentication, Integrity, and/or Privacy are required for the communication,” Schmidt said. “This is the right, general-purpose solution to this problem.”
  • “Schmidt said there is an outstanding issue that Microsoft has not addressed wherein Active Directory clients could leak DNS requests to the open Internet. The Internet’s DNS infrastructure, he said, will try to resolve those queries as it would any other and provide pointers to the right sources, rather than a result from the local AD controller for an enterprise domain, for example. He said during JAS’ research, more than 200,000 AD reached out to JAS via a series of customized DNS registrations”
  • Additional Coverage: Krebs on Security
  • Additional Coverage: Threat Post
  • Additional Coverage: Naked Security

Attackers compromise Forbes.com and use IE and Flash zero days

  • “A Chinese APT group was able to chain together two zero day vulnerabilities, one against Adobe’s Flash Player and one against Microsoft’s Internet Explorer 9, to compromise a popular news site late last year”
  • “The group’s aim was to gain access to computers at several U.S. defense and financial firms by setting up a watering hole attack on the site that would go on to drop a malicious .DLL”
  • It is not clear how the Forbes.com site was actually compromised
  • The Flash-powered “thought of the day” widget was changed to redirect to a malicious .swf file, which exploited an Adobe Flash 0-day to take control of the visitor’s system
  • The exploit also optionally used an IE9+ ASLR bypass to ensure it could infect the machine even if additional attack-mitigation features were enabled
  • “While the Adobe bug, a buffer overflow (CVE-2014-9163) was patched back on Dec. 9, the ASLR mitigation bypass (CVE-2015-0071) was one of many patched yesterday in Microsoft’s monthly Patch Tuesday round of patches, an update that was especially heavy on Internet Explorer fixes.”
  • The release of the details was timed to coincide with Microsoft’s release of a patch for the IE9 ASLR bypass
  • Researcher Post – Invincea
  • Researcher Post – iSightPartners

Facebook launches ThreatExchange

  • Facebook has launched a new information sharing platform to allow IT companies to share details and signatures of the evolving attacks they see against their networks and users
  • Some early members of the platform include: Pinterest, Yahoo, Tumblr, Twitter, Bitly and Dropbox
  • “The cost is free, and most of the heavy lifting is done by Facebook’s infrastructure. The platform developers were also cognizant of some of the concerns enterprises have about sharing threat data, from both a competitive and risk management standpoint. Privacy controls are built in to ThreatExchange that not only sanitize information provided by members, but also allows contributors to share data with all of the exchange’s members, or only particular subsets. In addition to threat information shared by contributors, open source threat intelligence feeds are pulled into the platform”
  • “Facebook hopes the initial partner list grows to include other technology companies with a large Internet footprint. Microsoft, for example, has developed its own information sharing platform called Interflow, while the FBI announced last winter that it was releasing an unclassified version of its malware repository in the hopes of spurring public-private sharing of threat data”
  • “If some reasonably large Internet properties cooperate on attacks they’ve seen and responded to, the vast majority of the Internet will be safer,” Hammell said. “We want to bring in more companies like that and eventually broaden it beyond big companies to smaller web properties and researchers. We want to create a forum where we can share attack and threat information in an easy way and share it with as many who want to receive it”
  • “The classic example is an attack you’re investigating where only you and a few companies are targeted,” Hammell explained. “They can collaborate together on that particular attack and share data, but perhaps they don’t feel it’s appropriate to go wider because it may tip their hand and alert the attacker, or it would not be beneficial to the investigation if others started poking at the infrastructure and possibly disrupt the work they’re doing. It’s an important scenario to get right.”

Feedback:


Round Up:


Internet of Problems | TechSNAP 199
https://original.jupiterbroadcasting.net/76517/internet-of-problems-techsnap-199/
Thu, 29 Jan 2015 18:32:54 +0000


The internet of dangerous things is arriving but what about taking care of the devices we already have? We’ll discuss!

Plus details on critical updates from Adobe, the surprising number of Gas Stations vulnerable to exploitation via the internet, your questions, our answers & much, much more!


— Show Notes: —

Flash Updates


Gas Stations vulnerable to exploitation via the internet

  • “An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system,” said HD Moore, the chief research officer at security firm Rapid7
  • “Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply.”
  • While doing research, HD Moore found more than 5,000 gas gauge devices connected to the internet with no authentication. Automated tank gauges generally have only a serial port, so the exposure comes from whatever sits in front of that port.
  • “Approximately 5,800 ATGs (Automated Tank Gauge) were found to be exposed to the Internet without a password,” Moore said. “Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 fueling stations in the country.”
  • Some of the devices have TCP/IP interfaces; those that do not can be connected to a serial server, a common device in the IT industry that presents a serial port over TCP, and so end up reachable from the internet. Most serial servers can require a password before granting access to the port, but this feature is often not enabled, and even when it is, it is a weak control.
  • “Operators should consider using a VPN [virtual private network] gateway or other dedicated hardware interface to connect their ATGs with their monitoring service,” the researcher said. “Less-secure alternatives include applying source IP address filters or setting a password on each serial port.”
  • Another example of devices that were never meant to be on the internet being put there without regard for the security implications. Even with a password and source IP filtering, these devices should not be directly reachable from the Internet; that is what VPNs are for.
  • Additional Coverage – ITWorld

The internet of dangerous things

  • Krebs talks about the trends in Distributed Denial of Service Attacks
  • Krebs cites data from Arbor Networks and from Prolexic (now part of Akamai), the DDoS mitigation service Krebs uses to protect his site, which was under constant attack from various sources throughout December
  • The point needs to be raised that a growing number of these attacks are sourced from ‘Internet of Things’ type devices: small consumer devices with an embedded operating system that receives no updates after it ships
  • The attacks against Sony and Microsoft over Christmas were launched from compromised routers, but a growing number of other devices could be vulnerable, especially in light of things like the new GHOST vulnerability in glibc
  • We have seen viruses attacking NAS and other types of storage devices, and I am sure it will not be long before the first attack against set-top boxes like the Boxee and Roku.
  • “As Arbor notes, some of the biggest attacks take advantage of Internet-based hardware — everything from gaming consoles to routers and modems — that ships with networking features that can easily be abused for attacks and that are turned on by default. Perhaps fittingly, the largest attacks that hit my site in the past four months are known as SSDP assaults because they take advantage of the Simple Service Discovery Protocol — a component of the Universal Plug and Play (UPnP) standard that lets networked devices (such as gaming consoles) seamlessly connect with each other.”
  • “Arbor also found that attackers continue to use reflection/amplification techniques to create gigantic attacks.”
  • It has been over a year since these amplification vulnerabilities were patched, but there are still many systems being exploited to perform these attacks
  • “According to the Open Resolver Project, a site that tracks devices which can be abused to help launch attacks online, there are currently more than 28 million Internet-connected devices that attackers can abuse for use in completely anonymous attacks.”
  • “According to Arbor, the top three motivations behind attacks remain nihilism/vandalism, online gaming and ideological hacktivism – all of which the company said have been in the top three for the past few years.”
  • While analyzing the data from the dump of the Lizard Stresser database, Krebs found that some of the most popular targets for attack were small personal Minecraft servers
  • Krebs: “Tech pundits and Cassandras of the world like to wring their hands and opine about the coming threat from the so-called “Internet of Things” — the possible security issues introduced by the proliferation of network-aware devices — from fitness trackers to Internet-connected appliances. But from where I sit, the real threat is from The Internet of Things We Already Have That Need Fixing Today.”
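The reflection pattern Arbor and Krebs describe, as it shows up in flow data. This is an added example written for these notes, not anything from Krebs's or Arbor's reporting: a reflector receives a small request whose source address has been forged to the victim's, and sends a much larger answer to that forged address. The flow records below are constructed; the port list names well-known UDP services that have been abused this way (SSDP on 1900 among them), and the ratio and reflector-count thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict

# Well-known UDP services that have been abused as reflectors/amplifiers.
REFLECTIVE_UDP_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

# Constructed flow records, not real traffic: (src, sport, dst, dport, bytes).
# 203.0.113.10 is the victim whose address is forged on the requests.
FLOWS = [
    # small spoofed requests arriving at three reflectors
    ("203.0.113.10", 40000, "198.51.100.5", 1900, 100),   # SSDP M-SEARCH
    ("203.0.113.10", 40000, "198.51.100.7", 53, 60),      # DNS query for a large record
    ("203.0.113.10", 40000, "198.51.100.9", 123, 8),      # NTP monlist
    # the reflectors answer the victim with far more than they received
    ("198.51.100.5", 1900, "203.0.113.10", 40000, 3000),
    ("198.51.100.7", 53, "203.0.113.10", 40000, 3000),
    ("198.51.100.9", 123, "203.0.113.10", 40000, 4400),
    # an ordinary client talking to a well-behaved resolver
    ("192.0.2.20", 51000, "198.51.100.11", 53, 60),
    ("198.51.100.11", 53, "192.0.2.20", 51000, 120),
]


def find_reflectors(flows, min_ratio=10.0):
    """Bytes out versus bytes in per (host, service port). A service that
    emits ten times what it receives is an amplifier whether or not it is
    being abused right now; the ratio is what makes it dangerous."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport in REFLECTIVE_UDP_PORTS:
            bytes_in[(dst, dport)] += nbytes
        if sport in REFLECTIVE_UDP_PORTS:
            bytes_out[(src, sport)] += nbytes
    flagged = {}
    for key, out in bytes_out.items():
        inn = bytes_in.get(key, 0)
        # answers with no visible request: one-sided visibility or pure reflection
        ratio = out / inn if inn else float("inf")
        if ratio >= min_ratio:
            flagged[key] = (REFLECTIVE_UDP_PORTS[key[1]], round(ratio, 1))
    return flagged


def find_victims(flows, min_reflectors=2):
    """The forged source address is where every amplified answer lands, so the
    victim appears as one host being answered by many distinct reflective services."""
    answered_by = defaultdict(set)
    for src, sport, dst, dport, _ in flows:
        if sport in REFLECTIVE_UDP_PORTS:
            answered_by[dst].add((src, sport))
    return {host: len(reflectors) for host, reflectors in answered_by.items()
            if len(reflectors) >= min_reflectors}


if __name__ == "__main__":
    for (host, port), (svc, ratio) in sorted(find_reflectors(FLOWS).items()):
        print(f"amplifier {host}:{port} ({svc}) ratio {ratio}x")
    for host, n in find_victims(FLOWS).items():
        print(f"victim {host} answered by {n} distinct reflectors")
```

The two views are complementary: the reflector list is what you would hand to the owner of an exposed SSDP or open-resolver host (or use on your own edge to find what you are contributing), while the victim view is the inbound signature a network under attack sees. On real NetFlow the same logic runs per time bucket; the legitimate resolver in the sample stays below the threshold because a normal DNS answer is only a couple of times the size of its query.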

Feedback:


Round Up:


The post Internet of Problems | TechSNAP 199 first appeared on Jupiter Broadcasting.

Certified Package Delivery | BSD Now 33 https://original.jupiterbroadcasting.net/55382/certified-package-delivery-bsd-now-33/ Thu, 17 Apr 2014 18:59:10 +0000 https://original.jupiterbroadcasting.net/?p=55382 We sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we’ll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There’s a boatload of news and we’ve got answers to your questions, coming up on BSD Now – the place to […]


We sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we’ll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There’s a boatload of news and we’ve got answers to your questions, coming up on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

BSDCan schedule, speakers and talks

  • This year’s BSDCan will kick off on May 14th in Ottawa
  • The list of speakers is also out
  • And finally the talks everyone’s looking forward to
  • Lots of great tutorials and talks, spanning a wide range of topics of interest
  • Be sure to come by so you can meet Allan and Kris in person and get BSDCan shirts

NYCBSDCon talks uploaded

  • The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
  • Jeff Rizzo’s talk, "Releasing NetBSD: So Many Targets, So Little Time"
  • Dru Lavigne’s talk, "ZFS Management Tools in FreeNAS and PC-BSD"
  • Scott Long’s talk, "Serving one third of the Internet via FreeBSD"
  • Michael W. Lucas’ talk, "BSD Breaking Barriers"

FreeBSD Journal, issue 2

  • The bi-monthly FreeBSD Journal’s second issue is out
  • Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
  • In less than two months, they’ve already gotten over 1000 subscribers! It’s available on Google Play, iTunes, Amazon, etc
  • "We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD"
  • Check our interview with GNN for more information about the journal

OpenSSL, more like OpenSS-Hell

  • We mentioned this huge OpenSSL bug (Heartbleed) last week during all the chaos, but the aftermath is just as messy
  • There’s been a pretty vicious response from security experts all across the internet and in all of the BSD projects – and rightfully so
  • We finally have a timeline of events
  • Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
  • pfSense released a new version to fix it
  • OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
  • Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
  • A nice quote from one of the OpenBSD lists: "Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL’s bug tracker is only used to park bugs, not fix them"
  • Sounds like someone else was having fun with the bug for a while too
  • There’s also another OpenSSL bug, possibly worse, that OpenBSD has patched – it allows an attacker to inject data from one connection into another
  • OpenBSD has also imported the most current version of OpenSSL and is ripping it apart from the inside out – we’re seeing a fork in real time (over 55,000 lines of code removed as of yesterday evening)
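The bug behind all of this, reduced to the check that was missing. This is an added example written for these notes, not OpenSSL's code: a heartbeat handler run over a simulated heap (a bytearray), with the pre-fix logic next to the check the 1.0.1g release added. The record layout follows RFC 6520 (type byte, 16-bit payload_length, payload, 16 bytes of padding); the SESSION-KEY bytes placed beside the record are a constructed stand-in for whatever else lived in the process heap, and the 200-byte claimed length is an arbitrary lie a probe might tell.

```python
import struct

# RFC 6520 HeartbeatMessageType values and fixed sizes
HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 1 + 2        # type byte + 16-bit payload_length
PADDING_LEN = 16          # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload, claimed_len=None):
    """Encode a HeartbeatRequest. `claimed_len` lets the caller lie about
    payload_length, which is exactly what a Heartbleed probe does."""
    if claimed_len is None:
        claimed_len = len(payload)
    return (bytes([HB_REQUEST]) + struct.pack(">H", claimed_len)
            + payload + b"\x00" * PADDING_LEN)


def process_heartbeat_vulnerable(heap, offset, record_len):
    """Pre-1.0.1g behaviour: take payload_length from the peer's message and
    copy that many bytes from the record buffer into the response, never
    comparing it with how long the record really is (record_len is ignored)."""
    payload_len = struct.unpack(">H", heap[offset + 1:offset + 3])[0]
    start = offset + HEADER_LEN
    # In C this memcpy walks past the record into neighbouring heap memory;
    # slicing the simulated heap reproduces the same over-read.
    echoed = bytes(heap[start:start + payload_len])
    return (bytes([HB_RESPONSE]) + struct.pack(">H", payload_len)
            + echoed + b"\x00" * PADDING_LEN)


def process_heartbeat_fixed(heap, offset, record_len):
    """1.0.1g behaviour: silently discard the record if it cannot even hold a
    header plus padding, or if the claimed payload does not fit inside it."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None
    payload_len = struct.unpack(">H", heap[offset + 1:offset + 3])[0]
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:
        return None
    start = offset + HEADER_LEN
    echoed = bytes(heap[start:start + payload_len])
    return (bytes([HB_RESPONSE]) + struct.pack(">H", payload_len)
            + echoed + b"\x00" * PADDING_LEN)


def simulate(claimed_len):
    """Place one heartbeat record at the front of a simulated heap whose
    neighbouring bytes hold a constructed secret, then run both handlers.
    Returns (vulnerable_response, fixed_response)."""
    record = build_heartbeat(b"ping", claimed_len=claimed_len)
    neighbour = b"SESSION-KEY=deadbeef-cafe" * 4   # constructed stand-in for other allocations
    heap = bytearray(record + neighbour + b"\x00" * 1024)
    return (process_heartbeat_vulnerable(heap, 0, len(record)),
            process_heartbeat_fixed(heap, 0, len(record)))


def leaked_secret(response):
    """True if the echoed payload carries bytes that were never in the request."""
    return response is not None and b"SESSION-KEY" in response


if __name__ == "__main__":
    vuln, fixed = simulate(claimed_len=200)
    print("vulnerable handler leaked neighbouring memory:", leaked_secret(vuln))
    print("fixed handler response to the lying request:", fixed)
    _, honest = simulate(claimed_len=None)
    print("fixed handler echoes an honest request:", honest[3:7])
```

The whole fix is the one comparison against the record length; with it, a lying request is dropped without a reply, and an honest request is echoed exactly as before. In the real library the over-read could reach up to 64 KB per heartbeat, which is why keys and session data turned up in the responses.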

Interview – Jim Brown – info@bsdcertification.org

The BSD Certification exams


Tutorial

Building OpenBSD binary packages in bulk


News Roundup

Portable signify

  • Back in episode 23 we talked with Ted Unangst about the new "signify" tool in OpenBSD
  • Now there’s a (completely unofficial) portable version of it on github
  • If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
  • Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems

Foundation goals and updates

  • The OpenBSD foundation has reached their 2014 goal of $150,000
  • You can check their activities and goals to see where the money is going
  • Remember that funding also goes to OpenSSH, which practically every system uses and relies on every day to protect its data
  • The FreeBSD foundation has kicked off their spring fundraising campaign
  • There’s also a list of their activities and goals available to read through
  • Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet

PCBSD weekly digest

  • New PBI runtime that fixes stability issues and decreases load times
  • "Update Center" is getting a lot of development and improvements
  • Lots of misc. bug fixes and updates

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv – there are a couple of new ones on the site now that we’ll be covering in future episodes
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’ve got something cool to talk about and want to come on for an interview, shoot us an email
  • Also if you have any tutorial requests, we’d be glad to show whatever the viewers want to see
  • If you’re in or around Colorado in the US, there’s a brand new BSD users group that was just formed and announced – they’ll be having meetings and doing tutorials, so check out their site (also, if you have a local BUG, let us know!)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Certified Package Delivery | BSD Now 33 first appeared on Jupiter Broadcasting.

Attacking the Devs | TechSNAP 98 https://original.jupiterbroadcasting.net/32272/attacking-the-devs-techsnap-98/ Thu, 21 Feb 2013 19:40:44 +0000 https://original.jupiterbroadcasting.net/?p=32272 Facebook and Apple are compromised by the same Java exploit, and the details are quite interesting, plus what happens when the Punkbuster service goes offline.


Facebook and Apple are compromised by the same Java exploit, and the details are quite interesting. The Punkbuster service goes offline, taking down online game servers for hundreds of users.

And a thorough look at the report claiming the Chinese military is responsible for hundreds of system compromises.

Plus a big batch of your questions and more!

Show Notes:
