26 Mar 2015

Planet Grep

Paul Cobbaut: black beer

There is always room for beer (linky).

Inglorious Quad : excellent !
Oesterstout: excellent !
Embrasse: very good.
Zumbi: excellent !
Barbe Noire: very good.

26 Mar 2015 9:12pm GMT

Frank Goossens: Music from Our Tube; Bela Lugosi’s dead by lots of guys

Bela Lugosi's Dead is one of the most famous Bauhaus tracks and is (according to Wikipedia) often considered the first gothic rock record to have been released. But here you can see and hear a live version by TV on the Radio, Trent Reznor (Nine Inch Nails) and Bauhaus' Peter Murphy himself. Great stuff!


26 Mar 2015 4:05pm GMT

25 Mar 2015


Mattias Geniar: Belgium Leader in IPv6 Adoption

The post Belgium Leader in IPv6 Adoption appeared first on ma.ttias.be.

According to Akamai, at least.

European countries continued to be heavily dominant, taking 8 of the 10 spots. Newcomer Norway, with an 88% quarter-over-quarter jump in IPv6 traffic, pushed France out of the top 10.

Belgium again maintained its clear lead, with 32% of content requests made over IPv6 - more than double the percentage of second-place Germany.

Source: Akamai's State of the Internet report, 2014

10 points to Belgium! More than 30% of all requests to Akamai are running over IPv6. That's impressive.

IPv6 Traffic Percentage, Top Countries/Regions

Worldwide, Telenet, Brutele and Belgacom are all present in the top 20.


IPv6 adoption is really speeding up in Belgium.


25 Mar 2015 3:45pm GMT

24 Mar 2015


Frank Goossens: iBert dreams: abolish the NMBS!

A non-self-driving pesero

A person has to dare to dream! Bert Van Wassenhove did just that, and in his "Laat ons een begin maken met de ontmanteling van de NMBS" he proposes replacing trains with, as befits an innovation-minded entrepreneur, self-driving minibuses from Google, Apple, BMW or Tesla.

The core of his argument (my summary, but do read the article yourself):

The NMBS costs too much and travellers are dissatisfied because of delays and other problems. So apparently the train cannot solve our mobility problems. After all, railways are a concept from the industrial revolution, since we long ago stopped all travelling to one office building or factory next to a station in Brussels. Today other revolutions are under way that could bring a solution: self-driving minibuses which, like the peseros in Mexico City, pick up passengers in a completely free-market fashion wherever demand is highest.

I wrote (part of) this blog post on the early double-decker between Lokeren and Brussels. Occupancy: roughly 1,000 commuters. Obviously we are not the only train running to/from Brussels; figures from 2013 give a daily average of 180,000 boarding passengers in the Brussels stations, and the majority of those (120,000?) will undoubtedly have to board during peak hours and get off again on the way back. According to other figures Brussels has 330,000 commuters in total, who thus arrive by public transport or by car. You need no elaborate transport-economic analysis to conclude from this that a very large group of people still has to go en masse "to one office building or factory next to a station in Brussels", and that without the train there would be almost 50% more cars driving in and around Brussels. According to Statbel's figures the train, incidentally, carries more passengers year after year, rising from 144 to 224 million passengers between 1997 and 2010. That counts for something, as a (significant contribution to) relieving the mobility problem? The downside: just like road traffic, the train is oversaturated during peak hours, and that does indeed cause quite a few problems.

With those figures for the required (peak) capacity in mind, deploying peseros, self-driving or not, looks like a utopia: dropping off/picking up 120,000 people in Brussels, at a capacity of roughly 10 passengers per minibus, quickly adds up to 12,000 extra minibuses in and around Brussels during the morning and evening peaks. If, as Bert proposes, we replaced one train route with a fleet of peseros as a test and applied that to "my" line (Sint-Niklaas -> Brussels -> Kortrijk), then for the stretch up to and including Brussels alone 100 minibuses would have to run to get the 1,000 peak-hour commuters into the capital. I don't know about you, but I would rather not test the impact of that on mobility in practice.

But Bert's article is not without merit: while 100 peseros carrying those ex-train passengers from Sint-Niklaas, Lokeren and Dendermonde would only make the traffic-jam problem worse, those same 100 self-driving minibuses could also replace 1,000 cars and thus make for considerably less congestion on the road. Now that would be a contribution to solving the mobility problem!

That leaves the problem of large groups of people who have to be in roughly the same place at roughly the same time, and there we arrive at the dream that Bert already sees as reality: what if we indeed no longer all had to come to one office building or factory next to a station in Brussels? Because (even) more working from home, decentrally or locally is indeed the only fundamental solution to the capacity problems during peak hours on both the roads and the railways. How do we convince large and smaller companies and their employees of that? Maybe that is precisely Bert's ultimate aim: make the problem worse by abolishing the railways in order to force a change of mentality? A cunning dreamer, that iBert!

24 Mar 2015 6:18am GMT

23 Mar 2015


Mattias Geniar: When Private Browsing Isn’t Private On iOS: HTML5 And AirPlay

The post When Private Browsing Isn't Private On iOS: HTML5 And AirPlay appeared first on ma.ttias.be.

Private Browsing: the illusion of privacy.

This applies to mobile devices that use iOS (iPhone, iPad). They have a peculiar way of handling a "private" session.

Shared HTML5 Storage

It's actually explained in the incognito FAQ: HTML5 storage on those iOS devices has a shared state. Everything stored in HTML5 storage in Incognito Mode can be accessed in normal mode.

... regular and incognito mode tabs share HTML5 local storage in iOS devices. HTML5 websites can access their data about your visit in this storage area.

Source: Browse in private

This mostly shows when websites use HTML5 local storage for search box completion or to store the session state of games. In most common use cases you won't notice, mainly because HTML5 Local Storage isn't that widely adopted yet.

AirPlay Cache

Apple devices have the ability to use AirPlay to stream audio and video to a remote receiver, like a stereo (Airport Express) or a TV (Apple TV).

When you start such a session in Incognito Mode and stream your audio or video, and later close that session, the Airplay cache will still hold the filename/title of the media item you most recently played.

For instance, if you play Psy's Gangnam Style on an iOS device in Incognito mode, close the tab and continue browsing in Regular Mode, the Airplay info screen will still show you the filename/title of the movie last played.


This meta info of the media played is only removed after you forcefully close the browser.


Closing the tab isn't enough. This meta info will also be broadcast to any remote device you have connected, be it an Apple TV, Airport Express or in-car entertainment that syncs with AirPlay.

It Could Be Worse

Sure, it's not as bad as storing Incognito URLs in a plain DB file like Safari does, but it just goes to show: Incognito Mode isn't really incognito. It's perfect for testing websites in a fresh environment though.

Regardless of server-side user matching, man-in-the-middle proxies and network sniffers, even local devices can't separate regular and incognito mode properly. Don't use Incognito Mode for anything you don't want people to know. Expect, one day, to see your Incognito Browsing habits made public.

Make sure you don't have to be (too) ashamed.


23 Mar 2015 9:10pm GMT

22 Mar 2015


Mattias Geniar: Life Without Ops

The post Life Without Ops appeared first on ma.ttias.be.

There's a reason why the --noop mode doesn't actually do anything. It's a reflection of life without Ops. https://t.co/R9ZHsYII52

- ma.ttias.be (@mattiasgeniar) March 22, 2015

Have you ever done a Puppet run with the --noop option? It does what the name implies: nothing.

Use 'noop' mode where the daemon runs in a no-op or dry-run mode. This is useful for seeing what changes Puppet will make without actually executing the changes.

This is exactly what happens if you have no Ops. Nothing.

Startup Mentality

Not everyone is the same. Neither is every startup. However, I see more and more startups misinterpreting what DevOps is all about. They are publicly looking to hire Developers with a bit of sysadmin knowledge, and expect that to be DevOps.

That's like asking a carpenter to also fix your leaky plumbing.

DevOps isn't about developers doing your system administration. Neither is it letting your sysadmins perform development related tasks. You can have the DevOps spirit and still have those 2 perfectly defined job roles.

DevOps, however, preaches communication. Breaking silos. Having Dev and Ops work together. Learning from each other. Complementing each other. Not doing each other's work.

Why Ops Exist

It's so easy to implement some complex Puppet modules and have them working. But do you know what you're doing? What happens when your downloaded modules fail on you, and a few months in your ElasticSearch suddenly breaks? Or you've reached the limits of your MongoDB setup? Or you suddenly realise Redis is single-threaded?

This is what Ops are for. They've fought the battle. They know what the bottlenecks are, because they've experienced them. Server-side. They know what happens to the network, the disk I/O, the memory and the CPU cycles whenever you reindex your SOLR cores.

This isn't knowledge to take for granted. You can't expect a fulltime developer, with basic knowledge of systems administration, to have the same level of experience. And maybe you don't expect it. Maybe it's OK in the first few months.

But here's my plea, which I hope you'll understand: go take advice from experienced system administrators. Find someone with battle scars, who has walked the walk. If you can't find it in-house, consider outsourcing. Or plain one-off consultancy.

There's a reason Ops exist. It isn't to cost you money, it's to help you save money in the long run.


22 Mar 2015 8:11pm GMT

Mattias Geniar: Silly Little IP Tricks

The post Silly Little IP Tricks appeared first on ma.ttias.be.

I'll show you a few things you can do with IP addresses you may not know yet. They aren't new -- just part of the RFC -- but you don't encounter them that often.

Octal values

For instance, did you know that if you prefix a part of an IP address with a 0, it gets treated as an octal value? Spot the conversion in the ping below.

$ ping 193.239.211.036
PING 193.239.211.036 (193.239.211.30): 56 data bytes
Request timeout for icmp_seq 0
...

You would've expected the ping request to go to the IP ending in .36; instead it went to .30. Why? Because 036 is actually the octal value for the decimal 30.

Straight Up Integers

IP addresses are formed out of binary sequences, we know this. The binary forms get translated to decimals, for readability.

$ ping 3253719844
PING 3253719844 (193.239.211.36): 56 data bytes
64 bytes from 193.239.211.36: icmp_seq=0 ttl=57 time=17.003 ms
...

Pinging an integer, like 3253719844, actually works. In the background, it's converted to the real IP notation of 193.239.211.36.

Let's Hex It

You probably saw this coming. If you can ping the integer notation of an IP, would the HEX value work?

$ ping 0xC1EFD324
PING 0xC1EFD324 (193.239.211.36): 56 data bytes
64 bytes from 193.239.211.36: icmp_seq=0 ttl=57 time=18.277 ms
...

Yup!

Skipping A Dot

A great addition, thanks to Petru's comment, is to skip a digit group in the IP address.

$ ping 4.8
PING 4.8 (4.0.0.8): 56 data bytes
64 bytes from 4.0.0.8: icmp_seq=0 ttl=48 time=156.139 ms
...

The last digit group is treated as the remainder of the value, so ping 4.8 actually expands to ping 4.0.0.8, because the digit '8' is treated as a 24-bit integer.

If you ever want to have fun with a junior colleague, think of these examples. Especially the octal values are very easy to miss, if you place the leading zeros somewhere in the middle.

Oh and if you decide to test these examples, you'll be pinging one of our nameservers. No harm, feel free to.
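As an added example (not from the post), here is a small Python re-implementation of the inet_aton(3) parsing rules that produce every conversion above, together with the canonicalise-then-compare check that keeps an IP allow- or deny-list from being bypassed by these alternate spellings; the sample inputs are the post's own ping arguments.

```python
import re

# Added example, not from the original post: the classic BSD inet_aton rules
# (hex, leading-zero octal, 1 to 4 components, last component fills the rest),
# re-implemented so the behaviour is the same on every platform. Any filter
# that compares IP strings must run them through this kind of canonicalisation
# first, otherwise "0xC1EFD324" or "3253719844" slip past a check for
# "193.239.211.36".

_PART = re.compile(r'^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$')


def parse_part(text):
    """Parse one component: 0x.. is hex, a leading 0 means octal, else decimal."""
    if not _PART.match(text):
        raise ValueError("invalid component: %r" % text)   # e.g. "08" or ""
    if text[:2].lower() == '0x':
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == '0':
        return int(text, 8)          # "036" -> 30, the trap from the post
    return int(text, 10)


def inet_aton_classic(addr):
    """Return the 32-bit host value for 1..4 component forms, like inet_aton(3).

    With fewer than four components the last one fills the remaining bytes:
    "4.8" -> 4.0.0.8 (8 is read as a 24-bit value), "3253719844" -> 32 bits.
    """
    parts = addr.split('.')
    if not 1 <= len(parts) <= 4:
        raise ValueError("bad component count in %r" % addr)
    values = [parse_part(p) for p in parts]
    head, last = values[:-1], values[-1]
    for v in head:                   # leading components are single bytes
        if v > 0xFF:
            raise ValueError("component out of range in %r" % addr)
    last_bits = 8 * (5 - len(parts))  # 32, 24, 16 or 8 bits for the tail
    if last >= 1 << last_bits:
        raise ValueError("tail out of range in %r" % addr)
    result = 0
    for v in head:
        result = (result << 8) | v
    return (result << last_bits) | last


def to_dotted(value):
    """Canonical dotted-decimal form of a 32-bit value."""
    return '.'.join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_ip(addr):
    """What the resolver actually connects to, in plain dotted-decimal."""
    return to_dotted(inet_aton_classic(addr))


def is_blocked(addr, blocked_canonical):
    """Compare only after canonicalisation; a plain string compare is bypassable."""
    return canonical_ip(addr) in blocked_canonical


if __name__ == '__main__':
    # Constructed inputs, taken from the post's ping examples.
    for sample in ('193.239.211.036', '3253719844', '0xC1EFD324', '4.8'):
        print('%-16s -> %s' % (sample, canonical_ip(sample)))
```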


22 Mar 2015 7:45pm GMT

19 Mar 2015


Xavier Mertens: Troopers15 Wrap-Up Day #2

Troopers Venue

This is my wrap-up for the second day of Troopers15. Before the review of the talks, a few words about the conference. The venue is really nice, as are the facilities: good WiFi coverage (IPv4/IPv6) and even a dedicated GSM network! "Troopers" SIM cards were available for free at the reception desk. Besides the classic activities, a charity auction was also organised to help organisations realise projects around the Internet, like installing a satellite link in a refugee camp.

The second keynote was assigned to Sergey Bratus, Research Assistant Professor at Dartmouth College. Sergey is an amazing speaker! His keynote title was "My favourite things".

Sergey on stage

Sergey explained via multiple examples how we face impossible problems that we cannot fight: the difference between hard and (probably) impossible. Examples: hard is flight, impossible is perpetual motion. Computer programs rely on inputs. A classic path is:

input -> processing -> output.

And, nothing new, we cannot trust inputs. The idea presented by Sergey is to clearly split the analysis of inputs from the processing. To sanitise inputs we need to parse the data, but writing parsers is very difficult. As he said: "Parsers are like crypto, don't write them yourself". He demonstrated how some quick patches in popular applications (Apache, NGinx) are stupid checks that could be avoided by writing correct parsers for the data. Other examples were reviewed:

The Heartbleed bug

Sergey recommended a parser called Hammer. You must have a bright line between the input stream & validation and the processing (malloc(), memcpy()). The final tip provided by Sergey was: Simplify the inputs, use a grammar and keep it simple.

For the talks, my first choice was to go to the "defence" track where Friedwart Kuhn presented "How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise". It was based on real-world expertise. Microsoft is present in almost every company network with its Active Directory architecture. The first question asked by Friedwart was: "Do you think that you/your AD is safe?".

Do you think you are protected?

For a while, Active Directory infrastructures have been targeted by multiple attacks: Pass-the-Hash, Golden Tickets, etc. I liked the comparison with Terminator 2, which can impersonate anybody and bypass security controls. Stolen credentials remain a major threat today. To explain how the authentication processes work in the Windows operating systems would require much more than a 1-hour talk, but Friedwart made a good compilation of the most common terms and protocols (the LSASS process, NTLM, Kerberos, etc). Keep in mind that for most versions of the Microsoft OS, data are still stored in memory, which makes them readable by many tools (like mimikatz). Friedwart also insisted on the fact that other operating systems are vulnerable too. Ubuntu stores the Kerberos tickets in temporary files, and the root account can access all of them. After this introduction (with a white hat), Friedwart switched to the black-hat side and explained how easy credential theft & reuse is. He explained what the "pass-the-hash" attack and the "Golden Ticket" attack are. He made a live demo and created a Golden Ticket valid for ten years(!).

Finally, Friedwart explained how to mitigate such attacks. He split the response in two slides. One for the management based on three major steps:

The good news: this does not require huge investments! The other slide explained mitigation techniques from a technical point of view. The idea is to design and implement in 3 tiers: DC / Servers / Workstations. You also need to separate stuff and use the ESAE forest (a service offered by Microsoft). To mitigate attacks, there is not much more to do if you already implemented the above requirements. A last tip: reset the KRBTGT account on a regular basis and of course… monitor your logs!

My second choice was the talk about CVE-2011-2461 by Luca Carettoni and Mauro Gentile. Adobe Flex (Apache Flex since 2011) is an open source SDK to build SWF files. It provides a lot of tools and classes to develop interactive apps. Starting from Flex v3, apps support dynamic localisation (multiple languages). This can be done at compilation time or dynamically using a component called a Resource Module, which allows text labels to be changed without recompiling the app. Resources can be pre-loaded by passing FlashVars in the HTML wrapper. The Same Origin Policy (SOP) is available in Adobe plug-ins. What if a malicious web page can ask Flex apps to load arbitrary resource modules? This is CVE-2011-2461.

CVE-2011-2461

Some exploitation scenarios?

They performed a live demo of the vulnerability. To conclude:

The last question was: are there applications still vulnerable? Four years later? Yes, of course! To identify such applications, the speakers developed a tool called ParrotNG. It can be used from the command line or, even more powerful, as a BurpSuite plug-in. Finally, keep in mind that all files must be patched and the player does not help. Suggestion to Adobe: implement checks in the player to block vulnerable applications.

After lunch, Martijn Grooten, from Virus Bulletin, presented "The state of email in 2015". More precisely, the talk was about how to fight spam, which remains a major issue today. Everybody has been using email for years. It did not change since the 90's. One fact: Alice can send a mail to Bob without prior permission; this is called "unsolicited mail" (spam). To cancel spam, email would have to be redesigned!

Martijn on stage

Then came spam filters, content-based and other filters, but still today it remains a cat & mouse game. Spammers realised that they can pretend to be someone else and use bots. So, how to mitigate the spam problem?

What is SPF (Sender Policy Framework)? Think of asking, via DNS requests, whether an IP address may send emails for a domain. DMARC is a mix of SPF/DKIM. The status today is that spam is fairly well mitigated. Note that the current anti-spam infrastructure remains vulnerable to big changes. Then IPv6 came and changed the landscape! Good news and bad news: email runs properly on IPv6 (layer 7) but… spam filters make heavy use of… IPv4… Why not keep them on IPv4? We don't need so many IPv6 servers… Can't stop IPv6 deployment… Solutions? Adapt blacklists to IPv6?

Then Martijn switched to the next big issue with email: privacy! In email, there is the pre- and the post-Snowden era… Encryption is popular but… if mails are sent to the first SMTP hop using TLS, what about the other relays? PGP to the rescue! PGP is not easy, not scalable and leaks a lot of metadata! A few words about DIME (Dark Internet Mail Environment): encrypted, with a very low amount of metadata. DMTP is an extension of SMTP. DIME has been written by people who understand email. It integrates smoothly into email and allows users to place trust in servers (webmail). Users don't need to understand crypto! Can we be optimistic? We have collectively shown that we're very good at fighting spam. DIME includes various levels of security and trust. Spam filters can be integrated into those.

The next talk was "Weapons of Mass Distraction - Sock Puppetry for Fun & Profit" by Marco Slaviero and Azhar Desai. I was curious about the title, which is why I decided to attend their presentation.

Sock Puppet

The Internet being a medium, it has already been disconnected from time to time by governments (e.g. Egypt, Tunisia). But instead of stupidly cutting off the Internet, the same governments found that it can also be used to control their citizens. UGC ("User Generated Content") became more and more important over the last years. Everybody can generate content on blogs and social networks. UGC is the new paradigm. How will government censorship handle UGC? Censorship 2.0 is profoundly important. With such an amount of data created online, how can we affect the way it receives attention from people? The research done by Marco and Azhar is based on sock puppets. What is a sock puppet? Here is the Wikipedia definition: a sock puppet is an online identity used for purposes of deception. The questions posed by the speakers were:

The challenge is how to measure the efficiency of your increase/decrease of attention. How to divert the attention of your readers? They reviewed multiple ways to share information and applied different scenarios:

It was very interesting to see how people react differently to a message depending on whether it is posted alone or as a new message with several replies. Are there real sock puppets in the wild? Yes, this happens. How to attract them? Use hot or controversial topics. They analysed the relation between registration times and the time comments were posted. The sock puppet army is really active on the following forums: CNN, AJ English and the Jerusalem Post. They used https://disqus.com/ to achieve this. What are the topics? But who's behind this army? They have no idea. The conclusion of this talk: all UGC sites have been trivial to manipulate!

Finally, the last talk was "Wallstreet of Windows Binaries" by Marion Marschalek and Joseph Moti. For a while now, bugs have had names, logos and websites. They have better documentation than before, because today it's cool to find a bug! Researchers need their 5 minutes of fame.

Marion on stage

Moti explained why the 0-day business is very close to the trading rules:

Finding a 0-day is like having a stock: you have to value it, you can sell it, you can trade it for another 0-day. How to value a 0-day: IPO (Initial Public Offering). The value depends on the market. The market decides the value, not the developer! Insider trading? Prohibited… if you work for the target and have access to sources/tools/docs. Buy and sell the same 0-day multiple times? Exclusive vs shared sale. Where do you trade a 0-day? White or black market. White: ZDI, iDefense; black? More money! If you go to the black market, you need a broker who will take it, value it and search for customers (with a percentage as commission). Windows vulnerability API/keyword, as companies have code: ex: GradientFill -> Fill.

Finding vulnerabilities by rating functions? Marion's tool is called "Wallstreet". Data analytics for cheap people: Marion showed a picture of sheep, one of them being black. How to separate the black sheep from the others?

  1. Problem: Find Frank the black sheep
  2. Attributes: Hair length, color
  3. Attributes evaluation: Sound won't work
  4. Fine graining: 2 colors only
  5. Magic: SELECT * FROM … WHERE color='black'

The tool is based on:

The presentation ended with a demo of how to find which processes load a specific DLL, which could lead to a compromised system.

It's already over for me. I drove straight back to Belgium after the last talk. A first amazing experience with TROOPERS! Thanks to the crew and particularly to Enno for welcoming me.

19 Mar 2015 10:34pm GMT

Mattias Geniar: OpenSSL CVE-2015-0291 and CVE-2015-0286

The post OpenSSL CVE-2015-0291 and CVE-2015-0286 appeared first on ma.ttias.be.

As announced, OpenSSL released a patch for a high severity vulnerability in the library.

For OpenSSL v1.0.2, this is the Denial of Service CVE.

Changes between 1.0.2 and 1.0.2a [19 Mar 2015]

*) ClientHello sigalgs DoS fix

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will
occur. This can be exploited in a DoS attack against the server.

This issue was reported to OpenSSL by David Ramos of Stanford
University.
(CVE-2015-0291)
[Stephen Henson and Matt Caswell]
OpenSSL 1.0.2 release notes

For OpenSSL v1.0.1 and v1.0.0 and v0.9.8, it's this one (also a Denial of Service).

Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
Changes between 1.0.0q and 1.0.0r [19 Mar 2015]
Changes between 0.9.8ze and 0.9.8zf [19 Mar 2015]

*) Segmentation fault in ASN1_TYPE_cmp fix

The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
(CVE-2015-0286)
[Stephen Henson]
OpenSSL 1.0.1 release notes -- OpenSSL 1.0.0 release notes -- OpenSSL 0.9.8

So it's upgrade time again, although the impacted systems could be a relatively small subset of your servers. However, if you're vulnerable, you may want to give this some priority.

The patch (the actual changed code) for the v1.0.2 vulnerability is shown in the commit below.

Full commit is here: 34e3edbf3a10953cb407288101fd56a629af22f9.

The 0.9.8, 1.0.0 and 1.0.1 patches are much smaller, but have the same DoS effect.


Full commit is here: 02758836731658381580e282ff403ba07d87b2f8.

The feared Denial of Service attack is, unfortunately, not limited to OpenSSL v1.0.2, as was anticipated. It affects v1.0.1 and v1.0.0 and v0.9.8 as well.

Responsible Disclosure

Announcing this kind of patch in advance, even without publishing the details of the patch or the CVE, will surely attract the attention of some bad guys as well. You can be sure they were awaiting the release and are now working on ways to make use of it.

Having said that, this kind of responsible disclosure is of the best kind: everyone knows in advance to reserve (human) resources in order to deal with the problem. OpenSSL did it 90% right. The remaining 10% would have been deserved if they had bothered to securely and discreetly inform LibreSSL of this issue, so they could prepare patches on their end as well.

Update: OpenSSL did inform the LibreSSL team of this vulnerability. A well-deserved 100% score for this responsibly disclosed vulnerability.

How to patch

As usual with OpenSSL patches, it's a 2-step fix. First, update the library on your OS.

$ yum update openssl

or

$ apt-get update
$ apt-get install openssl

Then, find all services that depend on the OpenSSL libraries, and restart them.

$ lsof | grep libssl | awk '{print $1}' | sort | uniq

Since the attack is a remote DoS, you should restart the public-facing services as soon as possible. The internal services can be done at a later, more convenient time.

Note: local system users may still be able to exploit those internal services, but that is another requirement in the whole exploit. Short-term, attackers will aim for the low-hanging fruit: externally available services.
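As an added example (not from the post), a Python check that lists which processes still map a replaced libssl/libcrypto by looking for the "(deleted)" marker Linux puts in /proc/<pid>/maps once the package upgrade has unlinked the old file; this gives a more precise restart list than grepping lsof for the library name. The fake /proc tree it builds is constructed for the demo, and reading other users' maps on a real host needs root.

```python
import os
import re
import tempfile

# Added example, not from the original post. After "yum update openssl" the old
# library file is unlinked, but every process that loaded it keeps the stale
# copy mapped and stays vulnerable until restarted. Linux marks such mappings
# "(deleted)" in /proc/<pid>/maps. The sample tree below is constructed; on a
# real host call stale_ssl_processes('/proc') as root.

_STALE = re.compile(r'/lib(ssl|crypto)[^\s]*\s+\(deleted\)\s*$')


def stale_ssl_processes(proc_root='/proc'):
    """Return sorted (pid, comm) pairs for processes mapping a replaced libssl/libcrypto."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # only <pid> directories are interesting
            continue
        maps_path = os.path.join(proc_root, entry, 'maps')
        try:
            with open(maps_path) as fh:
                stale = any(_STALE.search(line) for line in fh)
        except OSError:                  # process exited, or not ours to read
            continue
        if stale:
            try:
                with open(os.path.join(proc_root, entry, 'comm')) as fh:
                    comm = fh.read().strip()
            except OSError:
                comm = '?'
            found.append((int(entry), comm))
    return sorted(found)


def build_fake_proc(root):
    """Constructed /proc look-alike: pid 1234 (nginx) is stale, pid 5678 (sshd) is not."""
    samples = {
        '1234': ('nginx', [
            '7f1a00000000-7f1a00100000 r-xp 00000000 fd:01 100 /usr/lib64/libssl.so.10 (deleted)',
            '7f1a00200000-7f1a00300000 r-xp 00000000 fd:01 101 /usr/lib64/libc.so.6',
        ]),
        '5678': ('sshd', [
            '7f2b00000000-7f2b00100000 r-xp 00000000 fd:01 200 /usr/lib64/libssl.so.10',
            '7f2b00200000-7f2b00300000 r-xp 00000000 fd:01 201 /usr/lib64/libcrypto.so.10',
        ]),
    }
    for pid, (comm, lines) in samples.items():
        pid_dir = os.path.join(root, pid)
        os.makedirs(pid_dir, exist_ok=True)
        with open(os.path.join(pid_dir, 'maps'), 'w') as fh:
            fh.write('\n'.join(lines) + '\n')
        with open(os.path.join(pid_dir, 'comm'), 'w') as fh:
            fh.write(comm + '\n')
    return root


def demo_stale_list():
    """Build the constructed tree in a temp dir and return what the scan reports."""
    return stale_ssl_processes(build_fake_proc(tempfile.mkdtemp()))


if __name__ == '__main__':
    for pid, comm in demo_stale_list():
        print('restart %s (pid %d)' % (comm, pid))
```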

Long-term Library Fixes

Every time something like this happens, either in OpenSSL or in glibc, I keep thinking about mapping these library dependencies in config management.

Maybe some day, I'll make a proof of concept for this. And some day, it'll save me a few hours of work, for every emergency patch that comes out. Some day.


19 Mar 2015 2:24pm GMT

Joram Barrez: Interview about Activiti on Software Engineering Radio

My good friend Josh Long did an interview with me about Activiti and Business Process Management in general. I must admit, I was quite nervous before the recording, as I had never done a podcast before (note: the editors at SE Radio did a really great job). Here's the link: http://www.se-radio.net/2015/03/episode-223-joram-barrez-on-the-activiti-business-process-management-platform/ All feedback, as always, […]

19 Mar 2015 11:23am GMT

18 Mar 2015


Xavier Mertens: Troopers15 Wrap-Up Day #1

Troopers 15

This is my first Troopers conference. I had already heard a lot of positive comments about this event but had never attended it. As I'll start a new job position soon, I had the opportunity to take some days off to travel to Heidelberg in Germany. The conference is split across two days and three tracks: "attack & research", "defence & management" and a special one dedicated to the security of SAP. Honestly, I'm not working with SAP environments, so I decided not to follow the last track. The core organiser, Enno Rey, made a funny introduction speech and gave some numbers about the 2015 edition: 73 speakers, 160 people from the industry and 51 students (fresh blood). A key message for the conference is to not see speakers as superstars. Don't be afraid to talk to them and share!

The first day started classically with a keynote presented by Haroon Meer, the founder of Thinkst, an applied research company with a deep focus on information security. The title was "The hard thing about the hard thing".

Haroon on stage

It's a fact: doing security is pretty hard. Haroon cited a tweet: "If our industry is so broken, why don't you leave and become a truck driver". For him, (un)fortunately, we don't have to convince people anymore that security is important. We have to focus on the bug problem and not on secure engineering. Another interesting quote was: "We don't have a malware problem, we have an adversary problem". Haroon reviewed three key components which directly affect security:

What about complexity? Networks of the future (today?) will become more and more complex and difficult to manage from a security point of view. As an example, Haroon cited the Linux kernel and the Chrome browser. The code is maintained by thousands of developers and has millions of lines of code. Think about this when you just browse a website! It has become so complex that sometimes we lose control, and how do you protect something that you don't understand? In a composite system, there is no critical gate, everything is a gate. We are bad at writing safe code. Microsoft has spent millions of dollars for years to improve its code and today IE still suffers from many vulnerabilities (in the last Microsoft security bulletin of February 2015, many patches were released for Internet Explorer!). Shellshock is a very good example of a composite system. Another example: the Blackphone. Mark Dowd found a bug in the messaging application. Based on software quality checks, we better defend our network with PowerPoint than with a CheckPoint firewall (quote from FX). The market is also a source of problems. Incentives are part of the business failure. Managers get promoted by shipping new software all the time. Count how many operating systems and versions you have used since you started working with computers. Even if some companies suffered giant breaches, this did not affect their value or their customers. In organisations, it's difficult to evaluate risks. To correctly evaluate them, you must know what can happen. Not easy! Remember: "You can't buy security!". Haroon gave many other examples which prove that we are at an inflection point with hard problems to be solved. A very nice keynote!

For the first talk, my choice was to follow Arrigo Triulzi, who presented "Pneumonia, Shardan, Antibiotics and Nasty MOVs: a dead hand's tale". A curious title! Arrigo was not able to travel from Switzerland to Heidelberg and gave his presentation via WebEx. From a technical point of view, it was perfect, but I must confess that it's not the same as seeing the speaker in real life, even if Arrigo started with a joke: "I'm not a Snowden".

Webex

The talk started with a review of the technologies used during the Cold War with nuclear weapons. For a long time, attackers have used the "decapitation attack" to take out the C&C. To avoid this, defenders developed countermeasures so as not to lose control if the C&C is compromised. As an analogy with the infosec field, Arrigo explained that a SOC in a big company may become blind if the deployed sensors are killed. Back to the modern world, Arrigo explained how he successfully changed the microcode of processors. The biggest issue was persistence. If the CPU is power cycled, the changes are gone. To prevent this, he explained step by step how he added persistence using, for example, nicssh, another project used to run an SSH daemon in a NIC firmware. While the idea of the talk was interesting, I had some difficulties following Arrigo's ideas, maybe due to the WebEx?

Then I switched to the second track for "Game over, does the CISO get an extra life?" presented by Richard Rushing, CISO of Motorola Mobility. Richard's idea was interesting: he compared the daily life of a CISO to a modern online game. He started with some facts called "Security camping":

Richard on stage

A game focuses on the player, but security focuses on the attack surface. Think about the "shark in the water": never use terms like "theoretical". A good quote: "What is the difference between theoretical and practical? A few lines of code!". The next comparison was based on grinding or farming: what we do, what we hate in our job. Automation is good but we can't buy a solution. According to Richard, we must build it because all structures are different. Then came the lagging… So important in games but also in security. People also lag. Keep in mind that we can get pwned by a 10-year-old kid. We need a good IR process and vulnerability reports. Time is critical! The next analogy with games was the multiplayer aspect. Security is a team sport. Everybody listens and comments, especially if you have processes like incident response. Bring in people who can make decisions. What about "power levelling"? Use known strategies to level faster; learn from friends, strangers and old guys. What about newbies or noobs in security? Use them even if it is as cannon fodder. Like games, security can have glitches: we need patches. And Richard gave more examples. IOCs can be compared to easter eggs in software (hidden messages). And what about the final boss in games? The problem with security is that the game is never over. A good talk with nice analogies to the gaming world.

After the lunch break, I moved back to the attack and defence side. Michael Ossmann presented "RF Retroreflectors, Emission Security and SDR". This was the best talk of the day IMHO. The goal was to explain and then demonstrate a retroreflector attack. The principle is based on an attacker -> target -> implant -> radar chain. It really acts like a classic radar, listening for returned data.

Michael on stage

In such an attack, the implant is very important. Note that attackers can also benefit from unintentional emissions, such as those from screens. The first implant in history was the "Thing" (the Great Seal bug). It was very simple, required no battery, could run for years and was very difficult to detect. Between the Thing and the ANT catalog, 53 years… What happened during this period? There is no real study, only rumours and speculation. So, to listen to the data returned by the implant, you need a "radar". Michael started by playing with an old police radar but it was not very effective. Later he found a Hot Wheels game radar which was good enough.

Hot-Wheels Radar

He explained the lab that he set up, based on two HackRF Ones (one for transmitting and one for receiving data). They act like a sound card with a microphone and speakers. Instead of classic antennas, Michael used coffee cans. The implant he developed was very simple and is called the "Congaflock". While this one is easy to hide in a cable or a keyboard, he quickly developed a new model with a PS/2 connector (more convenient). He made a live demo and captured some key presses on the keyboard.

Gimme a "Q"

The next device presented was the "Salsaflock", which listens for VGA signals. Michael explained how screenshots can be captured using… The GIMP!

VGA data in Gimp

More details are available here.

Then Gabriel Barbosa and Rodrigo Branco talked about "Modern platform-supported rootkits". Why this talk? They work at Intel and had to follow mandatory trainings, but they had ideas for attacking systems in different ways.

Intel guys on stage

This talk was the result of their research. The biggest problem is assumption. People assume that a system behaves in a specific way. This is wrong! It is programmed to behave like this. A malware will change the way a system works. The current challenges for modern rootkits are: OS dependency, security mechanisms and the different models of computers. Gabriel and Rodrigo reviewed many examples of system abuse. It was really technical and hard to follow for me.

After the afternoon coffee break, "Defender Economics" was presented by Andreas Lindh. The goal of this talk was to understand attackers, their capabilities and their constraints. Yes, they also have constraints! Because it was a defensive talk, the goal was to use this to improve our defences. Two facts: an attacker only needs to find one way to hit his target, and a skilled and motivated attacker will always find a way.

Defenders economics

We must keep in mind that attackers are evolving and we can't protect against everything. A good point is that attackers don't have unlimited resources. Do you really need to protect against everything? Not sure. Attackers also have bosses and budgets. They also use basic maths: if the cost of an attack is less than the value of the information to attack, go for it! The attacker's economics are:

And for the defenders:

Attackers can be profiled. What are their motivations, resources and procedures? The motivation behind the attack and the level of motivation per target. What about resources? People and skills, tools and infrastructure or the supply chain. Regarding procedures, what are the attack vectors, post-exploitation activities and flexibility? Andreas explained this by comparing two scenarios:

The company X has multiple solutions to reduce the risks:

Keep in mind that we do not fight the armor but the man inside. Security is hard but:

Another good talk with good examples!

The day ended with some lightning talks. I really liked the one about virtual machine introspection & DRAKVUF. This is a dynamic malware analysis system which does not work like the other ones. Why focus on VMI? In-guest agents are easy to detect and vulnerable to rootkits. So, we need to move the security outside the VM. A quick presentation of a nice tool to perform malware analysis. Have a look at it.

The first day closed with the social event in a typical German restaurant. As usual, good food, beers and very interesting chats. For a first day, I'm really happy with the organization: nice venue, stable WiFi, a SIM card available with a dedicated mobile network (I did not trust it ;-), good food, lots of Club-Mate. I'm looking forward to the second day!

Social Event

18 Mar 2015 10:56pm GMT

Frank Goossens: Music from Our Tube: Andy Shauf – You're out wasting

Andy Shauf is a Canadian songwriter and below "You're out wasting" is a song from his third album "The Bearer of Bad News". Well worth a listen if you're in a somewhat quiet(er) mood.


18 Mar 2015 4:23pm GMT

17 Mar 2015


Xavier Mertens: The lack of network documentation…

[This blogpost has also been published as a guest diary on isc.sans.org]

Document All Things

Writing documentation is a pain for most of us but… mandatory! Pentesters and auditors don't like to write their reports once the fun stuff has been completed. It is the same for developers. Writing code and developing new products is fun but good documentation is often missing. By documentation, I mean "network" documentation. Why?

When you buy software or hardware from a key player that will be connected to a corporate environment, the documentation usually contains a clear description of the network requirements. These could be:

But today, more and more devices are connected (think about the IoT buzz - "Internet of Things"). These devices are manufactured in a way that they automatically use any available network connectivity. Configure a wireless network and they are good to go. Classic home networks are based on xDSL or cable modems which provide basic network services (DHCP, DNS). This is not the best way to protect your data. They lack egress filters, so any connected device will have full network connectivity and could potentially exfiltrate juicy data. That's why I militate in favour of a documentation template describing the resources required to operate such "smart" devices smoothly. Here is a good example. I have a Nest thermostat installed at home and it constantly connects to the following destinations:

54.227.140.192:9543
23.21.241.75:443
23.23.91.51:80
54.243.35.110:443
87.106.208.187:80

It's easy to make your home network safer without spending a lot of time and money. When a new device is connected to my network, it receives a temporary IP address from a small DHCP pool (e.g. 192.168.0.200-210). This pool has very limited network connectivity: it uses a local DNS resolver (to track the domains used) and is only allowed to communicate over HTTPS to the Internet. A Snort IDS and a tcpdump are constantly running to capture and inspect all packets generated by the IP addresses from the DHCP pool. This is easy to configure with the following shell script running in the background.

#!/bin/bash
# Capture everything sent to or from the quarantine DHCP pool
# (192.168.0.200-210), one pcap per day, compressed once the day is over.
# -w writes raw packets, so no text-formatting options are needed.
while true
do
    TODAY=`/bin/date +"%Y%m%d"`
    /usr/sbin/tcpdump -i eth1 -n -s 0 -w /data/pcaps/tcpdump-$TODAY.pcap \
        host 192.168.0.200 or \
             192.168.0.201 or \
             192.168.0.202 or \
             192.168.0.203 or \
             192.168.0.204 or \
             192.168.0.205 or \
             192.168.0.206 or \
             192.168.0.207 or \
             192.168.0.208 or \
             192.168.0.209 or \
             192.168.0.210 &
    TCPDUMP_PID=$!
    sleep 86400 # Go to sleep for one day
    kill $TCPDUMP_PID
    wait $TCPDUMP_PID # Let tcpdump flush and close the file before compressing it
    gzip -9 /data/pcaps/tcpdump-$TODAY.pcap
done

When a new device is connected, its traffic is automatically captured and can be analyzed later. Once the analysis is completed, a static DHCP lease is configured for the device's MAC address and the firewall policy is adapted to permit only the required traffic. Not only does this help to secure your network, it can also reveal interesting behaviours.
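As an added example (not code from the original post), the following Python script turns such a capture into the per-device destination list the post argues vendors should document: it reads constructed `tcpdump -n` text lines, keeps only packets sent by the quarantine pool above, and sorts each destination into what the quarantine policy permits (HTTPS, DNS to the local resolver) and what it blocks. It assumes 192.168.0.1 is the local DNS resolver.

```python
"""Turn quarantine-pool captures into per-device network documentation."""
import ipaddress
import re
from collections import defaultdict

# Temporary DHCP pool from the post: 192.168.0.200 - 192.168.0.210.
POOL_FIRST = ipaddress.IPv4Address("192.168.0.200")
POOL_LAST = ipaddress.IPv4Address("192.168.0.210")
LOCAL_RESOLVER = "192.168.0.1"  # assumed address of the post's local DNS resolver

# `tcpdump -n` prints "IP src.sport > dst.dport:" for both TCP and UDP.
FLOW_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# Constructed capture: a device on .203, one on .207 and a host (.50)
# outside the pool that must be ignored. Destination addresses are the
# Nest endpoints listed in the post.
SAMPLE_CAPTURE = """\
10:12:01.000000 IP 192.168.0.203.49152 > 54.243.35.110.443: Flags [S], seq 1, win 64240, length 0
10:12:01.020000 IP 54.243.35.110.443 > 192.168.0.203.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
10:12:01.040000 IP 192.168.0.203.49152 > 54.243.35.110.443: Flags [.], ack 3, win 64240, length 0
10:12:02.000000 IP 192.168.0.203.49153 > 87.106.208.187.80: Flags [S], seq 3, win 64240, length 0
10:12:03.000000 IP 192.168.0.203.41000 > 192.168.0.1.53: 12345+ A? example.com. (29)
10:12:05.000000 IP 192.168.0.207.50000 > 23.21.241.75.443: Flags [S], seq 4, win 64240, length 0
10:12:06.000000 IP 192.168.0.50.50001 > 192.168.0.1.53: 1+ A? example.org. (29)
""".splitlines()


def in_pool(addr):
    return POOL_FIRST <= ipaddress.IPv4Address(addr) <= POOL_LAST


def summarise(lines):
    """Return {device_ip: {(dst_ip, dst_port): packet_count}}.

    Only packets *sent by* a pool address count, so replies coming back
    from the Internet are not mistaken for additional destinations.
    """
    per_device = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FLOW_RE.search(line)
        if m and in_pool(m["src"]):
            per_device[m["src"]][(m["dst"], int(m["dport"]))] += 1
    return {dev: dict(dsts) for dev, dsts in per_device.items()}


def classify(summary):
    """Apply the post's quarantine policy to each destination.

    HTTPS to the Internet and DNS to the local resolver are permitted;
    everything else is blocked and needs a conscious decision before the
    device gets its static lease and a permanent firewall rule.
    """
    result = {}
    for device, dsts in summary.items():
        permitted, blocked = [], []
        for dst, port in sorted(dsts):
            ok = port == 443 or (port == 53 and dst == LOCAL_RESOLVER)
            (permitted if ok else blocked).append(f"{dst}:{port}")
        result[device] = {"permitted": permitted, "blocked": blocked}
    return result


def render(classified):
    """Plain-text documentation block, one device per section."""
    out = []
    for device in sorted(classified):
        out.append(f"device {device}")
        for kind in ("permitted", "blocked"):
            out.extend(f"  {kind:9} {dst}" for dst in classified[device][kind])
    return "\n".join(out)


if __name__ == "__main__":
    print(render(classify(summarise(SAMPLE_CAPTURE))))
```

On a real capture, feed it the output of `tcpdump -n -r /data/pcaps/tcpdump-YYYYMMDD.pcap` instead of the constructed lines.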

17 Mar 2015 7:29am GMT

16 Mar 2015


Mattias Geniar: Forthcoming OpenSSL releases

The post Forthcoming OpenSSL releases appeared first on ma.ttias.be.

Let's hope this isn't as bad as it sounds.

Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as "high" severity.

Yours

The OpenSSL Project Team

The good news is, OpenSSL isn't dead. The bad news is, we may have a new heartbleed on our hands.


16 Mar 2015 10:09pm GMT

Lionel Dricot: I don't want to drive anymore!

OK, let me drive...

I don't want to drive anymore because I feel I'm wasting my time. When I drive, I can neither read, nor write, nor admire, nor breathe, nor dream, nor let off steam, nor love, nor give pleasure, nor take pleasure. 1h30 of driving a day, which you reach faster than you imagine, represents a sacrifice of 10% of our waking time, 10% of our life.

I don't want to drive anymore because driving is morbid. Seated, unable to move, my muscles atrophy, contract, stiffen. The position forces my lungs to close up. In any case, all I breathe is the exhaust fumes of those in front of me. You only have to see the colour the snow takes on at the side of a road to realise that our lungs do the same. At bottom, driving is not very far from physical torture.

I don't want to drive anymore because I don't like risking my life constantly. Launched in a metal projectile at insane speeds, my mind has to be permanently alert, on the lookout. I have to foresee the erratic behaviour of other drivers, anticipate difficult conditions. My life is at stake! If I forget this and relax, lulled by the habit of a daily commute and confidence in my skills, I'm only ignoring a danger made worse by my carelessness. And I turn into a potential criminal…

I don't want to drive anymore because I no longer want to support the veritable cult that now surrounds the automobile. From a utility, it has become a religion. Manufacturers make them shiny and deliberately fragile. Liturgical worship takes place at the big annual shows and in everyday conversations. Brushing against a parked car will make it scream; leaving a scratch on it, however faint and involuntary, will turn you into a public enemy, a hated and hunted criminal. Merely criticising the automobile god makes me a pariah.

I don't want to drive anymore because our whole society is at the automobile's command. All our landscapes are entirely adapted to driving. Our roads no longer serve our houses; it is our houses that serve the roads. Monstrous concrete arches rise around cities and across the countryside. A continuous rumble roars and deafens. Nobody would dare to block car traffic, even for a few minutes. Yet in the same place it is not unusual to leave pavements or cycle paths obstructed for months, forcing non-motorists to risk their lives. It's quite simple: cycling to work means more kilometres than driving because the most direct fast roads are strictly reserved for cars.

I don't want to drive anymore because the automobile has become a war. I've seen too many sacrifices, too many young lives cut down. The people I have known who died before the age of 50 were, in the overwhelming majority, killed by the automobile. Some who didn't die were left disabled for life. Even today, sometimes many years later, I regularly relive those terrible seconds when I learned of the death of a loved one, an acquaintance or a vague contact. I remain deeply shocked by the violent suddenness of these injustices. All the while knowing that I could well be the next victim or the next killer.

I don't want to drive anymore because when I see young people full of life squander their first salary on a car, when I see them rev their engines and screech their tyres, I know that one day they will turn against us, that they will show us their wounds, their dead, their bruised earth and will tell us: "Why did you teach us this religion? Why did you let us do it? Why did you delay every innovation that would have let us get rid of the automobile? Did the automobile industry deserve a single one of our lives?".

I don't want to drive anymore because I know that my descendants will look at me as a criminal, saying "All that just to get around?". And they will be right.

Photo by F Mira. Suggested reading: La proclamation, L'inauguration du RER, La voiture, 1er front de la guerre à l'innovation.

Thank you for taking the time to read this freely paid post. Feel free to support me with a few milliBitcoins or a handful of euros, or by following me on Tipeee, Twitter, Google+ and Facebook!

This text is published by Lionel Dricot under the CC-By BE licence.


16 Mar 2015 4:04pm GMT

15 Mar 2015


Mattias Geniar: Running Varnish 4.x on systemd

The post Running Varnish 4.x on systemd appeared first on ma.ttias.be.

If you're thinking about running Varnish 4.x on a systemd system, you may be surprised that many of your "older" configs no longer work.

Now I don't mean the actual VCL files; their syntax changed substantially and there is proper documentation on handling a 3.x to 4.x upgrade.

I mean the /etc/sysconfig/varnish config, which no longer works in a systemd world. It is replaced by /etc/varnish/varnish.params, a file that systemd includes.

To see what's going on under the hood, check out the systemd configuration file at /usr/lib/systemd/system/varnish.service.

$ cat /usr/lib/systemd/system/varnish.service
[Unit]
Description=Varnish a high-perfomance HTTP accelerator
After=syslog.target network.target

[Service]
# Maximum number of open files (for ulimit -n)
LimitNOFILE=131072

# Locked shared memory (for ulimit -l)
# Default log size is 82MB + header
LimitMEMLOCK=82000

# Maximum size of the corefile.
LimitCORE=infinity

EnvironmentFile=/etc/varnish/varnish.params

Type=forking
PIDFile=/var/run/varnish.pid
PrivateTmp=true
ExecStartPre=/usr/sbin/varnishd -C -f $VARNISH_VCL_CONF
ExecStart=/usr/sbin/varnishd \
        -P /var/run/varnish.pid \
        -f $VARNISH_VCL_CONF \
        -a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} \
        -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} \
        -t $VARNISH_TTL \
        -u $VARNISH_USER \
        -g $VARNISH_GROUP \
        -S $VARNISH_SECRET_FILE \
        -s $VARNISH_STORAGE \
        $DAEMON_OPTS

ExecReload=/usr/sbin/varnish_reload_vcl

[Install]
WantedBy=multi-user.target

Most importantly, it loads the file /etc/varnish/varnish.params, which can (and should) contain the environment variables you use to manipulate the systemd service.

At the very end, it appends the $DAEMON_OPTS variable. Previous sysconfig files would have that contain the entire set of startup parameters for varnish, including the -a parameter (which port to listen on), -S (the secret file), etc. With the Varnish 4.x configs on systemd, $DAEMON_OPTS should only contain the additional parameters that aren't already specified in the varnish.service file.

For example, you should limit the varnish.params file to something like this:

$ cat /etc/varnish/varnish.params
# Varnish environment configuration description. This was derived from
# the old style sysconfig/defaults settings
RELOAD_VCL=1
VARNISH_VCL_CONF=/etc/varnish/default.vcl
VARNISH_LISTEN_PORT=80
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082
VARNISH_SECRET_FILE=/etc/varnish/secret
VARNISH_STORAGE="file,/var/lib/varnish/varnish_storage.bin,1G"
VARNISH_TTL=120
VARNISH_USER=varnish
VARNISH_GROUP=varnish
#DAEMON_OPTS="-p thread_pool_min=5 -p thread_pool_max=500 -p thread_pool_timeout=300"

If you're migrating from a sysconfig world, one of the most important changes is that the systemd config requires user and group environment variables, which weren't set previously.

$ cat /etc/varnish/varnish.params
...
VARNISH_USER=varnish
VARNISH_GROUP=varnish
...

For all other changed parameters in the $DAEMON_OPTS list, check out the Varnish man pages (man varnishd), which contain very accurate documentation on which parameters are allowed and which have changed.
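Added example, not part of the original post or of the Varnish project: a Python checker for varnish.params that catches the two migration mistakes described above, a missing VARNISH_USER/VARNISH_GROUP and a DAEMON_OPTS that still repeats flags the unit file already passes. Both sample files are constructed; the first mirrors the recommended file above with its DAEMON_OPTS line enabled.

```python
"""Lint /etc/varnish/varnish.params for the Varnish 4 on systemd pitfalls."""
import shlex

# Variables the varnish.service unit shown above substitutes at start-up.
# VARNISH_LISTEN_ADDRESS is not listed: an empty value expands to ":80",
# which makes varnishd listen on every address, so it may stay unset.
REQUIRED = (
    "VARNISH_VCL_CONF", "VARNISH_LISTEN_PORT",
    "VARNISH_ADMIN_LISTEN_ADDRESS", "VARNISH_ADMIN_LISTEN_PORT",
    "VARNISH_TTL", "VARNISH_USER", "VARNISH_GROUP",
    "VARNISH_SECRET_FILE", "VARNISH_STORAGE",
)
# Flags ExecStart already passes; repeating them in DAEMON_OPTS hands
# varnishd the same option twice.
UNIT_FLAGS = {"-P", "-f", "-a", "-T", "-t", "-u", "-g", "-S", "-s"}

# The file the post recommends, with the commented DAEMON_OPTS enabled.
GOOD_PARAMS = """\
RELOAD_VCL=1
VARNISH_VCL_CONF=/etc/varnish/default.vcl
VARNISH_LISTEN_PORT=80
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082
VARNISH_SECRET_FILE=/etc/varnish/secret
VARNISH_STORAGE="file,/var/lib/varnish/varnish_storage.bin,1G"
VARNISH_TTL=120
VARNISH_USER=varnish
VARNISH_GROUP=varnish
DAEMON_OPTS="-p thread_pool_min=5 -p thread_pool_max=500 -p thread_pool_timeout=300"
"""

# Constructed: an old sysconfig file renamed to varnish.params without
# adapting it, so user/group are missing and DAEMON_OPTS still carries
# the listen and secret flags.
MIGRATED_PARAMS = """\
RELOAD_VCL=1
VARNISH_VCL_CONF=/etc/varnish/default.vcl
VARNISH_LISTEN_PORT=80
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082
VARNISH_SECRET_FILE=/etc/varnish/secret
VARNISH_STORAGE="file,/var/lib/varnish/varnish_storage.bin,1G"
VARNISH_TTL=120
DAEMON_OPTS="-a :80 -S /etc/varnish/secret -p thread_pool_min=5"
"""


def parse_params(text):
    """Parse KEY=value lines the way EnvironmentFile= reads them.

    Blank lines and '#' comments are skipped and surrounding quotes are
    removed, so DAEMON_OPTS="..." yields the bare option string.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = " ".join(shlex.split(value))
    return params


def lint(text):
    """Return a list of problems; an empty list means the file is usable."""
    params = parse_params(text)
    problems = [f"missing {name}" for name in REQUIRED if name not in params]
    for token in shlex.split(params.get("DAEMON_OPTS", "")):
        flag = token[:2]  # covers both "-a :80" and the attached form "-a:80"
        if flag in UNIT_FLAGS:
            problems.append(f"DAEMON_OPTS repeats {flag}, already set in varnish.service")
    return problems


if __name__ == "__main__":
    for name, text in (("recommended", GOOD_PARAMS), ("migrated", MIGRATED_PARAMS)):
        print(name, "->", lint(text) or "OK")
```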


15 Mar 2015 8:26pm GMT