Friday, February 20, 2015

News: Superfish

Lenovo, I trusted you.

Wednesday, October 1, 2014

Info: Xen Advisory 108

This happened:

AWS announced that it will be doing maintenance on its infrastructure due to a security concern brought to their attention by Xen Project.

AWS Writes:

"This Xen Security Advisory was embargoed until a few minutes ago; we were obligated to keep all information about the issue confidential until it was published."

This is standard practice for this sort of issue; it limits the damage the issue could cause while fixes are rolled out. But what worries me more are the providers that haven't mentioned anything yet.

Linode uses a Xen infrastructure and has yet to return my emails for comment. I'm curious how DigitalOcean is faring on this news as well. I'm sure there are other providers that have been affected by this too.

The advisory states that a buggy Hypervisor can cause a host to crash or read data from other hosts on the system... WHAT?!:

"A buggy or malicious HVM guest can crash the host or read data relating to other guests or the hypervisor itself." - Advisory

Well that sounds VAGUELY IMPORTANT!

For now, not many providers have come forward, but I'm sure they will as the news gets out. Or, if they do business like Amazon does, they already know and are frantically running around trying to patch their systems.

This seems like an interesting bug, and while it isn't Shellshock or Heartbleed, it is nonetheless very serious. I'll look into the technical aspect of this advisory and come back with any information I find.

Thursday, September 25, 2014

Info: Bash Bug, Shellshock, CVE-2014-6271

Hello internet! It has been a while since the last post, and I figured why not talk about the latest bash exploit!

Stephane Chazelas, who seems to be a Unix guy, has discovered a vulnerability in how bash parses environment variables. So let's get to it:

env x='echo hello world'

This does not execute anything, as it shouldn't when you are only defining an environment variable. Check this:

env x='() { :;}; echo hello world'

This also doesn't execute so all is well and good. Or is it?:

env x='() { :;}; echo hello world' bash -c "echo stuff"

Now this executes both the first and second echo statements. What gives?

Well, Stephane has discovered that the way bash parses function definitions passed in environment variables is wrong, and anything after the function body gets executed. Let's go back to the second example and move some stuff around:

env x='() { :;};' echo hello world

This executes because after the second ' the function ends and the rest of the line is executed due to the parsing error. Here is how the output differs between a patched system and an unpatched one:

The vulnerable system being on top.

Reminder on bash function syntax (multi-line form, then the equivalent one-liner, which needs the ; before the closing brace):

this_function () {
    echo "hello world"
}

this_function () { echo "hello world"; }

: = the null command, which does nothing and always returns true
; = command separator

() { :;}

Defines an empty function whose body is just the null command, so it does nothing and returns true.

Anyway, this is a huge issue, as many web forms and functions define environment variables; it has been common practice for a while with many CGI scripts.

Red Hat and Ubuntu have already issued a patch correcting the issue. We are still waiting for word from Apple.

Here is a nifty guide on patching the vulnerability:

PATCH ME! TLDR; see below;

Redhat / CentOS
yum update bash

Debian / Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade bash
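After updating, you want to confirm the fix actually took. The following is an added example, not part of the original post: it wraps the same env trick shown above in a small check that reports whether the installed bash still runs the text that follows an imported function definition. The function name shellshock_status and the marker string are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the local bash
# imports and executes trailing commands from a function definition held in
# an environment variable (CVE-2014-6271).
# Prints "vulnerable", "patched" or "no-bash" and returns 1, 0 or 2.
shellshock_status() {
    bash_bin="${1:-bash}"          # optional path to the bash to test
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }

    # x looks like an exported function; the echo after the body is the
    # part a vulnerable bash wrongly executes while importing the variable.
    # The child runs a harmless "echo probe", so a clean bash prints only that.
    out=$(env x='() { :;}; echo MARKER-CVE-2014-6271' \
          "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *MARKER-CVE-2014-6271*) echo "vulnerable"; return 1 ;;
        *)                       echo "patched";    return 0 ;;
    esac
}

# Run stand-alone: check the bash on PATH, or the one given as $1.
shellshock_status "$@"
```

Run it again after `yum update bash` / `apt-get install --only-upgrade bash`; the output should change from "vulnerable" to "patched".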

Wednesday, July 30, 2014

Tutorial: Defcon Prep!

So as I'm preparing to get out west and join my people I thought to myself: "There aren't nearly enough preparation guides for Defcon". A quick google search only gave me about 2,043,423 results. So I figured I'd chime in on the topic. I will split it into 3 sections.

Section 1: Avoid the Wall of Sheep

I have concluded, from talking to various parties, that there is a simple and easy way to avoid the dreaded and celebrated "Wall of Sheep". Here it is:

Step 1: Turn off all your devices and leave them off within 1 km of the Hotel.

Very simple. Turn everything off, your phone, your tablet, your glass, your laptop, your pacemaker, your car. Just leave it off. Not in airplane mode, not on standby, just off.

Note: Ask your doctor about the pacemaker. I'm in a medical field.

Step 2: Buy a hardcore RFID blocking wallet and passport cover.

Again simple, go to amazon and type: "RFID blocking wallet". Buy one, put your cards and passport in this thing, and keep it there. If you want to go all out, put the wallet in an RFID bag and then put it in your pants.

Step 3: Use cash, and don't leave stuff unattended.

Cash: Simple. Just use cash.

Stuff: I can't believe this is a thing, but people actually leave their items and tech unattended. Don't be one of them.

Note: If you follow these steps 100%, you'll still probably get owned.

Section 2: The Brave Participant

Ok maybe your goal is to have fun and... ugh... talk to people. In this case you will still have to do #2 and #3 from Section 1. But your allowance on #1 changes a bit.

Step 1: Turn on your laptop but protect it!

If you must participate and have a good time, I highly suggest the following:
  • Wipe your Laptop
  • If super paranoid: Zero out your drive
  • Install Linux
  • Don't use a common password that you already use
  • block all incoming traffic on your firewall: iptables -I INPUT 1 -j DROP (don't forget IPV6)
  • Manage outgoing traffic on your firewall as well
  • Make sure your OS is up to date
  • Make sure your AV Packages and firewall software is up to date
  • Make sure Wifi radio is off
  • Make sure Bluetooth radio is off
  • Make sure NFC is off
  • If you are going to use the Wifi to participate, use it with a Linux Live USB, something similar to Kali or Tails
  • Don't plug in any random USB drives or CDs you "find" around.
  • When you get home, wipe it again. 
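One caveat on the firewall items: a bare "iptables -I INPUT 1 -j DROP" also drops loopback traffic and the replies to your own outgoing connections, and on IPv6 it silently breaks neighbour discovery (which is ICMPv6). The script below is an added example, not part of the original post: it builds a default-deny rule set for both iptables and ip6tables that keeps those three cases working and only lets DNS and HTTPS out. The function names fw_rules and fw_apply are my own, and it prints the rules instead of applying them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny inbound and
# restricted outbound firewall for a conference laptop, IPv4 and IPv6 alike.
# Assumes iptables/ip6tables with the conntrack match (stock on Linux).

# Print the rule commands for one tool: "iptables" or "ip6tables".
fw_rules() {
    tool="$1"
    cat <<EOF
$tool -F
$tool -P INPUT DROP
$tool -P FORWARD DROP
$tool -P OUTPUT DROP
$tool -A INPUT -i lo -j ACCEPT
$tool -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$tool -A OUTPUT -o lo -j ACCEPT
$tool -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$tool -A OUTPUT -p udp --dport 53 -j ACCEPT
$tool -A OUTPUT -p tcp --dport 53 -j ACCEPT
$tool -A OUTPUT -p tcp --dport 443 -j ACCEPT
EOF
    if [ "$tool" = "ip6tables" ]; then
        # IPv6 address resolution (NDP) rides on ICMPv6; dropping it means
        # no IPv6 connectivity at all, not just "no inbound connections".
        echo "$tool -A INPUT -p ipv6-icmp -j ACCEPT"
        echo "$tool -A OUTPUT -p ipv6-icmp -j ACCEPT"
    fi
}

# Apply to both families. DRY_RUN=1 (the default) only prints the commands;
# DRY_RUN=0 runs them and needs root.
fw_apply() {
    for tool in iptables ip6tables; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            fw_rules "$tool"
        else
            fw_rules "$tool" | sh -e
        fi
    done
}

fw_apply
```

Anything else you need on the floor (VPN, SSH to a box at home) gets its own explicit OUTPUT rule; everything not listed stays blocked.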

Section 3: General Advice

Full disclosure, this is my first time actually at Defcon, though I've been to other security cons before, and this stuff is really important.

Step 1: Hydrate

Hydrate, hydrate, hydrate. I don't care if you're in the hotel for the entire time, keep the fluids going, especially if you are drinking alcohol.

Step 2: Walking Aids

You're going to be on your feet a lot, so have some items that help with that. Insoles, comfortable shoes / boots, etc.

Step 3: Meds

Have Aspirin handy, because... well, Aspirin.

This should have you covered. I'll see you on the floor.

Also: don't forget your cool T-shirts!

Info: Net Neutrality

So a good friend of mine just wrote a piece on Net Neutrality. Her name is Liv, she is a lawyer. Her piece provides an interesting perspective on the matter, and I would highly recommend it to anyone who wants a bit of perspective on the matter from a legal standpoint. Granted there are a lot of legal standpoints on this very hot topic, but this one is from a 20 something recently graduated lawyer.

"The archaic nature of the statute is the problem. The only individuals that have the power to change the statute are politicians who are ultimately guided by lobbyists." - OK
You tell em!

Check it out here:

Brilliant name Liv. 

Friday, July 18, 2014

Info: Windows Features to Turn off via Lifehacker!

The people at Lifehacker were kind enough to put together a list of features that we can safely turn off in Windows. If you are interested in what these features are, I will point directly to the article:

Lifehacker: All the Windows features you don't need.

If that does not tickle your fancy, I have a better list / solution to this problem. Install Linux.

Happy Friday!

Tuesday, July 15, 2014

News: Project Zero

Google announced Project Zero today.

"Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks. We're hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet."

Project Zero aims to fix the internet, to prevent Zero Day vulnerabilities, help stop industrial espionage and targeted attacks. I would love to be a fly on the wall of this Google section... or you know, an employee. I'm sure they have a team of very skilled, very professional researchers and engineers working on this thing. You know the stereotype, these really smart really technical guys that make most really smart, really technical guys look like complete children. Hopefully there will be much good that comes from this, maybe a way to prevent our privacy from being breached by state actors. That would be nice. We can dream.