Posts tagged ‘chrome’

Linux How-Tos and Linux Tutorials: How To Install And Use The Chrome Remote Desktop Sharing Feature In Ubuntu

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Falko Timme. Original post: at Linux How-Tos and Linux Tutorials

Chrome Remote Desktop Sharing feature in Ubuntu

In this tutorial I will introduce you with the Chrome remote Desktop sharing feature. This is an alternate as similar to team-viewer type property for sharing the screen with remote clients. It seems to be very useful for remote desktop control features. I will install the webplugin in Ubuntu 14.04.

Read more at HowtoForge

TorrentFreak: Chrome Blocks uTorrent as Malicious and Harmful Software

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

maliciousutorrWith millions of new downloads per month uTorrent is without a doubt the most used BitTorrent client around.

However, since this weekend the number of installs must have dropped quite a bit after Google Chrome began warning users away from the software. According to Chrome the BitTorrent client poses a serious risk.

“uTorrent.exe is malicious and Chrome has blocked it,” the browser informs those who attempt to download the latest stable release.

Chrome does give users the option to restore the file but not without another warning. The browser is convinced that the file is harmful and suggests that the uTorrent website may have been hacked.

“This file will harm your computer. Even if you have downloaded files from this website before, the website may have been hacked. Instead of recovering this file you can retry the download later.”

Blocked
malic-blocked

The first reports of Chrome’s block came in three days ago and at the time of writing the problems persist. The warnings appear for the latest stable release (3.4.2.32354) and no other releases appear to be affected.

Currently there is no indication why the software has been flagged, but a scan by more than 50 of the most popular anti-virus services reveals no active threats.

Google’s safe browsing diagnostic page claims that the uTorrent website was involved in malware distribution in recent months, but no further details on the nature of the supposed malware are provided.

“This site has hosted malicious software over the past 90 days. It infected 4 domain(s), including kioskea.net/, ziggi.uol.com.br/, majorgeeks.com/,” the diagnostics page reads.

This isn’t the first time that uTorrent has reported problems with Chrome. The same happened late last year when the malware blocking feature was still in beta. At the time uTorrent parent company BitTorrent Inc. managed to resolve the issues after several days.

Thus far, none of the developers have responded to user complaints in the uTorrent forums.

Update We discovered that uTorrent occasionally serves other versions as well, these are not blocked. The vast majority of the downloads are still blocked though.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Linux How-Tos and Linux Tutorials: How to Operate Linux Spycams With Motion

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

fig1 spycamWhen you want something a little simpler and more lightweight than Zoneminder for operating surveillance cameras, try Motion.

Motion is a nice lightweight, yet capable application for operating surveillance cameras on Linux. It works with any Linux-supported video camera, including all V4L Webcams, many IP cameras, Axis cameras, and it controls pan and tilt functions. Motion records movies and snapshots in JPEG, PPM, and MPEG formats, and you can view these remotely in a Web browser thanks to Motion’s built-in HTTP server. It stores image files in a directory of your choosing, and it does not require a database, though it supports MySQL and PostgreSQL if you do want to use one.

First let’s look at how to get an IP camera working with Motion using my trusty Foscam FI8905W (figure 1), and then we’ll add a USB Webcam.

Installation is easy on Debian and Debian derivatives, because Motion is included in the standard software repositories. So all you need to do is run apt-get install motion. You also need libav-tools, which is a fork of ffmpeg. Many moons ago, Debian dropped ffmpeg and replaced it with libav-tools (See Is FFmpeg missing from the official repositories in 14.04? to learn the gory details, and how to get ffmpeg itself if that’s what you really want). On other distros, check the downloads page and installation guide for instructions. Most other distros still include ffmpeg.

The installer should create a motion group and user, and add the motion user to the video group. If it doesn’t, then you must create them yourself. Add yourself to the video group as well, to get around permissions hassles.

Now run motion to see if it works:

$ sudo motion
[0] Processing thread 0 - config file /etc/motion/motion.conf
[0] Motion 3.2.12 Started
[0] ffmpeg LIBAVCODEC_BUILD 3547904 LIBAVFORMAT_BUILD 3544067
[0] Thread 1 is from /etc/motion/motion.conf
[1] Thread 1 started
[0] motion-httpd/3.2.12 running, accepting connections
[1] Failed to open video device /dev/video0: No such file or directory
[0] motion-httpd: waiting for data on port TCP 8080
[1] Could not fetch initial image from camera
[1] Motion continues using width and height from config file(s)
[1] Resizing pre_capture buffer to 1 items
[1] Started stream webcam server in port 8081
[...]

It will go on for many more lines, until you see:

[1] Failed to open video device /dev/video0: No such file or directory
[1] Video signal lost - Adding grey image

Point your Web browser to localhost:8081 and you will see a gray image:

fig2 gray image

This is good, as it means Motion is installed correctly, and all you have to do is configure it. Press Ctrl+C to stop it. Then create a .motion directory in your home directory, copy the default configuration file into it, and change ownership to you:

~$ mkdir .motion
~$ sudo cp /etc/motion/motion.conf .motion/
~$ sudo chown carla:carla .motion/motion.conf

You also need a directory to store images captured by motion:

~$ mkdir motion-images

When you start Motion it looks for a configuration file in the current directory, then in ~/.motion, and finally /etc/motion. Now edit your ~/.motion/motion.conf file– this example includes basic configurations, and the lines relevant to my Foscam IP camera:

# Start in daemon (background) mode and release terminal (default: off)
daemon on
# Output 'normal' pictures when motion is detected (default: on)
[...]
output_normal off
# File to store the process ID, also called pid file. (default: not defined)
process_id_file /var/run/motion/motion.pid 
# Image width (pixels). Valid range: Camera dependent, default: 352
width 640
# Image height (pixels). Valid range: Camera dependent, default: 288
height 480
# Maximum number of frames to be captured per second.
# Valid range: 2-100. Default: 100 (almost no limit).
framerate 7
# URL to use if you are using a network camera, size will be autodetected (incl http:// ftp:// or file:///)
# Must be a URL that returns single jpeg pictures or a raw mjpeg stream. Default: Not defined
netcam_url value http://http://192.168.10.250:8080/videostream.cgi
# Username and password for network camera (only if required). Default: not defined
# Syntax is user:password
netcam_userpass admin:mypassword
# Target base directory for pictures and films
# Recommended to use absolute path. (Default: current working directory)
target_dir /home/carla/motion-images
# Codec to used by ffmpeg for the video compression.
[...]
ffmpeg_video_codec mpeg4

You need to create the directory for storing the PID file, as it says in motion.conf:

$ sudo mkdir /var/run/motion

Now try starting it up again:

$ sudo motion
[0] Processing thread 0 - config file /home/carla/.motion/motion.conf
[0] Motion 3.2.12 Started
[0] Motion going to daemon mode

Good so far, now try localhost:8081 again:

fig3 driveway

Well look, there is my driveway. Now I will have plenty of warning when visitors come, so I can loose the moat monsters. Run around in front of your camera to trigger motion detection, and when you come back your images directory should have some .avi movies in it. You should also find a simple Motion control panel at localhost:8080.

IP Camera Settings

How to Operate Your Spycams with ZoneMinder on Linux (part 1) goes into some detail on setting up your camera. You must follow the vendor’s instructions for the initial setup, such as assigning a login and password, and setting the IP address. You may have other options as well, such as frame size, motion sensitivity, and color depth or black and white.

Getting the correct netcam_url is sometimes a hassle. For my Foscam I brought up its control panel in Firefox, right-clicked on the image (figure 4), then left-clicked View Image Info. This opens a screen like figure 5, which shows the exact URL of the videostream. In the Chrome browser use “Inspect element.”

fig4 control panel

fig5 foscam

Fine-tuning Configuration Values

You can make all kinds of adjustments in your configuration file such as image size, image quality, frame rate, sensitivity to movement, greater sensitivity in selected areas of the frame, file paths, HTTP server settings, and time stamp formats. Motion Guide – Alphabetical Option Reference Manual gives detailed information on each option. Remember to harmonize your Motion settings with the settings in your camera’s control panel, if it has one.

USB Cameras

Any V4l-supported USB Webcam should work with little fuss. The video device will be /dev/video0/dev/video0 will be present only when a video camera is connected directory to your computer. This is a basic example configuration for my Logitech Webcam:

videodevice /dev/video0
width 640
height 480
framerate 24
output_normal off
ffmpeg_video_codec mpeg4
target_dir /home/carla/motion

And again, remember that settings such as frame rate and size are dependent on what your camera supports.

Daemonizing Motion

Once you have everything working, make Motion run as a daemon by editing /etc/default/motion, and changing start_motion_daemon=no to start_motion_daemon=yes. Now Motion will start automatically when you start your computer, and you can start and stop it like any other daemon.

Controlling Multiple Cameras

Motion manages multiple cameras with ease — all you do is give each camera its own configuration file, named thread1.confthread1.conf, and so on. You still need your main motion.conf for common options such as daemon on and filepaths. Then each “thread” file has configurations specific to each camera.

Krebs on Security: Microsoft, Adobe Push Critical Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.

brokenwindowsMost of the bugs that Microsoft addressed with today’s updates (24 of the 29 flaws) are fixed in a single patch for the company’s Internet Explorer browser. According to Microsoft, one of those 24 flaws (a weakness in the way IE checks Extended Validation SSL certificates) was already publicly disclosed prior to today’s bulletins.

The other critical patch fixes a security problem with the way that Windows handles files meant to be opened and edited by Windows Journal, a note-taking application built in to more recent versions of the operating system (including Windows Vista, 7 and 8).

More details on the rest of the updates that Microsoft released today can be found at Microsoft’s Technet blog, Qualys’s site, and the SANS Internet Storm Center.

Adobe’s Flash Player update brings Flash to version 14.0.0.145 on Windows, Mac and Linux systems. Adobe said it is not aware of exploits in the wild for any of the vulnerabilities fixed in this release.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 14.0.0.125.

brokenflash-aFlash has a built-in auto-updater, but you might wait days or weeks for it to prompt you to update, regardless of its settings. The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 14.0.0.137 for Windows, Mac, and Android.

flash-14-0-0-125

Errata Security: Products endorsed by cybersec experts

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The idea came up in Twitter, so I thought I’d write a quick blog post answering the question: “What products do cybersec experts endorse as being secure?”

The answer, of course, is none. It’s a fallacy, because perfect security is impossible. If you want your computer data to be perfectly secure, then smash your device to pieces, run them through a blender, and drop the bits into volcanic lava.
With that said, we cybersec experts do use stuff. From this you can derive some sort of implicit endorsement. I use Windows, iPhone, and GMail, from which you can assume they are probably “secure enough”.
I use an iPhone because it has excellent security. For all I criticize Apple’s security, the fact is that they have very smart people solving the toughest problems. For example, their most recent operating system will randomize MAC addresses when looking for WiFi in order to avoid disclosing your identity. This is a security problem I’ve blogged about for years, and it’s gratifying that Apple is the first company to tackle this problem.
If you do the right thing, such as locking your iPhone with a complex code, you are likely safe enough. If a thief steals your phone, they will likely not get your private secrets from it.
On the other hand, if you don’t lock your iPhone, then the thief can steal everything from your phone, including things your phone has access to, like your email. That’s the problem with “security endorsements”: I as an expert can’t help if you don’t help yourself. Your biggest threat isn’t the products you use, but you yourself. Your top threats you are getting easily tricked by “phishing emails”, drive-by downloads, lack of patches, and using the same password across many websites. Choosing greater or lesser secure product doesn’t really much matter in the face of bad decisions you make with those products.
With that said, there are some recommendations I can make. Public wifi, such as at Starbucks or the airport, is very very bad. Among the things I’m known for is demonstrating just had bad this can be (“sidejacking”). The safest thing is not to use it — tether through your phone instead. But, if you have to use it, use a VPN. This encrypts your data to a remote site across the Internet, so that local people near you can’t decrypt it. There are lots of free/cheap VPN providers. Another option is “Tor”, which acts like a VPN, but also anonimizes your identity. These are a little bit technical and hard to use, but can make using public WiFi secure.

We in the security industry know that some things are exceptionally bad. Browser apps using Java and ActiveX, the thing found in most corporate environments, are very bad. Adobe products Flash and PDF are likewise insecure in the browser. These technologies aren’t bad in of themselves, but only bad when hackers have direct access to them via the web browser. What you want instead is a browser like Chrome using JavaScript applets, HTML5 replacing Flash, and built-in viewers for PDF rather than Adobe’s viewer.

We experts know that the standard way of building web apps on the backend using the “LAMP” stack is inherently insecure. PHP, in particular, is a nightmare. Pasting strings together to form SQL queries is bad. Not whitelisting output characters is bad. If programmers just heeded these last three sentences, they’d stop 99% of the ways hackers break into websites.
Microsoft, Apple, and Google care about cybersecurity. They are really the only companies I can point to that really do care. Their problems stem from the fact that they are also popular, and therefore, the top targets of hackers. Their problems also stem from the fact that security is a tradeoff: caring too much about security makes products unusable.
Tradeoffs is why Android is less secure than iPhone. Apple limits apps to only those they’ve approved, whereas Android allows apps to be downloaded from anywhere. Android’s policy is better, it gives control over the phone to the user rather than than the fascist control Apple has over their phones. But the price is additional risk, as users frequently download apps from dodgy websites that “infect” their phone with a “virus”. Thus, if you want a secure phone, choose iPhone, but if you want a phone that you can control yourself, choose Android. Note that Microsoft makes technically excellent phones, but nobody cares, because they don’t have the apps, so I don’t mention them in the comparison :).
I use GMail. Google’s web apps have the best track record of security, being the first to adopt SSL everywhere all the time. There are still problems, of course, but their track record is better than others.
As an operating system, I currently use Win7, Mac OS X, and Ubuntu (using Windows the majority of the time). I use them with full disk encryption. They are all equally secure as far as I’m concerned. I use Microsoft’s Office, on both Windows and Mac, as well as their cloud apps.
Finally, I want to discuss the security community’s historic dislike of Microsoft. It’s not valid. It’s always been a political dislike of Microsoft’s monopolistic control over the desktop, and an elitist preference for things like Linux that aren’t useable by mainstream. I point this out because I can’t endorse the advice form security experts — their advise is more often going to be political rather than technical.

The Hacker Factor Blog: Not So Bright

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

There’s a feature that I’ve wanted to enable at FotoForensics for quite a while: brightness control. Some pictures are just too dark, and some analysis algorithms generate dark results that could benefit from a little brightening. (Not ELA, where dark means “low quality”. But other algorithms could use some brightness control.)

The one thing I don’t want to do is use the server to manage minor color alterations. That would just be too high of a load and consume far too much disk space with temporary files. (If I permit increments of 10%, then that’s 11 potential brightness renderings per picture. And there may be dozens of pictures: original, ELA, full-size, scaled, etc.)

Fortunately, FotoForensics requires HTML5. That means JavaScript, CSS filters, and other fun options to offset this work to the client’s browser and not task the server.

Unfortunately, I’m still hitting some problems…

Problem #1: Browser Support

CSS and CSS3 have a huge amount of support. To paraphrase Visa’s slogan: CSS3 is everywhere I want to be. And most CSS3 filters have support on most browsers. Filters like rotation, translation, and skewing are very common.

Unfortunately, the brightness filter lacks widespread support. The web site caniuse.com maintains a great list of HTML and CSS features and their support across most web browsers. For brightness, only Chrome and Opera really have full support. Safari supports it as of 6.0, but if you have an older version of Safari then you’re out of luck. (All of my Macs are too old, so none of them support CSS3 brightness.) And unless you have the most recent mobile device, you probably don’t support it. (People who use Firefox or Internet Explorer are out of luck.)

Since I consider brightness to be a “nice to have” feature and not a mandatory requirement, I’ve built a little JavaScript code to detect if it is supported. If the browser supports it, then it is enabled. But if it isn’t supported, then the user never sees the option.

I have similar conditional JavaScript checks for the rotation and flip buttons. You only see the buttons if your browser supports the feature. But unlike brightness, rotate and flip are almost universally supported.

Problem #2: Brightness Parameters

According to the CSS3 specifications, brightness takes one parameter in one of two formats. You can either specify a percentage or a fraction. Code like img.style['-webkit-filter']="brightness(110%)"; will make the picture brighter. The values range from 0% (black) to 200% (white) with 100% being “no adjustment”. When using fractions, the values range from -1 (black) to +1 (white) with 0 being unaltered.

This seems simple enough… except that the implementation seems inconsistent. Older Chrome browsers (those with version numbers in the 20s) only support the numerical values. Newer Chrome browsers only consistently support the percentages. As far as I can tell, brightness is a “work in progress” on Chrome, and different versions support different parameters.

The nice thing about JavaScript is that unsupported styles are never added to the element. I ended up making a complicated JavaScript detector that checks if the browser supports brightness and identifies which parameters to use. It works by adding various styles and checks to see if they were actually added:

var properties = [ '-webkit-filter' ];
var p;
var BrightnessVal=-100; // undesirable value
var BrightnessMin=100;
var BrightnessMax=100;
var BrightnessStep=10;
var BrightnessChar='';
while((BrightnessVal==-100) && (p = properties.shift()))
{
// My properties are currently only -webkit-filter.
// Check if the browser supports -webkit-filter.
if (p in document.body.style)
{
// create a temporary image element to test with
el = document.createElement('img');
// See if it supports the percent parameters
el.style[p]='brightness(200%)'; // set value
if (el.style[p]=='brightness(200%)') // check value
{
// Supported! Set the range and notations
BrightnessMin=0;
BrightnessVal=100;
BrightnessMax=200;
BrightnessStep=10;
BrightnessChar='%';
}
else
{
// No percent support? Check for fractions!
el.style[p]='brightness(0.5)';
if (el.style[p]=='brightness(0.5)')
{
// Supports fractions! Set the range and notations
BrightnessMin=-1;
BrightnessVal=0;
BrightnessMax=1;
BrightnessStep=0.1;
BrightnessChar='';
}
}
delete el;
}
}
// Now see if it is supported...
if (BrightnessVal > -100)
{
// it's supported, so add the user controls
}

With this code, I know if the browser supports the brightness parameter as well as the minimum and maximum values and whether to include the “%” character. This means that I can support Chrome, Opera, and some versions of Safari.

Problem #3: Fractions

JavaScript has made huge strides over the last decade. It used to be a huge security risk and really slowed down the computer. But with better compiler designs and implementation decisions, it really isn’t the same huge security risk that it previously was. And as far as speed goes: wow — I can do most tasks in real time and with minimal computer resources.

So it really makes me shake my head when I hit a really bad, fundamental problem with JavaScript. JavaScript sucks at fractions.

I created two buttons. One increases the brightness by 10%, and the other decreases it by 10%. My basic test is to click on each button 3 times. When using the integer range (0% – 200%): 100% + 10% + 10% + 10% – 10% – 10% – 10% = 100%. There is no floating point error. This works fine.

However, I hit a problem when I use the fractional range (-1 to +1): 0 + 0.1 + 0.1 + 0.1 – 0.1 – 0.1 – 0.1 = 0.0000000000004. Different browsers generate different values for the floating point error. But seriously, why am I seeing any floating point error when I’m adding and subtracting tenths??? At this point, I have two options. I can either do everything as integers (10 times all values and just divide by 10 before use), or I can call Math.round(val×10)/10 to strip the error out after each addition and subtraction. (I went with the latter option since it mitigates long-term error accumulation.)

Back in college, I collected buttons. I have a button that says “2+2=5 for sufficiently large quantities of 2″. I fear that this is really the case with JavaScript.

Update: Stuart and Justin left great comments about why this happens. I still think JavaScript could take steps to mitigate the issue, but at least it is understandable.

Problem #4: Applying Brightness

In computer graphics, there are two common ways to brighten up an image. The first way scales the RGB values. For example, I can multiply every value by 1.1 and achieve a 10% increase in brightness. The value “1″ becomes “1.1″ which rounds to 1, 2 becomes 2.2 which is 2, 3 becomes 3, but 5 becomes 5.5 which rounds to 6. 7 becomes 8, 8 becomes 9, … and 200 becomes 220. The bigger the number is, the more the number moves.

Think of this like elementary school gym class. Everyone stands in a line and then the teacher says to stand one arm’s length apart. People at the front of the line barely move. People at the end of the line have to walk a long distance in order to remain one arm’s length apart. (This always sucked for the kids who’s last names began with Z. And the kids with names that begin with “A” always wondered why this simple “spread out” task took so long…)

This scaling approach emphasizes differences in the darker regions. By moving darker colors more, minor gradient differences among the darker colors are scaled larger. Brightening up the picture permits you to see details within the darkness more clearly.

The other common approach is to convert the colors to HSV, YUV, or some other colorspace where the intensity (V or Y) is separate from the hue. The intensity is adjusted linearly and then the colors are converted back to RGB. This approach typically brightens the image but mutes details a little since differences that are only in the chrominance (the color and not the intensity) are unchanged.

However… there is a method for brightening images that I have only seen used on the web — real graphics applications never use this approach and I don’t think it is taught in any graphics courses. It’s a fake brightening algorithm because it doesn’t “brighten” so much as “wash out” the image. Here’s how the algorithm works: apply a completely white image as a transparency over the image. The amount of transparency controls the brightness. That’s right: it combines the picture with “white”.

Using this pseudo-brightness approach, big numbers barely change while little numbers change a lot. For example, at 10% brighter, the value 200 gets combined with a white (255) transparency: 10%×255 + 90%×200 = 205.5 and rounds to 206, so it moves 6 values in intensity. The value 2 becomes 10%×255 + 90%×2 = 27.3 and rounds to 27, so it moves 25 values in intensity. This makes dark values look lighter, but it removes details because the gradients between adjacent dark values is reduced. The result is a “brighter” picture but with less detail. If the purpose of brightening the image is to see minor differences in the dark regions, then this brightness function won’t help you.

Other Options

At this point, we have a “brightness” function that is not widely supported, has inconsistent parameters, and is poorly implemented. As a result, I have no desire to release this as an option at FotoForensics. It is rarely supported and doesn’t do the job when it is supported.

I’ve seen a couple of forums where people have tried to do workarounds. The most common suggestion is to use a white background and to adjust the image’s transparency. Every HTML5 browser seems to support transparencies, so this is a functionally applicable option. However, this is the same pseudo-brightness algorithm that mutes details rather than actually brightening the image. This is not a practical solution.

A better option is to use an HTML5 canvas object. Canvas is widely supported and gives me (the developer) full control over every pixel. I can easily implement the scaling RGB function. However, this introduces another problem… Some pictures can be very large, and not every browser implementation supports HTML5 with OpenGL functions. (OpenGL provides speed to graphical rendering.) As a result, increasing the brightness may be very slow. I have a few sample pictures where each click on the “increase brightness by 10%” button takes 2-3 seconds. (Longer if you’re on a mobile device.) This speed issue hinders usability, so I’ve ruled it out as an option.

(JavaScript libraries like Raphaël and jquery are dependent on the canvas object, so they have the exact same speed limitations.)

I’m still looking for alternative methods to implement a real ‘brightness’ function in JavaScript. However, it looks like I will have to wait for JavaScript to grow up a little more. Right now, I’m out of bright ideas.

Krebs on Security: Adobe, Microsoft Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each released updates to fix critical security vulnerabilities in their software. Adobe issued patches for Flash Player and AIR, while Microsoft’s Patch Tuesday batch includes seven update bundles to address a whopping 66 distinct security holes in Windows and related products.

winiconThe vast majority of the vulnerabilities addressed by Microsoft today are in Internet Explorer, the default browser on Windows machines. A single patch for IE this month (MS14-035) shores up at least 59 separate security issues scattered across virtually every supported version of IE. Other patches fix flaws in Microsoft Word, as well as other components of the Windows operating system itself.

Most of the vulnerabilities Microsoft fixed today earned its “critical” rating, meaning malware or bad guys could exploit the flaws to seize control over vulnerable systems without any help from users, save perhaps for having the Windows or IE user visit a hacked or booby-trapped Web site. For more details on the individual patches, see this roundup at the Microsoft Technet blog.

Adobe’s update for Flash Player fixes at least a half-dozen bugs in the widely-used browser plugin. The Flash update brings the media player to v. 14.0.0.125 on Windows and Mac systems, and v. 11.2.202.378 for Linux users. To see which version of Flash you have installed, check this link.

brokenflash-aIE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. Chrome version 35.0.1916.153  includes this Flash update; to see which version of Chrome you’re running, click the 3-bars icon to the right of the address bar and select “About Google Chrome.”

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 14.0.0.110 for Windows, Mac, and Android.

flash14-0-0-125

LWN.net: Making end-to-end encryption easier to use (Google Online Security Blog)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The Google Online Security Blog has announced the alpha release of an OpenPGP-compliant end-to-end encryption extension for the Chrome/Chromium browser.
While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools.

However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)”

Клошкодил: 2014-06-01 Лекцията ми от Websummit 2014, “Възможности, които всички web услуги трябва да имат”

This post was syndicated from: Клошкодил and was written by: Vasil Kolev. Original post: at Клошкодил

(презентацията)

[slide 2 Идеята за тази лекция]

Идеята за тази лекция ми дойде около няколко разговора с различни хора и от нашият опит с правенето на pCloud. Много често ни се случваше да погледнем конкуренцията как е направила нещо и да се ужасим в първия момент.
(а след това да се зарадваме, че се срещу нас има такива хора)

За всичките неща, за които ще говоря има лесни решения – прости като идея и сравнително лесни за реализация, като правенето им трябва да доведе до един по-добър свят.

Също така в историята има много случаи на проблеми, които са се случвали и за които всички са забравили или просто са отказали да обърнат внимание.

Нищо от това, което ще кажа не е особено ново, гениално или изобщо велико откритие. Всичкото е откриваемо с малко четене в google, wikipedia и от време на време някоя книга. Извинявам се предварително, че нямаме осигурени възглавници за хората, на които ще им се доспи от скучните неща, които ще разказвам.
(ако четете това като текст – нищо против нямам да го ползвате за приспиване)

[slide 3 Защо ние го говорим това]

Ние харесваме добре написаните неща. Също така се стараем да сме максимално отворени откъм API, код и т.н., и за това държим да правим неща, от които да не се срамуваме, или даже да се гордеем с тях.

Също така съм съвсем наясно, че тази лекция звучи като безкрайно фукане. Поне половината е такава :) За това искам да отбележа, че доста от тези грешки сме ги допускал и ние, в този или предишен проект.

[slide 4 Кои сме ние]

Минутка за реклама – ние сме cloud storage услуга, направена правилно. Startup сме, има ни от около година, имаме около 600k потребители и 600TB заето място и правим всякакви интересни неща, за които обаче ще ми трябва тричасов слот, че да ги изброя :)

Стараем се да сме максимално отворени – имаме пълна документация на API-то ни, както и код, който си говори с него. Ние самите за приложенията, които пишем ползваме същото API, т.е. не крием нищо от разработчиците :)

[slide 5 Authentication]

Почти всички услуги трябва да пазят в някакъв вид пароли за потребителите си и да им дават да влизат в системата, за да получат достъп до някаква допълнителна функционалност. Човек би си помислил, че това е изчистено и изяснено и трябва да няма проблеми…

[slide 6 Стандартен метод за auth]

По принцип в повечето случаи влизането в системата се реализира чрез изпращане на user и парола и получаване на отговор/token, с който да работим след това.

Което е лоша идея, понеже паролата ви минава по мрежата в някакъв вид, и не може да сте сигурни дали някой не подслушва или дали някой не се прави на отсрещния сървър.

[slide 7 Правилен метод]

Правилният метод, който използва един прост криптографски примитив, се нарича challenge-response. Има и реализация в самия HTTP протокол, т.нар. digest authentication, както и в много други системи (например SIP). В web твърде рядко се среща, поради нуждата от още една заявка (или поради неинформираността на разработчиците).

Работи по следния начин:
Сървърът ви генерира nonce – някаква стойност, която е произволна, няма да се повтори пак. Смятате криптографски hash в/у нея и паролата и изпращате резултата на сървъра. Той от своя страна може да направи същото изчисление и да разбере, че вие знаете същата парола.

Така никаква информация за самата ви парола не минава през мрежата, така че дори някой да се представя за сървъра, няма начин да бъде научена.

Методът е по-бавен от другия, понеже изисква още една заявка (да си вземете nonce, с който да работите), т.е. вкарва още един round-trip. Това не е проблем, понеже това така или иначе не трябва да е особено бърз процес – т.е. колкото по-бърз е, толкова по-лесно може да се използва за brute-force атаки.

Тази схема с малко разширяване дава възможност и клиентът да потвърди, че сървъра има паролата (т.е. да се получи двустранна auth.), което ще ви оставя за домашно :) Ние все още не го реализираме, но е в плановете за светлото бъдеще.

[slide 9 Plaintext в базата данни]

Пазенето на паролите се оказва проблем, който твърде малко хора успяват да решат.

Така като гледам, сме 2014, и все пак се случва някоя сериозна услуга да пази паролите в plaintext. Това в някакви моменти е удобно – lost password функционалността може да ви прати директно паролата по пощата (сигурността на което няма да обсъждам).

От друга страна обаче, поне няколко услуги биват hack-нати всяка година и паролите им попадат в ръцете на лоши хора (или в целия internet). Това е доста неприятно за потребителите, понеже те въпреки съветите на експерти и други заблудени люде все пак използват същата парола на много места, което води до допълнителни пробиви и подобни неприятни проблеми.
(съвсем скорошен пример – преди седмица-две-три източиха на ebay паролите)

[slide 10 Първи лесен (и грешен) вариант]

Първото решение на проблема, което е лесно и грешно, е просто да се съхранява някакъв криптографски hash на паролата – md5 (много-лоша-идея) или sha1 (не-толкова-лоша идея). Това се атакува тривиално с rainbow таблици.

Съвсем накратко, rainbow таблиците са пресметнати таблици с (почти) всички възможни пароли, така че лесно да може да се намери в тях някакъв валиден string, който да отговаря на дадения hash. Също така имат метод за съхраняване на по-малко данни, та по принцип за md5 таблиците са под 2TB, за sha1 има таблици с повечето пароли пак в някакъв такъв размер.

Накратко – лоша идея.

[slide 11 Втори лесен (и правилен) вариант]

Второто решение (и първото работещо) е известно на света от поне 1970та година, от хеширането на паролите в старите unix системи, дори в повечето езици името на функцията – crypt() идва от там (тя дори не криптира).

Идеята е проста, генерираният hash да е на някакъв salt и паролата. Salt-ът се подбира да е различен за всяка парола, и се слага преди получения hash. Така лесно може да се пресметне, но не може да му се генерира rainbow таблица (т.е. ако се генерира, ще трябва да съдържа и възможните salt-ове).

[slide 12 Трети не-толкова-лесен (но правилен) вариант]

Третият вариант, който може да се използва (и който сме реализирали при нас) е да се пази “частичен” hash на паролата (т.е. по-точно пълния state на hash функцията) и някакъв salt, така че да може и да се реализира challenge-response. Това ни отне малко повече време за реализация, но така не пазим пароли в plaintext и можем да реализираме challenge-response, за да гарантираме максимална сигурност на потребителите си.

Много близко е до lenghtening атаката в/у хешове.

( Корекция след самата лекция: Реално погледнато, challenge-response може да се реализира дори с хеширани пароли по предишния начин)

[slide 13 Четвърти (велик и труден за правене) вариант]

И последният метод, който дава най-голяма сигурност, и който не съм виждал реализиран никъде, освен на една лекция. Идеята му е в общи линии като на password-authenticated key agreement протоколите, повечето от които поне доскоро бяха патентовани и като цяло не се срещат особено често.

На база на паролата се захранва един pseudo-random генератор, от който след това се генерира двойка RSA ключове (частен и публичен). На сървъра се дава само публичния ключ, а клиентът няма нужда да пази нищо, понеже от паролата може да генерира същата двойка когато си реши. Автентикацията става чрез стандартните схеми за RSA и дава възможност да се пазите от всичките атаки по-горе, и дава още едно ниво на сигурност – ако някой ви се добере до базата на сървъра, с информацията после няма да може даже да влиза при вас, т.е. даже няма да има нужда потребителите да си сменят паролите.

За съжаление не съм виждал никъде реализация на схемата. Описанието и видях в една лекция на Дан Камински преди няколко години.

[slide 14 Further reading]

И понеже темата е доста обширна, може да потърсите този стандарт – password-based key derivation function, както и да погледнете конкурсът за нови такива алгоритми за съхраняване на пароли, може да са ви полезни.

Специално PBKDF2 показва едно доста важно свойство на всички тези схеми. Важно е проверката на паролата да не е максимално бързо действие, а да отнема някакво малко, но достатъчно време, така че да да се направят brute-force атаките по-трудни.
Самият PBKDF е схема за прилагане на хеш функция много пъти (1000, 10000 или нещо такова) върху входни данни и salt, така че от това да се получи някакъв набор битове, които да се използват или като съхранена парола, или като ключ за нещо друго. Поради големия брой действия, които няма как да се направят по-лесно, лесно може да се сметнат параметри, които да ви дадат нещо като 10ms за извършване на сметката, което да доведе до невъзможност да се правят повече от 100 теста в секунда на един core.
М/у другото, пример за използвана такава схема е WPA при wi-fi мрежите – там ключът за комуникация се генерира с pbkdf2 с 1000 пъти sha1 и essid-то (името) на мрежата за salt. Ако някой е пробвал да чупи такива пароли знае, че върви доста по-бавно, отколкото просто на хешове.

[slide 15 Комуникация]

Изразът с тъпата брадва идва от едно изречение на Дийкстра, “Молив не може да се наостри с тъпа брадва, същото важи и за 10 тъпи брадви”. Подобен израз, който може би е по-подходящ (и за който се сетих на лекцията) е “Манчестърска отвертка” – която всъщност е чук, идеалният инструмент за решаване на всякакви проблеми.

[slide 16 Стандартни неща]

По принцип всичко живо използва JSON и HTTP. Те са бавни протоколи, текстови, с много overhead и не-чак-толкова удобни за parse-ване (добре поне, че има такива библиотеки в почти всеки език).

Да не говорим, че HTTP е мислен за съвсем различни неща от тези, за които се използва в момента.

[slide 17 Трябва алтернатива]

Добре е да имаме алтернативи. Не всичките ни клиенти са browser-и, но всички са принудени да ползват интерфейси, писани за тях, което е доста неприятно и на моменти – много неефективно (но понеже хората са свикнали, вече не обръщат внимание). Най-добрият пример е какво ползват мобилните приложения – все http базирани api-та, а те уж са устройства, които трябва да пестят от батерия и CPU колкото се може повече.

Дори в самите browser-и вече не е това единственият подходящ и ефективен начин – в момента навлизат websockets и webrtc, точно заради това.

(имах въпрос от публиката после защо нещо не съм много оптимистично настроен по темата webrtc, човекът (Лъчко всъщност) се надявал да може да замести skype – понеже това, което реално успява да прави skype е да работи през всякакви мрежи и NAT-ове, което за останалата телефония е сложно и не се справя толкова добре. Webrtc-то още не е стигнало да бори наистина сериозно такива проблеми и вероятно ще му трябва доста време, докато започне да се справя с тях).

[slide 18 Примерен binary протокол]

По тази причина ние сме направили допълнителната възможност да може да се комуникира с интерфейсите ни през просто binary api.
Като казвам просто – то наистина е такова, описанието му се събира на няколко страници, реализацията (която имаме публикувана в github) е 700 реда на C или 536 реда на java, заедно с коментарите. Има много по-малко overhead, и се обработва много лесно на всякаква платформа. Също така в себе си има няколко хитрини, например ако в даден пакет определен string се среща повече от веднъж, съдържанието му се пази само на едно място и останалите са reference.

Разбира се, има и други варианти – в един предишен проект сме използвали protobuf (който се оказа доста удобен), има msgpack и какви ли не още отворени проекти с публични реализации за повечето платформи.
(ползвали сме protobuf за един друг проект и даже аз, дето по принцип не пиша код се оправих съвсем лесно да си parse-вам данните)

[slide 19 QUIC и пътят напред]

И да слезем по-надолу – един от проблемите в съществуващите протоколи е, че осъществяването на връзка е бавно. Нужни са 3 пакета (и 1 RTT), за да се осъществи връзка м/у две точки по TCP, а когато добавим SSL/TLS, добавяме и още 2-3 RTT-та в зависимост от някои настройки на протокола.

Едно от съществуващите решения е разработка на google, казва се QUIC – Quick UDP Internet Connections, протокол, който замества комбинацията от TCP+TLS. Има в себе си всички полезни неща от TCP, като правилните алгоритми за напасване на скоростта и congestion avoidance, но криптирането в него е по подразбиране, и осъществяването на връзка става в рамките на едно rtt, заедно с избирането на ключове и т.н..
Има също така интересни feature-и, като например multiplexing – да се обработват няколко заявки в една връзка (като в SCTP). Друго нещо е forward error correction, да може да коригира грешки в пакетите или изгубени такива по вече пратени данни.

Ние сме в процес на разглеждане на протокола, ако ни хареса достатъчно, мислим да го използваме. В момента има поддръжка в chrome и opera, ако придобие достатъчно разпространение, ще реши проблема и с firewall-ите. Разработката на google е пусната под BSD лиценз, и е сравнително малко код на C++, та би трябвало скоро да се появи и на други места.

Като цяло, струва си да прочетете описанието, протоколът е пример как трябва да изглежда следващото поколение internet протоколи.

[slide 20 Употреба на SSL/TLS]

Ако не сте живели под камък в последната година и половина, вероятно сте наясно защо е важно да се ползва криптиране на връзките и по принцип SSL/TLS.
(ако сте, питайте търсачките за Edward Snowden)

Вече повечето услуги имат поддръжка за TLS – отне години и доста лобиране/мрънкане от страна на общността, но е често срещано. Не винаги е реализирано правилно обаче…

[slide 21 Правилна употреба на SSL/TLS]

Първото е, че в твърде много случаи не се обръща внимание на шифрите, които се използват, съответно сигурността на връзката с някои места е почти същата като за без криптография. Пример за това е как преди около година Android смениха списъка си с поддържани шифри/алгоритми и приоритетите им, понеже “в java стандарта било така” (предишния им списък беше взет от openssl). Java 6 е стандарт на около 10 години и в новия е оправено…

Друго важно нещо е т.нар. forward secrecy – това е възможността след осъществяването на връзката двете страни да разменят през DH или друг алгоритъм ключове, които са само за тази сесия и се забравят след нея. Така се подсигуряваме, че дори да изтекат главните ключове на сървъра, то записаната от преди това комуникация няма да може да се декриптира и ще остане тайна.

За заинтересуваните хора, които имат сървъри – на този сайт може да проверите поддръжката си на подходящите алгоритми и шифри, резултатът може да ви е интересен.

И разбира се, SSL/TLS не е панацея, и те имат собствени проблеми (като например heartbleed наскоро).

[slide 22 SSL/TLS Session caching]

За услуги, които имат повече от един физически сървър, който поема криптираните сесии (но на същия domain), има друг полезен момент – да се реализира глобален SSL session cache, който да пази определени параметри, за да не се renegotiate-ват всеки път. Това спестява едно RTT от всяка заявка и определено се усеща.

За целта може да ви се наложи да използвате някакъв backend storage (memcache или redis), в който всичките ви сървъри да пазят тези сесии, но да се подкара не е особено сложно и може да има видим ефект за потребителите ви.

[slide 23 Privacy]

Много услуги правят грешката да разкриват информация за потребителите си, която реално не трябва да излиза извън тях. Например често през някоя функционалност, като lost password или invite може да разберете дали даден потребител е регистриран в услугата.
Това е неприятно, понеже улеснява всякакви атаки в/у вашите потребители, особено ако не сте ориентирани към разпространяване на информацията на потребителите ви и продаването и/им (като почти всички социални мрежи)
(корекция от публиката на лекцията – всички социални мрежи)

Примерът за разкриването дали даден файл (което btw е проблем, който идва основно от дедупликацията в повечето такива услуги) е как един определен service можеше да му кажеш “аз ще ти кача файл с тоя MD5″ и той казваше “а, аз го имам, заповядай”. Това за известно време сериозно се използваше за share-ване на файлове без реално да се вижда какво става…

[slide 24 Не всички клиенти са равни]

Изобщо, на моменти имам чувството, че много от интерфейсите са правени от някой, който приятелката му го е зарязала заради някой developer и той сега държи да си го върне. Представям си човек, който стои в тъмна стаичка, пише спецификация и си мисли “и аз на теб да ти го …”…

Няма един правилен интерфейс, един правилен начин, един пръстен, който ги владее и т.н.. Колкото и да ни се повтаря от някакви хора, които нямат въображение, няма да стане вярно :) Има нужда от интерфейси, който да са удобни за различни хора, по различен начин, от различни среди и различни начини на мислене.

[slide 25 Предаване на параметри]

Например, предаването на параметри. При нас параметър може да бъде предаден където ви е удобно – като GET, като POST, в URL-то на POST-а, или в cookie. Даваме ви възможност за прострелване в крака, но от друга страна ви даваме начин да ни ползвате от възможно най-простите клиенти на тоя свят, които нямат POST.

[slide 26 обработка на request-и в движение]

Нещо, което е повече в категорията “имам тъпа брадва и искам с нея да остря моливи” – ужасно много услуги обработват заявката, след като я получат цялата. Ако качвате файл, който трябва после да отиде по други машини, имате една очевидна латентност, дължаща се на последвалата обработка.

Това се дължи най-вече на ползването на HTTP и криви сървъри, и като цяло може да не е така – повечето content може да се обработва в реално време, докато се качва – да се копира на други места, да му се смятат checksum-и и какво ли не още. Не е нужно да караме потребителите да чакат, само защото нас ни е домързяло да направим няколко прости подобрения.

[slide 27 blatant self-promotion]

И оставащата част от презентацията е хубави неща, които са специфични за cloud storage услуги, или “защо ние сме по-добри от останалите”. Не само ние правим тези неща, но май само ние правим всичките.

[slide 28 Thumbnail combining]

Нещо, което пак идва от тъпата брадва на HTTP/AJAX и компания – ако имате да покажете галерия от thumbnail-и, няма смисъл да ги дърпате един по един. Много по-ефективно е да може да ги комбинирате в един голям файл и да ги показвате, докато пристигат.

Конкретните методи за това са доста грозни (thumb-овете, изредени по един на ред в base64 и се декодират после), но си личи промяната в скоростта.

[slide 29 On-the-fly zip]

Нещо, което идва основно от мързела на разработчиците – не е нужно да генерирате zip файл и така да го дадете на потребителя, може директно да му го stream-нете, понеже zip-ът е такъв удобен формат (явно идва от времената, в които е трябвало да може да се пише на лента). Не е единственият такъв, но е пример за как някои неща могат да се случват моментално, вместо да се изчакват.

[slide 30 Rsync-подобен протокол]

Rsync съществува като идея от времената, в които аз бях младши системен администратор, но по някаква причина не се среща достатъчно често като идея в повечето услуги.

Идеята е много проста – ако от едната страна имате част от даден файл или негова по-ранна версия, е много по-лесно да копирате само разликите, а не целият файл. Поддържаме го и в двете посоки – и за качване, и за сваляне на файлове, като самата идея не е сложна за реализация, дори и в web приложения. Не ползваме директно rsync протокола, понеже не пасва добре в нашия интерфейс, но сме сравнително близо, и също така за една част от хешовете използваме друга функция, понеже се оказва по-удобна.

(още нямаме качена документацията за метода, понеже не остана време, обещавам да я качим в най-скоро време. Ще качим и код, който го реализира.)

[slide 31 Видео с напасващ се bit rate]

Една хубава възможност, която доста video услуги биха могли да предлагат – да се напасва bitrate на видеото към връзката ви (т.е. да не праща с повече, отколкото вие може да приемете), което прави възможно да гледате видеа и на доста неприятна връзка.

[slide 32 Файлови операции]

И накрая нещо, което е повече интересно, отколкото важно – интерфейсът за дребни промени по файловете, редакция на място е доста удобен и помага да се пренесат различни приложения и действията им директно към storage услугата.

[slide 33 Други готини неща за в бъдеще]

Тук исках да кажа и други неща, но не ми стигна времето да ги извадя.

Това е един план за светлото бъдеще (в рамките на годината) – да направим end-to-end криптиране на файловете на потребителите, т.е. да им дадем функционалност, чрез която те още при себе си да криптират всичко и да не можем да го четем, както и да са сравнително сигурни, че не не им подменяме или омазваме файловете. Би трябвало всички да го правят – реално погледнато няма причина нещата, които са лични за потребителя да могат да бъдат известни на оператора на услугата, и има доста разработки по въпроса.
Например, има дори няколко paper-а по темата за криптирана база данни – тя стои криптирана на един сървър (който няма ключовете), вие пращате криптирана заявка, сървъра прави някакви сметки и ви дава отговор от вашите данни, който също е криптиран и който само вие може да разберете. Все още нещата са в начални стадии, но са една добра идея за бъдещето.

[slide 34 Отворени сме към други идеи]

Сигурен съм, че има неща, които съм пропуснал в лекцията, и за които не сме се сетили да сложим в нашата услуга. Приемаме всякакви идеи и критики, а тази лекция винаги може да се удължи (например като за едно-семестриален курс).

Приемаме всякакви корекции и идеи – по принцип имаме натрупана работа като за 3-4 години напред, но това още не е успяло да ни уплаши :)

Errata Security: Can I drop a pacemaker 0day?

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Can I drop a pacemaker 0day at DefCon that is capable of killing people?

Computers now run our cars. It’s now possible for a hacker to infect your car with a “virus” that can slam on the brakes in the middle of the freeway. Computers now run medical devices like pacemakers and insulin pumps, it’s now becoming possible assassinate somebody by stopping their pacemaker with a bluetooth exploit.

The problem is that manufacturers are 20 years behind in terms of computer “security”. They don’t just have vulnerabilities, they have obvious vulnerabilities. That means not only can these devices be hacked, they can be easily be hacked by teenagers. Vendors do something like put a secret backdoor password in a device believing nobody is smart enough to find it — then a kid finds it in under a minute using a simple program like “strings“.
Telling vendors about the problem rarely helps because vendors don’t care. If they cared at all, they wouldn’t have been putting the vulnerabilities in their product to begin with. 30% of such products have easily discovered backdoors, which is something they should already care about, so telling them you’ve discovered they are one of the 30% won’t help.
Historically, we’ve dealt with vendor unresponsiveness through the process of “full disclosure”. If a vendor was unresponsive after we gave them a chance to first fix the bug, we simply published the bug (“drop 0day”), either on a mailing list, or during a talk at a hacker convention like DefCon. Only after full disclosure does the company take the problem seriously and fix it.
This process has worked well. If we look at the evolution of products from Windows to Chrome, the threat of 0day has caused them to vastly improve their products. Moreover, now they court 0day: Google pays you a bounty for Chrome 0day, with no strings attached on how you might also maliciously use it.
So let’s say I’ve found a pacemaker with an obvious BlueTooth backdoor that allows me to kill a person, and a year after notifying the vendor, they still ignore the problem, continuing to ship vulnerable pacemakers to customers. What should I do? If I do nothing, more and more such pacemakers will ship, endangering more lives. If I disclose the bug, then hackers may use it to kill some people.
The problem is that dropping a pacemaker 0day is so horrific that most people would readily agree it should be outlawed. But, at the same time, without the threat of 0day, vendors will ignore the problem.
This is the question for groups that defend “coder’s rights”, like the EFF. Will they really defend coders in this hypothetical scenario, declaring that releasing code 0day code is free speech that reveals problems of public concern? Or will they agree that such code should be suppressed in the name of public safety?
I ask this question because right now they are avoiding the issue, because whichever stance they take will anger a lot of people. This paper from the EFF on the issue seems to support disclosing 0days, but only in the abstract, not in the concrete scenario that I support. The EFF has a history of backing away from previous principles when they become unpopular. For example, they once fought against regulating the Internet as a public utility, now they fight for it in the name of net neutrality. Another example is selling 0days to the government, which the EFF criticizes. I doubt if the EFF will continue to support disclosing 0days when they can kill people. The first time a child dies due to a car crash caused by a hacker, every organization is going to run from “coder’s rights”.
By the way, it should be clear in the above post on which side of this question I stand: for coder’s rights.

Update: Here’s another scenario. In Twitter discussions, people have said that the remedy for unresponsive vendors is to contact an organization like ICS-CERT, the DHS organization responsible for “control systems”. That doesn’t work, because ICS-CERT is itself a political, unresponsive organization.

The ICS-CERT doesn’t label “default passwords” as a “vulnerability”, despite the fact that it’s a leading cause of hacks, and a common feature of exploit kits. They claim that it’s the user’s responsibility to change the password, and not the fault of the vendor if they don’t.

Yet, disclosing default passwords is one of the things that vendors try to suppress. When a researcher reveals a default password in a control system, and a hacker exploits it to cause a power outage, it’s the researcher who will get blamed for revealing information that was not-a-vulnerability.

I say this because I was personally threatened by the FBI to suppress something that was not-a-vulnerability, yet which they claimed would hurt national security if I revealed it to Chinese hackers.

Again, the only thing that causes change is full disclosure. Everything else allows politics to suppress information vital to public safety.


Update: Some have suggested it’s that moral and legal are two different arguments, that someone can call full disclosure immoral without necessarily arguing that it should be illegal.

That’s not true. That’s like saying that speech is immoral when Nazi’s do it. It isn’t — the content may be vile, but the act of speaking never immoral.

The “moral but legal” argument is too subtle for politics, you really have to pick one or the other. We saw that happen with the EFF. They originally championed the idea that the Internet should not be regulated. They, they championed the idea of net neutrality — which is Internet regulation. They original claimed there was no paradox, because they were saying merely that net neutrality was moral not that it should be law. Now they’ve discarded that charade, and are actively lobbying congress to make net neutrality law.

Sure, sometimes some full disclosure will result in bad results, but more often, those with political power will seek to suppress vital information with reasons that sound good at the time, like “think of the children!”. We need to firmly defend full disclosure as free speech, in all circumstances.


Update: Some have suggested that instead of disclosing details, a researcher can inform the media.

This has been tried. It doesn’t work. Vendors have more influence on the media than researchers.

We say this happen in the Apple WiFi fiasco. It was an obvious bug (SSID’s longer than 97 bytes), but at the time Apple kernel exploitation wasn’t widely known. Therefore, the researchers tried to avoid damaging Apple by not disclosing the full exploit. Thus, people could know about the bug without people being able to exploit it.

This didn’t work. Apple’s marketing department claimed the entire thing was fake. They did later fix the bug — claiming it was something they found unrelated to the “fake” vulns from the researchers.

Another example was two years ago when researchers described bugs in airplane control systems. The FAA said the vulns were fake, and the press took the FAA’s line on the problem.

The history of “going to the media” has demonstrated that only full-disclosure works.

Krebs on Security: Why You Should Ditch Adobe Shockwave

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

This author has long advised computer users who have Adobe‘s Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it.

shockwaveMy re-education on this topic comes courtesy of Will Dormann, a computer security expert who writes threat advisories for Carnegie Mellon University’s CERT. In a recent post on the release of the latest bundle of security updates for Adobe’s Flash player, Dormann commented that Shockwave actually provides its own version of the Flash runtime, and that the latest Shockwave version released by Adobe has none of the recent Flash fixes.

Worse yet, Dormann said, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013. By my count, Adobe has issued nearly 20 separate security updates for Flash since then, including fixes for several dangerous zero-day vulnerabilities.

“Flash updates can come frequently,  but Shockwave not so much,” Dormann said. “So architecturally,  it’s just flawed to provide its own Flash.”

Dormann said he initially alerted the public to this gaping security hole in 2012 via this advisory, but that he first told Adobe about this lackluster update process back in 2010.

As if that weren’t bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. That’s because Shockwave has several modules that don’t opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as SafeSEH.

“So not only are the vulnerabilities there, but they’re easier to exploit as well,” Dormann said. “One of the things that helps make a vulnerability more difficult [to exploit] is how many of the exploit mitigations a vendor opts in to. In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH.   Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example.”

Adobe spokeswoman Heather Edell confirmed that CERT’s information is correct, and that the next release of Shockwave Player will include the updated version of Flash Player.

“We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.

For those who need Shockwave Player installed for some reason, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET 4.1 or higher)) can help prevent the exploitation of this weakness.

Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.

Krebs on Security: The Mad, Mad Dash to Update Flash

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

An analysis of how quickly different browser users patch Adobe Flash vulnerabilities shows a marked variation among browser makers. The data suggest that Google Chrome and Mozilla Firefox users tend to get Flash updates relatively quickly, while many users on Microsoft’s Internet Explorer browser consistently lag behind.

The information comes from ThreatMetrix, a company that helps retailers and financial institutions detect and block patterns of online fraud. ThreatMetrix Chief Technology Officer Andreas Baumhof looked back over the past five months across 10,000+ sites the company serves, to see how quickly visitors were updating to the latest versions of Flash.

Baumhof measured the rates of update adoption for these six Flash patches:

Jan 14, 2014 – APSB14-02 Security updates available for Adobe Flash Player (2 critical vulnerabilities)

Feb 4, 2014 – APSB14-04 Security updates available for Adobe Flash Player (2 critical flaws, including 1 zero-day)

Feb 20, 2014 – APSB14-07 Security updates available for Adobe Flash Player (1 zero-day)

Mar 11, 2014 – APSB14-08 Security updates available for Adobe Flash Player (2 critical vulnerabilities)

Apr 8, 2014, – APSB14-09 Security updates available for Adobe Flash Player (4 critical vulnerabilities)

Apr 28, 2014 - APSB14-13 Security updates available for Adobe Flash Player (1 zero-day)

Overall, Google Chrome users were protected the fastest. According to Baumhof, Chrome usually takes just a few days to push the latest update out to 90 percent of users. Chrome pioneered auto-updates for Flash several years ago, with Firefox and newer versions of IE both following suit in recent years.

The adoption rate, broken down by browser type, of the last six Adobe Flash updates.

The adoption rate, broken down by browser type, of the last six Adobe Flash updates.

Interestingly, the data show that IE users tend to receive updates at a considerably slower clip (although there are a few times in which IE surpasses Firefox users in adoption of the latest Flash updates).  This probably has to do with the way Flash is updated on IE, and the legacy versions of IE that are still out there. Flash seems to have more of a seamless auto-update process on IE 10 and 11 on Windows 8 and above, and more of a manual one on earlier versions of the browser and operating system.

Another explanation for IE’s performance here is that it is commonly used in business environments, which tend to take a few days at least to test patches before rolling them out in a coordinated fashion across the enterprise along with the rest of the Patch Tuesday updates.

The following graphic depicts Flash patch adoption by IE version for Period #4 in the image above (Mar 11, 2014 - APSB14-08 Security updates available for Adobe Flash Player (2 critical vulnerabilities)):

Adoption of Flash patch APSB14-08 (Mar. 11, 2014), broken down by IE version.

Adoption of Flash patch APSB14-08 (Mar. 11, 2014), broken down by IE version.

“In the period 4 you can see that IE11 is nicely up to 90% – which is in line with Chrome, but obviously the older the browser version, the less updated Flash is,” Baumhof said.

It’s unclear what might explain the apparent slow uptake of Flash patches for IE and Firefox users following the January and early April Flash updates. It’s worth noting, however, that the Flash patches which saw the fastest uptake regardless of browser type included fixes for zero-day vulnerabilities (see periods 2, 3 and 6 in the first graphic above).

While Chrome appears to have the speediest update process for Flash patches (the company frequently pushes Flash updates out even before Adobe releases them publicly), it’s important to remember that applying any auto-pushed Flash patches in Chrome requires a restart of the browser.

“I use Chrome and I typically never close my browser as I always just hibernate my computer,” Baumhof said. “I noticed that it took me almost seven days to apply a Flash update because Chrome could only do this when you restart the browser, and I simply wasn’t aware of it.”

Flash is a buggy security risk, but a great many Web sites simply won’t work or display certain content without the Flash plugin installed. As such, I’ve urged readers to take advantage of Click-to-Play, which blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash content inside of them.

Krebs on Security: Adobe, Microsoft Issue Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each released software updates to plug dangerous security holes in their products. Adobe pushed patches to fix holes in Adobe Acrobat/Reader as well as Flash Player. Microsoft issued eight update bundles to nix at least 13 security vulnerabilities in Windows and software that runs on top of the operating system.

A majority of the patches released by Microsoft are fixes for products that run in enterprise environments. Chief among the consumer-facing Microsoft updates is cumulative patch for Internet Explorer that fixes a pair of flaws in all supported versions of IE. This patch also includes the emergency update that Microsoft released earlier this month to address a zero-day vulnerability in IE. Microsoft also issued fixes for several Office vulnerabilities. This month’s batch also includes a .NET fix, which in my experience is best installed separately.

Adobe released a fix for its Flash Player software that corrects at least six security flaws. The Flash update brings the media player to v. 13.0.0.214 on Windows and Mac systems, and v. 11.2.202.359 for Linux users. To see which version of Flash you have installed, check this link

IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

In addition, there is an update available that fixes at least 11 security holes in versions of Adobe Acrobat and Adobe Reader. Windows and Mac users should update to the latest  version (11.0.07).

SANS Internet Storm Center, InfoCON: green: And the Web it keeps Changing: Recent security relevant changes to Browsers and HTML/HTTP Standards, (Tue, May 6th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

As we all know, web standards are only leaving “draft” status once they start becoming irrelevant. It is a constant challenge to keep up with how web browsers interpret standards and how the standards themselves keep changing. We are just going through one of the perpetual updates for our “Defending Web Applications” class, and I got reminded again about some of the changes we had to make over the last year or so.

Autocomplete=Off

This weekend we just had yet another post about people picking bad passwords. The only real way around this problem is a password manager. For a long time, browsers included features to allow you to save passwords. But historically, these features were not liked very well as they tended to protect the password inadequately. But with the number of leaked passwords going up and up, and browser makers feeling more confident about their built in password safe features, some browsers started to ignore this setting. For example recent versions of Chrome and Safari will offer saving your password no matter if the “autocomplete=off” attribute is set or not.

BTW: You may still need to keep your autocomplete=off attribute in your forms to pass the PCI audit. After all, in this case you are not defending against hackers but against auditors and the attribute still works great to fend of auditor questions.

In the end, this means it is up to the user to decide to enable or disable this feature, and what password safe to use. Personally I don’t think you can do without a password safe. But some people still think they can remember > 100 random passwords/passphrases. (I am having a hard time with one or two).

Cookie2 Headers

“nobody” ever really used the Cookie2 header. It was supposed to address privacy concerns people had with regular cookies. Cookies set via the Cookie2 header are essentially session cookies. They can not be set “cross domain” and they expire as soon as you close the browser. But that was back in the day when people still considered privacy as something attainable. RFC 6265 officially obsoletes Cookie2 back in 2011. I guess nobody noticed (me neither) because nobody uses it.

URL Bars

Another “good old days” feature of many browsers was URL bars. They are slowly disappearing. The simple reason is that most users (no… you are not “most users” as you are reading this post) have no idea what a URL is or how to decipher it. It all started with mobile browsers who pushed the URL off the screen as soon as possible to save the few mega pixels it would take to render the URL bar. I think it was Internet Explorer 8 where I first noticed that the URL bar got squished into a corner in order to provide more space for the search bar. Google now is tying to make this change more official by only showing the hostname, not the full URL, in recent beta releases of Chrome. The idea here is that the hostname is what matters and the other parts of the URL are usually just used by phishers to confuse the user as to the actual location of the page.

Anything I missed? Not looking for brand new features like HTTP/2.0 but for old features that no longer work in new browsers and are somewhat security related. I may add a couple more items to this post or as a comment as I remember them.

 

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Linux How-Tos and Linux Tutorials: How to Use Google Web Designer for HTML5 Design on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

Google Web Designer is a GUI tool created by Google for designing advanced HTML5 content using an integrated visual editor interface. It can create an interactive HTML5 web page as well as animated graphic ads that can run on any device. This tool is finally available for Linux, while it is still in beta stage. […]
Continue reading…

The post How to use Google Web Designer for HTML5 design on Linux appeared first on Xmodulo.

Read more at Xmodulo

Krebs on Security: Adobe Update Nixes Flash Player Zero Day

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appear to target Microsoft Windows users, but updates also are available for Mac and Linux versions of Flash.

brokenflash-aThe Flash update brings the media player to v. 13.0.0.206 on Windows and Mac systems, and v. 11.2.202.356 for Linux users. To see which version of Flash you have installed, check this link.

IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

In its advisory about this vulnerability, Adobe said it is aware of reports that an exploit for the flaw (CVE-2014-0515) exists in the wild, and is being used to target Flash Player users on the Windows platform.

That advisory credits Kaspersky Lab with reporting the vulnerability, and indeed Kaspersky published a blog post today detailing two new exploits that have been spotted in the wild attacking this vulnerability. Both exploits, according to Kaspersky, have been used in so-called “watering hole” espionage attacks, an increasingly common attack technique involving the compromise of legitimate websites specific to a geographic area which the attackers believe will be visited by end users who belong to the organization they wish to penetrate.

This is the second time in as many months that Adobe has shipped a patch to fix a zero-day vulnerability in Flash. What’s more, a well-known Flash exploitation technique was implicated in a separate Internet Explorer zero-day attack that Microsoft warned about yesterday.

While Flash is required by a great many Web sites, there is no reason to let this browser plug-in run content automatically when you visit a Web site. Rather, I’ve urged readers to rely on “click-to-play,” a feature built into Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari) that blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside of them. For more on setting up your browser to use click-to-play for Flash and other browser plugins, see Help Keep Threats at Bay with Click to Play.

SANS Internet Storm Center, InfoCON: yellow: Reverse Heartbleed Testing, (Sun, Apr 13th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: yellow and was written by: SANS Internet Storm Center, InfoCON: yellow. Original post: at SANS Internet Storm Center, InfoCON: yellow

I wanted to know if the tools/software I execute regularly are vulnerable to scraping my system memory.  Now the reverse heartbleed scenario is very possible, but the likelihood seems to be much more of a non-issue.  

Seeing is still believing in my book.  So I set out to see what the interweb world was doing to test this out.  There are some very reputable services/organizations out there offering up a fresh url to the reverse heartbleed and others offering to 'test' a given url.   These are a black box.  Trust is hard to earn at times, especially when you are dealing with an exploit like this one.  I wanted to see source code, or at least pseudocode so I could craft my own.  I found a script out there called Pacemaker [1] that was written and provided by Peter Wu.  I liked it because it was transparent, simple, and it can be used exclusively under my control (the ultimate first step of developing trust).

So simple, I was able to review it for harm and function, and cut and paste it into vi.  Escape, write, quit, and I was off and running.   Basically it works like a simple webserver, very simple.  The script is executed and listens on port 4433.  You point your client software at it with a localhost url and the server script reports on STDOUT what it finds.  

I did not have any vulnerable client software readily available to give a whirl, but I did try all my curl and wget installs that I use regularly.   I also hit it with Chrome and Safari to see the error messages.

Here is what I tested with it.

wget 1.11.4:  

Connection from: 10.0.0.11:60401
Unable to check for vulnerability: SSL 2.0 clients cannot be tested
 
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5:
 
Connection from: 10.0.0.11:60418
Got Alert, level=Fatal, description=40
Not vulnerable! (Heartbeats disabled or not OpenSSL)
 
curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5:
 
Connection from: 127.0.0.1:59451
Possibly not vulnerable
 
Chrome 34.0.1847.116:

Connection from: 127.0.0.1:59490
Got Alert, level=Fatal, description=47
Not vulnerable! (Heartbeats disabled or not OpenSSL)
 

I am interested in seeing more output from known vulnerable client software.  Feel free to give this a ride and share your results.  If I get a chance to spin out a new VM with some vulnerable OpenSSL on it today, then I will share my experiences too.

 

[1]   https://github.com/Lekensteyn/pacemaker


-Kevin

ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe, Microsoft Push Critical Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft each issued updates to fix critical security vulnerabilities in their software today. Adobe patched its Flash Player software and Adobe AIR. Microsoft issued four updates to address at least 11 unique security flaws, including its final batch of fixes for Office 2003 and for systems powered by Windows XP.

crackedwinTwo of the four patches that Microsoft issued come with Redmond’s “critical” rating (its most severe), meaning attackers or malware can exploit the flaws to break into vulnerable systems without any help from users. One of the critical patches is a cumulative update for Internet Explorer (MS14-018); the other addresses serious issues with Microsoft Word and Office Web apps (MS14-017), including a fix for a zero-day vulnerability that is already being actively exploited. More information on these and other patches are available here.

As expected, Microsoft also used today’s patch release to pitch XP users on upgrading to a newer version of Windows, warning that attackers will begin to zero in on XP users even more now that Microsoft will no longer be issuing security updates for the 13-year-old operating system. From Microsoft’s Technet blog:

“From the year that Windows XP was built, cyber attacks have increased in sophistication.  Systems receiving regular updates get the protections they need based on the latest cyber threats.  But at some point an older model of any product will lack the capability to keep up and becomes antiquated.  Obsolescence for Windows XP is just around the corner.

Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues.  Over time, attackers will evolve their malicious software, malicious websites, and phishing attacks to take advantage of any  newly discovered vulnerabilities in Windows XP, which post April 8th, will no longer be fixed.”

Microsoft offers free a Windows XP data transfer tool to ease the hassle of upgrading to a newer version of Windows. I would submit that if your PC runs XP and came with XP installed, that it might be time to upgrade the computer hardware itself in addition to the software. In any case, beyond this month is not the greatest idea, and it’s time for XP users to consider other options. Don’t forget that there are many flavors of Linux that will run quite happily on older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of dozens of flavors of Linux available via Live CD.

ADOBE

Adobe fixed at least four vulnerabilities in Flash, all of them critical. The company says it is not aware of any exploits in the wild against the flaws. The latest version is v. 13.0.0.182 for Windows, Mac and Linux systems. The Adobe advisory for the Flash update is here.

This link will tell you which version of Flash your browser has installed. IE10/IE11 for Windows 8.0/8.1 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 34.0.1847.116 for Windows, Mac, and Linux (to learn what version of Chrome you have, click the stacked bars to the right at of the address bar, and select “About Google Chrome” from the drop down menu).

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

If you use Adobe AIR (required by some desktop software products such as Pandora, e.g.,), you’ll need to make sure that’s updated as well. AIR usually does a good job of checking for new versions on startup. If you’re not sure whether you have AIR installed or what version it’s at, see these directions. The latest version is 13.0.0.83, and is available for manual download here.

flash13-0-0-182

Linux How-Tos and Linux Tutorials: Replace the Retiring Windows XP with Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

Windows XP is officially retired as of April 8, 2014. Microsoft has tried to retire XP several times before, but due to enterprise customer demand had to continue supporting it. But this time they really really mean it, for reals.

If you’re using Windows XP, it won’t stop working. All this means is you won’t get security patches or technical support anymore. So what should you do? You can continue using it, as you always have. Or, you can upgrade to Windows 8.1, the newest Windows, or Windows 7. Or switch to Linux. Let’s look at the pros and cons of upgrading to a newer Windows.

KDE desktop

Windows 8.1 has a completely re-designed interface that looks a lot like an over-excited automated teller machine. It adds support for touchscreens, and is supposed to be less obese and peppier than 7. Windows 7 does not support touchscreens, and doesn’t look much different from XP. If you buy a new computer that comes with 8.1 and decide you don’t like it, you can “downgrade” to Windows 7. Downgrading is a huge hassle that requires having the proper “license rights”, the purchase of Windows 7 Professional at $139 for the OEM version, or $209 for the full retail version, phoning home to Microsoft for permission to do what you want with your own computer, and then installing it. The OEM version comes with no technical support; otherwise it’s pretty much the same as the full retail version. Microsoft considers this a temporary downgrade, until you come to your senses and learn to love 8.1.

Another option is to purchase Windows 8.1 or 7 and install it on your XP computer. If your XP machine is more than six years old, chances are it won’t support the newer Windows releases, because they need considerably more power and storage. Your favorite XP applications may or may not work on the newer Windowses, if you even still have the original installation media, and peripherals such as scanners and printers may not be supported. So the most likely scenario is buying a whole new computer, and possibly new applications and peripherals. You can still get Win 7 PCs, though that option is slowly evaporating.

Try Linux

Any option other than keeping your existing Windows XP system is going to cost money, hassles, or both. So why not give Linux a try? It is a mature, rock-solid professional computing platform you can rely on. You can download it for free, copy it to a USB stick or DVD, and try it without installing it to your hard drive. If there is enough room on your hard drive, you can install Linux alongside XP and choose the one you want to run at boot. If your XP computer is powerful enough and you have your original installation media, you can run XP inside a virtual machine on Linux. Yes, you can have it all.

Let’s run through the pros and cons of switching to Linux. First the good parts:

  • Immune to Windows malware, and you don’t need anti-malware software
  • Offers both free of cost and supported options
  • Runs great on older, less-powerful hardware
  • No insane license restrictions
  • No artificially crippled versions to justify multiple price points
  • No phoning home to the mothership for permission to use your own computer the way you want to
  • Flexible and configurable
  • Easy one-click software installation and removal, from secure sources
  • Great hardware support, without having to hunt down drivers
  • A giant world of great software for free, and lots of great commercial software
  • Maintained by an open, global community of first-rate developers and contributors
  • All Linux software is available on the Internet, so you never lose it.

There are also some downsides you must take into account. Your Windows applications won’t run on Linux, unless they also have Linux versions. For example, Web browsers such as Firefox, Opera, and Chrome run on Windows and Linux. Productivity apps like Moneydance (personal finance), LibreOffice (office suite), Thunderbird (email) and a lot of games run on Windows and Linux. Windows apps like Outlook, Internet Explorer and MS Office do not run on Linux. So you’ll need to make an inventory of the apps you need and see if they have Linux versions, or if there is an equivalent you can use. I’ll be surprised if you can’t find equivalent or better alternatives.

You can make Linux look like Windows. You’re still going to have to learn some new ways of doing thing, but as it’s all just pointy-clicky it’s no big deal. Windows 7 is different from XP, and Windows 8.1 is radically different, so any change means you’ll have to learn some new things.

Buying a Linux Computer

Installing Linux is pretty easy, but if you’d rather buy a good computer with Linux already installed there are a lot of great independent Linux computer vendors. They are skilled specialists, and you’ll get good hardware and great service. The typical low-budget Windows PC is specced to the micro-penny, and built with the cheapest possible components. Linux shops like System76 and ZaReason engineer their computers with reliable, good-quality components, and they stand behind their products.

Which Linux?

Another Linux advantage is hundreds of variants called distributions, or distros for short. Every one is tailored a little bit differently. Ubuntu Linux is very popular, and offers both free-of-cost downloads, and commercial support options. Linux Mint is a popular Ubuntu variant. openSUSE and Fedora Linux are great distros for advanced users who like to stay on top of new technologies. Mageia Linux is a wonderful desktop Linux for beginners to advanced users. Please visit the Resources section (below) for pointers to all kinds of helpful information.

The Myth That Must Die

I am not a Windows fan. I’ve worked exclusively in Linux since the early 2000s, except for occasional forays into Windows to keep up with new developments. I’ve written books, hundreds of how-to articles, done Web development, and all of my multimedia production on Linux. You’d think the richest software company on the planet would be able to make a bulletproof, secure, easy-to-use operating system. They have failed at this, and are still failing. One of my biggest peeves is that Microsoft’s marketing created the false illusion that personal computers are easy to use, and require no special training. This is not true. It has never been true. A personal computer is an extremely complex and sophisticated power tool. Just owning a computer does not magically bestow all manner of skills on you. It does not make you into an accountant, publisher, artist, musician, big data analyst, security expert, writer, scientist, or anything at all. Except perhaps befuddled a lot. Windows is not easy. Linux is many times easier to operate and maintain, and many times less restrictive.

You Might Want Android

If all you really need is a nice little portable device for Web surfing, social media, email, reading books, listening to music, playing games, and watching movies then get an Android tablet. Android is a Linux variant, but stripped-down and simplified. You literally poke it with a finger to operate it. ZaReason has a really nice 9.7″ tablet, the ZaTab, that is completely open, and not locked down like so many Android devices. Android is also coming to laptops and desktops, so keep an eye on the market to watch for something that might work for you.

The bottom line is that any change away from Windows XP is going to involve expense and a learning curve, so why not consider leaving Windows-land, and investing your time and money in the solid, reliable Linux world?

Resources

Weekend Project: Linux For Beginners
Ubuntu Unleashed is the best Linux book for beginners
Ubuntu Linux
Linux Mint
Mageia Linux
Fedora Linux
openSUSE
Cynthia Harvey has a large and excellent body of articles on Linux and open source replacements for Windows applications.

lcamtuf's blog: Messing around with <a download>

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

Not long ago, the HTML5 specification has extended the semantics for <a href=…> links by adding the download attribute. In a nutshell, the markup allows you to specify that an outgoing link should be always treated as a download, even if the hosting site does not serve the file with Content-Disposition: attachment:

<a href="http://i.imgur.com/b7sajuK.jpg" download>What a cute kitty!</a>

I am unconvinced that this feature scratches any real itch for HTTP links, but it’s already supported in Firefox, Chrome, and Opera.

Of course, there are some kinks: in absence of the Content-Disposition header, the browser needs to figure out the correct file name for the download. In practice, this is always done based on the path seen in the URL. That’s not great, because a good majority of web frameworks will tolerate trailing garbage in the path segment; indeed, so does imgur.com. Let’s try it out:

<a href="http://i.imgur.com/b7sajuK.jpg/KittyViewer.exe" download>What a cute kitty!</a>

But we shouldn’t dwell on this, because the download syntax makes it easy for the originating page to simply override that logic and pick any file name and extension it likes:

<a href="http://i.imgur.com/b7sajuK.jpg" download="KittyViewer.exe">What a cute kitty!</a>

That’s odd – and keep in mind that the image we are seeing is at least partly user-controlled. A location like this can be found on any major destination on the Internet: if not an image, you can always find a JSON API or a HTML page that echoes something back.

It also helps to remember that it’s usually pretty trivial to build files that are semantically valid to more than one parser, and have a different meaning to each one of them. Let’s put it all together for a trivial PoC:

<a href="http://api.bing.com/qsonhs.aspx?q=%22%26notepad%26"
  download="AltavistaToolbar.bat">Download Bing toolbar from bing.com</a>

That’s pretty creepy: if you download the file on Windows and click “open”, the payload will execute and invoke notepad.exe. Still, is it a security bug? Well… the answer to that is not very clear.

For one, there is a temptation to trust the tooltip you see when you hover over a download link. But if you do that, you are in serious trouble, even in absence of that whole download bit: JavaScript code can intercept the onclick event and take you somewhere else. Luckily, most browsers provide you with a real security indicator later on: the download UI in Internet Explorer, Firefox, and Safari prominently shows the origin from which the document is being retrieved. And that’s where the problem becomes fairly evident: bing.com never really meant to serve you with an attacker-controlled AltavistaToolbar.bat, but the browser says otherwise.

The story gets even more complicated when you consider that some browsers don’t show the origin of the download in the UI at all; this is the case for Chrome and Opera. In such a design, you simply have to put all your faith in the origin from which you initiated the download. In principle, it’s not a completely unreasonable notion, although I am not sure it aligns with user expectations particularly well. Sadly, there are other idiosyncrasies of the browser environment that mean the download you are seeing on a trusted page might have been initiated from another, unrelated document. Oops.

So, yes, browsers are messy. Over the past few years, I have repeatedly argued against <a download> on the standards mailing lists (most recently in 2013), simply because I think that nothing good comes out of suddenly taking the control over how documents are interpreted by the browser away from the hosting site. I don’t think that my arguments were particularly persuasive, in part because nobody seemed to have a clear vision for the overall trust model around downloads on the Web.

PS. Interestingly, Firefox decided against the added exposure and implemented the semantics in a constrained way: the download attribute is honored only if the final download location is same-origin with the referring URL.

SANS Internet Storm Center, InfoCON: green: Identification and authentication are hard … finding out intention is even harder, (Thu, Mar 13th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

While the drama about the lost airplane in Malaysia is still continuing, our hearts of course go out to the families of the missing. This ISC diary though is not about airplanes, or terrorism, it is rather about the related discovery that at least two passengers on the plane were using fake passports. Equally startling was the comment by Interpol that this is "common". What is the point of maintaining, for example, a no-fly list, if those listed on it anyway travel with stolen documents, and if the security checkpoint apparently fails to determine that a 19yr old doesn't look like a 40yr old, and that Italians who don't speak at least rudimentary Italian are, well, somewhat rare?

If we translate this to the virtual world, it turns into an everyday problem. How do we know that Joe using Joe's password is actually Joe, and not Jane? I probably should call them "Bob" and "Alice" to make this worthy of a scientific paper :), but the problem still stands: identification and authentication are hard, and finding out intentions is even harder. If we take from the airport physical security playbook, then it is "behavior" that makes the difference. The security checkpoint guys are (supposedly) trained to look for "clues" like nervousness, and carry-on baggage that is leaking 1,2,3-trinitroxypropane. Inevitably, there are numerous software products that claim to identify the "unusual" as well. Joe connecting from Connecticut, even though he lives in Idaho? Alert! Joe using Chrome even though he used Firefox last time? Alert! Joe typing his password faster than usual? Alert!

But like in the physical world, this kind of profiling only works well if you have a pretty homogenous and static "good guy" population, and a pretty well defined adversary. The real world, unfortunately, tends to be more diverse and complex than that. Which is why login fraud detection, just as airport security, often drowns in the "false positives", and as a result, de-tunes the sensitivity to the point where real fraud has stellar odds to just slip by. This is a fundamental issue with many security measures. Statisticians call this "base rate fallacy". If there are many many! more good guys than bad guys, finding the bad guys with a test that has a high error rate is pretty much: moot.

Checking the passports against the Interpol list of stolen passports .. wouldn't hurt though. Not doing this is akin to letting someone log in to an account that is suspended, or log in with a password that was valid two years ago.
 

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe, Microsoft Push Security Updates

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each released software updates to fix serious security flaws in their products. Adobe pushed an update that plugs a pair of holes in its Flash Player software. Microsoft issued five updates, including one that addresses a zero-day vulnerability in Internet Explorer that attackers have been exploiting of late.

crackedwinMicrosoft’s five bulletins address 23 distinct security weaknesses in Microsoft Windows, Internet Explorer and Silverlight. The Internet Explorer patch is rated critical for virtually all supported versions of IE, and plugs at least 18 security holes, including a severe weakness in IE 9 and 10 that is already being exploited in targeted attacks.

Microsoft notes that the exploits targeting the IE bug seen so far appear to perform a check for the presence of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET); according to Microsoft, the exploits fail to proceed if EMET is detected. I’ve recommended EMET on several occasions, and would encourage any Windows users who haven’t yet deployed this tool to spend a few minutes reading this post and consider taking advantage of it to further harden their systems. The latest version — 4.1 — is available at this link and requires Microsoft’s .NET Framework 4 platform. For those of you who don’t mind beta-testing software, Microsoft has released a preview version of the next generation of EMET — EMET 5.0 Technical Preview.

This month’s updates include a fix for another dangerous bug – deep within the operating system on just about every major version of Windows  – that also was publicly disclosed prior to today’s patches. Microsoft’s Technet Blog has more details on these and other bulletins released today.

Readers still using Windows XP should remember that after next month, Microsoft will stop releasing security updates for that version of Windows. Microsoft recently announced that it will make available for free a Windows XP data transfer tool to ease the hassle of upgrading to a newer version of Windows. I would submit that if your PC runs XP and came with XP installed, that it might be time to upgrade the computer hardware itself.

In any case, using Windows XP beyond next month is not the greatest idea, and it’s time for XP users to consider other options. Don’t forget that there are many flavors of Linux that will run quite happily on older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of dozens of flavors of Linux available via Live CD.

FLASH UPDATE

brokenflash-aAdobe’s Flash update brings the media player to  v. 12.0.0.77 on Windows and Mac OS X.  This link will tell you which version of Flash your browser has installed. IE10 and Chrome should auto-update their versions of Flash. If your version of Chrome (on either Windows, Mac or Linux) is not yet updated to v. 12.0.0.77you may just need to close and restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (FirefoxOpera, e.g.). Adobe does not appear to have released any updates for AIR as it often does when pushing new Flash patches.

As always, please drop a note in the comments section if you experience any issues with the updates released today.

adobeupdate3-14

SANS Internet Storm Center, InfoCON: green: Adobe Updates: Flash Player, (Tue, Mar 11th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe released a new version of Flash Player as part of today's patch Tuesday. No details are available yet. We will update this diary once the details become available. Note that this will also affect browsers like Chrome that include an embeded version of Flash.

 

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: Apple iOS 7.1, (Mon, Mar 10th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Here is detailed information on today's Apple releases – both iOS and Apple TV were updated

APPLE-SA-2014-03-10-1 iOS 7.1

iOS 7.1 is now available and addresses the following:

Backup
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A maliciously crafted backup can alter the filesystem
Description:  A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem. This issue was addressed by checking for symbolic links
during the restore process.
CVE-ID
CVE-2013-5133 : evad3rs

Certificate Trust Policy
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Root certificates have been updated
Description:  Several certificates were added to or removed from the
list of system roots.

Configuration Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Profile expiration dates were not honored
Description:  Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267

CoreCapture
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application can cause an unexpected system
termination
Description:  A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella

Crash Reporting
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to change permissions on arbitrary
files
Description:  CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs

dyld
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Code signing requirements may be bypassed
Description:  Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs

FaceTime
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description:  FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen. This issue was
addressed through improved handling of FaceTime calls.
CVE-ID
CVE-2014-1274

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description:  An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski

IOKit HID Event
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may monitor on user actions in other
apps
Description:  An interface in IOKit framework allowed malicious apps
to monitor on user actions in other apps. This issue was addressed
through improved access control policies in the framework.
CVE-ID
CVE-2014-1276 : Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye

iTunes Store
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A man-in-the-middle attacker may entice a user into
downloading a malicious app via Enterprise App Download
Description:  An attacker with a privileged network position could
spoof network communications to entice a user into downloading a
malicious app. This issue was mitigated by using SSL and prompting
the user during URL redirects.
CVE-ID
CVE-2014-1277 : Stefan Esser

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description:  An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs

Office Viewer
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description:  A double free issue existed in the handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team

Photos Backend
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Deleted images may still appear in the Photos app underneath
transparent images
Description:  Deleting an image from the asset library did not delete
cached versions of the image. This issue was addressed through
improved cache management.
CVE-ID
CVE-2014-1281 : Walter Hoelblinger of Hoelblinger.com, Morgan Adams,
Tom Pennington

Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A configuration profile may be hidden from the user
Description:  A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure

Safari
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  User credentials may be disclosed to an unexpected site via
autofill
Description:  Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB

Settings – Accounts
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description:  A state management issue existed in the handling of the
Find My iPhone state. This issue was addressed through improved
handling of Find My iPhone state.
CVE-ID
CVE-2014-1284

Springboard
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
see the home screen of the device even if the device has not been
activated
Description:  An unexpected application termination during activation
could cause the phone to show the home screen. The issue was
addressed through improved error handling during activation.
CVE-ID
CVE-2014-1285 : Roboboi99

SpringBoard Lock Screen
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A remote attacker may be able to cause the lock screen to
become unresponsive
Description:  A state management issue existed in the lock screen.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-1286 : Bogdan Alecu of M-sec.net

TelephonyUI Framework
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A webpage could trigger a FaceTime audio call without user
interaction
Description:  Safari did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross

USB Host
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description:  A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group

Video Driver
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description:  A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: SeriesGuide Turns Chrome Browser Into a TV Torrent TiVo

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

It’s no secret that many people catch up with their favorite TV-shows via BitTorrent. Popular shows such as Game of Thrones and The Walking Dead are downloaded millions of times by people from all over the world.

While downloading and/or sharing copyrighted material is against the law in many countries, there are plenty of tools around to help people’s TV-torrenting habits. The new Chrome extension ‘SeriesGuide’ falls into this category.

SeriesGuide keeps track of people’s favorite TV-shows, which are then displayed in a calendar format, so users know when to tune in. In addition, it offers Pirate Bay download links for each episode, ranked by the number of seeders and leechers.

SeriesGuide Overview

TF caught up with SeriesGuide’s developer who goes by the nickname SchizoDuckie. The developer says he coded the extension to fix a recurring problem he faced.

“I’m developing this mostly because it’s a solution to a problem I have myself. I’m following loads of series that air at separate intervals and you keep having to take the same steps manually: Figure out when something has aired, wait for a download to appear, go to The Pirate Bay, search for a torrent, sort it by most seeds, weed out the crap, and download.”

While he has a Netflix account, SchizoDuckie says most TV-shows take weeks or months to become available in Europe where he’s located.

“We don’t even have the final half of Breaking Bad yet. So then you resort back to piracy,” he says, adding that many other people are probably facing a similar problem.

Right now SeriesGuide is in beta stage, but SchizoDuckie says that many more features will be added in the near future. This will include automatic notifications when new episodes are released, automatic downloads, plus support for seedboxes and remote downloading.

SeriesGuide Downloads

SeriesGuide is free of charge and available in the Chrome Store. It currently comes in two flavors; one that opens the extension in the same tab, and one that launches it in a separate tab.

There’s very little doubt that the TV-companies wont be amused by SeriesGuide. However, SchizoDuckie believes that the extension is perfectly legal and there’s no lawsuit on the horizon.

“I’m not really worried. First off, I’m in Europe, I don’t have to worry about gazillions of dollars of lawyer fees if I cough in the wrong direction. Secondly, I’m not distributing anything illegal, I’m merely connecting pieces of data that are freely available on the web and presenting them in another interface,” he says.

“This is exactly what Google and The Pirate Bay does too, and this is exactly what a human does if he operates this same procedure manually. If there’s a law against that somehow, then I don’t want to live on this planet anymore.”

That said, Google is known to boot torrent related extensions from the Chrome Store over “piracy concerns“, so there is a chance that SeriesGuide will not be available there forever. According to SchizoDuckie, this isn’t really a major problem.

“If somehow the whole thing does get taken down, then the source code is still out there, since it’s an open source project. The genie is out of the bottle,” he concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.