Posts tagged ‘chrome’

Krebs on Security: Microsoft, Adobe Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If you use Microsoft or Adobe software products, chances are that software is now dangerously out of date. Microsoft today released seven update bundles to fix two dozen security vulnerabilities in Windows and supported software. Adobe pushed patches to correct critical flaws in Acrobat, Reader and Flash Player, including a bug in Flash that already is being exploited.

Four of the seven updates from Microsoft earned a “critical” rating, which means the patches fix vulnerabilities that can be exploited by malware or attackers to seize control over vulnerable systems without any help from users (save for perhaps visiting a hacked or malicious Web site). One of those critical patches — for Internet Explorer — plugs at least 14 holes in the default Windows browser.

Another critical patch plugs two vulnerabilities in Microsoft Word and Office Web Apps (including Office for Mac 2011). There are actually three patches this month that address Microsoft Office vulnerabilities, including MS14-082 and MS14-083, both of which are rated “important.” A full breakdown of these and other patches released by Microsoft today is here.

Adobe’s Flash Player update brings the player to v. 16.0.0.235 for Windows and Mac users, and fixes at least six critical bugs in the software. Adobe said an exploit for one of the flaws, CVE-2014-9163, already exists in the wild.

“These updates address vulnerabilities that could potentially allow an attacker to take over the affected system,” the company said in its advisory.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. If your version of Chrome doesn’t show the latest version of Flash, you may need to restart the browser or manually force Chrome to check for updates (click the three-bar icon to the right of the address bar, select “About Google Chrome” and it should check then).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Adobe Acrobat and Adobe Reader users will need to apply a critical update that fixes at least 20 critical security flaws in these programs. See Adobe’s Reader advisory for more details on that. The latest updates live here.

Linux How-Tos and Linux Tutorials: 11 Things to Do After You Install Fedora 21

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

Fedora 21 was announced yesterday and it turned out to be a great release. Fedora comes pre-installed with a lot of applications. Users can start working as soon as they boot into Fedora. However, like most operating systems Fedora also needs some work to prepare it to handle your workload.

Update your system

The first thing to do after installing Fedora is to update the system. Open the terminal and run the following command as sudo:

sudo yum update

If you forgot to add yourself (the default user) to the administrative group during install you won’t be able to use the sudo command. Open the Gnome System Settings then go to users. Unlock the window and change the Account Type to ‘Administrator’. Now you will be able to perform administrative tasks as sudo.

Install extra repositories

Fedora doesn’t provide a lot of software through the official repository due to patent and licensing issues. Like any other Linux-based operating system such packages are offered through third party repositories. You can easily add RPMFusion repository to install such applications.

There are two repositories within RPMFusion. First you need to enable the free repository and then the non-free one.

Install both repositories from RPMFusion (if you don’t see repositories for 21 yet, wait for a few days or add Rawhide repos).

Install VLC

VLC is like a swiss knife for video playback. It can play virtually any video format. A lesser known but quite powerful feature of VLC is to convert media formats; you can also extract audio from video files. Another even lesser known feature is VLC’s ability to play online videos from services like YouTube.

Install VLC by running this command:

 sudo yum install vlc

How to play MP3 files in Fedora

You need mp3 codecs to play such files in Fedora. Open the terminal and install gstreamer plugins:

sudo yum install gstreamer-plugins-ugly

I like the Clementine music player so I went ahead and installed it from the terminal. It plays MP3s without any hassle.

Install Chrome browser

Fedora has made a surprise move and replaced Gnome’s own Epiphany web browser with Firefox. However if you want Google Chrome, you can install it by downloading the binaries from the respective websites.

Go to the Chrome download page and grab the .rpm binaries for your architecture (32 bit or 64 bit, whichever you installed on your system). Linux binaries can be installed just the way .exe files are installed on Windows. Just double click on them or right click and choose ‘Open with Software Install’ and follow instructions.

Ride high on cloud

The only cloud I trust is the one that I own and run. I am a heavy ownCloud user. If you are running ownCloud on your server you can install the ownCloud client for Fedora:

sudo yum install owncloud-client

If you are a dropbox user you can get the executable images from their sites and install them the way you installed Chrome.

Get started with online accounts

Gnome has made it extremely easy to set up the default email, calendar, and chat clients. Open Online Accounts and choose the service you want to integrate with the system. If you chose Gmail, it will automatically configure Evolution and Contacts for that account. It’s very easy, just follow the on-screen instructions.

Install Gnome Tweak Tool and install extensions

Gnome Tweak Tool is the most important tool for a great Gnome experience. I wonder why Fedora didn’t include it in the ISO image. You can easily install the tool from Software.

Once the tool is installed you can customize the system to your liking. I always enable the window minimize button; you can call me old school.

I also install a couple of extensions from the Gnome Extensions site. Open the site in Firefox, allow the pop-up and search for the desired extensions. Some of my favorite extensions are: Windows List, Dash To Dock, User Themes, Application Menu, Advanced settings in user menu, etc.

Installing non-free drivers for Nvidia and ATI

Fedora will work out of the box using open source drivers. But if you experience video tearing or if you play video games you may need proprietary drivers to get the most out of your GPU. Installing graphics drivers is a tricky area in Fedora. Installing the wrong drivers may break your system. I previously broke my Fedora installs so I don’t bother with non-free graphics drivers anymore. If you do want to install non-free drivers, follow the guide by RPMFusion.

Setting up printers

Setting up printers is a breeze in Fedora. Just open the Printers from Dash and click on the Add Printer button, Fedora will scan and detect the printers connected to the system physically or available over the local network. Select the printer from the list, click on the ‘Add’ button and you are all set.

How to change themes or icons

Even if Gnome aims to offer an easy-to-use desktop, customizing it is not that elegant. Go to Gnome Look site and download the desired Gtk3 or icon theme. Extract the content of the downloaded files.

Go to home folder and enable ‘show hidden and system folder’. If you don’t see .icons and .themes folder, create them. Now copy the extracted folders to appropriate directories: themes go in .themes directory and icons go in .icons directory.

Open the Gnome Tweak Tool and you will see the themes that you just downloaded.

These are just a few things I do after installing Fedora. It’s Linux so there are endless possibilities of personalizing and optimizing your system! Let us know if you have some cool tricks for Fedora up your sleeve.

TorrentFreak: Google Removes Pirate Bay Apps From Play Store

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Facing harsh criticism from copyright holders, Google is gradually changing its attitudes towards sites and services that are often associated with piracy.

A few weeks ago the company implemented a major change to its search algorithm, aimed at downranking sites that often link to copyright infringing material.

Another drastic move came today when Google began removing many Pirate Bay related apps from its Play store. The apps in question include “The Pirate Bay Proxy,” “The Pirate Bay Premium,” “The Pirate Bay Mirror” and “PirateApp.”

The apps targeted by Google offer mobile optimized web-browsers for The Pirate Bay. In addition, many of them used proxy sites so users could easily circumvent local ISP blockades.

The apps appear to have been removed proactively as there is no mention of a DMCA takedown notice. According to an email sent to the developers, the apps in question are violating the intellectual property provisions of Google’s content policy.

“REASON FOR REMOVAL: Violation of the intellectual property and impersonation or deceptive behavior provisions of the Content Policy. Please refer to the IP infringement and impersonation policy help article for more information,” the email reads.

The developers are further informed that they received a “policy strike” which may lead to the termination of their accounts, if similar problems arise in the future.

TF spoke with Gavin, the developer of “The Pirate Bay Proxy” app, which has 900,000 downloads and 45,000 active users per day. He is disappointed with Google’s decision and has filed an appeal hoping to get his software reinstated.

According to Gavin, his app doesn’t do anything different than other browsers, Google Chrome included. It simply points people to a working proxy site and then acts as any other browser.

“The app is no different from Firefox or Chrome in that it’s a tool which provides access to TPB or any other web address,” Gavin says.

Gavin originally developed the app as a simple tool to bypass court-ordered ISP blockades. However, the app itself is now being censored as well, which is somewhat ironic.

“The removal has a sense of irony as the app is described as an anti-censorship tool,” Gavin notes.

Those who have already downloaded the apps can continue to use them, for now. New downloads from the Google Play Store are no longer allowed, but a copy of “The Pirate Bay Proxy” is available on the app’s website.

Alternatively, people can still use Google and the Chrome browser as these points of access remain uncensored for now.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Adobe Pushes Critical Flash Patch

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for Windows, Mac and Linux versions of Flash. The patch provides additional protection on a vulnerability that Adobe fixed earlier this year for which attackers appear to have devised unique and active exploits.

Adobe recommends users of the Adobe Flash Player desktop runtime for Windows and Macintosh update to v. 15.0.0.239 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. Adobe Flash Player for Linux has been updated to v. 11.2.202.424.

According to Adobe, these updates provide additional hardening against CVE-2014-8439, which was fixed in a Flash patch that the company released in October 2014. The bulletin for this update is here. Finnish security firm F-Secure says it reported the flaw to Adobe after receiving information from independent researcher Kafeine that indicated the vulnerability was being exploited in-the-wild by an exploit kit (malicious software designed to be stitched into hacked Web sites and foist malware on visitors via browser flaws like this one).

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Linux How-Tos and Linux Tutorials: How to Easily Install Ubuntu on Chromebook with Crouton

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

I am a huge fan of Chromebooks and so is Linus Torvalds. He believes that “…Chromebooks are the kind of things that will make the year of the desktop more possible.”

I love Chromebooks not only because they run the Linux-based operating system Chrome OS, but also because they are inexpensive and the app ecosystem around the OS is evolving rapidly. The device needs zero maintenance. It has ended the ‘paid’ OS upgrade model used by some companies and ensures that you don’t have to be a rocket scientist to run a PC. I was surprised to see the drop in support calls I used to get from my wife when she was on Windows or Mac, because Chrome OS is extremely simple to use and there is virtually nothing that one can break.

However, as a Linux user, I cringe to run a ‘full-blown’ desktop on my Chromebook (even if I don’t need one). There are many ways to install a Linux-based OS on your Chromebook. For this tutorial I have chosen Crouton (aka Chromium OS Universal Chroot Environment), which is a set of scripts that bundle up into an easy-to-use, Chromium OS-centric chroot generator. The scripts are hosted on GitHub and currently support only Ubuntu and Debian. It offers various desktop environments including Xfce, Unity, and KDE. Unity can be quite heavy for your Chromebook, depending on your hardware, and I don’t find Xfce to be enough eye candy, so I am going to try KDE and see how it works.

Some of the advantages of Crouton are that unlike other methods, you don’t have to reboot your machine to switch operating systems; you can switch between them using keyboard shortcuts as if you are switching between two apps. I tested it on a Samsung Chromebook.

How to Install Ubuntu

#Step 1: Back up your data 

Before we start poking around, please ensure that you have a back-up of your data. Since all of your data is synced to Google Server, you actually don’t have to worry about losing any data. The only data that you must make a back-up of is the ‘Download’ folder because the content of this folder is not synced. Once you have taken the back-up, it’s also a fail-safe plan to create a restore USB of ChromeOS, in case something goes wrong and you need to re-install ChromeOS.

#Step 2: Create a restore image for Chrome OS 

Since Crouton is not going to wipe your Chrome OS, there is no risk of corrupting your Chrome OS. It’s always a good idea to keep a restore image of your OS.

Install Chromebook recovery utility from the Chrome web store. Open the app and follow the instructions to create the recovery drive. It’s an easy three-step, click next process. All you need is working Internet and a USB drive with at least 4GB space.

Once the recovery disk is created, unplug it and follow the following steps.

#Step 3: Enable developer mode 

In order to install your own operating system on Chromebooks, you have to enable the developer mode. It’s extremely easy to do and is very well documented by Google. The latest Chromebooks use a combination of keys to enter the developer mode, whereas older devices have a physical switch. Different devices have different locations for the switch, so please Google your device to find the location of the switch and flip it. If you are on the latest Chromebook then you can enable the developer mode by holding Esc + Refresh keys and then push the ‘power’ button. The recovery screen will show a scary warning. Just ignore it and let Chrome OS wipe your data. The process can take up to 15 minutes, so don’t turn off your Chromebook.

Also keep in mind that once Chrome OS is reinstalled you will continue to see this warning every time you boot your system, as long as the developer mode is enabled. However, it won’t wipe the data every time. You can simply hit Ctrl+d to quickly boot into Chrome OS (don’t do it this time while Chrome OS is preparing your system for developer mode).

#Step 4: Let’s install Crouton

1- Log into your Chromebook and open the GitHub page of Crouton and download the latest script.

Check the download folder to see if crouton is downloaded.

2- Open the terminal in Chromebook (yes, there is now a terminal in Chromebook!) by hitting Alt+Ctrl+t

3- Type this command to open shell: shell

4- Now we are going to install Ubuntu. There are several desktop environments available including KDE Plasma, Unity and Xfce. Unity can be quite heavy for Chromebook hardware and xfce is way too plain for my taste, so I am going to install KDE Plasma.

sudo sh ~/Downloads/crouton -t kde

(If you don’t want KDE, then you can replace kde with xfce, or unity )

For example:

sudo sh ~/Downloads/crouton -t xfce

We have not encrypted the chroot. If you want to encrypt it, add the -e parameter to the command above:

sudo sh ~/Downloads/crouton -e -t kde

If you are installing it on a Chromebook with touchscreen then also add the ‘touch’ parameter:

sudo sh ~/Downloads/crouton -e -t touch,kde

Since the script will download Ubuntu from the Internet, depending on your broadband speed, it may take a while, so go and grab some Indian chai or coffee. With my 150Mbps download speed it took me around 18 minutes. Once the install is finished Crouton will ask you to enter the user-name and UNIX password for it – which will be used to perform administrative tasks in Kubuntu.

Now you can start Plasma by running the following command in shell:

sudo startkde

If you installed xfce then run:

sudo startxfce4

You will be greeted by the KDE greeter.

Fine tune Ubuntu 

The install will be bare-minimum and won’t come with the applications that are packed by distributions, but you can easily install applications from Konsole / terminal. It’s also a good idea to update the system.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install

I installed all that I needed – LibreOffice, Sublime Text, Chrome browser (so I can watch Netflix), GIMP, VLC, etc.

How to switch between Chrome OS and Ubuntu? 

To go back to Chrome OS, and keep KDE running, use this key combination: Alt+Ctrl+Shift+Back. To come back to Kubuntu from Chrome OS, use this combination: Alt+Ctrl+Shift+Forward. You can find the back/forward keys on the top row of the keyboard.

When you log out of KDE, it exits you from Chroot and you will have to again run the sudo startkde command to start Plasma or the desktop that you have installed.

Chrome OS Linux vs Ubuntu Linux? 

You might need a full blown desktop Linux, like Ubuntu, on your Chromebook, or not. It depends heavily upon what you do on your computer. I use the appropriate platform for that particular task so I don’t struggle to do something on a platform which it’s not meant to do. I am a heavy Chromebook user; my wife is a full-time Chromebook user. I can do pretty much everything in Chromebook that I do on my openSUSE or Arch Linux box, excluding professional image and audio/video editing. As a writer, I can live within Chromebook and would not need anything – all the needed tools are there.

A majority of these apps work in offline mode, so you don’t have to worry about Internet connectivity no matter what Microsoft tells you in their Pawn Star ad campaign. You don’t have to give all of your data to Google to be able to work using Chromebook. Just grab the apps which support offline mode, go offline, insert a good capacity USB drive and start working – nothing will leave your network.

However, at times you may need some tools which are not yet available for Chrome OS and that’s where you may need a full-blown Linux desktop.

Chromebook vs PC 

There is no doubt that installing your favorite Linux distribution onto a Chromebook is not as comfortable as it is on a regular PC, and considering the small onboard storage, it may not seem to be as appealing as a PC with 500GB HDD. But keep in mind that Chromebooks have SSDs which are much faster and more durable than hard drives. On top of that, Chromebooks are extremely affordable – you can get one for just under $200; it’s better to set them up and give them to your kids and employees rather than buying expensive $500+ PCs.

To my surprise, I found Kubuntu to be much faster on my Chromebook than on a Windows netbook. There is virtually no driver issue on Chromebook, which can be a big problem on many Windows PCs which use proprietary hardware. I never keep any of my data on my laptop, it’s always on my ownCloud server or on my hard drives so on-board storage has never been an issue for me – which can be a big factor for many others. If I am looking for inexpensive hardware to mostly do online work, I would prefer a Chromebook over a Windows PC.

I must admit that I live my life on the Internet. The browser is the first app that I open after booting into my system. I spend 90% of my time inside a browser – in Chrome, to be precise – so I don’t really mind Chrome OS and would not bother with installing some other Linux on it. If I do need to install Linux, then Crouton is my favorite method. The advantage of Crouton is that you don’t give up on one system to use the other; you run them simultaneously. It shares the ‘Downloads’ folder between the two operating systems, so you can easily share data – create some work in KDE and it’s already there in Chrome OS.

If you want to get rid of Linux and go back to the ‘verified’ Chrome OS, hit the space bar when your Chromebook reboots to re-activate verification. On older hardware, you will need to flip the physical switch and Chrome OS will restore to verified state. If something goes wrong, use the restore drive that we created in the beginning to restore the OS.

As they say, “Best of both worlds!”

TorrentFreak: The Pirate Beacon Pimps TPB With Movie Trailers and Info

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Many Pirate Bay users are avid movie fans, who use their favorite torrent site to discover and download fresh content.

Since not all titles immediately ring a bell, they often use third-party sites and services such as IMDb to find more info. In fact, nearly 2% of all IMDb visitors browsed The Pirate Bay before coming to the site, and vice versa.

To save these users a few clicks there is now a new browser extension that pulls up movie information automatically. The Pirate Beacon, as it’s called, shows users descriptions, IMDb ratings and trailers when users hover over a Pirate Bay link.

We reached out to Jordan, the developer of Pirate Beacon, who tells us that the idea actually came from a friend who made a mockup of the discovery tool last year. After working on it for a while the project was shelved, but last Saturday he picked it up again.

A few hours of coding later The Pirate Beacon was online.

The extension uses IMDb links to gather movie info, so it’s only available for torrents that have this listed. The trailers are then pulled from trailersapi.com and when this fails a movie poster is displayed instead.

“It works pretty good for newer movies but doesn’t do so well for older ones. So if I can’t find a trailer, I fall back to the IMDb posters api to grab a movie poster for it,” Jordan says.


Jordan explains that the addon will help people to gather info about movies without having to leave the site, which can be quite cumbersome at times.

“I think it is most useful for discovery purposes. If you’ve ever spent any time browsing TPB you will know that it’s somewhat annoying to see a movie that you’ve not heard of then have to go find it. This just takes that annoyance away,” Jordan says.

The idea appeals to a lot of fellow Pirate Bay users as it has immediately started to gain traction. After an initial Chrome release it’s now available for Firefox too. Additionally, support for many TPB proxies has been added as well.

Jordan says he will continue to work on the project. Support for the Opera browser is one of the next items on the todo list, and he also wants to add support for more torrent sites, starting with KickassTorrents.

“I am planning to expand it to other torrent sites as well. People have been requesting it to work with some other sites. It’s now available on Firefox and Chrome and soon to be available on Opera,” he notes.

The Pirate Beacon’s source code is available on GitHub and the Chrome and Firefox extensions are up on the official site.

The MPAA, meanwhile, is trying to steer people away from The Pirate Bay. The movie group launched its own search engine earlier this week.

Krebs on Security: Adobe, Microsoft Issue Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each issued security updates to fix critical vulnerabilities in their software. Microsoft pushed 14 patches to address problems in Windows, Office, Internet Explorer and .NET, among other products. Separately, Adobe issued an update for its Flash Player software that corrects at least 18 security issues.

Microsoft announced 16 bulletins, but curiously two of those are listed as pending. Topping the list of critical updates from Microsoft is a fix for a zero-day vulnerability disclosed last month that hackers have been using in targeted cyber espionage attacks. Another critical patch targets 17 weaknesses in Internet Explorer, including a remotely exploitable vulnerability in all supported versions of Windows that earned a CVSS score of 9.3 (meaning it is highly likely to be exploited in drive-by attacks, and probably soon).

That flaw is a rare “unicorn-like” bug according to IBM X-Force, which discovered and reported the issue privately to Microsoft. In a blog post published today, IBM researchers described how the vulnerability can be used to sidestep the Enhanced Protected Mode sandbox in IE11, as well as Microsoft’s EMET anti-exploitation tool that Microsoft offers for free.

“In this case, the buggy code is at least 19 years old, and has been remotely exploitable for the past 18 years,” writes IBM researcher Robert Freeman. “Looking at the original release code of Windows 95, the problem is present. In some respects this vulnerability has been sitting in plain sight for a long time, despite many other bugs being discovered and patched in the same Windows library (OleAut32).”

Freeman said while unpatched Internet Explorer users are most at risk from this bug, the vulnerability also could be exploited through Microsoft Office files. “The other attack vectors this vulnerability could work with are Microsoft Office with script macros, for example in Excel documents,” Freeman told KrebsOnSecurity. “Most versions of Office (since about 2003) have macros disabled by default so the user would have to enable them (which can be a fairly mindless YES click at the top of the screen). Or if a user is using an old enough version of Office, the macros will be enabled by default.”

According to Shavlik, the two pending patches, MS14-068 and MS14-075, are both listed on the bulletin summary page as “release date to be determined,” which apparently is an anomaly we haven’t seen before. “Typically, a pulled patch is removed from the list entirely,” wrote Chris Goettl, product manager at Shavlik. “This could mean it may still come this month, but not today. These two patches were likely an OS and the Exchange patch based on the advanced notification list. That is at least one less major product admins will need to be concerned about this Patch Tuesday, although the date to be determined could come at any time.”

As I’ve noted in previous posts, the few times I’ve experienced troubles after applying Microsoft updates have almost all included a fix for Microsoft’s widely-installed .NET platform. If you have .NET installed, it’s probably a good idea to install this one separately after applying the other updates and rebooting.

Adobe’s update addresses a whopping 18 security holes in Flash Player and Adobe AIR. Updates are available for Windows, Mac and Linux versions of Flash. Adobe says Adobe Flash Player users should update the program to the version 15.0.0.223. To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed, you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15.0.0.356 for Windows, Mac, and Android.

SANS Internet Storm Center, InfoCON: green: POODLE: Turning off SSLv3 for various servers and client. (Wed, Oct 15th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Before you start: While adjusting your SSL configuration, you should also check for various other SSL related configuration options. A good outline can be found at http://bettercrypto.org as well as at http://ssllabs.com (for web servers in particular)

Here are some configuration directives to turn off SSLv3 support on servers:

Apache: Add -SSLv3 to the SSLProtocol line. It should already contain -SSLv2 unless you list specific protocols.

nginx: list specific allowed protocols in the ssl_protocols line. Make sure SSLv2

Postfix: Disable SSLv3 support in the smtpd_tls_mandatory_protocols configuration line. For example: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Dovecot: similar, disable SSLv2 and SSLv3 in the ssl_protocols line. For example: ssl_protocols = !SSLv2 !SSLv3

HAProxy Server: the bind configuration line should include no-sslv3 (this line also lists allowed ciphers)

puppet: see https://github.com/stephenrjohnson/puppetmodule/commit/1adb73f9a400cb5e91c4ece1c6166fd63004f448 for instructions

For clients, turning off SSLv3 can be a bit more tricky, or just impossible.

Google Chrome: you need to start Google Chrome with the --ssl-version-min=tls1 option.

Internet Explorer: You can turn off SSLv3 support in the advanced internet option dialog.

Firefox: check the security.tls.version.min setting in about:config and set it to 1. Oddly enough, in our testing, the default setting of 0 will allow SSLv3 connections, but refuses to connect to our SSLv3 only server.

For Microsoft Windows, you can use group policies. For details see Microsoft's advisory: https://technet.microsoft.com/en-us/library/security/3009008.aspx

To test, continue to use our POODLE Test page at https://poodletest.com or the Qualys SSL Labs page at https://ssllabs.com

To detect the use of SSLv3, you can try the following filters:

tshark/wireshark display filter: ssl.handshake.version==0x0300

tcpdump filter: (1) accounting for variable TCP header length: tcp[((tcp[12]>>4)*4)+9:2]=0x0300
(2) assuming TCP header length is 20: tcp[29:2]=0x0300
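
What the two tcpdump filters read, as an added Python example that is not part of the original diary: it applies both offsets to constructed TCP segments, showing where the fixed-offset filter misses a hello behind TCP options and where the bare two-byte match fires on non-handshake data. The helper names, ports and sample bytes are assumptions made for the illustration.

```python
import struct

SSLV3 = 0x0300

def tcp_segment(payload, options=b""):
    """Constructed TCP header, optional TCP options, then the payload."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0,
                         offset_words << 4,  # byte 12: header length in 32-bit words (high nibble)
                         0x18, 65535, 0, 0)  # PSH+ACK, window, checksum left at 0, urgent pointer
    return header + options + payload

def hello(version, handshake_type=1):
    """Constructed ClientHello (type 1) or ServerHello-shaped (type 2) record."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    record_version = min(version, 0x0301)  # record-layer version, not what the filters read
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake

def version_at_variable_offset(segment):
    """Filter (1): tcp[((tcp[12]>>4)*4)+9:2], which honours the TCP data offset."""
    if len(segment) < 20:
        return None
    start = (segment[12] >> 4) * 4
    field = segment[start + 9:start + 11]
    return int.from_bytes(field, "big") if len(field) == 2 else None

def version_at_fixed_offset(segment):
    """Filter (2): tcp[29:2], which assumes a 20-byte TCP header."""
    field = segment[29:31]
    return int.from_bytes(field, "big") if len(field) == 2 else None

def is_sslv3_hello(segment):
    """Stricter check (an addition, not one of the page's filters): also require a
    handshake record (0x16) carrying a ClientHello (1) or ServerHello (2)."""
    if len(segment) < 20:
        return False
    start = (segment[12] >> 4) * 4
    if start < 20:
        return False  # malformed data offset
    payload = segment[start:]
    return (len(payload) >= 11 and payload[0] == 0x16 and payload[5] in (1, 2)
            and int.from_bytes(payload[9:11], "big") == SSLV3)

# Constructed samples: NOP, NOP, timestamp option = 12 bytes of TCP options.
TIMESTAMP_OPTION = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 0)
PLAIN_SSLV3 = tcp_segment(hello(SSLV3))
SSLV3_WITH_OPTIONS = tcp_segment(hello(SSLV3), TIMESTAMP_OPTION)
TLS12_HELLO = tcp_segment(hello(0x0303))
# Application data that happens to carry 03 00 at payload offset 9.
APP_DATA = tcp_segment(b"\x17\x03\x03\x00\x20" + bytes(4) + b"\x03\x00" + bytes(21))

if __name__ == "__main__":
    for name, seg in [("plain SSLv3 hello", PLAIN_SSLV3),
                      ("SSLv3 hello + TCP options", SSLV3_WITH_OPTIONS),
                      ("TLS 1.2 hello", TLS12_HELLO),
                      ("application data", APP_DATA)]:
        print(name,
              "| filter 1:", version_at_variable_offset(seg) == SSLV3,
              "| filter 2:", version_at_fixed_offset(seg) == SSLV3,
              "| strict:", is_sslv3_hello(seg))
```

A ClientHello match means the client offered nothing newer than SSLv3; a ServerHello match means SSLv3 was actually negotiated.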

We will also have a special webcast at 3pm ET. For details see https://www.sans.org/webcasts/about-poodle-99032. The webcast will probably last 20-30 minutes and summarize the highlights of what we know so far.


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Microsoft, Adobe Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe, Microsoft and Oracle each released updates today to plug critical security holes in their products. Adobe released patches for its Flash Player and Adobe AIR software. A patch from Oracle fixes at least 25 flaws in Java. And Microsoft pushed patches to fix at least two-dozen vulnerabilities in a number of Windows components, including Office, Internet Explorer and .NET. One of the updates addresses a zero-day flaw that reportedly is already being exploited in active cyber espionage attacks.

Earlier today, iSight Partners released research on a threat the company has dubbed “Sandworm” that exploits one of the vulnerabilities being patched today (CVE-2014-4114). iSight said it discovered that Russian hackers have been conducting cyber espionage campaigns using the flaw, which is apparently present in every supported version of Windows. The New York Times carried a story today about the extent of the attacks against this flaw.

In its advisory on the zero-day vulnerability, Microsoft said the bug could allow remote code execution if a user opens a specially crafted malicious Microsoft Office document. According to iSight, the flaw was used in targeted email attacks that targeted NATO, Ukrainian and Western government organizations, and firms in the energy sector.

More than half of the other vulnerabilities fixed in this month’s patch batch address flaws in Internet Explorer. Additional details about the individual Microsoft patches released today are available at this link.

Separately, Adobe issued its usual round of updates for its Flash Player and AIR products. The patches plug at least three distinct security holes in these products. Adobe says it’s not aware of any active attacks against these vulnerabilities. Updates are available for Windows, Mac and Linux versions of Flash.

Adobe says users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 15.0.0.189. To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 15.0.0.152 (with no outstanding updates available, and no word yet from Chrome about when the fix might be available).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed, you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15.0.0.293 for Windows, Mac, and Android.

Finally, Oracle is releasing an update for its Java software today that corrects more than two-dozen security flaws in the software. Oracle says 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Java SE 8 updates are available here; the latest version of Java SE 7 is here.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. I don’t have an installation of Java handy on the machine I’m using to compose this post, but keep in mind that updating via the control panel may auto-select the installation of third-party software, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework, which also received updates today from Microsoft).

SANS Internet Storm Center, InfoCON: green: Content Security Policy (CSP) is Growing Up, (Wed, Sep 10th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

We have talked here about Content Security Policy (CSP) in the past. CSP is trying to tackle a pretty difficult problem. When it comes to cross-site-scripting (XSS), the browser and the user are usually the victims, not so much the server that is susceptible to XSS. As a result, it makes a lot of sense to add protections to the browser to prevent XSS. This isn’t easy, because the browser has no idea what Javascript (or other content) to expect from a particular site. Microsoft implemented a simple filter in IE 8 and later, matching content submitted by the user to content reflected back by the site, but this approach is quite limited.

CSP is an attempt to define a policy informing the browser about what content to expect from a site. Initially, only Firefox supported CSP. But lately, CSP has evolved into a standard, and other browsers started to implement it [1]. The very granular language defined by CSP allows sites to specify exactly what content is “legal” on a particular site.

Implementing CSP on a new site isn’t terribly hard, and may actually lead to a cleaner site. But the difficult part is to implement CSP on existing sites (like this site). Sites grow “organically” over the years, and it is difficult to come back later and define a policy. You are bound to run into false positives, or your policy is relaxed to the point where it becomes meaningless.

Luckily, CSP has a mechanism to help us. You are able to define a “Report URL”, and browsers will report any errors they encounter to said URLs. The reports are reasonably easy to read JSON snippets including the page that caused the problem, the policy they violated, and even an excerpt from the part of the page that caused the problem.

Recently, a few nice tools have cropped up to make it easier to parse these reports and build CSPs. For example Stuart Larsen implemented “CASPR” [2], a plugin for Chrome that was built to create CSPs and to analyze the reports. Tools like this make implementing CSPs a lot easier. 
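
How such reports can be turned into a candidate policy, as an added Python example that is neither part of the original diary nor CASPR's code. The sample reports, the example.org/.net/.com hosts, the helper names and the `min_count` threshold are constructed assumptions. Because anyone can POST to a report URL, every field is treated as untrusted input.

```python
import json
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

POLICY = "default-src 'self'; script-src 'self'; report-uri /csp-report"
SAFE_ORIGIN = re.compile(r"https?://[A-Za-z0-9.-]+(:\d+)?")
DIRECTIVE = re.compile(r"[a-z-]+")
# Assumption: blocked-uri values that browsers send for inline or eval violations.
INLINE_MARKERS = {"", "self", "inline", "eval"}

def _report(page, blocked, sample=""):
    """Build one constructed report body in the JSON shape browsers POST to the report URL."""
    return json.dumps({"csp-report": {
        "document-uri": page, "violated-directive": "script-src 'self'",
        "blocked-uri": blocked, "script-sample": sample, "original-policy": POLICY}})

# Constructed sample input, including junk and one policy-injection attempt.
SAMPLE_REPORTS = [
    _report("https://www.example.org/diary", "https://cdn.example.net/lib/jquery.js"),
    _report("https://www.example.org/about", "https://cdn.example.net/lib/chart.js"),
    _report("https://www.example.org/login", "", "onclick attribute on A element"),
    _report("https://www.example.org/diary", "https://tracker.example.com/t.js"),
    _report("https://www.example.org/diary", "https://evil.example.com 'unsafe-inline'"),
    "not json at all",
    json.dumps({"csp-report": {}}),
]

def origin_of(blocked_uri):
    """Reduce blocked-uri to scheme://host[:port]; None if it could smuggle policy syntax."""
    parts = urlsplit(blocked_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    origin = f"{parts.scheme}://{parts.netloc}"
    return origin if SAFE_ORIGIN.fullmatch(origin) else None

def summarize(raw_reports):
    """Return (origins per directive, pages with inline violations, rejected count)."""
    origins = defaultdict(Counter)
    inline = defaultdict(set)
    rejected = 0
    for raw in raw_reports:
        try:
            report = json.loads(raw)["csp-report"]
            directive = report["violated-directive"].split()[0]
            if not DIRECTIVE.fullmatch(directive):
                raise ValueError("unexpected directive name")
            page = report["document-uri"]
            blocked = report.get("blocked-uri", "")
            is_inline = blocked in INLINE_MARKERS
            origin = None if is_inline else origin_of(blocked)
        except (ValueError, KeyError, IndexError, TypeError, AttributeError):
            rejected += 1
            continue
        if is_inline:
            inline[directive].add(page)  # needs a code change, not an allowlist entry
        elif origin is None:
            rejected += 1
        else:
            origins[directive][origin] += 1
    return origins, inline, rejected

def candidate_policy(policy, origins, min_count=2):
    """Append origins seen at least min_count times to directives the policy already has."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    for directive, counter in origins.items():
        if directive not in directives:
            continue
        for origin, count in sorted(counter.items()):
            if count >= min_count and origin not in directives[directive]:
                directives[directive].append(origin)
    return "; ".join(" ".join([name] + sources) for name, sources in directives.items())

if __name__ == "__main__":
    found, inline_pages, bad = summarize(SAMPLE_REPORTS)
    print("candidate:", candidate_policy(POLICY, found))
    print("inline violations on:", dict(inline_pages), "| rejected reports:", bad)
```

The output is a proposal for a human to review: a report count says how often something was blocked, not whether the blocked source deserves trust.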

Any other tools or resources you like to help implementing CSPs?

Update: We got a couple of additional resources in via Twitter:

Using “Virtual Patching” to implement CSP on your Web Application Firewall
Twitter account focusing on CSP: http://twitter.com/SeeEssPee

Thanks to @imeleven for pointing out that Firefox was the first browser to support CSP. He also pointed to this slide deck: http://www.slideshare.net/imelven/evolving-web-security-model-v11-portland-owasp-may-29-2014

​

 

[1] http://www.w3.org/TR/CSP/
[2] http://caspr.io

 


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Critical Fixes for Adobe, Microsoft Software

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe today released updates to fix at least a dozen critical security problems in its Flash Player and AIR software. Separately, Microsoft pushed four update bundles to address at least 42 vulnerabilities in Windows, Internet Explorer, Lync and .NET Framework. If you use any of these, it’s time to update!

Most of the flaws Microsoft fixed today (37 of them) are addressed in an Internet Explorer update — the only patch this month to earn Microsoft’s most-dire “critical” label. A critical update wins that rating if the vulnerabilities fixed in the update could be exploited with little to no action on the part of users, save for perhaps visiting a hacked or malicious Web site with IE.

I’ve experienced troubles installing Patch Tuesday packages along with .NET updates, so I make every effort to update .NET separately. To avoid any complications, I would recommend that Windows users install all other available recommended patches except for the .NET bundle; after installing those updates, restart Windows and then install any pending .NET fixes. Your mileage may vary.

For more information on the rest of the updates released today, see this post at the Microsoft Security Response Center Blog.

Adobe’s critical update for Flash Player fixes at least 12 security holes in the program. Adobe is urging Windows and Macintosh users to update to Adobe Flash Player v. 15.0.0.152 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. If you’d rather not be bothered with downloaders and software “extras” like antivirus scanners, you’re probably best off getting the appropriate update for your operating system from this link.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15 for Windows, Mac, and Android.

Adobe had also been scheduled to release updates today for Adobe Reader and Acrobat, but the company said it was pushing that release date back to Sept. 15 to address some issues that popped up during testing of the patches.

As always, if you experience any issues updating these products, please leave a note about your troubles in the comments below.

SANS Internet Storm Center, InfoCON: green: Dodging Browser Zero Days – Changing your Org’s Default Browser Centrally, (Mon, Sep 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In a recent story about “what’s a sysadmin to do?“, we suggested that since our browsers seem to take turns with zero days lately, system administrators should have processes in place to prepare for when their corporate standard browser has a major vulnerability that doesn’t yet have a patch. Administrators should be able to “push” out a change for their user community’s default browser within a few minutes of a zero day being confirmed.

So – How exactly would you do this in an Active Directory Domain?

First of all, have a desktop or start menu shortcut that uses http:// or https:// – usually pointed to one or more corporate applications. It’s not uncommon to also see corporate web apps in the start menu. Be sure that none of these links point to the programs themselves, just the URIs. This gets folks in the habit of punching that shortcut every morning (or having it auto-start for them), starting them off on the right foot – with the browser you’ve selected for them. Having people start their browser by the actual link to the executable defeats the purpose of setting the defaults.

It turns out that the default browser can be changed by updating just 5 registry keys – the preferred application for htm and html files, as well as the preferred application for the ftp, http and https protocols.

 

============ Registry keys for Firefox – reg-ff.reg ==============

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="FirefoxHTML"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"="FirefoxHTML"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid"="FirefoxURL"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="FirefoxURL"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid"="FirefoxURL"

============ Registry keys for Internet Explorer – reg-ie.reg ==============

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="IE.AssocFile.HTM"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"="IE.AssocFile.HTM"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid"="IE.FTP"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="IE.HTTP"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid"="IE.HTTPS"

============ Registry keys for Chrome – reg-goo.reg ==============

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="ChromeHTML"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"="ChromeHTML"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid"="ChromeHTML"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="ChromeHTML"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid"="ChromeHTML"

===================================================

You can dig and find lots of other registry keys that will influence the browser, but these 5 will nail most things in a hurry – which is the goal.  You can also find more reg keys that will change the default browser, but these are the keys set by control panel (in Windows 7 anyway), so for me they’re likely the safest keys – the ones that, for today at least, will be most likely to work most reliably for most environments.

So, what’s the easiest way to push these settings out? There are a few ways to go. First, save the above into 3 different text based REG files.

The easiest way in my book is to update everyone’s startup – in a Group Policy, add the following to User Configuration / Windows Settings / Scripts (Logon/Logoff)

regedit /s reg-goo.reg  (or whichever REG is your target).

The trick then is to get folks to logout and login – hopefully you are forcing folks to logout each day by setting a hard logout time (a good thing to consider if you’re not doing that today), so if you get your change in before folks typically start, they’ll get your update.

If you need to push this out with GPO in mid-stream, you can set registry keys directly in Group Policy, under GPO > User Configuration > Preferences > Windows Settings > Registry

Microsoft publishes a “right way” to set the default browser on a few different pages, but it typically involves importing settings from a known correct station ( http://social.technet.microsoft.com/Forums/windowsserver/en-US/e63fe81b-1ad8-4303-ad1d-e2f6e3d8cb0a/default-browser-via-group-policy ).  This can be a problem if you’ve got multiple operating systems or want a more script-controlled approach.

There are certainly many other ways to push settings out using Group Policy (using ADM/ADMX files for instance), or by scripting using sysinternals or powershell commands. The sysinternals approach has a lot of appeal because many admins already have a sysinternals “go fix it” approach in their toolbelt. Powershell appeals because it’s the whiz-bang-shiny new tool, but lots of admins are still learning this language, so it might not fall into the “get it done quick” bucket so neatly. ADMs will absolutely do the job nicely – I didn’t have the time to cobble together an ADM or ADMX file for this, but will give it a shot over the next few days (unless one of our readers beats me to it that is!)

Once set, each browser can be configured using group policy using a vendor-supplied or open-source ADM or ADMX file.  Import the vendor file ADM(X) into GPO, and you’ll be able to configure or restrict 3rd party browsers just as easily as you do IE.

This article was meant more as a set of “quick and dirty” ways to make this change for a large number of your user community in a hurry. If you’ve got a neat script or an ADM file that does this job in a more elegant way than I’ve described, please, share using our comment form!

 

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Linux How-Tos and Linux Tutorials: How to Install the Netflix Streaming Client On Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials


Netflix is one of the biggest video streaming services on the planet. You’ll find movies, television, documentaries, and more streamed to mobile devices, televisions, laptops, desktops, and much more. What you won’t find, however, is an official Linux client for the service. This is odd, considering Netflix so heavily relies upon FreeBSD.

This is Linux, though, so as always the adage ‘Where there’s a will, there’s a way’ very much applies. With just a few quick steps, you can have a Netflix client on your desktop. This client does require the installation of the following extras:

  • Wine

  • Mono

  • msttcorefonts

  • Gecko

I will walk you through the installation of this on a Ubuntu 14.04 desktop. I have also tested this same installation on both Linux Mint and Deepin – all with the same success. If you like living on the bleeding edge, you can get the full Netflix experience, without having to go through the steps I outline here. For that, you must be running the latest developer or beta release of Google Chrome with the Ubuntu 14.04 distribution. NOTE: You will also have to upgrade libnss3 (32 bit or 64 bit). Once you’ve installed all of that, you then have to modify the user-agent string of the browser so Netflix thinks you are accessing its services with a supported browser. The easiest way to do this is to install the User Agent Switcher Extension. The information you’ll need for the HTTP string is:

  • Name: Netflix Linux

  • String: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2114.2 Safari/537.36

  • Group: (is filled in automatically)

  • Append?: Select ‘Replace’

  • Flag: IE

If dealing with bleeding edge software and user agent strings isn’t for you, the method below works like a champ. The majority of this installation will happen through the command line, so be prepared to either type or cut and paste. Let’s begin.

Installing the repository and preparing apt-get

The first thing you must do is open up a terminal window. Once that is opened, issue the following commands to add the correct repository, update apt-get, and install the software.

  • sudo apt-add-repository ppa:ehoover/compholio

  • sudo apt-get update

Now, you’re ready to start installing software. There are two pieces of software to be installed. The first is the actual Netflix Desktop app. The second is the msttcorefonts package that cannot be installed by the Netflix Desktop client (all other dependencies are installed through the Netflix Desktop client). The two commands you need to issue are:

  • sudo apt-get install netflix-desktop

  • sudo apt-get install msttcorefonts

The installation of the netflix-desktop package will take some time (as there are a number of dependencies it must first install). Once that installation completes, install the msttcorefonts package and you’re ready to continue.

First run

You’re ready to fire up the Netflix Desktop Client. To do this (in Ubuntu), open up the Dash and type netflix. When you see the launcher appear, click on it to start the client. When you first run the Netflix Desktop Client you will be required to first install Mono. Wine will take care of this for you, but you do have to okay the installer. When prompted, click Install (Figure 1) and the Wine installer will take care of the rest.

Figure 1: The Wine Mono installer.

You will also be prompted to allow Wine to install Gecko as well. When prompted, click Install for this action to complete.

At this point, all you have to do is sign in to Netflix and enjoy streaming content on your Linux desktop. You will notice that the client opens in full screen mode. To switch this to window mode, hit F11 and the client will appear in a window.

Although this isn’t an ideal situation, and there may be those that balk at installing Mono, by following these steps, you can have Netflix streaming video service on your Linux desktop. It works perfectly and you won’t miss a single feature (you can enjoy profiles, searching, rating, and much more).

Linux is an incredible desktop that offers everything the competition has and more. Give this installation of Netflix a go and see if you’re one step closer to dropping the other platforms from your desktop or laptop for good.

Darknet - The Darkside: Twitter Patents Technique To Detect Mobile Malware

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So it was discovered that Twitter has been granted a patent which covers detection of mobile malware on websites to protect its user base. The patent was filed back in 2012, but well – as we know these things take time. The method is something like the technology Google uses in Chrome to warn you […]

The post Twitter Patents Technique To…

Read the full post at darknet.org.uk

Krebs on Security: Adobe, Microsoft Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each independently released security updates to fix critical problems with their products. Adobe issued patches for Adobe Reader/Acrobat, Flash Player and AIR, while Microsoft pushed nine security updates to address at least 37 security holes in Windows and related software.

Microsoft's recommended patch deployment priority for enterprises, Aug. 2014.


Two of the seven update bundles Microsoft released today earned the company’s most-dire “critical” label, meaning the vulnerabilities fixed in the updates can be exploited by bad guys or malware without any help from users. A critical update for Internet Explorer accounts for the bulk of flaws addressed this month, including one that was actively being exploited by attackers prior to today, and another that was already publicly disclosed, according to Microsoft.

Other Microsoft products fixed in today’s release include Windows Media Center, One Note, SQL Server and SharePoint. Check out the Technet roundup here and the Microsoft Bulletin Summary Web page at this link.

There are a couple other important changes from Microsoft this month: The company announced that it will soon begin blocking out-of-date ActiveX controls for Internet Explorer users, and that it will support only the most recent versions of the .NET Framework and IE for each supported operating system (.NET is a programming platform required by a great many third-party Windows applications and is therefore broadly installed).

These changes are both worth mentioning because this month’s patch batch also includes Flash fixes (an ActiveX plugin on IE) and another .NET update. I’ve had difficulties installing large Patch Tuesday packages along with .NET updates, so I try to update them separately. To avoid any complications, I would recommend that Windows users install all other available recommended patches except for the .NET bundle; after installing those updates, restart Windows and then install any pending .NET fixes.

Finally, I should note that Microsoft released a major new version (version 5) of its Enhanced Mitigation Experience Toolkit (EMET), a set of tools designed to protect Windows systems even before new and undiscovered threats against the operating system and third-party software are formally addressed by security updates and antimalware software. I’ll have more on EMET 5.0 in an upcoming blog post (my review of EMET 4 is here) but this is a great tool that can definitely help harden Windows systems from attacks. If you already have EMET installed, you’ll want to remove the previous version and reboot before upgrading to 5.0.

ADOBE

Adobe’s critical update for Flash Player fixes at least seven security holes in the program. Which version of Flash you should have on your system in order to get the protection from these latest fixes depends on which operating system and which browser you use, so consult the (admittedly complex) chart below for your appropriate version number.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 14.0.0.145 (with no outstanding updates available, and no word yet from Chrome about when the fix might be available).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 14.0.0.137 for Windows, Mac, and Android.

[Chart: Adobe Flash Player and AIR version numbers by operating system and browser, Aug. 2014]

Adobe said it is not aware of any exploits in the wild that target any of the issues addressed in this month’s Flash update. However, the company says there are signs that attackers are already targeting the lone bug fixed in an update released today for Windows versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat for Apple’s OS X are not affected).


Experience technical issues during or after applying any of these updates, or with the instructions above? Please feel free to sound off in the comments below.

lcamtuf's blog: A bit more about american fuzzy lop

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

Fuzzing is one of the most powerful strategies for identifying security issues in real-world software. Unfortunately, it also offers fairly shallow coverage: it is impractical to exhaustively cycle through all possible inputs, so even something as simple as setting three separate bytes to a specific value to reach a chunk of unsafe code can be an insurmountable obstacle to a typical fuzzer.

There have been numerous attempts to solve this problem by augmenting the process with additional information about the behavior of the tested code. These techniques can be divided into three broad groups:

  • Simple coverage maximization. This approach boils down to trying to isolate initial test cases that offer diverse code coverage in the targeted application – and then fuzzing them using conventional techniques.

  • Control flow analysis. A more sophisticated technique that leverages instrumented binaries to focus the fuzzing efforts on mutations that generate distinctive sequences of conditional branches within the instrumented binary.

  • Static analysis. An approach that attempts to reason about potentially interesting states within the tested program and then make educated guesses about the input values that could possibly trigger them.

The first technique is surprisingly powerful when used to pre-select initial test cases from a massive corpus of valid data – say, the result of a large-scale web crawl. Unfortunately, coverage measurements provide only a very simplistic view of the internal state of the program, making them less suited for creatively guiding the fuzzing process later on.

The latter two techniques are extremely promising in experimental settings. That said, in real-world applications, they are not only very slow, but frequently lead to irreducible complexity: most of the high-value targets will have a vast number of internal states and possible execution paths, and deciding which ones are interesting and substantially different from the rest is an extremely difficult challenge that, if not solved, usually causes the “smart” fuzzer to perform no better than a traditional one.

American fuzzy lop tries to find a reasonable middle ground between sophistication and practical utility. In essence, it’s a fuzzer that relies on a form of edge coverage measurements to detect subtle, local-scale changes to program control flow without having to perform complex global-scale comparisons between series of long and winding execution traces – a common failure point for similar tools.

In almost-plain English, the fuzzer does this by instrumenting every effective line of C or C++ code (or any other GCC-supported language) to record a tuple in the following format:

[ID of current code location], [ID of previously-executed code location]

The ordering information for tuples is discarded; the primary signal used by the fuzzer is the appearance of a previously-unseen tuple in the output dataset; this is also coupled with a coarse magnitude count for tuple hit rate. This method combines the self-limiting nature of simple coverage measurements with the sensitivity of control flow analysis. It detects both explicit conditional branches and indirect variations in the behavior of the tested app.

The output from this instrumentation is used as a part of a simple, vaguely “genetic” algorithm:

  1. Load user-supplied initial test cases into the queue,

  2. Take input file from the queue,

  3. Repeatedly mutate the file using a balanced variety of traditional fuzzing strategies (see later),

  4. If any of the generated mutations resulted in a new tuple being recorded by the instrumentation, add mutated output as a new entry in the queue.

  5. Go to 2.
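
The loop above, as an added sketch in Python (not afl's own code): a constructed toy parser is hand-instrumented to emit the [current location], [previous location] tuples, and the mutation stages are two of the strategies the post lists, walking bit flips and walking byte arithmetic. The target, its location IDs, the ARITH_MAX range and the guided switch are assumptions of this example; hit-count magnitudes and queue culling are left out.

```python
from collections import deque

ARITH_MAX = 35  # largest +/- delta tried per byte (value chosen for this example)


class Crash(Exception):
    """Stands in for a memory-safety fault in the toy target."""


class Tracer:
    """Collects [current location], [previous location] tuples for one run."""

    def __init__(self):
        self.prev = 0
        self.tuples = set()  # a set: ordering information is discarded

    def at(self, loc):
        self.tuples.add((loc, self.prev))
        self.prev = loc


def target(data, t):
    """Constructed parser; only inputs starting with b'FUZZ' reach the bug."""
    t.at(1)
    for i, want in enumerate(b"FUZZ"):
        if i >= len(data) or data[i] != want:
            t.at(10 + i)  # distinct "reject" location for each header byte
            return
        t.at(20 + i)      # distinct "accept" location for each header byte
    t.at(99)
    raise Crash("reached the buggy state")


def mutations(data):
    """Deterministic stages: walking 1-bit flips, then walking addition and
    subtraction of small integers on single bytes."""
    for bit in range(len(data) * 8):
        out = bytearray(data)
        out[bit // 8] ^= 0x80 >> (bit % 8)
        yield bytes(out)
    for pos in range(len(data)):
        for delta in range(1, ARITH_MAX + 1):
            for step in (delta, -delta):
                out = bytearray(data)
                out[pos] = (out[pos] + step) & 0xFF
                yield bytes(out)


def run(data):
    """Execute the target once; return (tuples recorded, crashed?)."""
    t = Tracer()
    try:
        target(data, t)
    except Crash:
        return t.tuples, True
    return t.tuples, False


def fuzz(seeds, guided=True):
    """Steps 1-5 of the loop. With guided=False nothing is ever queued,
    which models a fuzzer that gets no feedback from the instrumentation."""
    queue = deque(seeds)                     # 1. load initial test cases
    seen = set()
    for seed in seeds:
        seen |= run(seed)[0]
    corpus, crashes, execs = list(seeds), [], 0
    while queue:                             # 5. go to 2
        entry = queue.popleft()              # 2. take an input from the queue
        for candidate in mutations(entry):   # 3. mutate it repeatedly
            tuples, crashed = run(candidate)
            execs += 1
            if tuples <= seen:
                continue                     # no new tuple: discard
            seen |= tuples                   # 4. new tuple: keep the input
            if crashed:
                crashes.append(candidate)    # unseen tuples: a distinct crash
            elif guided:
                corpus.append(candidate)
                queue.append(candidate)
    return corpus, crashes, execs


if __name__ == "__main__":
    for mode in (True, False):
        corpus, crashes, execs = fuzz([b"AAAA"], guided=mode)
        print("guided" if mode else "blind ", execs, corpus, crashes)
```

Starting from b"AAAA", the guided run grows the queue one header byte at a time and reaches the crashing input after 1248 executions; with guided=False the same mutation stages never get past the first byte.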

The discovered test cases are also periodically culled to eliminate ones that have been made obsolete by more inclusive finds discovered later in the fuzzing process. Because of this, the fuzzer is useful not only for identifying crashes, but is exceptionally effective at turning a single valid input file into a reasonably-sized corpus of interesting test cases that can be manually investigated for non-crashing problems, handed over to valgrind, or used to stress-test applications that are harder to instrument or too slow to fuzz efficiently. In particular, it can be extremely useful for generating small test sets that may be programmatically or manually examined for anomalies in a browser environment.


Of course, there are countless “smart” fuzzer designs that look good on paper, but fail in real-world applications. I tried to make sure that this is not the case here: for example, afl can easily tackle security-relevant and tough targets such as gzip, xz, lzo, libjpeg, libpng, giflib, libtiff, or webp – all with absolutely no fine-tuning and while running at blazing speeds. The control flow information is also extremely useful for accurately de-duping crashes, so the tool does that for you.

In fact, I spent some time running it on a single machine against libjpeg, giflib, and libpng – some of the most robust, best-tested image parsing libraries out there. So far, the tool found:

  • CVE-2013-6629: JPEG SOS component uninitialized memory disclosure in jpeg6b and libjpeg-turbo,

  • CVE-2013-6630: JPEG DHT uninitialized memory disclosure in libjpeg-turbo,

  • MSRC 0380191: A separate JPEG DHT uninitialized memory disclosure in Internet Explorer,

  • CVE-2014-1564: Uninitialized memory disclosure via GIF images in Firefox,

  • CVE-2014-1580: Uninitialized memory disclosure via <canvas> in Firefox,

  • Chromium bug #398235, Mozilla bug #1050342: Probable library-related JPEG security issues in Chrome and Firefox (pending),

  • PNG zlib API misuse bug in MSIE (DoS-only),

  • Several browser-crashing images in WebKit browsers (DoS-only).

More is probably to come. In other words, you should probably try it out. The most significant limitation today is that the current fuzzing strategies are optimized for binary files; the fuzzer does:

  • Walking bitflips – 1, 2, and 4 bits,

  • Walking byte flips – 1, 2, and 4 bytes,

  • Walking addition and subtraction of small integers – byte, word, dword (both endians),

  • Walking insertion of interesting integers (-1, MAX_INT, etc) – byte, word, dword (both endians),

  • Random stacked flips, arithmetics, block cloning, insertion, deletion, etc,

  • Random splicing of synthesized test cases – pretty unique!

All these strategies have been specifically selected for an optimal balance between fuzzing cost and yields measured in terms of the number of discovered execution paths with binary formats; for highly-redundant text-based formats such as HTML or XML, syntax-aware strategies (template- or ABNF-based) will obviously yield better results. Plugging them into AFL would not be hard, but requires work.

TorrentFreak: Chrome Extension Turns Amazon Into a Pirate eBook Site

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

As one of the largest online retailers, Amazon is the go-to store for many people.

Amazon became big by selling books and in recent years eBooks have become some of the fastest selling items. However, pirates are now directly targeting the company’s successful business model.

With a new Chrome extension pirates are entering Amazon, effectively transforming it into a pirate ‘store.’

When the LibGen extension is installed, it adds a new row on top of the Amazon product page of books that are also available through unauthorized sources.

The plugin uses data from the Libgen.org search engine which lists over a million books. Below is a screenshot of an Amazon book page, with a new row on the top linking to pirated downloads of the same title.



LibGen, short for Library Genesis, lists a wide variety of pirate sources for most books, including direct downloads, torrents and magnet links. It appears to work well, although there are occasional mismatches where links to books with similar titles are listed.

Needless to say, book publishers are not going to be pleased with Amazon’s unofficial feature. Whether Amazon plans to take any action to stop the extension has yet to be seen.

The idea to transform Amazon into a pirate site is not entirely new. A few years ago a Firefox plugin integrated Pirate Bay download links into the site, which also worked for music and movies. This plugin was taken offline quickly after the news was picked up by the mainstream media.

There are still other extensions floating around with the same functionality. Torrent This, for example, enhances Amazon with links to Pirate Bay download pages for all sorts of media, much like the “Pirates of the Amazon” plugin did.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Linux How-Tos and Linux Tutorials: How To Install And Use The Chrome Remote Desktop Sharing Feature In Ubuntu

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Falko Timme. Original post: at Linux How-Tos and Linux Tutorials

Chrome Remote Desktop Sharing feature in Ubuntu

In this tutorial I will introduce you to the Chrome Remote Desktop sharing feature. It is an alternative to TeamViewer-style tools for sharing the screen with remote clients. It seems to be very useful for remote desktop control. I will install the web plugin in Ubuntu 14.04.

Read more at HowtoForge

TorrentFreak: Chrome Blocks uTorrent as Malicious and Harmful Software

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With millions of new downloads per month, uTorrent is without a doubt the most used BitTorrent client around.

However, since this weekend the number of installs must have dropped quite a bit after Google Chrome began warning users away from the software. According to Chrome the BitTorrent client poses a serious risk.

“uTorrent.exe is malicious and Chrome has blocked it,” the browser informs those who attempt to download the latest stable release.

Chrome does give users the option to restore the file but not without another warning. The browser is convinced that the file is harmful and suggests that the uTorrent website may have been hacked.

“This file will harm your computer. Even if you have downloaded files from this website before, the website may have been hacked. Instead of recovering this file you can retry the download later.”


The first reports of Chrome’s block came in three days ago and at the time of writing the problems persist. The warnings appear for the latest stable release (3.4.2.32354) and no other releases appear to be affected.

Currently there is no indication why the software has been flagged, but a scan by more than 50 of the most popular anti-virus services reveals no active threats.

Google’s safe browsing diagnostic page claims that the uTorrent website was involved in malware distribution in recent months, but no further details on the nature of the supposed malware are provided.

“This site has hosted malicious software over the past 90 days. It infected 4 domain(s), including kioskea.net/, ziggi.uol.com.br/, majorgeeks.com/,” the diagnostics page reads.

This isn’t the first time that uTorrent has reported problems with Chrome. The same happened late last year when the malware blocking feature was still in beta. At the time uTorrent parent company BitTorrent Inc. managed to resolve the issues after several days.

Thus far, none of the developers have responded to user complaints in the uTorrent forums.

Update: We discovered that uTorrent occasionally serves other versions as well; these are not blocked. The vast majority of the downloads are still blocked though.


Linux How-Tos and Linux Tutorials: How to Operate Linux Spycams With Motion

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

Figure 1: spycam

When you want something a little simpler and more lightweight than Zoneminder for operating surveillance cameras, try Motion.

Motion is a nice lightweight, yet capable application for operating surveillance cameras on Linux. It works with any Linux-supported video camera, including all V4L Webcams, many IP cameras, Axis cameras, and it controls pan and tilt functions. Motion records movies and snapshots in JPEG, PPM, and MPEG formats, and you can view these remotely in a Web browser thanks to Motion’s built-in HTTP server. It stores image files in a directory of your choosing, and it does not require a database, though it supports MySQL and PostgreSQL if you do want to use one.

First let’s look at how to get an IP camera working with Motion using my trusty Foscam FI8905W (figure 1), and then we’ll add a USB Webcam.

Installation is easy on Debian and Debian derivatives, because Motion is included in the standard software repositories. So all you need to do is run apt-get install motion. You also need libav-tools, which is a fork of ffmpeg. Many moons ago, Debian dropped ffmpeg and replaced it with libav-tools (See Is FFmpeg missing from the official repositories in 14.04? to learn the gory details, and how to get ffmpeg itself if that’s what you really want). On other distros, check the downloads page and installation guide for instructions. Most other distros still include ffmpeg.

The installer should create a motion group and user, and add the motion user to the video group. If it doesn’t, then you must create them yourself. Add yourself to the video group as well, to get around permissions hassles.

Now run motion to see if it works:

$ sudo motion
[0] Processing thread 0 - config file /etc/motion/motion.conf
[0] Motion 3.2.12 Started
[0] ffmpeg LIBAVCODEC_BUILD 3547904 LIBAVFORMAT_BUILD 3544067
[0] Thread 1 is from /etc/motion/motion.conf
[1] Thread 1 started
[0] motion-httpd/3.2.12 running, accepting connections
[1] Failed to open video device /dev/video0: No such file or directory
[0] motion-httpd: waiting for data on port TCP 8080
[1] Could not fetch initial image from camera
[1] Motion continues using width and height from config file(s)
[1] Resizing pre_capture buffer to 1 items
[1] Started stream webcam server in port 8081
[...]

It will go on for many more lines, until you see:

[1] Failed to open video device /dev/video0: No such file or directory
[1] Video signal lost - Adding grey image

Point your Web browser to localhost:8081 and you will see a gray image:

Figure 2: gray image

This is good, as it means Motion is installed correctly, and all you have to do is configure it. Press Ctrl+C to stop it. Then create a .motion directory in your home directory, copy the default configuration file into it, and change ownership to you:

~$ mkdir .motion
~$ sudo cp /etc/motion/motion.conf .motion/
~$ sudo chown carla:carla .motion/motion.conf

You also need a directory to store images captured by motion:

~$ mkdir motion-images

When you start Motion it looks for a configuration file in the current directory, then in ~/.motion, and finally /etc/motion. Now edit your ~/.motion/motion.conf file. This example includes basic configurations, and the lines relevant to my Foscam IP camera:

# Start in daemon (background) mode and release terminal (default: off)
daemon on
# Output 'normal' pictures when motion is detected (default: on)
[...]
output_normal off
# File to store the process ID, also called pid file. (default: not defined)
process_id_file /var/run/motion/motion.pid
# Image width (pixels). Valid range: Camera dependent, default: 352
width 640
# Image height (pixels). Valid range: Camera dependent, default: 288
height 480
# Maximum number of frames to be captured per second.
# Valid range: 2-100. Default: 100 (almost no limit).
framerate 7
# URL to use if you are using a network camera, size will be autodetected (incl http:// ftp:// or file:///)
# Must be a URL that returns single jpeg pictures or a raw mjpeg stream. Default: Not defined
netcam_url http://192.168.10.250:8080/videostream.cgi
# Username and password for network camera (only if required). Default: not defined
# Syntax is user:password
netcam_userpass admin:mypassword
# Target base directory for pictures and films
# Recommended to use absolute path. (Default: current working directory)
target_dir /home/carla/motion-images
# Codec to used by ffmpeg for the video compression.
[...]
ffmpeg_video_codec mpeg4

You need to create the directory for storing the PID file, as it says in motion.conf:

$ sudo mkdir /var/run/motion

Now try starting it up again:

$ sudo motion
[0] Processing thread 0 - config file /home/carla/.motion/motion.conf
[0] Motion 3.2.12 Started
[0] Motion going to daemon mode

Good so far, now try localhost:8081 again:

Figure 3: driveway

Well look, there is my driveway. Now I will have plenty of warning when visitors come, so I can loose the moat monsters. Run around in front of your camera to trigger motion detection, and when you come back your images directory should have some .avi movies in it. You should also find a simple Motion control panel at localhost:8080.

IP Camera Settings

How to Operate Your Spycams with ZoneMinder on Linux (part 1) goes into some detail on setting up your camera. You must follow the vendor’s instructions for the initial setup, such as assigning a login and password, and setting the IP address. You may have other options as well, such as frame size, motion sensitivity, and color depth or black and white.

Getting the correct netcam_url is sometimes a hassle. For my Foscam I brought up its control panel in Firefox, right-clicked on the image (figure 4), then left-clicked View Image Info. This opens a screen like figure 5, which shows the exact URL of the videostream. In the Chrome browser use “Inspect element.”

Figure 4: control panel

Figure 5: foscam

Fine-tuning Configuration Values

You can make all kinds of adjustments in your configuration file such as image size, image quality, frame rate, sensitivity to movement, greater sensitivity in selected areas of the frame, file paths, HTTP server settings, and time stamp formats. Motion Guide – Alphabetical Option Reference Manual gives detailed information on each option. Remember to harmonize your Motion settings with the settings in your camera’s control panel, if it has one.

USB Cameras

Any V4L-supported USB Webcam should work with little fuss. The video device will be /dev/video0. /dev/video0 will be present only when a video camera is connected directly to your computer. This is a basic example configuration for my Logitech Webcam:

videodevice /dev/video0
width 640
height 480
framerate 24
output_normal off
ffmpeg_video_codec mpeg4
target_dir /home/carla/motion

And again, remember that settings such as frame rate and size are dependent on what your camera supports.

Daemonizing Motion

Once you have everything working, make Motion run as a daemon by editing /etc/default/motion, and changing start_motion_daemon=no to start_motion_daemon=yes. Now Motion will start automatically when you start your computer, and you can start and stop it like any other daemon.

Controlling Multiple Cameras

Motion manages multiple cameras with ease — all you do is give each camera its own configuration file, named thread1.conf, thread2.conf, and so on. You still need your main motion.conf for common options such as daemon on and filepaths. Then each “thread” file has configurations specific to each camera.

Krebs on Security: Microsoft, Adobe Push Critical Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.

Most of the bugs that Microsoft addressed with today’s updates (24 of the 29 flaws) are fixed in a single patch for the company’s Internet Explorer browser. According to Microsoft, one of those 24 flaws (a weakness in the way IE checks Extended Validation SSL certificates) was already publicly disclosed prior to today’s bulletins.

The other critical patch fixes a security problem with the way that Windows handles files meant to be opened and edited by Windows Journal, a note-taking application built in to more recent versions of the operating system (including Windows Vista, 7 and 8).

More details on the rest of the updates that Microsoft released today can be found at Microsoft’s Technet blog, Qualys’s site, and the SANS Internet Storm Center.

Adobe’s Flash Player update brings Flash to version 14.0.0.145 on Windows, Mac and Linux systems. Adobe said it is not aware of exploits in the wild for any of the vulnerabilities fixed in this release.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 14.0.0.125.

Flash has a built-in auto-updater, but you might wait days or weeks for it to prompt you to update, regardless of its settings. The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 14.0.0.137 for Windows, Mac, and Android.


Errata Security: Products endorsed by cybersec experts

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The idea came up in Twitter, so I thought I’d write a quick blog post answering the question: “What products do cybersec experts endorse as being secure?”

The answer, of course, is none. It’s a fallacy, because perfect security is impossible. If you want your computer data to be perfectly secure, then smash your device to pieces, run them through a blender, and drop the bits into volcanic lava.
With that said, we cybersec experts do use stuff. From this you can derive some sort of implicit endorsement. I use Windows, iPhone, and GMail, from which you can assume they are probably “secure enough”.
I use an iPhone because it has excellent security. For all I criticize Apple’s security, the fact is that they have very smart people solving the toughest problems. For example, their most recent operating system will randomize MAC addresses when looking for WiFi in order to avoid disclosing your identity. This is a security problem I’ve blogged about for years, and it’s gratifying that Apple is the first company to tackle this problem.
If you do the right thing, such as locking your iPhone with a complex code, you are likely safe enough. If a thief steals your phone, they will likely not get your private secrets from it.
On the other hand, if you don’t lock your iPhone, then the thief can steal everything from your phone, including things your phone has access to, like your email. That’s the problem with “security endorsements”: I as an expert can’t help if you don’t help yourself. Your biggest threat isn’t the products you use, but you yourself. Your top threats are getting easily tricked by “phishing emails”, drive-by downloads, lack of patches, and using the same password across many websites. Choosing a more or less secure product doesn’t really matter much in the face of bad decisions you make with those products.
With that said, there are some recommendations I can make. Public wifi, such as at Starbucks or the airport, is very very bad. Among the things I’m known for is demonstrating just how bad this can be (“sidejacking”). The safest thing is not to use it — tether through your phone instead. But, if you have to use it, use a VPN. This encrypts your data to a remote site across the Internet, so that local people near you can’t decrypt it. There are lots of free/cheap VPN providers. Another option is “Tor”, which acts like a VPN, but also anonymizes your identity. These are a little bit technical and hard to use, but can make using public WiFi secure.

We in the security industry know that some things are exceptionally bad. Browser apps using Java and ActiveX, the thing found in most corporate environments, are very bad. Adobe products Flash and PDF are likewise insecure in the browser. These technologies aren’t bad in and of themselves, but only bad when hackers have direct access to them via the web browser. What you want instead is a browser like Chrome using JavaScript applets, HTML5 replacing Flash, and built-in viewers for PDF rather than Adobe’s viewer.

We experts know that the standard way of building web apps on the backend using the “LAMP” stack is inherently insecure. PHP, in particular, is a nightmare. Pasting strings together to form SQL queries is bad. Not whitelisting output characters is bad. If programmers just heeded these last three sentences, they’d stop 99% of the ways hackers break into websites.
Microsoft, Apple, and Google care about cybersecurity. They are really the only companies I can point to that really do care. Their problems stem from the fact that they are also popular, and therefore, the top targets of hackers. Their problems also stem from the fact that security is a tradeoff: caring too much about security makes products unusable.
Tradeoffs are why Android is less secure than iPhone. Apple limits apps to only those they’ve approved, whereas Android allows apps to be downloaded from anywhere. Android’s policy is better, it gives control over the phone to the user rather than the fascist control Apple has over their phones. But the price is additional risk, as users frequently download apps from dodgy websites that “infect” their phone with a “virus”. Thus, if you want a secure phone, choose iPhone, but if you want a phone that you can control yourself, choose Android. Note that Microsoft makes technically excellent phones, but nobody cares, because they don’t have the apps, so I don’t mention them in the comparison :).
I use GMail. Google’s web apps have the best track record of security, being the first to adopt SSL everywhere all the time. There are still problems, of course, but their track record is better than others.
As an operating system, I currently use Win7, Mac OS X, and Ubuntu (using Windows the majority of the time). I use them with full disk encryption. They are all equally secure as far as I’m concerned. I use Microsoft’s Office, on both Windows and Mac, as well as their cloud apps.
Finally, I want to discuss the security community’s historic dislike of Microsoft. It’s not valid. It’s always been a political dislike of Microsoft’s monopolistic control over the desktop, and an elitist preference for things like Linux that aren’t useable by mainstream. I point this out because I can’t endorse the advice from security experts — their advice is more often going to be political rather than technical.

The Hacker Factor Blog: Not So Bright

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

There’s a feature that I’ve wanted to enable at FotoForensics for quite a while: brightness control. Some pictures are just too dark, and some analysis algorithms generate dark results that could benefit from a little brightening. (Not ELA, where dark means “low quality”. But other algorithms could use some brightness control.)

The one thing I don’t want to do is use the server to manage minor color alterations. That would just be too high of a load and consume far too much disk space with temporary files. (If I permit increments of 10%, then that’s 11 potential brightness renderings per picture. And there may be dozens of pictures: original, ELA, full-size, scaled, etc.)

Fortunately, FotoForensics requires HTML5. That means JavaScript, CSS filters, and other fun options to offset this work to the client’s browser and not task the server.

Unfortunately, I’m still hitting some problems…

Problem #1: Browser Support

CSS and CSS3 have a huge amount of support. To paraphrase Visa’s slogan: CSS3 is everywhere I want to be. And most CSS3 filters have support on most browsers. Filters like rotation, translation, and skewing are very common.

Unfortunately, the brightness filter lacks widespread support. The web site caniuse.com maintains a great list of HTML and CSS features and their support across most web browsers. For brightness, only Chrome and Opera really have full support. Safari supports it as of 6.0, but if you have an older version of Safari then you’re out of luck. (All of my Macs are too old, so none of them support CSS3 brightness.) And unless you have the most recent mobile device, you probably don’t support it. (People who use Firefox or Internet Explorer are out of luck.)

Since I consider brightness to be a “nice to have” feature and not a mandatory requirement, I’ve built a little JavaScript code to detect if it is supported. If the browser supports it, then it is enabled. But if it isn’t supported, then the user never sees the option.

I have similar conditional JavaScript checks for the rotation and flip buttons. You only see the buttons if your browser supports the feature. But unlike brightness, rotate and flip are almost universally supported.

Problem #2: Brightness Parameters

According to the CSS3 specifications, brightness takes one parameter in one of two formats. You can either specify a percentage or a fraction. Code like img.style['-webkit-filter']="brightness(110%)"; will make the picture brighter. The values range from 0% (black) to 200% (white) with 100% being “no adjustment”. When using fractions, the values range from -1 (black) to +1 (white) with 0 being unaltered.

This seems simple enough… except that the implementation seems inconsistent. Older Chrome browsers (those with version numbers in the 20s) only support the numerical values. Newer Chrome browsers only consistently support the percentages. As far as I can tell, brightness is a “work in progress” on Chrome, and different versions support different parameters.

The nice thing about JavaScript is that unsupported styles are never added to the element. I ended up making a complicated JavaScript detector that checks if the browser supports brightness and identifies which parameters to use. It works by adding various styles and checks to see if they were actually added:

var properties = [ '-webkit-filter' ];
var p;
var el; // temporary test element (declared here so it is not an implicit global)
var BrightnessVal=-100; // sentinel: -100 means "brightness not supported"
var BrightnessMin=100;
var BrightnessMax=100;
var BrightnessStep=10;
var BrightnessChar='';
while((BrightnessVal==-100) && (p = properties.shift()))
{
  // My properties are currently only -webkit-filter.
  // Check if the browser supports -webkit-filter.
  if (p in document.body.style)
  {
    // create a temporary image element to test with
    el = document.createElement('img');
    // See if it supports the percent parameters
    el.style[p]='brightness(200%)'; // set value
    if (el.style[p]=='brightness(200%)') // check value
    {
      // Supported! Set the range and notations
      BrightnessMin=0;
      BrightnessVal=100;
      BrightnessMax=200;
      BrightnessStep=10;
      BrightnessChar='%';
    }
    else
    {
      // No percent support? Check for fractions!
      el.style[p]='brightness(0.5)';
      if (el.style[p]=='brightness(0.5)')
      {
        // Supports fractions! Set the range and notations
        BrightnessMin=-1;
        BrightnessVal=0;
        BrightnessMax=1;
        BrightnessStep=0.1;
        BrightnessChar='';
      }
    }
    // "delete" has no effect on a variable; drop the reference instead
    el = null;
  }
}
// Now see if it is supported...
if (BrightnessVal > -100)
{
  // it's supported, so add the user controls
}

With this code, I know if the browser supports the brightness parameter as well as the minimum and maximum values and whether to include the “%” character. This means that I can support Chrome, Opera, and some versions of Safari.

Problem #3: Fractions

JavaScript has made huge strides over the last decade. It used to be a huge security risk and really slowed down the computer. But with better compiler designs and implementation decisions, it really isn’t the same huge security risk that it previously was. And as far as speed goes: wow — I can do most tasks in real time and with minimal computer resources.

So it really makes me shake my head when I hit a really bad, fundamental problem with JavaScript. JavaScript sucks at fractions.

I created two buttons. One increases the brightness by 10%, and the other decreases it by 10%. My basic test is to click on each button 3 times. When using the integer range (0% – 200%): 100% + 10% + 10% + 10% – 10% – 10% – 10% = 100%. There is no floating point error. This works fine.

However, I hit a problem when I use the fractional range (-1 to +1): 0 + 0.1 + 0.1 + 0.1 – 0.1 – 0.1 – 0.1 = 0.0000000000004. Different browsers generate different values for the floating point error. But seriously, why am I seeing any floating point error when I’m adding and subtracting tenths??? At this point, I have two options. I can either do everything as integers (10 times all values and just divide by 10 before use), or I can call Math.round(val*10)/10 to strip the error out after each addition and subtraction. (I went with the latter option since it mitigates long-term error accumulation.)

Back in college, I collected buttons. I have a button that says “2+2=5 for sufficiently large quantities of 2”. I fear that this is really the case with JavaScript.

Update: Stuart and Justin left great comments about why this happens. I still think JavaScript could take steps to mitigate the issue, but at least it is understandable.

Problem #4: Applying Brightness

In computer graphics, there are two common ways to brighten up an image. The first way scales the RGB values. For example, I can multiply every value by 1.1 and achieve a 10% increase in brightness. The value “1” becomes “1.1” which rounds to 1, 2 becomes 2.2 which is 2, 3 becomes 3, but 5 becomes 5.5 which rounds to 6. 7 becomes 8, 8 becomes 9, … and 200 becomes 220. The bigger the number is, the more the number moves.

Think of this like elementary school gym class. Everyone stands in a line and then the teacher says to stand one arm’s length apart. People at the front of the line barely move. People at the end of the line have to walk a long distance in order to remain one arm’s length apart. (This always sucked for the kids whose last names began with Z. And the kids with names that begin with “A” always wondered why this simple “spread out” task took so long…)

This scaling approach emphasizes differences in the darker regions. By moving darker colors more, minor gradient differences among the darker colors are scaled larger. Brightening up the picture permits you to see details within the darkness more clearly.

The other common approach is to convert the colors to HSV, YUV, or some other colorspace where the intensity (V or Y) is separate from the hue. The intensity is adjusted linearly and then the colors are converted back to RGB. This approach typically brightens the image but mutes details a little since differences that are only in the chrominance (the color and not the intensity) are unchanged.

However… there is a method for brightening images that I have only seen used on the web — real graphics applications never use this approach and I don’t think it is taught in any graphics courses. It’s a fake brightening algorithm because it doesn’t “brighten” so much as “wash out” the image. Here’s how the algorithm works: apply a completely white image as a transparency over the image. The amount of transparency controls the brightness. That’s right: it combines the picture with “white”.

Using this pseudo-brightness approach, big numbers barely change while little numbers change a lot. For example, at 10% brighter, the value 200 gets combined with a white (255) transparency: 10%×255 + 90%×200 = 205.5 and rounds to 206, so it moves 6 values in intensity. The value 2 becomes 10%×255 + 90%×2 = 27.3 and rounds to 27, so it moves 25 values in intensity. This makes dark values look lighter, but it removes details because the gradients between adjacent dark values are reduced. The result is a “brighter” picture but with less detail. If the purpose of brightening the image is to see minor differences in the dark regions, then this brightness function won’t help you.
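The scaling and white-overlay arithmetic above, applied to single 8-bit channel values, as an added example that is not code from the original post. The function names and the sample dark range (0 to 63, values 20 and 30) are assumptions chosen for illustration.

```javascript
// Added example: 8-bit channel values under the two adjustments compared above.
// pct is an integer percentage so the arithmetic matches the text's figures.
const clamp8 = (x) => Math.max(0, Math.min(255, Math.round(x)));

// Scaling: multiply the channel value, e.g. pct = 10 multiplies by 1.1.
function scaleBrightness(v, pct) {
  return clamp8(v * (100 + pct) / 100);
}

// "Wash out": blend the value with white (255) at pct% opacity.
function whiteOverlay(v, pct) {
  return clamp8((pct * 255 + (100 - pct) * v) / 100);
}

// Difference between two input levels after adjustment (the local gradient).
function gapAfter(fn, lo, hi, pct) {
  return fn(hi, pct) - fn(lo, pct);
}

// Number of distinct output levels produced from inputs 0..maxIn.
function distinctLevels(fn, maxIn, pct) {
  const seen = new Set();
  for (let v = 0; v <= maxIn; v++) seen.add(fn(v, pct));
  return seen.size;
}

// The figures worked through in the text.
console.log(scaleBrightness(5, 10), scaleBrightness(200, 10)); // 6 220
console.log(whiteOverlay(2, 10), whiteOverlay(200, 10));       // 27 206

// Two dark values that start 10 levels apart (constructed sample).
console.log(gapAfter(scaleBrightness, 20, 30, 10)); // 11: gradient widened
console.log(gapAfter(whiteOverlay, 20, 30, 10));    // 9: gradient narrowed

// The 64 darkest input levels at +50%.
console.log(distinctLevels(scaleBrightness, 63, 50)); // 64: all still distinct
console.log(distinctLevels(whiteOverlay, 63, 50));    // 32: pairs merged
```

Once the overlay merges neighbouring levels into one output value, the difference between them cannot be recovered from the result.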

Other Options

At this point, we have a “brightness” function that is not widely supported, has inconsistent parameters, and is poorly implemented. As a result, I have no desire to release this as an option at FotoForensics. It is rarely supported and doesn’t do the job when it is supported.

I’ve seen a couple of forums where people have tried to do workarounds. The most common suggestion is to use a white background and to adjust the image’s transparency. Every HTML5 browser seems to support transparencies, so this is a functionally applicable option. However, this is the same pseudo-brightness algorithm that mutes details rather than actually brightening the image. This is not a practical solution.

A better option is to use an HTML5 canvas object. Canvas is widely supported and gives me (the developer) full control over every pixel. I can easily implement the scaling RGB function. However, this introduces another problem… Some pictures can be very large, and not every browser implementation supports HTML5 with OpenGL functions. (OpenGL provides speed to graphical rendering.) As a result, increasing the brightness may be very slow. I have a few sample pictures where each click on the “increase brightness by 10%” button takes 2-3 seconds. (Longer if you’re on a mobile device.) This speed issue hinders usability, so I’ve ruled it out as an option.

(JavaScript libraries like Raphaël and jQuery are dependent on the canvas object, so they have the exact same speed limitations.)

I’m still looking for alternative methods to implement a real ‘brightness’ function in JavaScript. However, it looks like I will have to wait for JavaScript to grow up a little more. Right now, I’m out of bright ideas.

Krebs on Security: Adobe, Microsoft Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each released updates to fix critical security vulnerabilities in their software. Adobe issued patches for Flash Player and AIR, while Microsoft’s Patch Tuesday batch includes seven update bundles to address a whopping 66 distinct security holes in Windows and related products.

The vast majority of the vulnerabilities addressed by Microsoft today are in Internet Explorer, the default browser on Windows machines. A single patch for IE this month (MS14-035) shores up at least 59 separate security issues scattered across virtually every supported version of IE. Other patches fix flaws in Microsoft Word, as well as other components of the Windows operating system itself.

Most of the vulnerabilities Microsoft fixed today earned its “critical” rating, meaning malware or bad guys could exploit the flaws to seize control over vulnerable systems without any help from users, save perhaps for having the Windows or IE user visit a hacked or booby-trapped Web site. For more details on the individual patches, see this roundup at the Microsoft Technet blog.

Adobe’s update for Flash Player fixes at least a half-dozen bugs in the widely-used browser plugin. The Flash update brings the media player to v. 14.0.0.125 on Windows and Mac systems, and v. 11.2.202.378 for Linux users. To see which version of Flash you have installed, check this link.

IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. Chrome version 35.0.1916.153 includes this Flash update; to see which version of Chrome you’re running, click the 3-bars icon to the right of the address bar and select “About Google Chrome.”

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 14.0.0.110 for Windows, Mac, and Android.

LWN.net: Making end-to-end encryption easier to use (Google Online Security Blog)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The Google Online Security Blog has announced the alpha release of an OpenPGP-compliant end-to-end encryption extension for the Chrome/Chromium browser.
“While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools.

However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)”