Starting in September, Chrome will stop auto-playing Flash ads

This post was syndicated from: and was written by: n8willis. Original post: at

Google has announced
that, beginning September 1, Chrome will no longer auto-play
Flash-based ads in the company’s popular AdWords program. The post
frames this as a move to improve browsing performance for users, and
notes that most Flash ads are automatically converted to HTML5
already. Commenting on the news, The Register notes
that the change should also offer some additional protection against
malware delivered via Flash. Chrome will continue to auto-play Flash
content in the main body of pages, however. The Register’s story says
the change is, in fact, just a modification of the default setting for
plugin behavior, which already supports
an option to disable plugin content not deemed “important.” Mozilla,
of course, blacklisted the Flash
plugin in July, although that action only disabled the then-current,
vulnerable release—which was subsequently updated.

Linux How-Tos and Linux Tutorials: Live Booting Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

“I’d like to give Linux a try, but I’m not sure how.”

I’ve heard that statement so many times over the years. During that period, my pat response has changed from something akin to “It’s worth the effort” to “It’s incredibly easy.” Linux is actually the easiest operating system to “try out.” How is that possible? Two words… live booting.

For those of you who are familiar with Linux, this is not only old news, it’s also very basic:

  1. Download an ISO

  2. Burn the ISO to disk

  3. Boot your computer with the newly burned disk

  4. Try out the live distribution

For those not so familiar with Linux—but very much interested in giving the platform a try—I want to introduce you to the concept of live booting. Because most new machines don’t ship with optical drives, you will also learn how to create a bootable live USB flash drive (so you can carry Linux with you all the time).

What Is Live Booting

The concept of live booting is actually quite simple. With a live Linux distribution (not all distributions come in “live” flavors), you can boot your machine from either a CD/DVD disk or from a USB flash drive and choose to try out the operating system without making any changes to your hard drive.

How this works is by running the entire system from volatile memory (RAM). The operating system and all programs are usable, but run from memory. Because of this, you can boot the live system, test/use it for as long as you need, and then reboot the system (remembering to remove the live media) to return to your original system.

Live distributions can be used for several purposes:

  • Testing a Linux distribution: This is the best way to see if Linux is for you.

  • Testing hardware: If you’re unsure if your hardware will work with a Linux distribution, run it live and find out.

  • Kiosks or cafes: If you need a machine that can be booted fresh each day, a live Linux distribution might be the solution for you.

Live distributions also form a collection of very important tools that handle crucial tasks, such as:

  • Data recovery

  • System recovery

  • Rescue and repair

  • PC Forensics

  • Boot repair

As I mentioned, not all Linux distributions offer a live solution. Here is a complete list of distributions available as live releases.

What Do You Do With That Downloaded File?

This is the crux of the issue. For live booting, you will have downloaded an ISO image (the file will end in the .iso file extension). What you have to do next is burn that file to a disk. If you’re burning the disk from within Windows, all you need to do is locate the downloaded file and double-click it to begin the burning process. However, as I mentioned earlier, many newer PCs do not ship with optical drives. If that is the case, what do you do?

You turn to the tried and true USB flash drive.

Once upon a time, you would have had to manage the creation of a bootable USB flash drive with the Linux command line. Now, however, there are plenty of tools available for just that purpose. One such tool is called UNetbootin. This easy-to-use app can create a bootable USB flash drive from a downloaded ISO file or can even download the necessary ISO file for you. UNetbootin is available for Windows, Mac, or Linux and can, within a few short minutes, have you booting a live Linux distribution.

Creating a Bootable Live Distribution on a USB Flash Drive

Let’s walk through the process of creating a live USB flash drive with UNetbootin. Download and install the application on your platform of choice (Windows, Linux, Mac) and grab a USB flash drive large enough to hold your distribution (a 4GB USB flash drive should accommodate most distributions).

With everything ready, here are the steps to creating a bootable USB flash drive with UNetbootin (from a downloaded ISO file from your distribution of choice):

  1. Insert your USB flash drive

  2. Launch the software (you’ll need administrator privileges)

  3. Check the box for Diskimage (see Figure 1 above)

  4. Click the browse button (indicated with three dots)

  5. Locate the downloaded ISO image

  6. Select USB Drive from the Type drop-down

  7. Select the location of your USB drive from the Drive drop-down

  8. Click OK

  9. Allow the creation of the live USB drive to complete

  10. Click Exit (not Reboot), when the process completes

If you happen to have an Ubuntu system handy, you can create a bootable flash drive without installing third-party software. To do this, follow these steps:

  1. Download your desired ISO image and save it to ~/Downloads

  2. Insert your USB drive

  3. Open the Dash

  4. Type startup

  5. Open the Startup Disk Creator

  6. Select your downloaded file from the list (Figure 2)

  7. Click Make Startup Disk

  8. When prompted, enter your admin password

One of the options available on the Ubuntu Startup Disk Creator is the ability to include extra space on the USB drive. This space is used for saving files—so you don’t lose everything when the system is rebooted. By doing this, you effectively create a portable Linux system that can be carried with you wherever you go.
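The command-line route the article alludes to, as an added example that is not the article's own code: it checks the ISO 9660 signature and the SHA-256 the distribution publishes, and refuses to write to a mounted or non-removable device before handing the raw copy to dd. Assumes a Linux host (it reads /sys/block and /proc/mounts and needs root to write); the function names and the sample image and mount tables are constructed here.

```python
"""Write a downloaded live ISO to a USB stick with the checks the GUI tools make for you."""
import hashlib
import os
import subprocess

ISO9660_SIG_OFFSET = 0x8001      # primary volume descriptor: "CD001" at byte 32769
ISO9660_SIG = b"CD001"

# constructed samples for illustration; not a real image or real mount tables
SAMPLE_ISO = b"\x00" * ISO9660_SIG_OFFSET + ISO9660_SIG + b"\x00" * 64
SAMPLE_MOUNTS_SAFE = "/dev/sda1 / ext4 rw,relatime 0 0\ntmpfs /run tmpfs rw 0 0\n"
SAMPLE_MOUNTS_BUSY = SAMPLE_MOUNTS_SAFE + "/dev/sdb1 /media/user/USB vfat rw 0 0\n"


def looks_like_iso9660(header: bytes) -> bool:
    """True if the bytes carry the ISO 9660 signature; catches a truncated download
    or an HTML error page that was saved under an .iso name."""
    return header[ISO9660_SIG_OFFSET:ISO9660_SIG_OFFSET + len(ISO9660_SIG)] == ISO9660_SIG


def sha256_hex(chunks) -> str:
    """SHA-256 over an iterable of byte chunks, so a multi-GB ISO is never read at once."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def file_chunks(path: str, size: int = 1 << 20):
    with open(path, "rb") as f:
        while chunk := f.read(size):
            yield chunk


def mounted_devices(mounts_text: str) -> set:
    """Device nodes currently mounted, parsed from /proc/mounts-style text."""
    return {line.split()[0] for line in mounts_text.splitlines()
            if line.startswith("/dev/")}


def is_safe_target(dev: str, mounts_text: str, removable_flag: str) -> bool:
    """Refuse a device the kernel does not flag as removable (that rules out the
    internal disk) or that has any partition mounted."""
    if removable_flag.strip() != "1":
        return False
    return not any(m == dev or m.startswith(dev) for m in mounted_devices(mounts_text))


def write_live_usb(iso_path: str, dev: str, expected_sha256: str) -> None:
    with open(iso_path, "rb") as f:
        header = f.read(ISO9660_SIG_OFFSET + len(ISO9660_SIG))
    if not looks_like_iso9660(header):
        raise ValueError(f"{iso_path} is not an ISO 9660 image")
    if sha256_hex(file_chunks(iso_path)) != expected_sha256.lower().strip():
        raise ValueError(f"checksum mismatch for {iso_path}")
    name = os.path.basename(dev)                             # /dev/sdb -> sdb
    with open(f"/sys/block/{name}/removable") as f:
        removable = f.read()
    with open("/proc/mounts") as f:
        mounts = f.read()
    if not is_safe_target(dev, mounts, removable):
        raise RuntimeError(f"refusing to write to {dev}: mounted or not removable")
    # raw block copy, which is what the GUI tools do underneath (GNU dd flags)
    subprocess.run(["dd", f"if={iso_path}", f"of={dev}", "bs=4M",
                    "conv=fsync", "status=progress"], check=True)


if __name__ == "__main__":
    import sys
    write_live_usb(sys.argv[1], sys.argv[2], sys.argv[3])
```

Run as root with the image, the whole device (not a partition) and the published checksum, e.g. `sudo python3 write_live_usb.py distro.iso /dev/sdb <sha256>`.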

Booting the USB Drive

With the live USB drive complete, you now need to insert the drive into the target computer (the computer to be used to run the live image) and boot up. If your machine doesn’t automatically boot from the USB drive, you may have to go into your machine’s BIOS and set the boot order such that external devices boot first (how this is done will vary, machine to machine).

In most cases, you will be greeted with some form of the “Try” screen (Figure 3). To run the distribution as a live instance, click Try NAME (where NAME is the name of the distribution) and allow the desktop to load. Once the desktop is loaded, you’re ready to go.

Caveats to Running Live

One of the biggest issues people face with running live instances of Linux is insufficient RAM, which can cause the system to run slowly. Remember, this will be running completely from memory, so chances are it won’t run as smoothly as if it were installed on the hard drive. However, if your system contains 2 GB or more of RAM, you’ll find the live instance runs fairly well.

Another caveat you must understand is that the second you reboot, all is lost. Just because the system is running from memory, doesn’t mean you cannot install applications or save files. But, unless you’ve saved files to an external drive, as soon as the system is rebooted, everything you’ve saved (installed or configured) will be gone.

You now have all the power necessary to test and run Linux without making a single change to your machine’s hard drive. Linux is an incredibly powerful and flexible platform… live booting is just one way to experience and even share the flagship open source operating system.

Security updates for Monday

This post was syndicated from: and was written by: jake. Original post: at

Arch Linux has updated glibc
(denial of service from 2014).

Debian-LTS has updated libidn
(information disclosure) and subversion (information disclosure).

Fedora has updated bzr (F22; F21:
denial of service from 2013), firefox (F21:
multiple vulnerabilities), and flac (F22: two vulnerabilities).

Gentoo has updated adobe-flash
(multiple vulnerabilities), icecast (denial
of service), and libgadu (three
vulnerabilities from 2013 and 2014).

openSUSE has updated firefox (13.2; 13.1:
multiple vulnerabilities) and flash-player (13.2; 13.1: many vulnerabilities).

Oracle has updated kernel 3.8.13 (OL7; OL6: two
remote denial of service flaws), kernel 2.6.39 (OL6; OL5: two
remote denial of service flaws), and kernel 2.6.32 (OL6; OL5: two
remote denial of service flaws).

Red Hat has updated glibc (RHEL5:
code execution from 2013), mysql55-mysql (RHEL5; RHSC2:
multiple unspecified vulnerabilities, one from 2014), rh-mysql56-mysql (RHSC2: multiple unspecified
vulnerabilities), sqlite (RHEL6:
code execution), sqlite (RHEL7: three vulnerabilities), and subversion (RHEL6: three vulnerabilities).

Scientific Linux has updated sqlite (SL7: three vulnerabilities).

Slackware has updated firefox
(multiple vulnerabilities) and thunderbird
(multiple vulnerabilities).

Ubuntu has updated openssh
(15.04, 14.04, 12.04: two vulnerabilities) and pollinate (15.04, 14.04: certificate update).

Backblaze Blog | The Life of a Cloud Backup Company: A 16TB SSD: OMG

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Andy Klein. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

Samsung 16TB SSD

It was reported today by Ars Technica UK, Slash Gear and others that Samsung is introducing a 16TB SSD. The world’s largest hard drive was unveiled at the Flash Memory Summit in Santa Clara, California. What’s even more amazing is the 2.5″ form factor – it would fit in your laptop.

Before you run out (ok, log in to Amazon) to buy one, you need to know the price is expected to be between $5,000 and $7,000 each, at least initially. That price isn’t that crazy. If you were to buy (8) eight 2TB SSD drives today at $800 each it would be $6,400 and they would not all fit in your laptop.

Could Backblaze use these SSDs to create a 720TB Storage Pod? Sure, it would cost about $220,000 for the drives and take a bit of modification to fit 2.5″ drives versus 3.5″ drives in a Storage Pod. We’ll leave the modifications up to Backblaze Labs to figure out. The real question is “would” we build a 720TB Storage Pod made from 16TB SSD drives? Let’s do the math…

  • $5,000 divided by 16TB of storage is $312.50 per TB of storage.
  • $312.50 per TB divided by 1,000 is $0.3125 per GB of storage.

Currently we pay about $0.032 per GB for traditional hard drives, a Seagate 4TB drive for example. The 16TB SSD is nearly 10 times the cost per GB. That said, each 16TB SSD Storage Pod would save (3) three Storage Pod chassis using 4TB drives – that’s roughly $12,000 ($4,000 per chassis in rough numbers). That would still make a 16TB SSD Storage Pod about 9 times more expensive. Even after we put all the numbers into our spreadsheets that factor in electricity, rack space, drive failure, maintenance, etc., the 16TB solid state drives would still be 6-7 times more expensive.

I guess we’ll have to wait a little longer for prices to drop before we jump on creating an SSD Storage Pod. Too bad, it would have been fun to write about a 720TB Storage Pod or better yet a 14.4 Petabyte Backblaze Vault. Still, a 16TB SSD is pretty cool, I wonder what’s next?


The post A 16TB SSD: OMG appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Security updates for Thursday

This post was syndicated from: and was written by: jake. Original post: at

Debian has updated request-tracker4 (cross-site scripting).

Red Hat has updated flash-plugin
(RHEL5&6: many vulnerabilities).

SUSE has updated firefox (SLE12:
information leak), java-1_7_0-ibm
(SLE11SP3, SP2: many vulnerabilities), and kernel-rt (SLE11SP3: many vulnerabilities,
including some from 2014).

Security advisories for Wednesday

This post was syndicated from: and was written by: ris. Original post: at

Arch Linux has updated firefox (multiple vulnerabilities).

CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities).

Debian has updated gnutls28 (denial of service), iceweasel (multiple vulnerabilities), and wordpress (multiple vulnerabilities).

Fedora has updated devscripts (F22; F21: two
vulnerabilities), kernel (F22; F21: information leak), pure-ftpd (F22: denial of service), xen
(F22; F21:
code execution), and xfsprogs (F22:
information disclosure from 2012).

Mageia has updated firefox
(MG4,5: multiple vulnerabilities), flash-player-plugin (MG4,5: multiple
vulnerabilities), and qemu (MG4,5: multiple vulnerabilities).

openSUSE has updated gnutls
(13.2, 13.1: denial of service).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated firefox
(RHEL5,6,7: multiple vulnerabilities) and kernel (RHEL6.5: use-after-free flaw).

Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities).

SUSE has updated flash-player (SLE12; SLED11SP4,SP3: multiple vulnerabilities).

Ubuntu has updated firefox
(15.04, 14.04, 12.04: multiple vulnerabilities) and ubufox (15.04, 14.04, 12.04: multiple vulnerabilities).

Krebs on Security: Adobe, MS Push Patches, Oracle Drops Drama

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe today pushed another update to seal nearly three dozen security holes in its Flash Player software. Microsoft also released 14 patch bundles, including a large number of fixes for computers running its new Windows 10 operating system. Not to be left out of Patch Tuesday, Oracle‘s chief security officer lobbed something of a conversational hand grenade into the security research community, which responded in kind and prompted Oracle to back down.

Adobe’s latest patch for Flash (it has issued more than a dozen this year alone) fixes at least 34 separate security vulnerabilities in Flash and Adobe AIR. Mercifully, Adobe said this time around it is not aware of malicious hackers actively exploiting any of the flaws addressed in this release.

Adobe recommends users of Adobe Flash Player on Windows and Macintosh update to Adobe Flash Player Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player on Windows and Macintosh, and version for Linux and Chrome OS.

However, I would recommend that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome://plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).


Microsoft may have just released Windows 10 as a free upgrade to Windows 7 and 8 customers, but some 40 percent of the patches released today apply to the new flagship OS, according to a tally by security firm Qualys. There is even an update for Microsoft Edge, the browser that Microsoft wants to replace Internet Explorer.

Nevertheless, IE gets its own critical update (MS15-089), which addresses at least 13 flaws — most of which can be exploited remotely without any help from the user, save from perhaps just visiting a hacked or malicious site.

Another notable update plugs scary-looking flaws in Microsoft Office (MS15-081). Qualys says it appears the worst of the flaws fixed in the Office patch could be triggered automatically — possibly through the Outlook e-mail preview pane, for example.

According to security firm Shavlik, there are two flaws fixed in today’s release from Microsoft that are being actively exploited in the wild: One fixed in the Office Patch (CVE-2015-1642) and another in Windows itself (CVE-2015-1769). Several other vulnerabilities fixed today were publicly disclosed prior to today, increasing the risk that we could see public exploitation of these bugs soon.

If you run Windows, take some time soon to back up your data and update your system. As ever, if you experience any issues as a result of applying any of these updates, please leave a note about your experience in the comments section.


I’ve received questions from readers about a rumored software update for Java (Java 8, Update 60); I have no idea where this is coming from, but this should not be a security-related patch. Generally speaking, even-numbered Java updates are non-security related. More importantly, Oracle has moved to releasing security updates for Java on a quarterly patch cycle, except for extreme emergencies (and I’m unaware of a dire problem with Java right now, aside perhaps from having this massively buggy and insecure program installed in the first place).

Alas, not to be left out of the vulnerability madness, Oracle’s Chief Security Officer Mary Ann Davidson published a provocative blog post titled “Don’t, Just Don’t” that stirred up quite a tempestuous response from the security community today.

Davidson basically said security researchers who try to reverse engineer the company’s code to find software flaws are violating the legal agreement they acknowledged when installing the software. She also chastised researchers for spreading “a pile of steaming FUD” (a.k.a. Fear, Uncertainty and Doubt).

Oracle later unpublished the post (it is still available in Google’s cache here), but not before Davidson’s rant was lampooned endlessly on Twitter and called out by numerous security firms. My favorite so far came from Twitter user small_data, who said: “The City of Rome’s EULA stipulates Visigoths cannot recruit consultants who know about some hidden gate to gain entry.”

Images posted by Twitter users posting to the sarcastic hashtag #oraclefanfic

SANS Internet Storm Center, InfoCON: green: More patch tuesday: adobe released security update for adobe flash player, (Tue, Aug 11th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe released today bulletin APSB15-19, which address the following vulnerabilities found in Adobe Flash Player: CVE-2015-3107, CVE-2015-5124, CVE-2015-5125, CVE-2015-5127, CVE-2015-5128, CVE-2015-5129, CVE-2015-5130, CVE-2015-5131, CVE-2015-5132, CVE-2015-5133, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5541, CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5550, CVE-2015-5551, CVE-2015-5552, CVE-2015-5553, CVE-2015-5554, CVE-2015-5555, CVE-2015-5556, CVE-2015-5557, CVE-2015-5558, CVE-2015-5559, CVE-2015-5560, CVE-2015-5561, CVE-2015-5562 and CVE-2015-5563.

As of today, the latest Adobe Flash Player version is For Linux, the current version is

Manuel Humberto Santander Peláez
SANS Internet Storm Center – Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: Nuclear EK traffic patterns in August 2015, (Wed, Aug 5th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green


About two weeks ago, Nuclear exploit kit (EK) changed its URL patterns. Now it looks a bit like Angler EK. Kafeine originally announced the change on 2015-07-21 [1], and we collected examples the next day.

Here’s how Nuclear EK looked on


Now that we’re into August 2015, URL patterns for Nuclear EK have altered again. These changes are similar to what we’ve seen with Angler EK since June 2015 [3]. They’re not the same URL patterns as Angler, but the changes are similar.

In today’s diary, we examine Nuclear EK traffic as of Tuesday, 2015-08-04. In this example, the EK delivered Troldesh ransomware, which is similar to a previous infection I published earlier this year in April 2015 [4].

First, let’s see how the 2015-08-04 traffic from a compromised website led to Nuclear EK.

From a compromised web site to the EK

I viewed the compromised website by getting to it through a Bing search, which is my preferred method for generating EK traffic. Google had already identified the site as potentially malicious and wouldn’t

Malicious JavaScript was injected in at least 4 places when I visited the site’s index page. The script is obfuscated, so you won’t see any obvious URLs.

What’s the easiest way to deobfuscate the script? Copy and paste the script into its own HTML file, make sure you

Open the resulting web page in a browser, and you should see an alert showing the deobfuscated script. From the above example, we find a hidden iframe that goes to

With any EK, this all happens behind the scenes. The average user won’t know what happened until it’s too late. With ransomware, users will realize something

Shown above: the infected host’s desktop after the Troldesh ransomware infection.

A look at the Nuclear EK traffic

On 2015-07-21, when Nuclear changed, each GET request from the EK started with search?q=. URL patterns remained that way through at least 2015-07-30 [5]. A few days later, the landing page URL still contains search?q=. However, other URLs for the Flash exploit and payload use different words. They also follow a different pattern after the question mark (?) up to the equal sign (=). Below shows our example of

In the 2015-08-04 traffic, Nuclear EK’s landing page has some text before the initial HTML tag. This is something we hadn’t

Except for the change in the URL pattern, this HTTP GET request for the EK’s Flash exploit is similar to what we

Nuclear EK still uses an ASCII string to XOR the payload binary. This started with Nuclear’s previous change of URL patterns back in December 2014 [6], and it remains the EK
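How an analyst can get the executable back out of a download that was XORed with an ASCII string, as an added example that is not from the diary: it assumes a plain repeating-key XOR over the whole file with a printable key (the diary only says an ASCII string is used) and uses the PE header plus the DOS-stub message as known plaintext. The "payload" and the key Sample-Key-2015 are constructed stand-ins, not real malware and not Nuclear's key; the function names are mine.

```python
"""Recover a repeating ASCII XOR key from an EK payload by known plaintext, then check
the decoded bytes are a PE file."""

# Known plaintext in a Windows executable: "MZ" at offset 0 and, with the standard
# linker DOS stub, this message at offset 0x4E.  Adjust the offsets for other stubs.
DOS_STUB_OFFSET = 0x4E
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
KNOWN_PLAINTEXT = {0: b"MZ", DOS_STUB_OFFSET: DOS_STUB_TEXT}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, known=KNOWN_PLAINTEXT, max_len: int = 32):
    """Try each key length in turn.  For every known byte, key[pos % len] = ct ^ pt;
    the first length where all covered residues agree and are printable ASCII wins.
    Returns None if no length up to max_len fits (wrong scheme or wrong plaintext).
    With the default plaintext (39 consecutive known bytes) lengths up to 39 are
    fully covered."""
    for klen in range(1, max_len + 1):
        key = [None] * klen
        consistent = True
        for offset, plaintext in known.items():
            for i, p in enumerate(plaintext):
                pos = offset + i
                if pos >= len(blob):
                    consistent = False
                    break
                k = blob[pos] ^ p
                if not 0x20 <= k < 0x7F or key[pos % klen] not in (None, k):
                    consistent = False
                    break
                key[pos % klen] = k
            if not consistent:
                break
        if consistent and None not in key:
            return bytes(key)
    return None


def is_pe(data: bytes) -> bool:
    """MZ at offset 0 and the PE signature where e_lfanew (offset 0x3C) points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes):
    """Return (key, decoded bytes) if a consistent key yields a PE, else (None, None)."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    plain = xor_with_key(blob, key)
    return (key, plain) if is_pe(plain) else (None, None)


def constructed_payload() -> bytes:
    """Minimal fake PE: DOS header with stub text, e_lfanew pointing at 0x80."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60


SAMPLE_KEY = b"Sample-Key-2015"                     # constructed, not Nuclear's key
SAMPLE_BLOB = xor_with_key(constructed_payload(), SAMPLE_KEY)
```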

Review the infection traffic using Security Onion with the Emerging Threats signature set, and you’ll find

Additional information from the infected host

Filtering the traffic in Wireshark, we see SSL activity to over port 443 and over port 995. Although this traffic is related to the Troldesh ransomware, those IP addresses are not inherently malicious.

The README text files from the desktop were identical.

Hey, Google. Someone is using Gmail accounts for nefarious purposes. Bet you haven’t seen that before! Ah, free services… A cyber-criminal’s delight!

Final words

In recent months, we’ve seen a lot of ransomware from EK traffic. This has been primarily (but not limited to) Angler, Magnitude, and Nuclear EK. Most of the ransomware has been CryptoWall 3.0 [7], but every once in a while, we’ll see something like AlpaCrypt/TeslaCrypt [8] or Troldesh [4]. We’ll continue to monitor EK traffic and post any significant changes.

A pcap of the 2015-08-04 Nuclear EK infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password. If you don’t know it, email and ask.

Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: – Twitter: @malware_traffic



(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: Angler’s best friends, (Mon, Jul 27th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Nope, not the kind of angler whose best friends are rubber boots, strings tied into flies, or a tape measure that starts with 5 inches where others have a zero. This is about the Angler Exploit Kit, which currently makes rampant use of the recent Adobe Flash zero-days to exploit the computers of unsuspecting users, and to push Cryptowall 3.0 on to them. Fellow ISC Handler Brad has covered before how this works.

Looking through our quite exhaustive (but likely nowhere near complete) list of IP addresses that were seen hosting Angler EK over the past 30 days or so, it is obvious that the crooks behind this exploit kit have a pretty savvy operation going on. First of all, they seem to test the waters at a new hosting provider, probably to see how quickly they get evicted. If no or slow action is forthcoming, the same provider will likely become the main Angler hoster a couple of days down the road. Obviously, this is bound to create some ruckus and lead to some complaints with said provider, but by the time the provider gets around to investigating, the bad guys usually have hopped one house down the road.

Amazingly, they seem to get away with this – staying at the same provider, but just switching to another IP address. With most providers these days touting the features of their Cloud, including the ability to “spin up your image in any of our 20 data centers around the globe within a matter of seconds”, this isn’t really surprising. But it sure is highly unwelcome from a malware-fighting point of view. We used to hate the fast flux domain name switcheroo, but now increasingly we’re getting “fast instance”, where the exploit hosting site itself moves every hour or two.

The statistics from this month also look like it takes the average hoster/provider about a week to catch on that the bad guys are simply moving onto the adjacent vacant lot, and to start evicting them for good. Though even this is hard to tell from the data – it could well also be that the providers never really caught on, and the bad guys just moved on their own to a new neighbourhood, for opsec reasons.

Without further ado, here’s an excerpt from the list of Angler hosting sites that we’ve observed recently.

Date      IP address        Hosting provider
July 1    148.251.167.57    Hetzner Online AG, Germany
July 1                      Hetzner Online AG, Germany
July 8                      Hetzner Online AG, Germany
July 9                      Hetzner Online AG, Germany
July 10                     Hetzner Online AG, Germany
July 12                     Hetzner Online AG, Germany
July 14   206.190.134.189   Westhost, Salt Lake City, USA
July 15                     Netherlands
July 16                     Westhost, Salt Lake City, USA
July 16                     Westhost, Salt Lake City, USA
July 17                     Limestone Networks, Dallas, USA
July 19                     Limestone Networks, Dallas, USA
July 20                     Limestone Networks, Dallas, USA
July 20                     Netherlands and Czech Republic
July 21                     Limestone Networks, Dallas, USA
July 23                     Limestone Networks, USA and Netherlands
July 23                     Limestone Networks, Dallas, USA
July 23                     Limestone Networks, Dallas, USA
July 24   216.245.213.138   Limestone Networks, USA and Netherlands
July 24                     Netherlands and Czech Republic
July 25                     Netherlands and Czech Republic

Now, of course, I’m not insinuating that this misuse occurs with the tacit or implicit approval of the providers; likely, they are just being taken for a ride. But if you are such a provider, and you receive a complaint about one of your IPs hosting Angler EK, how about:

– checking ALL your IPs, not just the one that was reported, and keep checking over the next week or two
– correlating the data used to purchase these IPs, and proactively suspend, or at least activate a full packet trace, on all others that match similar info?

Icing on the cake would be if you as the provider could spend some brain cycles to translate the awesome Emerging Threat signatures from matching on client traffic to matching on server traffic (no big deal, primarily, you just need to flip $HOME_NET and $EXTERNAL_NET, and maybe adjust the from_server flow direction, depending on the rule match) and then apply these onto your inbound stream. You know, 20+ days after a signature became available for the current Angler EK landing page traffic .. one would think that you, as a professional web hoster, had some way to detect such traffic into your datacenters, and that it would take you less than a week to put a lid on it?
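The rule translation the diary proposes, as an added example that is neither the diary's nor Emerging Threats' code: swap $HOME_NET and $EXTERNAL_NET in each rule header so the hoster's servers become $HOME_NET, and offset the sid and tag the msg so the copies do not collide with the originals. The two sample rules are constructed in the ET rule layout, not real ET signatures, and the function names are mine.

```python
"""Rewrite client-side IDS rules into copies a hosting provider can run on its inbound stream."""
import re

SAMPLE_RULES = """\
# constructed samples in the ET CURRENT_EVENTS layout (not real ET rules)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE EK Landing Page Request"; flow:established,to_server; content:"/landing"; http_uri; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE EK Landing Page Response"; flow:established,from_server; file_data; content:"<html>"; sid:9000002; rev:1;)
"""

NET_VAR_RE = re.compile(r"\$(?:HOME_NET|EXTERNAL_NET)\b")
NET_VAR_SWAP = {"$HOME_NET": "$EXTERNAL_NET", "$EXTERNAL_NET": "$HOME_NET"}
SID_RE = re.compile(r"\bsid:(\d+);")
MSG_RE = re.compile(r'msg:"([^"]*)"')


def flip_rule(rule: str, sid_offset: int = 1_000_000) -> str:
    """Swap $HOME_NET and $EXTERNAL_NET in the rule header (everything before the
    first parenthesis).  flow:to_server / from_server is relative to whoever opened
    the session, which the swap does not change, so the flow keyword is kept as-is.
    The sid is offset and the msg tagged so the copy does not collide with the original."""
    header, paren, options = rule.partition("(")
    header = NET_VAR_RE.sub(lambda m: NET_VAR_SWAP[m.group(0)], header)
    options = SID_RE.sub(lambda m: f"sid:{int(m.group(1)) + sid_offset};", options, count=1)
    options = MSG_RE.sub(lambda m: f'msg:"HOSTER-SIDE {m.group(1)}"', options, count=1)
    return header + paren + options


def flip_ruleset(text: str) -> list:
    """Flip every rule line; comments and blank lines are skipped."""
    return [flip_rule(line.strip()) for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]
```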

Also, it would help a lot if all you hosters could submit ALL your intelligence on this incident to Law Enforcement. Eventually (like, 3 years down the road…), the law will catch up with the perps, and decent evidence is what makes a conviction stick. I also suspect that it would work wonders if Law Enforcement could stop by for a chat with the CEOs of the hosters who seem to be having a hard time keeping the Angler from fishing in their waters, and offer suitable assistance. Most of these hosters are in cut-throat competition, and any revenue seems to be good revenue, but a little visit from the Feds might help to put things into perspective.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Security updates for Monday

This post was syndicated from: and was written by: ris. Original post: at

Arch Linux has updated apache (multiple vulnerabilities).

Debian has updated freexl (denial of service), mariadb-10.0 (multiple vulnerabilities), mysql-5.5 (multiple vulnerabilities), and tidy (two vulnerabilities).

Debian-LTS has updated groovy (code execution), inspircd (denial of service), libidn (information disclosure), ruby1.9.1 (denial of service), and tidy (two vulnerabilities).

Fedora has updated bind (F22:
denial of service), condor (F21: code
execution), cups-filters (F21: code
execution), drupal7-migrate (F22; F21: cross-site scripting),
drupal7-views_bulk_operations (F22;
F21: permission bypass), openstack-cinder (F21: file disclosure), pcre (F21: two vulnerabilities), python-keystonemiddleware (F22: certificate
verification botch), rawstudio (F22;
F21: two vulnerabilities), redis (F22; F21: code
execution), squashfs-tools (F22: two
vulnerabilities), thunderbird (F22;
F21: multiple vulnerabilities), webkitgtk4 (F22: denial of service), and xen (F22; F21: privilege escalation).

Gentoo has updated postgresql (multiple vulnerabilities).

openSUSE has updated flash-player
(11.4: two vulnerabilities), libcryptopp
(13.2, 13.1: information disclosure), libidn (13.2, 13.1: information disclosure),
firefox, thunderbird (11.4: multiple
vulnerabilities), rubygem-jquery-rails
(13.2, 13.1: CSRF vulnerability), rubygem-rack (13.2, 13.1: denial of service),
rubygem-rack-1_3 (13.2, 13.1: denial of
service), and rubygem-rack-1_4 (13.2, 13.1:
denial of service).

Slackware has updated httpd (multiple vulnerabilities) and php (multiple vulnerabilities).

SUSE has updated firefox, nspr, nss (SLE12; SLES11SP4; SLE11SP3: multiple vulnerabilities) and PHP (SLE11SP3: multiple vulnerabilities).

Linux How-Tos and Linux Tutorials: Which Linux Chrome OS Clone is Right For You?

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Solus desktop

When the Chromebook first arrived on the scene, most people thought they’d go the way of the netbook. Maybe the little laptops that could would hang around for a brief period and, once the novelty of the price tag wore off, they’d go away to make room for the devices that do the real work. 

Thing is, said real work (from an end-user perspective) tends to be 90 percent browser based. So the Chromebook hung around and eventually became one of the hottest selling devices on the market. Beyond price, one of the reasons for the incredible popularity of the Chromebook is its simplicity. Across the landscape of the PC-verse, it doesn’t get much easier than ChromeOS. However, because Chrome OS is a proprietary solution, owned by Google, you cannot simply download the platform and install it on common x86/64 hardware. To get around that, there are approximations available that can be installed on off-the-shelf hardware that recreate the Chrome OS experience. 

With that in mind, it makes perfect sense that a handful of Chrome OS-like Linux distributions would appear. In theory, it’s a perfect amalgamation of simplicity and power. You get the ease of use found with ChromeOS and the added power of the full-blown Linux platform. 

But if you’re looking to get such elegant simplicity with the added power, where do you turn? A handful of Linux distributions have popped up over the last few years that do an outstanding job of re-creating ChromeOS. Which of these do the best job of mimicking Chrome OS and which manage to retain all that which makes Linux an outstanding platform?

Here are my top contenders for this title.


Solus started out as Evolve OS and is, to date, one of the finest Linux distributions to take a swing at the Chrome OS platform. The developers of Solus promise a “no scope-creep” platform that will provide a modern desktop-focused Linux distribution. Under the hood, Solus is pure Linux. In this case, it’s what’s on top that counts… that being the Budgie desktop (Figure 1).

This is a singular desktop environment created to almost perfectly mimic the Chrome OS experience. Budgie does integrate with the GNOME stack, so there is not only the familiar minimalism of Chrome OS, but the power of GNOME underneath. Another unique feature of Solus is the package manager. Forked from Pardus Linux, the package manager offers the same level of simplicity found in Budgie (Figure 2).

budgie desktop

What is most impressive about Solus is that this is a fairly new project and is already enjoying an amazing level of stability. Once installed, you’d think you were using a distribution that’s been around the block a few times. Consider this—Solus started out as Evolve OS and the beta of the initial release was only just available January 2015. Now dubbed Solus, the platform is already a production-ready desktop. Another very impressive aspect of Solus is how much thought was put into the overall design. Each and every tool was perfectly themed to retain the look and feel of Solus throughout.

If you’re looking for the one distribution that best fits the Chrome OS mold, and adds just enough Linux to make it more flexible than the official release, Solus is what you’re looking for.


Chromixium is next in line for the title of best in breed for ChromeOS clone. This particular take on Chrome OS is based on Ubuntu Linux, so it already has quite a lot going for it. But the bits and pieces of Ubuntu are mostly under the hood. It’s what’s on top of the hood that will interest most Linux users. The Chromixium distribution uses an old-school approach with the help of the Openbox Window Manager (a derivation of the original Blackbox WM).

What sets Chromixium apart from Solus is the menu system. If you look on the desktop (Figure 3), you’ll find the ChromeOS-looking menu button that you can click to gain access to all the Googly-goodness the desktop has to offer. 

Chromixium google menu

If, however, you right-click anywhere on the desktop, you’ll find an Openbox menu ready to give you access to all of the Linux-goodness the desktop has to offer (Figure 4).

Figure 4: The Chromixium “Linux” menu.

At first, this might seem like a clunky way to handle the desktop menu system. However, having the Google bits isolated from everything else does make for an efficient means of isolating searches (as you can search Google from the Chromixium desktop menu).

If you’re looking for a ChromeOS-like Linux distribution that offers a nod to a bit of old-school Linux, give Chromixium a go.

Chromium OS

Chromium OS is an open source project that forms the base of Google’s Chrome OS. This means you can expect a fairly pure form of Chrome OS on your standard hardware. Of course, getting ChromiumOS up and running isn’t nearly as simple as with either Solus or Chromixium. For ChromiumOS, you either run the platform from a USB flash drive or from a virtual image (with the help of VirtualBox) and then install the platform. This fact does make ChromiumOS a bit of a challenge for the average user, but if you’re interested, you can follow these steps to get ChromiumOS ready to run from a USB drive:

  1. Download the appropriate image (according to your architecture)

  2. Insert a flash drive

  3. Extract the downloaded file

  4. Open a terminal window

  5. Change into the directory containing the newly extracted image file

  6. Issue the command (using admin rights—so either by su’ing to root or using sudo) dd if=ChromeOS.img of=/dev/sdX bs=4M (Where ChromeOS.img is the full name of the image file and sdX is the location of your flash drive*)

  7. Allow the command to finish

  8. You should now have a bootable Chromium OS USB drive.

* To find out the location of the mounted flash drive, you can issue the command mount and check for the exact location of the drive.

NOTE: If the above instructions fail to produce a working bootable USB drive, you can try using the Win32 Image Writer instead (you’ll need a working copy of Windows for this).
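The step that deserves the most care in the procedure above is the dd command: dd writes to whatever device path it is given, and a mistyped /dev/sdX erases an internal disk just as happily as a USB stick. The following shell helper is an added example, not part of the original article, that refuses to write unless the target is a whole block device that the kernel flags as removable and that has nothing mounted from it, and then asks for confirmation before running the same dd command the article gives. The image name ChromeOS.img and the device path /dev/sdX are placeholders, as in the article.

```shell
#!/bin/sh
# Added example (not from the original article): guard rails around
# "dd if=ChromeOS.img of=/dev/sdX bs=4M". The article suggests finding the
# drive with `mount`; these checks catch the case where the wrong /dev/sdX
# was chosen before any data is destroyed. Paths below are placeholders.

# Return 0 if $1 is an acceptable dd target, 1 otherwise (reason on stderr).
check_target_device() {
    dev="$1"
    name="${dev#/dev/}"

    # Must be a block device at all (a typo such as /dev/sdq fails here).
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    # Whole disks have a /sys/block entry; partitions such as sdb1 do not.
    # An image must go to the whole disk, not a partition on it.
    if [ ! -d "/sys/block/$name" ]; then
        echo "refusing: $dev is a partition, not a whole disk" >&2
        return 1
    fi
    # The kernel reports removable media as "1" in this attribute; an
    # internal SATA/NVMe disk reports "0".
    if [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "refusing: $dev is not flagged removable (internal disk?)" >&2
        return 1
    fi
    # Anything mounted from this device or one of its partitions means the
    # user either picked the wrong disk or forgot to unmount it first.
    if grep -q "^$dev" /proc/mounts; then
        echo "refusing: $dev (or a partition on it) is still mounted" >&2
        return 1
    fi
    return 0
}

# Write the image only after the checks pass and the user confirms.
write_image() {
    img="$1"
    dev="$2"
    [ -f "$img" ] || { echo "image $img not found" >&2; return 1; }
    check_target_device "$dev" || return 1
    echo "About to overwrite $dev with $img. This erases everything on it."
    lsblk -o NAME,SIZE,MODEL,MOUNTPOINT "$dev"
    printf 'Type yes to continue: '
    read -r answer
    [ "$answer" = "yes" ] || { echo "aborted" >&2; return 1; }
    # Same command as the article, plus progress output and a final sync
    # so the data is actually on the stick before it is unplugged.
    sudo dd if="$img" of="$dev" bs=4M status=progress && sync
}

# Usage with placeholder names:
#   write_image ChromeOS.img /dev/sdX
```

Running it on a machine where /dev/sdX is the internal disk stops at the "not flagged removable" check; running it against a stick that the desktop auto-mounted stops at the mount check, which is the reminder to unmount first. Only a removable, unmounted whole disk reaches the confirmation prompt.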

Once you have Chromium OS up and running, you can install the operating system to your hard drive, but it will erase your entire drive (you can dual boot, but you must install the other OS first, and it’s not nearly as easy as dual booting with a standard Linux OS). Also, just to be safe, unplug any external or internal drives that contain data you do not want erased. For information on the actual installation of Chromium OS, check out the official how-tos here and here.

As you might expect, Chromium OS is that which Chrome OS is built upon, so you won’t find any extra Linux goodness within the menu. But, if you’re looking for a pure Chrome OS experience on your non-chromebook hardware, this is the way to go.

Which ChromeOS clone is best?

Which route you take to Chrome OS depends on your needs. If you’re looking for Pure Chrome OS, you’ll want to go with Chromium OS. If you’re looking for a nearly-identical Chrome OS experience, with an additional boost from the Linux desktop, go with Solus. If you want the best of both worlds, give Chromixium a try.

One way or another, you’ll have the look and feel of Chrome OS working on your non-Chromebook hardware.

Friday’s security updates

This post was syndicated from: and was written by: n8willis. Original post: at

Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).

Mageia has updated flash-player-plugin (M4, M5: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (O5: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL 5, 6: multiple vulnerabilities), java-1.6.0-sun (RHEL 5, 6, 7: multiple vulnerabilities), java-1.7.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities), and java-1.8.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities).

SUSE has updated flash-player (SLE11; SLE12: multiple vulnerabilities) and php5 (SLE12: multiple vulnerabilities).

SANS Internet Storm Center, InfoCON: green: After Flash, what will exploit kits focus on next?, (Thu, Jul 16th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green


Adobe has received some bad publicity regarding zero-day Flash player exploits due to the recent Hacking Team compromise [1,2]. This certainly isn’t the first time Adobe has had such issues [3]. With HTML5 video as an alternative to Flash player, one might wonder how long Flash player will be relevant. Google has announced the next stable version of Chrome will block auto-playing Flash elements [4], and Firefox started blacklisting Flash player plugins earlier this week [5]. With people like Facebook’s chief security officer calling for Adobe to announce an end-of-life date for Flash [6], I’ve been wondering about the future of Flash player.

More specifically, I’ve been wondering what exploit kit (EK) authors will turn to, once Flash player is no longer relevant.

In recent months, most EK traffic I’ve generated used a Flash exploit to infect vulnerable Windows hosts. The situation with Flash player today is much like the situation with Java that I remember back in 2013 and most of 2014. However, in the fall of 2014, most EKs dropped Java exploits from their arsenal and started relying on Flash player as a vehicle for their most up-to-date exploits.

A recent history of Java exploits in EK traffic

Java exploits were prevalent when I first started blogging about EK traffic in 2013 [7]. Back then, Blackhole EK was still a player, and I commonly saw Java exploits in EK traffic.

The threat landscape altered a bit when the EK’s alleged creator Paunch was arrested. Organizations that monitor EK traffic noticed a sharp reduction of Blackhole EK traffic in 2014 compared to the previous year [8]. During that same time, I started noticing more Flash exploits in EK traffic. By September 2014 most of the remaining EKs stopped using Java.

My last documented dates for Java exploits in exploit kit traffic are below (read: exploit kit name – date Java exploit last seen).

  • Angler EK – 2014-09-16 [9]
  • FlashPack EK – 2014-08-30 [10]
  • Nuclear EK – 2014-09-08 [11]
  • Magnitude EK – 2014-08-15 [12]
  • Sweet Orange EK – 2014-09-25 [13]
  • Rig EK – 2014-09-06 [14]

Of note, FlashPack EK and Sweet Orange EK have disappeared, and they are not currently a concern. Neutrino EK was dormant from April through October of 2014, and when it came back, I didn’t see it using any Java exploits.

Fiesta EK still sends several different types of exploits depending on the vulnerable client, and it still has Java exploits in its arsenal. Other lesser-seen EKs like KaiXin still use Java exploits. However, the majority of EKs gave up on Java sometime last year.

What we’re recently seeing with Flash exploits

Most exploit kits use the latest available Flash exploits. Angler, Neutrino, Nuclear, Magnitude, and Rig EK are all using the latest Hacking Team Flash player exploit based on CVE-2015-5122 [15]. If you have Flash player on a Windows computer, you should be running the most recent Flash update (version as I’m writing this).

Earlier I generated Angler EK traffic to infect a Windows host running Flash player on IE 11.

Shown above: An image of the Angler EK infection and post-infection CryptoWall 3.0 traffic in Wireshark.

Shown above: Angler EK sending a Flash exploit, based on CVE-2015-5122, targeting Flash

The infected host’s bitcoin address for ransom payment was 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU. The address is the same one

Shown above: Decrypt instructions from the infected host.

Final words

Today, the majority of EKs utilize Flash player exploits based on the most recently known vulnerabilities. But this situation can’t last forever. If Flash is no longer relevant, what will EK authors turn to for their latest exploits? Will they go back to Java? Will they focus on browser vulnerabilities? It will be interesting to see where things stand in the next year or so.

A pcap of the 2015-07-15 Angler EK infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password. If you don’t know it, email and ask.

Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: – Twitter: @malware_traffic



(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: The Darkode Cybercrime Forum, Up Close

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

By now, many of you loyal KrebsOnSecurity readers have seen stories in the mainstream press about the coordinated global law enforcement takedown of Darkode[dot]me, an English-language cybercrime forum that served as a breeding ground for botnets, malware and just about every other form of virtual badness. This post is an attempt to distill several years’ worth of lurking on this forum into a narrative that hopefully sheds light on the individuals apprehended in this sting and the cybercrime forum scene in general.

To tell this tale completely would take a book the size of The Bible, but it’s useful to note that the history of Darkode — formerly darkode[dot]com — traces several distinct epochs that somewhat neatly track the rise and fall of the forum’s various leaders. What follows is a brief series of dossiers on those leaders, as well as a look at who these people are in real life.


Darkode began almost eight years ago as a pet project of Matjaz Skorjanc, a now-36-year-old Slovenian hacker best known under the hacker aliases “Iserdo” and “Netkairo.” Skorjanc was one of several individuals named in the complaints published today by the U.S. Justice Department.

Butterfly Bot customers wonder why Iserdo isn’t responding to support requests. He was arrested hours before.

Iserdo was best known as the author of the ButterFly Bot, a plug-and-play malware strain that allowed even the most novice of would-be cybercriminals to set up a global cybercrime operation capable of harvesting data from thousands of infected PCs, and using the enslaved systems for crippling attacks on Web sites. Iserdo was arrested by Slovenian authorities in 2010. According to investigators, his ButterFly Bot kit sold for prices ranging from $500 to $2,000.

In May 2010, I wrote a story titled Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm, which detailed how Skorjanc and several of his associates actually applied for jobs at Panda Security, an antivirus and security firm based in Spain. At the time, Skorjanc and his buddies were already under the watchful eye of the Spanish police.


Following Iserdo’s arrest, control of the forum fell to a hacker known variously as “Mafi,” “Crim” and “Synthet!c,” who according to the U.S. Justice Department is a 27-year-old Swedish man named Johan Anders Gudmunds. Mafi is accused of serving as the administrator of Darkode, and creating and selling malware that allowed hackers to build botnets. The Justice Department also alleges that Gudmunds operated his own botnet, “which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on approximately 200,000,000 occasions.”

Mafi was best known for creating the Crimepack exploit kit, a prepackaged bundle of commercial crimeware that attackers can use to booby-trap hacked Web sites with malicious software. Mafi’s stewardship over the forum coincided with the admittance of several high-profile Russian cybercriminals, including “Paunch,” an individual arrested in Russia in 2013 for selling a competing and far more popular exploit kit called Blackhole.

Paunch worked with another Darkode member named “J.P. Morgan,” who at one point maintained an $800,000 budget for buying so-called “zero-day vulnerabilities,” critical flaws in widely-used commercial software like Flash and Java that could be used to deploy malicious software.

Darkode admin “Mafi” explains his watermarking system.

Perhaps unsurprisingly, Mafi’s reign as administrator of Darkode coincided with the massive infiltration of the forum by a number of undercover law enforcement investigators, as well as several freelance security researchers (including this author).

As a result, Mafi spent much of his time devising new ways to discover which user accounts on Darkode were those used by informants, feds and researchers, and which were “legitimate” cybercriminals looking to ply their wares.

For example, in mid-2013 Mafi and his associates cooked up a scheme to create a fake sales thread for a zero-day vulnerability — all in a bid to uncover which forum participants were researchers or feds who might be lurking on the forum.

That plan, which relied on a clever watermarking scheme designed to “out” any forum members who posted screen shots of the forum online, worked well but also gave investigators key clues about the forum’s hierarchy and reporting structure.


Mafi worked quite closely with another prominent Darkode member nicknamed “Fubar,” and together the two of them advertised sales of a botnet crimeware package called Ngrbot (according to Mafi’s private messages on the forum, this was short for “Niggerbot.” Oddly enough, the password databases from several of Mafi’s accounts on hacked cybercrime forums would all include variations on the word “nigger” in some form). Mafi also advertised the sale of botnets based on “Grum” a spam botnet whose source code was leaked in 2013.


Conspicuously absent from the Justice Department’s press release on this takedown is any mention of Darkode’s most recent administrator — a hacker who goes by the handle “Sp3cialist.”

Better known to Darkode members as “Sp3c,” this individual’s principal contribution to the forum seems to have revolved around a desire to massively expand the membership of the forum, as well as an obsession with purging the community of anyone who even remotely might emit a whiff of being a fed or researcher.

The personal signature of Sp3cialist.

Sp3c is widely known as a core member of the Lizard Squad, a group of mostly low-skilled miscreants who specialize in launching distributed denial-of-service attacks (DDoS) aimed at knocking Web sites offline.

In late 2014, the Lizard Squad took responsibility for launching a series of high-profile DDoS attacks that knocked offline the online gaming networks of Sony and Microsoft for the majority of Christmas Day.

In the first few days of 2015, KrebsOnSecurity was taken offline by a series of large and sustained denial-of-service attacks apparently orchestrated by the Lizard Squad. As I noted in a previous story, the booter service — lizardstresser[dot]su — is hosted at an Internet provider in Bosnia that is home to a large number of malicious and hostile sites. As detailed in this story, the same botnet that took Sony and Microsoft offline was built using a global network of hacked wireless routers.

That provider happens to be on the same “bulletproof” hosting network advertised by “sp3c1alist,” the administrator of the cybercrime forum Darkode. At the time, Darkode and LizardStresser shared the same Internet address.

Another key individual named in the Justice Department’s complaint against Darkode is a hacker known only to most in the underground as “KMS.” The government says KMS is a 28-year-old from Opelousas, Louisiana named Rory Stephen Guidry, who used the Jabber instant message address “” Having interacted with this individual on numerous occasions, I’d be remiss if I didn’t at least explain why this person is at once the least culpable and perhaps most interesting of the group named in the law enforcement purge.

For the past 12 months, KMS has been involved in an effort to expose the Lizard Squad members, to varying degrees of success. To call this kid a master in social engineering is probably a disservice to the term of art itself: There are few individuals I would consider more skilled in tricking people into divulging information that is not in their best interests than this guy.

Near as I can tell, KMS has worked assiduously (for his own reasons, no doubt) to expose the people behind the Lizard Squad and, by extension, the core members of Darkode. Unfortunately for KMS, his activities also appear to have ensnared him in this investigation.

To be clear, nobody is saying KMS is a saint. KMS’s best friend, a hacker from Kentucky named Ryan King (a.k.a. “Starfall” and a semi-frequent commenter on this blog), says KMS routinely had trouble seeing the lines between exposing others and involving himself in their activities. This kid was a master of social engineering, almost bar none. Here’s one recording of him making a fake emergency call to the FBI, eerily disguising his voice as that of President Obama.

For example, KMS is rumored to have played a part in exposing the Lizard Squad’s February 2015 hijack of’s domain in Vietnam. The message left behind in that crime suggested this author was somehow responsible, along with Sp3c and a Rory Andrew Godfrey, the only name that KMS was known under publicly until this week’s law enforcement action.

“As far as I know, I’m the only one who knew his real name,” said King, who described himself as a close personal friend and longtime acquaintance of Guidry. “The only botnets that he operated were those that he social engineered out of [less skilled hackers], but even those he was trying get shut down. All I know is that he and I were trying to get [root] access to Darkode and destroy it, and the feds beat us to it by about a week.”

The U.S. government sees things otherwise. Included in a heavily-redacted affidavit (PDF) related to Guidry’s case are details of a pricing structure that investigators say KMS used to sell access to hacked machines (see screenshot below).


As mentioned earlier, I could go on for volumes about the litany of cybercrimes advertised at Darkode. Instead, it’s probably best if I just leave here a living archive of screen grabs I’ve taken over the years of various discussions on the Darkode forum.

In its final days, Darkode’s true Internet address was protected from DDoS attacks and from meddlesome researchers by CloudFlare, a content distribution network that specializes in helping Web sites withstand otherwise crippling attacks. As such, it seems fitting that at least some of my personal archive of screen shots from my time on Darkode should also be hosted there. Happy hunting.

One final note: As happens with many of these takedowns, the bad guys don’t just go away: They go someplace else. In this case, that someplace else is most likely to be a Deep Web or Dark Web forum accessible only via Tor: According to chats observed from Sp3c’s public and private online accounts, the forum is getting ready to move much further underground.

Krebs on Security: Adobe, MS, Oracle Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java.


Adobe’s Flash patch brings Flash to version on Windows and Mac systems. This newest release fixes two vulnerabilities that were discovered as part of the Hacking Team breach. Both flaws are exploitable via code that is already published online, so if you must use Flash please take a moment to update this program.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update on Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome,” click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Please consider whether you really need Flash installed. It is a powerful program that is being massively leveraged by cybercriminals to break into systems. Monday’s post includes more information on how to remove Flash from your computer, depending on what operating system you use.

Adobe also issued security updates for Adobe Acrobat and its PDF Reader programs that fix at least 46 vulnerabilities in these products. Links to the latest versions of both programs are available in the Acrobat/Reader security advisory.

Finally, Adobe released a security update for its Shockwave Player software for Windows and Mac. This is another Adobe product that I have long urged people to uninstall, largely because most users have no need for Shockwave and it’s just as buggy as Flash but it doesn’t get updated nearly enough. In any case, links to the latest version of Shockwave are available in the advisory.


With today’s 14 patch bundles, Microsoft fixed dozens of vulnerabilities in Windows and related software. A cumulative patch for Internet Explorer corrects at least 28 flaws in the default Windows browser. Three of those IE flaws were disclosed prior to today’s patches, including one zero-day flaw uncovered in the Hacking Team breach.

Most of these IE bugs are browse-and-get-owned vulnerabilities, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site.

Another noteworthy update fixes at least eight flaws in various versions of Microsoft Office, including one (CVE-2424) that is actively being exploited by attackers.

More detailed summaries of the Microsoft patches released today can be found at Microsoft’s Security Bulletin Summary for July 2015, and at the Qualys blog.


Oracle’s patch for Java SE includes fixes for 25 security vulnerabilities, including a flaw that is already being actively exploited to break into systems running Java SE. A blog post by Trend Micro has more on the Java zero-day flaw, which was apparently used in targeted attacks in a cyber espionage campaign.

The latest version, Java 8 Update 51, is available from But if you use Java, please take a moment to consider whether you still need this program on your computer. Java is yet another program that I have long urged users to do without, for most of the same reasons I’ve urged readers to ditch Flash and Shockwave: this widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default).

The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

SANS Internet Storm Center, InfoCON: green: Adobe Updates Flash Player, Shockwave and PDF Reader, (Tue, Jul 14th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In a warm-up to Patch Tuesday, it looks like we have a new version for Adobe Flash Player, Shockwave Player and PDF Reader. Given that some of the exploits against the vulnerabilities patched are public, you may want to expedite patching and review your Flash Player and browser configuration.

The latest (patched) versions are (thanks Dave!):

– FlashPlayer
– Flash Player EST
– Reader 10.1.15
– Reader 11.0.12
– Shockwave Player


You can get the latest version here:

Also note that many browsers now allow you to disable Flash by default. You can re-enable it for sites that require Flash. Here is a nice page that will explain how to have your browser ask for permission before running plugins:

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Linux How-Tos and Linux Tutorials: 10 Things to Do After Installing Linux Mint 17.2

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

The latest version of Linux Mint is out and it’s a major improvement over the previous releases (see my recent review). Linux Mint developers do a lot of additional work, on top of its Ubuntu base, which leaves users with comparatively less work to do after installation. For example, Linux Mint comes pre-loaded with restricted drivers and codecs. It also comes with VLC so users don’t have to worry about media playback.

That said, like any other operating system, depending on your needs, you may have to do some extra work to get your Linux Mint system ready. While some of the changes in this article are optional, a few are mandatory: such as keeping your system up-to-date.

Here are 10 things to do after you install Mint 17.2.

First of all you need to update the system

Even if you downloaded the brand new Linux Mint, a lot of open source code has been written between the time the image was packaged and uploaded to the server and the time you downloaded it. The first thing you must do is run a system update before installing any new package. There are two steps involved in a system update: first, you refresh the repositories so they can pull information about the latest packages, and then you upgrade any package. You can do so by running this command (you must refresh your repositories before installing any package):

sudo apt-get update

Once all the info is refreshed, run the update:

sudo apt-get upgrade

I would also recommend running “sudo apt-get dist-upgrade”, which can upgrade packages that the simple ‘upgrade’ command can’t (you can read more about the difference between the two commands here).

sudo apt-get dist-upgrade

Install additional drivers

Ubuntu-based systems have made it really easy to manage drivers (both open source and non-free) for various hardware. Open the Driver Manager tool, which will scan your system and detect the supported hardware that may need non-free drivers. It will then offer appropriate drivers for it, and you can install the desired drivers for your hardware.

Install Google Chrome?

Looking at the vulnerabilities that Adobe’s Flash player has (one was disclosed and fixed this week), I would suggest staying away from the Flash plugin and instead using Google Chrome, which comes with Flash support. You can download Google Chrome from their site and install it the way you would install any binary package; just make sure to choose the right architecture (32bit or 64bit for Ubuntu). There are additional benefits of using Chrome: it will also allow you to access services like Netflix which are not available for Firefox. On top of that, you will also gain access to the supported Chrome Apps from the Web Store.

Install Cloud services

Google Drive is still not available for Linux, but there is a third-party solution called inSync which can be used to integrate Google Drive with your Linux Mint system. It’s a nifty solution which, unlike Google Drive, does have a one-time fee. You can easily install inSync from the official download page, either by downloading the binary or by adding its repository to the system. I would strongly suggest never installing any software from unofficial or third-party sites.

These are not the only solutions for Linux users. Almost all major cloud services (except for Microsoft OneDrive) are available for Linux users. You can easily install Dropbox, ownCloud or Seafile on your system by downloading the binaries from the official sites.

Change search engine to Google

The Linux Mint team has commercial deals with several search providers which share revenues with the project. These search engines have been integrated with the Firefox browser, Yahoo! being the default one. That doesn’t mean you are locked into Yahoo! (which is powered by Microsoft Bing) as your default search engine.

In my experience I found that the option to switch to Google has been buried deep, making it a tad difficult for a new user to switch. After struggling with it for a while I settled on an easier solution, and that’s what I would recommend to others. Open Firefox and visit ‘‘; you will notice a blue ribbon offering to change your search engine to Google.


Click on ‘Yes, show me’ from the ribbon. Next click on the + icon on the search box and add Google.

Adding Google as your default search in Firefox

Then click on ‘Change Search Settings’ and choose Google from the list.

Step 3 in changing your default search to Google.

You may also want to un-check ‘provide search suggestions’ so that your search box is clean and clutter free.

Now all your searches belong to Google.

Sync and protect your passwords with Firefox

Firefox now has a built-in feature which can save your passwords (and much more) securely on Mozilla’s servers, so you won’t have to write them down or remember them. Open Firefox and then click on the three bars on the right.


There you will see the option ‘Sign in to Sync’. Follow the instructions and you are all set. You can choose what kind of data you want synced, which includes passwords, bookmarks, tabs, history, add-ons and preferences. The good news is you won’t have to reinstall all add-ons and change preferences when you change OS or move between systems. Once you log into the Firefox account, everything will be synced across machines.

Use Thunderbird Profile

I am a heavy Thunderbird user and use it to its full potential, thanks to add-ons like the calendar. One of the lesser known, but most interesting, features of Thunderbird is the ability to easily change the location of its data on the system. Now the question would be: why would I need it? I multi-boot with different distributions, and it’s a waste of time to set up Thunderbird in each distro and then waste precious space in the ‘home’ of each distro, only to have multiple copies of the same data on the same system.

I keep all of my data on a separate hard drive, outside the ‘home’ directories. This drive is accessible by all distros, which makes it easier to work on the same files irrespective of the OS I am currently running. And that’s where I keep my Thunderbird data, so the same data is accessible across all distros, eliminating duplication.

I use the ‘Profile’ feature of Thunderbird to achieve this. It also comes in handy when you hop from one distro to another as you won’t have to reconfigure your Thunderbird on each new distro.

It’s recommended to set up the profile before you run Thunderbird for the first time. To configure a Thunderbird profile, open a terminal and run this command:

thunderbird -p

You will be greeted by this window.

Linux Mint Thunderbird profile window.

Click on ‘Create Profile’, give it a name and then ‘Choose Folder’. This will be the directory where all of your Thunderbird data will be saved. Once done, click on ‘Finish’ and you are set. Next time you boot into another system, run the same command, create the profile and then point it to the folder you created previously. All your email accounts, settings, and add-ons will be there, automatically. If you run multiple distros, just create a profile on each distro and point it to the same directory.
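What the profile dialog writes behind the scenes is a stanza in profiles.ini, so the per-distro step can be scripted. The following is an added example, not from the article: add_shared_profile is a helper written here, the paths ~/.thunderbird/profiles.ini and /media/shared/thunderbird are assumptions, and the demo run uses a throwaway temporary directory.

```shell
#!/bin/sh
# Added example (not from the article): register a Thunderbird profile whose
# data lives on a shared drive by appending a stanza to profiles.ini. This is
# what "Create Profile" / "Choose Folder" in "thunderbird -p" writes for you;
# from a script you can repeat it on every distro you boot into.
# Assumed paths (adjust to your layout): ~/.thunderbird/profiles.ini and
# /media/shared/thunderbird. Run it while Thunderbird is closed.

# add_shared_profile INI NAME DIR
#   Appends "[ProfileN] Name=NAME IsRelative=0 Path=DIR" to INI (creating the
#   file if needed). IsRelative=0 is what makes Path an absolute location
#   outside the home directory. A second run with the same DIR is a no-op.
add_shared_profile() {
    ini=$1; name=$2; dir=$3
    if [ -f "$ini" ] && grep -qxF "Path=$dir" "$ini"; then
        echo "already registered: $dir" >&2
        return 0
    fi
    if [ ! -f "$ini" ]; then
        mkdir -p "$(dirname "$ini")"
        printf '[General]\nStartWithLastProfile=1\n\n' > "$ini"
    fi
    # Next free index = number of existing [ProfileN] headers.
    n=$(grep -c '^\[Profile[0-9][0-9]*\]' "$ini" || true)
    {
        printf '[Profile%s]\nName=%s\nIsRelative=0\nPath=%s\n' "$n" "$name" "$dir"
        [ "$n" -eq 0 ] && printf 'Default=1\n'   # first profile becomes the default
        printf '\n'
    } >> "$ini"
    mkdir -p "$dir"   # Thunderbird populates the directory on first start
}

# Demo on a throwaway directory so it runs anywhere (constructed paths):
TMP=$(mktemp -d)
add_shared_profile "$TMP/profiles.ini" shared "$TMP/shared/thunderbird"
add_shared_profile "$TMP/profiles.ini" shared "$TMP/shared/thunderbird"   # no-op
cat "$TMP/profiles.ini"

# Real use, on each distro:
#   add_shared_profile ~/.thunderbird/profiles.ini shared /media/shared/thunderbird
```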

Setting up Trackpad

I did find it a bit frustrating to connect the Magic Trackpad to Linux Mint 17.2. Linux Mint asks you to enter a PIN when you try to connect devices like the Trackpad, a task you can’t perform from a trackpad. What you need to do is choose the PIN option and try with ‘0000’, which ‘might’ connect the device. I had to make several attempts because the moment the device was detected it would switch to the default ‘enter PIN’ option. I think Linux Mint should make it easy to connect such devices. When I tried it on Mac OS X, it detected that it was a Trackpad and, instead of offering to enter a PIN, defaulted to ‘0000’ and paired with the device immediately.

Configuring the trackpad

Another issue I faced with the Trackpad was that scrolling was not working out of the box. To enable it, open System Settings, go to the Touchpad settings and select ‘Vertical Scrolling’ (it should be selected by default).

Once you have enabled that, you may find that it’s still not working in Firefox. To get it to work, open Firefox and type ‘about:config’ in the address bar. Firefox will throw a warning at you – ignore it and proceed. Then search for ‘gesture.swipe’ and you will come across four results. Click on each, one by one, and delete the ‘value’ field; scrolling will start working in Firefox.

How to upgrade from the previous version

If you are still on Linux Mint 17.1, you won’t have to re-format your system and run a fresh install of Linux Mint 17.2: you can now easily upgrade between major releases. Before running such an upgrade, make sure to back up your data so that, in case of a failed update, you don’t lose it. Run a system update to ensure all your packages are up to date. If there are applications that you don’t need, uninstall them to keep your system lean and mean.

Let’s start the major upgrade: Open ‘Update Manager’, refresh it, and install all the checked packages there.


Once everything is up-to-date, click on the ‘Edit’ menu and choose the third option (if available) to upgrade to the next release.


Then just follow the instructions and enjoy the latest version of Linux Mint.

That’s pretty much all that you need to do on Linux Mint to get the most out of this great Linux distribution. There used to be a long list of things ‘to do’ after installing Linux Mint, but these days most things, such as configuring printers, work out of the box.

Now it’s your turn: let us know what things you do after installing Linux Mint!

Krebs on Security: Third Hacking Team Flash Zero-Day Found

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.

We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.


Google Chrome comes with its own version of Flash pre-installed, but disabling it is easy enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

Windows users can remove Flash from non-Chrome browsers from the Add/Remove Programs panel, and/or using this Flash Removal Tool. Note that you must exit out of all Web browsers before running the tool. To verify that Flash has been removed, visit this page; if it says your browser needs Flash, you’ve successfully removed it.

For Mac users, AppleInsider carries a story today that has solid instructions for nixing the program from OS X once and for all.

“Flash has become such an information security nightmare that Facebook’s Chief Security Officer called on Adobe to sunset the platform as soon as possible and ask browser vendors to forcibly kill it off,” AppleInsider’s Shane Cole writes. “Though most exploits are targeted at Windows, Mac users are not invincible.”

I removed Flash entirely more than a month ago and haven’t missed the program one bit. Unfortunately, some sites — including many government Web sites — may prompt users to install Flash in order to view certain content. Perhaps it’s time for a petition to remove Flash Player from U.S. Government Web sites altogether? If you agree, make your voice heard here. For more on spreading the word about Flash, see the campaign at

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

Krebs on Security: Hacking Team Used Spammer Tricks to Resurrect Spy Network

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. New analysis of the leaked Hacking Team emails suggests that in 2013 the company used techniques perfected by spammers to hijack Internet address space from a spammer-friendly Internet service provider in a bid to regain control over a spy network it apparently had set up for the Italian National Military Police.


Hacking Team is in the business of selling exploits that allow clients to secretly deploy spyware on targeted systems. In just the past week since the Hacking Team data was leaked, for example, Adobe has fixed two previously undocumented zero-day vulnerabilities in its Flash Player software that Hacking Team had sold to clients as spyware delivery mechanisms.

The spyware deployed by Hacking Team’s exploits is essentially a remote-access Trojan horse program designed to hoover up stored data, recorded communications, keystrokes, etc. from infected devices, giving the malware’s operator full control over victim machines.

Systems infested with Hacking Team’s malware are configured to periodically check for new instructions or updates at a server controlled by Hacking Team and/or its clients. This type of setup is very similar to the way spammers and cybercriminals design “botnets,” huge collections of hacked PCs that are harvested for valuable data and used for a variety of nefarious purposes.

No surprise, then, that Hacking Team placed its control servers in this case at an ISP that was heavily favored by spammers. Leaked Hacking Team emails show that in 2013, the company set up a malware control server for the Special Operations Group of the Italian National Military Police (INMP), an entity focused on investigating organized crime and terrorism. One or both of these organizations chose to position that control at Santrex, a notorious Web hosting provider that at the time served as a virtual haven for spammers and malicious software downloads.

But that decision backfired. As I documented in October 2013, Santrex unexpectedly shut down all of its servers, following a series of internal network issues and extensive downtime. Santrex made that decision after several months of incessant attacks, hacks and equipment failures at its facilities caused massive and costly problems for the ISP and its customers. The company’s connectivity problems essentially made it impossible for either Hacking Team or the INMP to maintain control over the machines infected with the spyware.

According to research published Sunday by OpenDNS Security Labs, around that same time the INMP and Hacking Team cooked up a plan to regain control over the Internet addresses abandoned by Santrex. The plan centered around a traffic redirection technique known as “BGP hijacking,” which involves one ISP fraudulently “announcing” to the rest of the world’s ISPs that it is in fact the rightful custodian of a dormant range of Internet addresses that it doesn’t actually have the right to control.

IP address hijacking is hardly a new phenomenon. Spammers sometimes hijack Internet address ranges that go unused for periods of time (see this story from 2014 and this piece I wrote in 2008 for The Washington Post for examples of spammers hijacking Internet space). Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.
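The defensive counterpart of the mechanism just described is to watch what the rest of the Internet sees for the address space you hold and object when the origin changes. The following is an added example, not part of the Krebs article: check_origins is a helper written here, and every prefix, ASN and collector name in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Krebs article): a minimal origin check a
# prefix holder can run over route-collector observations to notice the two
# situations described above: a range you hold being announced by someone
# else, or a dormant range of yours suddenly appearing. Prefixes, ASNs and
# collector names below are constructed; in practice the observations would
# come from a looking glass or a BGP monitoring feed, and RPKI ROAs express the
# same "expected origin" relationship for routers to validate against.

# Expected origins: "prefix ASN"; ASN 0 marks space you hold but do not announce.
EXPECTED='203.0.113.0/24 64500
198.51.100.0/24 64500
192.0.2.0/24 0'

# Constructed observations: "prefix origin_asn collector"
OBSERVED='203.0.113.0/24 64500 rrc00
198.51.100.0/24 64666 rrc03
192.0.2.0/24 64666 rrc03
203.0.113.0/24 64500 rrc11
10.9.0.0/16 64777 rrc00'

# check_origins EXPECTED OBSERVED -> one line per finding:
#   HIJACK <prefix> expected=<asn> seen=<asn> at <collector>
#   DORMANT-ANNOUNCED <prefix> seen=<asn> at <collector>
# Exact-prefix comparison only; catching more-specific announcements of your
# space would need a longest-match lookup on top of this.
check_origins() {
    {
        printf '%s\n' "$1" | sed 's/^/E /'
        printf '%s\n' "$2" | sed 's/^/O /'
    } | awk '
        $1 == "E" { expected[$2] = $3 + 0; next }
        $1 == "O" {
            prefix = $2; asn = $3 + 0; where = $4
            if (!(prefix in expected)) next            # not our space: ignore
            if (expected[prefix] == 0)
                printf "DORMANT-ANNOUNCED %s seen=%s at %s\n", prefix, asn, where
            else if (expected[prefix] != asn)
                printf "HIJACK %s expected=%s seen=%s at %s\n", prefix, expected[prefix], asn, where
        }'
}

check_origins "$EXPECTED" "$OBSERVED"
# HIJACK 198.51.100.0/24 expected=64500 seen=64666 at rrc03
# DORMANT-ANNOUNCED 192.0.2.0/24 seen=64666 at rrc03
```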

Apparently nobody detected the BGP hijack at the time, and that action eventually allowed Hacking Team and its Italian government customer to reconnect with the Trojaned systems that once called home to their control server at Santrex. OpenDNS said it was able to review historic BGP records and verify the hijack, which at the time allowed Hacking Team and the INMP to migrate their malware control server to another network.

This case is interesting because it sheds new light on the potential dual use of cybercrime-friendly hosting providers. For example, law enforcement agencies have been known to allow malicious ISPs like Santrex to operate with impunity because the alternative — shutting the provider down or otherwise interfering with its operations — can interfere with the ability of investigators to gather sufficient evidence of wrongdoing by bad actors operating at those ISPs. Indeed, the notoriously bad and spammer-friendly ISPs McColo and Atrivo were perfect examples of this prior to their being ostracized and summarily shut down by the Internet community in 2008.

But this example shows that some Western law enforcement agencies may also seek to conceal their investigations by relying on the same techniques and hosting providers that are patronized by the very criminals they are investigating.

SANS Internet Storm Center, InfoCON: green: Another Adobe Flash Zero Day, (Sun, Jul 12th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: OS X Adobe Flash Player Web plug-in Update –, (Sat, Jul 11th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

———– Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe To Fix Another Hacking Team Zero-Day

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the second time in a week, Adobe Systems Inc. says it plans to fix a zero-day vulnerability in its Flash Player software that came to light after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

In an advisory published late Friday evening, Adobe said it plans to issue another Flash patch the week of July 13, 2015. “This vulnerability was reported to us following further investigation of the data published after the Hacker Team [sic] data breach,” the advisory notes.

Adobe said the flaw is present in the latest version of Flash for Windows, Mac and Linux systems, and that code showing attackers how to exploit this flaw is already available online.

There is every reason to believe this exploit will soon be folded into exploit kits, crimeware used to foist drive-by downloads when unsuspecting visitors browse to a hacked or booby-trapped site. On Wednesday, Adobe patched a different vulnerability in Flash that was exposed in the Hacking Team breach, but not before code designed to attack the flaw was folded into the Angler and Nuclear exploit kits.

If you were on the fence about removing or disabling Flash altogether, now would be a great time to reconsider. I recently blogged about my experience doing just that, and found I didn’t miss the program much at all after a month without it.

Friday’s security updates

This post was syndicated from: and was written by: jake. Original post: at

Arch Linux has updated openssl (certificate verification botch).

CentOS has updated php (C6: many vulnerabilities, some from 2014).

Debian has updated pdns (full fix for denial of service) and pdns-recursor (full fix for denial of service).

Gentoo has updated adobe-flash (multiple vulnerabilities, one from 2014), chromium (multiple vulnerabilities), mysql (multiple vulnerabilities), net-snmp (denial of service from 2014), openssl (certificate verification botch), oracle-jre-bin (multiple vulnerabilities, some from 2014), perl (denial of service from 2013), portage (certificate verification botch from 2013), pypam (code execution from 2012), and t1utils (multiple vulnerabilities).

Mageia has updated openssl (certificate verification botch).

openSUSE has updated MariaDB (13.2, 13.1: many vulnerabilities, some from 2014).

Oracle has updated php (OL6: many vulnerabilities, some from 2014).

Red Hat has updated php (RHEL6: many vulnerabilities, some from 2014) and php54-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated php (SL6: many vulnerabilities, some from 2014).

Slackware has updated openssl (certificate verification botch).

Ubuntu has updated firefox (15.04, 14.10, 14.04: multiple vulnerabilities) and nss (two vulnerabilities).

Security advisories for Thursday

This post was syndicated from: and was written by: jake. Original post: at

Debian has updated python-django (two vulnerabilities).

Mageia has updated bind (denial of service), cups-filters (two code execution vulnerabilities), flash-player-plugin (many vulnerabilities), openssh (access restriction bypass), and virtuoso-opensource (multiple unspecified vulnerabilities).

openSUSE has updated flash-player (11.4: unspecified vulnerabilities), libwmf (13.2, 13.1: multiple vulnerabilities), mysql-community-server (13.2, 13.1: cipher downgrade), tiff (13.2, 13.1: multiple vulnerabilities), and wireshark (13.2: two denial of service vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).

SUSE has updated flash-player (SLE12: many vulnerabilities).

Ubuntu has updated python-django (two vulnerabilities).