Posts tagged ‘flash’

Linux How-Tos and Linux Tutorials: How to Fix a Mangled Partition Table on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

Well, there I was, rebuilding a router and having a good time when I accidentally damaged the partition table on my main Linux installation, which is a GUID partition table, or GPT. Figure 1 (above) shows the cheery message that greeted me at boot.

How did this happen? I was installing Voyage Linux on a compact flash card, and while I was messing around with GParted and other filesystem tools I accidentally ran some commands on /dev/sdb, my main hard disk, instead of /dev/sdc, the compact flash card. Like, oops. I don’t know exactly which operations gummed up /dev/sdb, which would be good to know. But I don’t, so let us carry on.

“Press any key to exit” landed at a blinking cursor on a black screen. Fortunately, I always foil the desires of certain distros that disable ctrl+alt+delete, or make it behave like Windows and open a services manager. I make sure that it is enabled and that it reboots the system. I booted into a different Linux installation and pondered how to make repairs. When your partition table is damaged to the point that your Linux will not boot, you have to fix it from the outside of the damaged system via bootable rescue media, or another Linux in a multi-boot installation. SystemRescueCD on a USB stick is my fave. Any *buntu live system also makes a great rescue distro, especially on a USB stick with persistent storage, because then it remembers your settings, you can install apps, and store documents.

There are no guarantees: you may be able to repair the problem, or you may have to reinstall your operating system. If the partition table is unrecoverable you may not be able to recover your data. So, as always, your first and best line of defense is good backups.


A good tool for repairing partition tables and recovering files is TestDisk. TestDisk operates on both the legacy MBR and the newfangled GPT (see Using the New GUID Partition Table in Linux (Goodbye Ancient MBR)). TestDisk is in most Linux repos, and on SystemRescueCD. Start it up as root:

$ sudo testdisk
TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER;
TestDisk is free data recovery software designed to help recover lost
partitions and/or make non-booting disks bootable again when these symptoms
are caused by faulty software, certain types of viruses or human error.
It can also be used to repair some filesystem errors.
Information gathered during TestDisk use can be recorded for later
review. If you choose to create the text file, testdisk.log , it
will contain TestDisk options, technical information and various
outputs; including any folder/file names TestDisk was used to find and
list onscreen.
Use arrow keys to select, then press Enter key:
>[ Create ] Create a new log file
 [ Append ] Append information to log file
 [ No Log ] Don't record anything

Select “create a new log file”. In the next screen select the disk you want to repair.

Select a media (use Arrow keys, then press Enter):
 Disk /dev/sda - 2000 GB / 1863 GiB - ST2000DM001-1CH164
>Disk /dev/sdb - 640 GB / 596 GiB - WDC WD6401AALS-00J7B1
 Disk /dev/sdc - 32 GB / 29 GiB - SanDisk CF  Extreme USB2
 Disk /dev/sr0 - 366 MB / 349 MiB (RO) - ATAPI   iHAS424   B
>[Proceed ]  [  Quit  ]

This example shows two hard drives, a compact flash drive, and an audio CD. /dev/sdb is the broken one. In the next screen we select the partition type:

Disk /dev/sdb - 640 GB / 596 GiB - WDC WD6401AALS-00J7B1
Please select the partition table type, press Enter when done.
 [Intel  ] Intel/PC partition
>[EFI GPT] EFI GPT partition map (Mac i386, some x86_64...)
 [Humax  ] Humax partition table
 [Mac    ] Apple partition map
 [None   ] Non partitioned media
 [Sun    ] Sun Solaris partition
 [XBox   ] XBox partition
 [Return ] Return to disk selection
Hint: EFI GPT partition table type has been detected.

In the next screen, select Analyse:

Disk /dev/sdb - 640 GB / 596 GiB - WDC WD6401AALS-00J7B1
     CHS 77825 255 63 - sector size=512
>[ Analyse  ] Analyse current partition structure and search for lost partitions
 [ Advanced ] Filesystem Utils
 [ Geometry ] Change disk geometry
 [ Options  ] Modify options
 [ Quit     ] Return to disk selection

Hmm. This does not look good. Select Quick Search:

 TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER;

Disk /dev/sdb - 640 GB / 596 GiB - CHS 77825 255 63
Current partition structure:
     Partition                  Start        End    Size in sectors
Bad GPT partition, invalid signature.
Trying alternate GPT
Bad GPT partition, invalid signature.

                P=Primary  D=Deleted
>[Quick Search] Try to locate partition

This can take a little time, so be patient. And hopefully TestDisk will find your partitions:

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER;

Disk /dev/sdb - 640 GB / 596 GiB - CHS 77825 255 63
     Partition                  Start        End    Size in sectors
> MS Data                        63   89470974   89470912
  MS Data                  80078846  265625597  185546752 [xubunthome]
P MS Data                 265625600 1250263039  984637440 [data-xubuntu]

Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
                P=Primary  D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
     Enter: to continue
ext4 blocksize=4096 Large file Sparse superblock, 45 GB / 42 GiB

Hurrah, this is looking hopeful. If it doesn’t find your swap partition, or gives you a message that it won’t restore it, don’t worry about it because a swap partition doesn’t hold data and you can easily restore it later. At this point you have the option to select a partition and press P to see your files, and copy them to another storage medium like a different hard drive or a USB stick. Don’t copy them back to the same device, because if your recovery fails your copied files go with it. It did a funny thing on my system: no matter which directory I chose to copy files into, they all went into /home/carla/carla. I couldn’t find out if this is the correct behavior, but I got my files back.

When TestDisk finds a partition that it can restore, it is marked in the left column with a P, and highlighted in green. In the above example that is only the third partition. Press the return key, and then you can try writing the partition to disk, or doing a deeper search for more recoverable partitions. The deeper search can take a long time, even several hours on a big hard disk.

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER;

Disk /dev/sdb - 640 GB / 596 GiB - CHS 77825 255 63
     Partition                  Start        End    Size in sectors
 1 * Linux                16534 109 24 77825  70  5  984637440 [data-xubuntu]

[ Quit ]  >[Deeper Search]  [  Write  ]
                            Try to find more partitions

Then you can select writing the recovered partitions to disk:

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER;

Write partition table, confirm ? (Y/N)

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER;

You will have to reboot for the change to take effect.
>[Ok]

Several things could happen: You could get a complete restoration with all of your partitions and files. You could get a partial recovery that you can mount from another system and retrieve your files. Or it could all go to that great bitbucket in the sky. Most likely you will get at least some of your files back even if you can’t restore your partition table, because stuff that is written to disk is amazingly persistent.
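The “Bad GPT partition, invalid signature. Trying alternate GPT” lines in the Quick Search screen above are TestDisk checking the primary GPT header at LBA 1 and then the backup copy GPT keeps at the last sector of the disk. The following Python, added here as an illustration and not part of Carla’s article or of TestDisk itself, performs the same two checks (the “EFI PART” signature, the header’s own CRC32, and the header’s claimed location) on a constructed 64-sector disk image, and shows the fallback working when only the first sectors have been overwritten. Everything in it (the toy image, the disk GUID, the function names) is constructed for the example.

```python
import struct
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
# Layout of the 92-byte GPT header (UEFI spec): signature, revision, header size,
# header CRC32, reserved, current LBA, backup LBA, first/last usable LBA,
# disk GUID, partition entry array LBA, entry count, entry size, entry array CRC32.
HEADER_FMT = "<8sIIIIQQQQ16sQIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 92


def build_gpt_header(current_lba, backup_lba, entries_lba, n_sectors):
    """Build a GPT header whose CRC field covers the header with that field zeroed."""
    fields = [GPT_SIGNATURE, 0x00010000, HEADER_SIZE, 0, 0,
              current_lba, backup_lba, 34, n_sectors - 34,
              b"\x11" * 16,  # constructed disk GUID, not a real one
              entries_lba, 128, 128, 0]
    raw = struct.pack(HEADER_FMT, *fields)
    fields[3] = zlib.crc32(raw) & 0xFFFFFFFF
    return struct.pack(HEADER_FMT, *fields)


def make_toy_disk(n_sectors=64):
    """Constructed disk image: primary header at LBA 1, alternate header at the last LBA."""
    disk = bytearray(n_sectors * SECTOR)
    primary = build_gpt_header(1, n_sectors - 1, 2, n_sectors)
    backup = build_gpt_header(n_sectors - 1, 1, n_sectors - 33, n_sectors)
    disk[SECTOR:SECTOR + HEADER_SIZE] = primary
    last = (n_sectors - 1) * SECTOR
    disk[last:last + HEADER_SIZE] = backup
    return disk


def check_gpt_header(disk, lba):
    """Return (ok, reason) for the GPT header stored at the given LBA."""
    off = lba * SECTOR
    raw = bytes(disk[off:off + HEADER_SIZE])
    if len(raw) < HEADER_SIZE:
        return False, "short read"
    f = list(struct.unpack(HEADER_FMT, raw))
    if f[0] != GPT_SIGNATURE:
        return False, "invalid signature"
    stored_crc, f[3] = f[3], 0
    if zlib.crc32(struct.pack(HEADER_FMT, *f)) & 0xFFFFFFFF != stored_crc:
        return False, "header CRC mismatch"
    if f[5] != lba:
        return False, "header claims LBA %d but was read from LBA %d" % (f[5], lba)
    return True, "ok"


def locate_gpt(disk):
    """Same order TestDisk reports: primary header first, then the alternate at the last LBA.

    Returns (which, messages): which is "primary", "alternate" or None."""
    n_sectors = len(disk) // SECTOR
    messages = []
    for name, lba in (("primary", 1), ("alternate", n_sectors - 1)):
        ok, why = check_gpt_header(disk, lba)
        if ok:
            return name, messages
        messages.append("%s GPT header at LBA %d: %s" % (name, lba, why))
    return None, messages


if __name__ == "__main__":
    disk = make_toy_disk()
    print(locate_gpt(disk))
    # Simulate a tool clobbering the start of the wrong disk: the primary header is gone,
    # but the alternate at the end of the disk still verifies.
    clobbered = bytearray(disk)
    clobbered[0:2 * SECTOR] = b"\x00" * (2 * SECTOR)
    print(locate_gpt(clobbered))
```

When both headers fail the check, the function returns None with both reasons, which is the situation where TestDisk has to fall back to scanning the disk for filesystem superblocks (the Quick Search and Deeper Search steps above) instead of trusting any header.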

Please visit to learn more about TestDisk, and also PhotoRec, an excellent data recovery tool.

Krebs on Security: Wireless Live CD Alternative: ZeusGard

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

I’ve long recommended that small business owners and others concerned about malware-driven bank account takeovers consider adopting a “Live CD” solution, which is a free and relatively easy way of temporarily converting your Windows PC into a Linux operating system. The trouble with many of these Live CD solutions is that they require a CD player (something many laptops no longer have), but more importantly, they don’t play well with wireless access. Today’s post looks at an alternative that addresses both of these issues.

Zeusgard, with wireless adapter, on a Macbook Air.

As I noted in my 2012 column, “Banking on a Live CD,” the beauty of the “Live CD” approach is that it allows you to safely bank online from any machine — even from a system that is already riddled with malware. That’s because it lets you boot your existing PC into an entirely different (read: non-Windows) operating system. [Not sure why you should consider banking online from a non-Windows PC? Check out this series].

The device I’ll be looking at today is not free, nor is the tiny dongle that enables its ability to be used on a wireless network. Nor is it an actual CD or anything more than a stripped-down Web browser. But it is one of the safest, most easy-to-use solutions I’ve seen yet.

The device, called ZeusGard, is a small, silver USB flash drive that boots into a usable browser within about 30 seconds after starting the machine. The non-writeable drive boots directly into the browser (on top of Debian Linux), and if your system is hard-wired to your router with an Ethernet connection, you should be good to go.

Nearly all Live CD solutions have one glaring weakness: They typically are not usable over a wireless connection. The Live CD solution I most frequently recommend, which is based on a version of Puppy Linux, technically can work with wireless networks, but I found that setting it up is not at all intuitive, especially for people who’ve never used anything but Windows before.

My review copy of ZeusGard came with a tiny USB wireless Wi-Fi adapter, which makes jumping on a wireless network a complete breeze. When you boot up with both ZeusGard and the adapter plugged in, ZeusGard automatically searches for available wireless networks, and asks you to choose yours from a list of those in range.

Assuming access to your wireless network is secured with WPA/WPA2 (hopefully not the weaker WEP), click the “properties” box next to your network, and enter your network’s encryption key (if you need to see the key in plain text while you’re typing, tick the box next to “key”). Hit “OK” and then the “Connect” button. Once you’re connected, click the down arrow at the top of the dialog box and select “Exit to Browser Session.”

This is the second generation of ZeusGard, and I’m looking forward to seeing the next iteration of the device. ZeusGard is produced by Bancsec, a consulting firm that advises financial institutions on ways to beef up security (think Sneakers). Bancsec CEO J.B. Snyder said the next version should include a streamlined wireless setup, and will offer users more options inside the browser session (in the version I tested, for example, ZeusGard automatically shuts down after 30 minutes of use).

At $24.95 for the basic ZeusGard and $14.95 for the wireless adapter, this device is likely to be more appealing to small businesses than the average Internet user. But if you need or want wireless capability in a USB-based “Live CD” solution, ZeusGard is one of few easy-to-use options currently available.

To get ZeusGard working on a Mac, hold the “Option” key while booting up, and select the volume labeled “Windows” (yes, I realize this is counter-intuitive, since the whole idea behind booting into a live CD is that you’re not in Windows).


Getting ZeusGard (or any other live distribution, for that matter) working on a Windows PC may be a bit more involved. Rather than reinvent the wheel, I’ve excerpted and modified the following instructions from my Banking on a Live CD post.

We next need to make sure that the computer knows to look to the USB drive first for a bootable operating system before it checks the hard drive, otherwise ZeusGard will never be recognized by the computer (this only needs to be done once). When you start up your PC, take note of the text that flashes on the screen, and look for something that says “Press [some key] to enter setup” or “Press [some key] to enter startup.” Usually, the key you want will be F2 or the Delete or Escape (Esc) key.

A Windows BIOS screen. If you’ve done it right, the “removable dev” option should be listed as the 1st Boot Device.

When you figure out what key you need to press, press it repeatedly until the system BIOS screen is displayed. Your mouse probably will not work here, so you’ll need to rely on your keyboard. Look at the menu options at the top of the screen, and you should notice a menu named “Boot”. Hit the right arrow key until you’ve reached that screen listing your bootable devices, and then hit the Enter key. What you want to do here is move the Removable Devices option to the top of the list (it may be listed as merely “Removable Dev”). Do this by pressing the down-arrow key until that option is highlighted, and then press the Shift and the “+” key on your keyboard until the Removable Devices option is at the top. Then hit the F10 key, and confirm “yes” when asked if you want to save changes and exit, and the computer should reboot.

Unless you know what you’re doing here, it’s important not to make any other changes in the BIOS settings. If you accidentally do make a change that you want to undo, hit F10, and select the option “Exit without saving changes.” The computer will reboot, and you can try this step again.

If you’ve done this step correctly, the computer should detect the USB drive as a bootable operating system, and boot into ZeusGard.

Krebs on Security: Beware Keyloggers at Hotel Business Centers

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.

A DHS/Secret Service advisory dated July 10, 2014.

In a non-public advisory distributed to companies in the hospitality industry on July 10, the Secret Service and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) warned that a task force in Texas recently arrested suspects who have compromised computers within several major hotel business centers in the Dallas/Fort Worth areas.

“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads.

“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning continues. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

The advisory lists several basic recommendations for hotels to help secure public computers, such as limiting guest accounts to non-administrator accounts that do not have the ability to install or uninstall programs. This is a good all-purpose recommendation, but it won’t foil today’s keyloggers and malware — much of which will happily install on a regular user account just as easily as on an administrative one.

While there are a range of solutions designed to wipe a computer clean of any system changes after the completion of each user’s session (Steady State, Clean Slate, et al.), most such security approaches can be defeated if users also are allowed to insert CDs or USB-based Flash drives (and few hotel business centers would be in much demand without these features on their PCs).

Attackers with physical access to a system and the ability to reboot the computer can use CDs or USB drives to boot the machine straight into a stand-alone operating system like Linux that has the ability to add, delete or modify files on the underlying (Windows) hard drive. While some computers may have low-level “BIOS” settings that allow administrators to prevent users from booting another operating system from a USB drive or CD, not all computers support this option.

The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer. But don’t take my word for it. This maxim is among the “10 Immutable Laws of Security” as laid out by none other than Microsoft’s own TechNet blog, which lists law #3 as: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”

The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware. The trouble is that there is no easy way for the average guest to know for sure. That’s why I routinely advise people not to use public computers for anything more than browsing the Web. If you’re on the road and need to print something from your email account, create a free, throwaway email address at or and use your mobile device to forward the email or file to that throwaway address, and then access the throwaway address from the public computer.

SANS Internet Storm Center, InfoCON: green: Apple pushes OS X update to block out of date Flash versions, (Fri, Jul 11th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

=============== Rob VandenBrink Metafore

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Adobe Says Piracy is Down, But Photoshop Still Rules Pirate Bay

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

There can be little doubt that Adobe products are a crowd pleaser among digital creatives. Designers love them, photographers and videographers do too, and Adobe’s Photoshop, Flash and Acrobat brands are recognized worldwide.

But while millions of people use Adobe’s premium products, not everyone pays for that privilege. Unauthorized Photoshop releases have been appearing on computers worldwide for 25 years and other Adobe products are regularly pirated close to their launch. Over time this has led Adobe to invest substantial sums of money on anti-piracy measures including DRM and even legal action. But there are other ways to deal with the problem.

In May last year and much to the disappointment of Adobe’s millions of pirate ‘customers’, the company announced that it would be changing the way it does business. Boxed products, a hangover from the last decade and earlier, would be phased out and replaced with a cloud-based subscription model.

On the one hand, many pirates heard the word “cloud” and associated that with a lack of local machine control, something that can cause issues when trying to run unlicensed software. Adobe, on the other hand, appeared to be looking at product development and the piracy problem from a different angle.

While attempts at hacking its cloud service would present another technical barrier to piracy, with its new offering the tech giant also looked towards making its product more affordable. A few dollars a month rather than $700 in one go was aimed at providing an economic reason for even the most budget-restricted not to pirate. But has the strategy worked?

According to new comments from Fabio Sambugaro, VP of Enterprise Latin America at Adobe, unauthorized use of the company’s products is definitely down since the cloud switch.

“Piracy has fallen,” Sambugaro says. “It’s hard to measure, but we’ve seen many companies seeking partnerships that in the past wouldn’t have done so.”

According to information released to investors last month, Adobe exited quarter two this year with 2,308,000 subscribers of its Creative Cloud service, an increase of 464,000 over the first quarter of 2014. The company attributed 53% of the company’s quarter two revenue to “recurring sources” such as its Creative and Marketing Cloud services.

So have the pirates given up on Adobe? In a word, no.

One only has to scour the indexes of the world’s most popular torrent sites to see that Photoshop, Photoshop Lightroom, Illustrator, Premiere, InDesign, After Effects and Acrobat Pro all take prominent places in the charts of most-popular torrents. No surprise then that on The Pirate Bay, Photoshop CS6 – the last version of Photoshop before the cloud switch – is king of the software downloads by a long way.

Also, and contrary to fears aired by pirates alongside Adobe’s original strategy change announcement, the cloud has not made it impossible to run unauthorized versions of Photoshop CC 2014, for example. Expected functional restrictions aside, torrent sites have plenty of working copies of Creative Cloud releases, but is this necessarily a bad thing?

There are those who believe that some level of piracy is useful as a try-before-you-buy option on a traditionally expensive product such as Photoshop. But what makes this notion even more interesting today is that Adobe’s switch to the cloud – and its much lower price point for entry – may see people investing a few dollars a month for increased functionality and a simple life, instead of one spent jumping through hoops with an inferior and oftentimes awkward product.

And Adobe knows it.

“I do not think people who pirate our software do it because they are bad people, or because they like to steal things. I just think that they decided that they can not afford it,” said Adobe’s David Wadhwani previously.

“And now, with the switch to subscriptions and with the ability to offer software at a cheaper price, we see that the situation is beginning to change and we’re excited.”

Richard Atkinson, Corporate Director of Worldwide Anti-Piracy, admitted last year that the company would move away from “enforcement-led anti piracy” to a “business-focused pirate-to-pay conversion program.”

If the company is to be believed, that is now paying off.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Adobe Flash Player patches:, (Wed, Jul 9th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Microsoft, Adobe Push Critical Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.

Most of the bugs that Microsoft addressed with today’s updates (24 of the 29 flaws) are fixed in a single patch for the company’s Internet Explorer browser. According to Microsoft, one of those 24 flaws (a weakness in the way IE checks Extended Validation SSL certificates) was already publicly disclosed prior to today’s bulletins.

The other critical patch fixes a security problem with the way that Windows handles files meant to be opened and edited by Windows Journal, a note-taking application built into more recent versions of the operating system (including Windows Vista, 7 and 8).

More details on the rest of the updates that Microsoft released today can be found at Microsoft’s Technet blog, Qualys’s site, and the SANS Internet Storm Center.

Adobe’s Flash Player update brings Flash to version on Windows, Mac and Linux systems. Adobe said it is not aware of exploits in the wild for any of the vulnerabilities fixed in this release.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v.

Flash has a built-in auto-updater, but you might wait days or weeks for it to prompt you to update, regardless of its settings. The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. for Windows, Mac, and Android.


Matthew Garrett: Self-signing custom Android ROMs

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

The security model on the Google Nexus devices is pretty straightforward. The OS is (nominally) secure and prevents anything from accessing the raw MTD devices. The bootloader will only allow the user to write to partitions if it’s unlocked. The recovery image will only permit you to install images that are signed with a trusted key. In combination, these facts mean that it’s impossible for an attacker to modify the OS image without unlocking the bootloader[1], and unlocking the bootloader wipes all your data. You’ll probably notice that.

The problem comes when you want to run something other than the stock Google images. Step number one for basically all of these is “Unlock your bootloader”, which is fair enough. Step number two is “Install a new recovery image”, which is also reasonable in that the key database is stored in the recovery image and so there’s no way to update it without doing so. Except, unfortunately, basically every third party Android image is either unsigned or is signed with the (publicly available) Android test keys, so this new recovery image will flash anything. Feel free to relock your bootloader – the recovery image will still happily overwrite your OS.

This is unfortunate. Even if you’ve encrypted your phone, anyone with physical access can simply reboot into recovery and reflash /system with something that’ll stash your encryption key and mail your data to the NSA. Surely there’s a better way of doing this?

Thankfully, there is. Kind of. It’s annoying and involves a bunch of manual processes and you’ll need to re-sign every update yourself. But it is possible to configure Nexus devices in such a way that you retain the same level of security you had when you were using the Google keys without losing the freedom to run whatever you want. Here’s how.

Note: This is not straightforward. If you’re not an experienced developer, you shouldn’t attempt this. I’m documenting this so people can create more user-friendly approaches.

First: Unlock your bootloader. /data will be wiped.
Second: Get a copy of the stock recovery.img for your device. You can get it from the factory images available here
Third: Grab mkbootimg from here and build it. Run unpackbootimg against recovery.img.
Fourth: Generate some keys. Get this script and run it.
Fifth: zcat recovery.img-ramdisk.gz | cpio -id to extract your recovery image ramdisk. Do this in an otherwise empty directory.
Sixth: Get from here and run it against the .x509.pem file generated in step 4. Replace /res/keys from the recovery image ramdisk with the output. Include the “v2” bit at the beginning.
Seventh: Repack the ramdisk image (find . | cpio -o -H newc | gzip > ../recovery.img-ramdisk.gz) and rebuild recovery.img with mkbootimg.
Eighth: Write the new recovery image to your device.
Ninth: Get signapk from here and build it. Run it against the ROM you want to sign, using the keys you generated earlier. Make sure you use the -w option to sign the whole zip rather than signing individual files.
Tenth: Relock your bootloader.
Eleventh: Boot into recovery mode and sideload your newly signed image.

At this point you’ll want to set a reasonable security policy on the image (eg, if it grants root access, ensure that it requires a PIN or something), but otherwise you’re set – the recovery image can’t be overwritten without unlocking the bootloader and wiping all your data, and the recovery image will only write images that are signed with your key. For obvious reasons, keep the key safe.
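The whole procedure above boils down to one trust decision inside recovery: an update zip is installed only if its signature verifies under a public key present in /res/keys. The Python below, an added illustration that is not Matthew’s code and not Android’s actual recovery or signapk implementation, models that decision with a toy RSA keypair (deterministic, small, and trivially factorable, so suitable only for illustration) and plays through the three recovery images discussed in the post: the stock one holding only the vendor key, a third-party one holding the publicly available test key, and one re-signed with your own key. The key labels, the “ROM” byte strings and the function names are all constructed for the example.

```python
import hashlib
import math
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probable-prime test; part of the toy key generation only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_keypair(label, bits=192):
    """Deterministic toy RSA keypair (NOT secure): two 192-bit primes give a modulus
    above 2^256, so a raw SHA-256 digest fits as the signed value."""
    rng = random.Random(label)

    def prime():
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(cand, rng):
                return cand

    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def sign_zip(zip_bytes, priv):
    """Sign a digest of the whole archive, the way -w signs the zip as a unit."""
    h = int.from_bytes(hashlib.sha256(zip_bytes).digest(), "big")
    return pow(h, priv["d"], priv["n"])


def recovery_accepts(key_db, zip_bytes, signature):
    """Model of recovery's rule: install only if some key in /res/keys verifies the zip."""
    h = int.from_bytes(hashlib.sha256(zip_bytes).digest(), "big")
    return any(pow(signature, pub["e"], pub["n"]) == h for pub in key_db)


def scenario():
    vendor_pub, vendor_priv = toy_keypair("constructed-stock-vendor-key")
    test_pub, test_priv = toy_keypair("constructed-public-test-key")
    my_pub, my_priv = toy_keypair("constructed-my-own-key")
    rom = b"constructed: custom ROM zip I want to run"
    tampered = b"constructed: modified /system image"
    return {
        # Stock recovery (vendor key only) refuses anything not signed by the vendor.
        "stock_rejects_custom_rom": not recovery_accepts([vendor_pub], rom, sign_zip(rom, my_priv)),
        # A recovery carrying the public test key accepts whatever anyone signs with it,
        # which is why relocking the bootloader alone buys nothing.
        "testkey_recovery_accepts_anything": recovery_accepts([test_pub], tampered, sign_zip(tampered, test_priv)),
        # After replacing /res/keys with your key: your ROM installs, a test-key zip does not.
        "mykey_accepts_my_rom": recovery_accepts([my_pub], rom, sign_zip(rom, my_priv)),
        "mykey_rejects_testkey_rom": not recovery_accepts([my_pub], tampered, sign_zip(tampered, test_priv)),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(name, ok)
```

The real recovery uses RSA keys with PKCS#1 padding over the archive’s signature block rather than a raw digest, and the /res/keys entries are the dumped public-key parameters, so treat this as the shape of the check and not its bit-exact format. The part that carries over unchanged is the policy: whoever controls the key list in the recovery image decides what can be flashed, which is why the bootloader must be the only path to replacing that image.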

This, well. It’s obviously an excessively convoluted workflow. A *lot* of it could be avoided by providing a standardised mechanism for key management. One approach would be to add a new fastboot command for modifying the key database, and only permit this to be run when the bootloader is unlocked. The workflow would then be something like

  • Unlock bootloader
  • Generate keys
  • Install new key
  • Lock bootloader
  • Sign image
  • Install image

which seems more straightforward. Long term, individual projects could do the signing themselves and distribute their public keys, resulting in the install process becoming as easy as

  • Unlock bootloader
  • Install ROM key
  • Lock bootloader
  • Install ROM

which is actually easier than the current requirement to install an entirely new recovery image.

I’d actually previously criticised Google on the grounds that using custom keys wasn’t possible on Android devices. I was wrong. It is, it’s just that (as far as I can tell) nobody’s actually documented it before. It’s important that users not be forced into treating security and freedom as mutually exclusive, and it’s great that Google have made that possible.

[1] This model fails if it’s possible to gain root on the device. Thankfully this would never hold on what’s that over there is that a distraction?


Raspberry Pi: Compute Module development kits now available!

This post was syndicated from: Raspberry Pi and was written by: James Adams. Original post: at Raspberry Pi

Fuelled by Welsh cakes and a lot of sunshine, the team at Sony Pencoed have finished building the first batch of Compute Modules (CM) and Compute Module IO Boards (CMIO). These are available today to buy from RS and Element14 in the form of Compute Module Development Kits. The MRP is $200.

In each kit you get a Compute Module, an IO Board, adaptors to convert the CMIO board camera and display interfaces to use the official Raspberry Pi Camera (and display when available later this year), 5V power supply and a micro USB cable for flashing the eMMC from a host PC.


Compute Module Development Kit (also includes 5V PSU and USB cable, not shown)

As of today the only operating system that is officially ‘Compute Module Aware’ is the very latest Raspbian (as of the 20/6/2014), so you’ll need to grab that and only that to flash on to the Compute Module. The remaining OSes will be updated shortly. Right now using NOOBS or any of the other OSes will (probably) not work properly, but YMMV.

We are working as we speak to improve the software stack to make it much easier to develop with the Compute Module. For example, we are working on a new system that makes it easy to remap the GPIOs controlled by the closed source drivers, and we are also working to enable dual cameras. However, these things aren’t ready quite yet. So a word to the early adopters: if you can do it with a Pi today, it will work. If you need more GPIO, it will work. If you need dual cameras or screens, or any of the interfaces that are not working on a Pi, then today it won’t work or might be more tricky than it eventually will be. We are working hard to get these improvements out just as soon as we can.

To get started with your Compute Module Development Kit please head on over to the official Raspberry Pi Compute Module documentation. Also feel free to post questions on the forum, and we will do our best to answer them.

Needless to say we are very excited to finally have the Compute Module winging its way into the hands of developers – we look forward to seeing what happens next!

Errata Security: Products endorsed by cybersec experts

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The idea came up in Twitter, so I thought I’d write a quick blog post answering the question: “What products do cybersec experts endorse as being secure?”

The answer, of course, is none. It’s a fallacy, because perfect security is impossible. If you want your computer data to be perfectly secure, then smash your device to pieces, run them through a blender, and drop the bits into volcanic lava.
With that said, we cybersec experts do use stuff. From this you can derive some sort of implicit endorsement. I use Windows, iPhone, and GMail, from which you can assume they are probably “secure enough”.
I use an iPhone because it has excellent security. For all I criticize Apple’s security, the fact is that they have very smart people solving the toughest problems. For example, their most recent operating system will randomize MAC addresses when looking for WiFi in order to avoid disclosing your identity. This is a security problem I’ve blogged about for years, and it’s gratifying that Apple is the first company to tackle this problem.
If you do the right thing, such as locking your iPhone with a complex code, you are likely safe enough. If a thief steals your phone, they will likely not get your private secrets from it.
On the other hand, if you don’t lock your iPhone, then the thief can steal everything from your phone, including things your phone has access to, like your email. That’s the problem with “security endorsements”: I as an expert can’t help if you don’t help yourself. Your biggest threat isn’t the products you use, but you yourself. Your top threats are getting easily tricked by “phishing emails”, drive-by downloads, lack of patches, and using the same password across many websites. Choosing a more or less secure product doesn’t much matter in the face of bad decisions you make with those products.
With that said, there are some recommendations I can make. Public wifi, such as at Starbucks or the airport, is very very bad. Among the things I’m known for is demonstrating just how bad this can be (“sidejacking”). The safest thing is not to use it — tether through your phone instead. But, if you have to use it, use a VPN. This encrypts your data to a remote site across the Internet, so that local people near you can’t decrypt it. There are lots of free/cheap VPN providers. Another option is “Tor”, which acts like a VPN, but also anonymizes your identity. These are a little bit technical and hard to use, but can make using public WiFi secure.

We in the security industry know that some things are exceptionally bad. Browser apps using Java and ActiveX, the thing found in most corporate environments, are very bad. Adobe products Flash and PDF are likewise insecure in the browser. These technologies aren’t bad in and of themselves, but only bad when hackers have direct access to them via the web browser. What you want instead is a browser like Chrome using JavaScript, HTML5 replacing Flash, and a built-in viewer for PDF rather than Adobe’s viewer.

We experts know that the standard way of building web apps on the backend using the “LAMP” stack is inherently insecure. PHP, in particular, is a nightmare. Pasting strings together to form SQL queries is bad. Not whitelisting output characters is bad. If programmers just heeded these last three sentences, they’d stop 99% of the ways hackers break into websites.
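The two mistakes named above, as an added example that is not from the Errata Security post: the same lookup written the LAMP way (query text pasted together) and the parameterised way, plus output encoding, in Python with the standard sqlite3 module rather than PHP so the block runs stand-alone. The users table, its rows and the injection payload are constructed for illustration.

```python
# Added example, not code from the Errata Security post. Python/sqlite3 stands
# in for PHP/MySQL; the table contents and the attacker input are constructed.
import html
import sqlite3


def make_db():
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn


def lookup_unsafe(conn, name):
    """The anti-pattern: user-controlled text is pasted into the SQL, so a quote
    in it changes the structure of the query rather than the value compared."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterised query: the value travels separately from the statement and
    is never parsed as SQL, whatever characters it contains."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


def render_unsafe(value):
    """Echoing data into HTML without encoding: markup in the value is live."""
    return "<p>" + value + "</p>"


def render_safe(value):
    """Encode on output: <, >, &, \" and ' become entities, so stored data can
    only be displayed, never interpreted by the browser."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"            # constructed injection payload
    print(lookup_unsafe(db, payload))    # every address in the table
    print(lookup_safe(db, payload))      # nothing: no user has that literal name
    print(render_safe("<script>alert(1)</script>"))
```

The payload turns the pasted query into `... WHERE name = 'x' OR '1'='1'`, which is true for every row; the parameterised form compares against the literal string and returns nothing.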
Microsoft, Apple, and Google care about cybersecurity. They are really the only companies I can point to that really do care. Their problems stem from the fact that they are also popular, and therefore, the top targets of hackers. Their problems also stem from the fact that security is a tradeoff: caring too much about security makes products unusable.
Tradeoffs are why Android is less secure than iPhone. Apple limits apps to only those they’ve approved, whereas Android allows apps to be downloaded from anywhere. Android’s policy is better: it gives control over the phone to the user rather than the fascist control Apple has over their phones. But the price is additional risk, as users frequently download apps from dodgy websites that “infect” their phone with a “virus”. Thus, if you want a secure phone, choose iPhone, but if you want a phone that you can control yourself, choose Android. Note that Microsoft makes technically excellent phones, but nobody cares, because they don’t have the apps, so I don’t mention them in the comparison :).
I use GMail. Google’s web apps have the best track record of security, being the first to adopt SSL everywhere all the time. There are still problems, of course, but their track record is better than others.
As an operating system, I currently use Win7, Mac OS X, and Ubuntu (using Windows the majority of the time). I use them with full disk encryption. They are all equally secure as far as I’m concerned. I use Microsoft’s Office, on both Windows and Mac, as well as their cloud apps.
Finally, I want to discuss the security community’s historic dislike of Microsoft. It’s not valid. It’s always been a political dislike of Microsoft’s monopolistic control over the desktop, and an elitist preference for things like Linux that aren’t usable by the mainstream. I point this out because I can’t endorse the advice from security experts — their advice is more often going to be political rather than technical.

Raspberry Pi: Art Showcase: Binaudios

This post was syndicated from: Raspberry Pi and was written by: Rachel Rayns. Original post: at Raspberry Pi

Hey all – Rachel here!

I have spent the last year talking with lots of artists who are making amazing things with Raspberry Pis. Every day my inbox is PINGing with exciting progress news. So I’m going to start showcasing some of these projects on the blog. I find them incredibly inspiring – I hope you do too!

I’m going to kick off with a piece from one of my favourite artists: Dominic Wilcox. I bet you’ve seen some of his work kicking around the internet – He made the GPS shoes which guided you home and did some narrative sculptures inside watch faces.


This time he’s partnered up with Creative Technologist James Rutherford to produce Binaudios; a device that enables the user to listen to the sounds of the city – at the moment it’s installed in the Sage Gateshead music discovery centre.


Taking tourist binoculars as inspiration, the Binaudios can be pointed at over 40 different locations, seen out of the Sage Gateshead windows. Turn the giant listening cones toward the football stadium to hear the crowd chanting or to the Tyne Bridge to hear King George V’s speech when he opened the bridge in 1928. Point it toward the park to listen to sounds such as skateboarders and local tennis players.

As the Binaudios are rotated the stereo sounds move from one ear to the other creating a real feeling of listening to the city across the river.


I’ve met loads of ‘Creative Technologists’ on my travels. They believe creativity and art are the driving forces behind the technology they make.

James describes his work as “somewhere between code and art”. He mainly creates software; developing visualisations, data tools or games.


Binaudios was his first Raspberry Pi project AND first go with Python! Just for you guys, he has very kindly written up how Binaudios is put together:

How Binaudios works:

Although Binaudios was developed to look like an analogue device, there’s a small selection of electronics concealed within the central wooden box. A USB lead runs up the central column, powering a Raspberry Pi. This is connected to speakers within the metal cones and a USB hub. The hub adds some extra flash memory and has a couple of ports for attaching a keyboard and mouse for debugging.

Dominic recorded a selection of sounds from across Newcastle. I load these when the device boots. There are around 40 of them, spread across the 180 degree range of movement provided by the ear-cones.

The Pi has a PiBorg XLoBorg sensor attached to the GPIO port. The XLoBorg returns a 3-axis reading of the magnetic field at a point. The Python script very roughly converts this into a compass heading (to do this properly is extremely complicated, so this is a bit of a hack). I spread this heading into two angles a couple of degrees apart to fake some left/right ear separation, pick the sound clips within a small range of these and assign some volumes. The volume profile drops off over a few degrees which produces a naturalistic ‘telescope’ focus effect. The left/right separation also enhances this as the unit is turned.

The rest is all about smoothing. I debounce the output of the XLoBorg (it has a slight natural waver), ensure volume levels are adjusted gently (audio buffering can cause the sound to chop otherwise, which is very unnatural) and keep the sounds playing even when they are a few degrees out of audio range (this means that sounds don’t necessarily need to restart from the beginning when they are back in ‘view’).


The XLoBorg is a sensitive bit of kit, and magnetic fields are complicated (who knew!?). I needed to spend some time calibrating and recalibrating. Slight vertical misalignment seems to shift the compass heading much more than I first anticipated. It’s a very intriguing bit of hardware and I look forward to playing with it some more!

My test set of samples worked wonderfully, but the program failed critically when I got the real clips- some of the sounds would work, but the rest would make a single pop, or a loud, painful high-pitched wave. I never fully figured out why, but I think I was maxing out Pygame’s audio channels. Originally I was playing all of the sounds simultaneously and just shifting the volumes around (so that all but a few were zero), but I switched this to just trigger those within a small angle range – so it now plays maybe four or five at the same time. There was no failure response from the code, so I spent a manic day trying to squash, re-encode and generally poke the samples about without error reports to work on. Thankfully, the fix seems reliable.

This was my first physical project, first Pi project, and first slice of Python charming!

You can see them in action in this video or you can go and visit in person!

Binaudios was commissioned by the awesome Suzy O’Hara at Thinking Digital Arts.
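The heading-to-volume mapping James describes, as an added example rather than code from Binaudios itself: a compass heading from the two horizontal magnetometer axes (tilt ignored, as in his write-up), two ear headings a couple of degrees apart, a volume that drops off linearly over a few degrees, and a rate limiter so levels change gently. The clip table, the 6-degree focus width and the 2-degree ear offset are assumptions, not values from the installation.

```python
# Added example, not the Binaudios source. Headings, focus width and ear offset
# are assumed values chosen to illustrate the mapping described in the post.
import math

FOCUS_DEG = 6.0        # assumed: a clip is silent once this far off the heading
EAR_OFFSET_DEG = 2.0   # assumed: left/right ear headings sit this far apart
CLIPS = {"stadium": 90.0, "tyne_bridge": 150.0, "park": 30.0}   # assumed clip headings


def heading_from_field(x, y):
    """Rough compass heading in [0, 360) from the horizontal field components.
    Ignores tilt, which is the simplification the write-up calls a hack."""
    return math.degrees(math.atan2(y, x)) % 360.0


def angular_distance(a, b):
    """Shortest distance between two headings, correct across the 0/360 wrap."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def volume_for(clip_heading, ear_heading, focus=FOCUS_DEG):
    """1.0 when the ear points straight at the clip, falling linearly to 0."""
    return max(0.0, 1.0 - angular_distance(clip_heading, ear_heading) / focus)


def mix(clips, heading, ear_offset=EAR_OFFSET_DEG):
    """Per-clip (left, right) volumes for every clip within range of either ear.
    A clip slightly off-axis is louder in the ear nearer to it, which is what
    makes the sound move between ears as the cones are turned."""
    out = {}
    for name, clip_heading in clips.items():
        left = volume_for(clip_heading, heading - ear_offset)
        right = volume_for(clip_heading, heading + ear_offset)
        if left > 0.0 or right > 0.0:
            out[name] = (round(left, 3), round(right, 3))
    return out


def smooth(previous, target, step=0.05):
    """Move a level toward its target by at most `step` per tick, so volumes never
    jump between audio buffers."""
    if target > previous:
        return min(previous + step, target)
    return max(previous - step, target)


if __name__ == "__main__":
    # a constructed reading: field pointing along +y gives a 90 degree heading
    h = heading_from_field(0.0, 1.0)
    print(h, mix(CLIPS, h))
```

Clips that have just left the focus window can be kept playing at zero volume for a few extra degrees before being stopped, which is the "don't restart from the beginning" behaviour the write-up mentions.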

Linux How-Tos and Linux Tutorials: How to Control a Servo Motor from a BeagleBone Black on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Ben Martin. Original post: at Linux How-Tos and Linux Tutorials

Servo motors can rotate to a specified angle and hold that angle against a resistive force. This makes servos great for creating a DIY pan-and-tilt camera system, for moving panels through a limited distance in a model aircraft where the wind might provide resistance to that movement, and in many cases in robotics where you might need to rotate something to a specific angle. In this tutorial, we’ll cover how to connect and control a servo motor with a BeagleBone Black running Linux.

Higher torque servos can run at a higher voltage than a BeagleBone Black will supply, so you might need to bring an external power source into the mix. To make things interesting, the servo for this article needs at least 6 Volts and is mounted into a gearbox to trade some RPM for even more torque.

Using an external power source means you only need two pins from the BeagleBone Black, a PWM pin (the white wire in the figure, above) to control the Servo and a ground pin to ensure that both power sources have a common ground (green wire) to operate from.

The BeagleBone Black is a small 1 Gigahertz (GHz) ARM machine with 512 Megabytes (MB) of RAM, 2 Gigabytes (GB) of on-board flash memory, and most importantly, two headers each with two rows of pin sockets ready for your next embedded project. In this series on the BeagleBone Black we have seen how to use the Linux interface to access chips over SPI and to receive interrupts when the voltage on a pin changes.

Anatomy of a Servo Motor

Inside a servo motor you will find the motor itself, a feedback mechanism, and a little circuit to control things. Many servos offer a limited range of motion, for example 90, 180, or 360 degrees. Because of this limited range, a servo is controlled by telling it what angle you would like the motor to hold. That said, some servos have no restriction and offer continuous rotation. The feedback mechanism inside a servo is often a potentiometer, which lets the servo know what angle it is currently holding. This way you can tell the servo to move to 120 degrees and it will make the adjustments itself to move the motor to that angle and then continue to hold it.

There are normally three wires on a servo: power, ground, and a signal wire. This article uses a Hitec HS-5685MH servo. For this Hitec servo the power wire is red, ground is black, and the signal wire is yellow. This servo offers a good amount of torque and can run on 6 to 7.4 Volts (V). It is worth noting that the stall current of the Hitec HS-5685MH is 2 Amps when you are powering it at 6 V.

Because of the high power requirements of this servo, trying to run it directly off the Arduino or BeagleBone Black power output pins is a bad idea. So I powered it from a power source external to the BeagleBone Black or Arduino and connected the ground on the BeagleBone Black/Arduino to the ground of the external servo power circuit to establish a common ground. I found that the servo didn’t want to operate at 5 V, no surprise as this is outside the servo’s spec. At 6 V the servo moved smoothly. The servo’s maximum of 7.4 V should allow many battery options to provide the best torque the servo can offer.

The signal wire uses Pulse Width Modulation (PWM) to allow you to tell the servo the angle you would like it to rotate to. When using PWM to control a servo, time is divided into 20 millisecond (ms) blocks. Inside a block, if the voltage is high for 1.5 ms and then low for the remainder of the block, the servo will sit at about the middle of its range, at least for the Hitec servos used in this article. If the signal is high for only 1 ms of the 20 ms block then the servo will move to a smaller angle than its middle. Likewise, holding the signal high for 2 ms will cause the servo to move to a larger angle than its mid-point.

Some servos are available allowing motion through many different ranges of angles. For this article the Hitec HS-5685MH was configured for motion through about 400 degrees. The block of time (20 ms in this case) is called the period of the signal, and the time the voltage is high (1-2 ms) is the pulse width. Strictly speaking, the duty cycle is that pulse width as a fraction of the period, but the Linux PWM interface used below simply calls the high time the duty and takes it in nanoseconds.

Even with a high torque servo you might want to trade some of your RPM for an increase in torque. The image above shows the servo mounted in a ready-made Servo Gearbox which is then mounted inside some Actobotics aluminum channel. One little catch here is that the brass servo gear will have to rotate many times in order for the larger alloy gear to rotate once.

To help keep servo control simple, the feedback mechanism in the servo is removed from the servo and attached to the larger alloy gear. This way a servo that was going to offer a 360-degree maximum rotation will spin many times in order to provide a 360-degree rotation of the larger alloy gear. Of course, you have to use a servo that can fully rotate many times. Some servos have physical stoppers within them that do not permit full rotation. By moving the feedback mechanism you can directly control the angle the alloy gear is holding using the same PWM range that the servo can understand.

Kicking the tires with Arduino

As I have done in the past, I first started out by interacting with the hardware using an Arduino and then moved to replace the Arduino with a BeagleBone Black. Thinking in milliseconds made the numbers in the above discussion easier, but in a program it can be more convenient to use microseconds (µs) throughout to avoid mixing milliseconds and microseconds. The following program sweeps the Hitec HS-5685MH servo through about 360 degrees of rotation. The first 20 ms (20,000 µs) block of time will only have a high voltage for 800 µs of time. This will steadily increase up to being high 2400 µs of the 20,000 µs time block.

void setup() {
    pinMode(5, OUTPUT);
    digitalWrite(5, LOW);
}

int periodTimeSlice = 20 * 1000;   // 20 ms frame, in microseconds
int minPulseTimeSlice = 800;       // shortest pulse the sweep uses, in microseconds
int maxPulseTimeSlice = 2400;      // longest pulse the sweep uses, in microseconds
int TimeDelta = 1;                 // change in pulse width per frame, in microseconds

// Hold pin 5 high for `pulse` microseconds, then low for the rest of the frame.
// delayMicroseconds() is only accurate up to 16383 us on AVR boards, so the
// long low part of the frame is split into delay() plus delayMicroseconds().
void pulseFrame(int pulse) {
    int rest = periodTimeSlice - pulse;
    digitalWrite(5, HIGH);
    delayMicroseconds( pulse );
    digitalWrite(5, LOW);
    delay( rest / 1000 );
    delayMicroseconds( rest % 1000 );
}

void loop() {
    int c;
    // sweep the pulse width up, then back down, one microsecond per frame
    for( c = minPulseTimeSlice; c <= maxPulseTimeSlice; c += TimeDelta ) {
        pulseFrame( c );
    }
    for( c = maxPulseTimeSlice; c >= minPulseTimeSlice; c -= TimeDelta ) {
        pulseFrame( c );
    }
}

The Arduino servo library provides a much more convenient interface to controlling servo motors. The above code was deliberately written at a low level without using any specific PWM hardware so that the PWM output is explicit.

Moving to Linux and the BeagleBone Black

I started testing using an HS-422 servo and the BeagleBone Black. Given the lower power requirements of the HS-422 I decided to run it directly from the 5 V output on the BeagleBone Black. At first I started tinkering around in the promising looking /sys/class/pwm directory tree which is documented in the Linux kernel documentation files. After a while with no success using /sys/class/pwm I moved on to using the device tree overlays in /lib/firmware.

One little trick here is that if you enable two PWM outputs which are driven by the same chip then you cannot change the period of the PWM. You get something like “write error: Invalid argument” when you try to write to the period file. If you get the write error, try disabling other PWM overlays so that there is only one use of the PWM chip. An example of removing an overlay is shown at the end of the article. The default period is 500000 nanoseconds, or half a millisecond, which is too short for servo control.

My initial plan was to use pin 22 on header 9, which is the first PWM chip. That overlay failed to load because there was a conflict with the SPI bus overlay, shown below. So the device tree overlays protected against a potentially conflicting use of some pins! The PWM on P9_16 was able to load without conflict.

A word of caution before you enable a PWM output, for me they always started with default values and one of these is to start in a running state. So you will want to move to the pwm_test_P9_16 directory fairly quickly and disable the PWM output. I tried changing the dts file to tell the Linux kernel that I wanted the PWM interface to be started in a non-running mode and without inverted output. Unfortunately my many attempts did not result in any change from the default values when setting up the slot.

root@beaglebone:/lib/firmware# uname -a
Linux beaglebone 3.8.13 #1 SMP Thu Sep 12 10:27:06 CEST 2013 armv7l GNU/Linux
root@beaglebone:/lib/firmware# echo bone_pwm_P9_22 > /sys/devices/bone_capemgr*/slots
-bash: echo: write error: File exists
root@beaglebone:/lib/firmware# dmesg | tail
[ 4510.813900] bone-capemgr bone_capemgr.9: part_number 'bone_pwm_P9_22', version 'N/A'
[ 4510.814095] bone-capemgr bone_capemgr.9: slot #30: generic override
[ 4510.814353] bone-capemgr bone_capemgr.9: bone: Using override eeprom data at slot 30
[ 4510.814412] bone-capemgr bone_capemgr.9: slot #30: 'Override Board Name,00A0,Override Manuf,bone_pwm_P9_22'
[ 4510.818521] bone-capemgr bone_capemgr.9: slot #30: Requesting part number/version based 'bone_pwm_P9_22-00A0.dtbo
[ 4510.818589] bone-capemgr bone_capemgr.9: slot #30: Requesting firmware 'bone_pwm_P9_22-00A0.dtbo' for board-name 'Override Board Name', version '00A0'
[ 4510.818654] bone-capemgr bone_capemgr.9: slot #30: dtbo 'bone_pwm_P9_22-00A0.dtbo' loaded; converting to live tree
[ 4510.819308] bone-capemgr bone_capemgr.9: slot #30: bone_pwm_P9_22 conflict P9.22 (#9:BB-SPIDEV0)
[ 4510.828819] bone-capemgr bone_capemgr.9: slot #30: Failed verification
root@beaglebone:/lib/firmware# echo bone_pwm_P9_16 > /sys/devices/bone_capemgr*/slots
# cat /sys/devices/bone_capemgr*/slots    
 0: 54:PF--- 
 1: 55:PF--- 
 2: 56:PF--- 
 3: 57:PF--- 
 4: ff:P-O-L Bone-LT-eMMC-2G,00A0,Texas Instrument,BB-BONE-EMMC-2G
 5: ff:P-O-- Bone-Black-HDMI,00A0,Texas Instrument,BB-BONELT-HDMI
 6: ff:P-O-- Bone-Black-HDMIN,00A0,Texas Instrument,BB-BONELT-HDMIN
 7: ff:P-O-L Override Board Name,00A0,Override Manuf,cape-bone-iio
 8: ff:P-O-L Override Board Name,00A0,Override Manuf,am33xx_pwm
 9: ff:P-O-L Override Board Name,00A0,Override Manuf,BB-SPIDEV0
10: ff:P-O-L Override Board Name,00A0,Override Manuf,gpio-P9.12
11: ff:P-O-L Override Board Name,00A0,Override Manuf,gpio-P9.15
12: ff:P-O-L Override Board Name,00A0,Override Manuf,gpio-P9.23
14: ff:P-O-L Override Board Name,00A0,Override Manuf,gpio-P9.26
15: ff:P-O-L Override Board Name,00A0,Override Manuf,gpio-P9.27
29: ff:P-O-L Override Board Name,00A0,Override Manuf,bone_pwm_P9_16

Once the pwm_test_P9_16 directory exists you’ll want to move to it and set run to 0 to disable output while you configure the PWM. Below, I set the period to 20 ms and a starting duty of 1 ms; after enabling output again the servo will swing to the left of its central position. After echoing 2 ms into the duty the servo should move to the right of its center.

root@beaglebone:# cd /sys/devices/ocp.3/pwm_test_P9_16.*
# echo 0 >run
# cat period 
# cat duty 
# cat polarity 
# echo 0 > polarity 
# echo 20000000 > period 
# echo 1000000 > duty 
# echo 1 >run
# echo 2000000 > duty 
# echo 0 >run

Replacing the HS-422 servo with the channel mount Servo Gearbox I again ran the Servo from an external 6 V power source and connected the ground pin to the ground of the external power supply used for the servo. I found the range of 360 degree movement could almost be achieved using a range of 1 to 2 ms pulse. The minimal useful pulse was about 880,000 ns up to about 2,200,000 ns. Writing a value outside that range caused the servo to continually rotate instead of settling at any specific angle.
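The same sequence as the shell session above, as an added Python example rather than code from the article: the requested angle is clamped to the 880,000 to 2,200,000 ns window before anything is written, so a bad input can never push the servo into continuous rotation, and a failed period write is reported with the shared-chip hint from earlier in the article. The linear angle-to-pulse mapping over 360 degrees and the P9_16 path glob are assumptions.

```python
# Added example, not code from the article. The pulse window and the 20 ms
# period are the article's measured values; the 360 degree linear mapping and
# the sysfs path pattern are assumptions.
import glob
import os

PERIOD_NS = 20_000_000     # 20 ms frame
MIN_PULSE_NS = 880_000     # below this the gearbox spins instead of settling
MAX_PULSE_NS = 2_200_000   # above this likewise
FULL_RANGE_DEG = 360.0     # assumed output travel covered by that window


def angle_to_duty_ns(angle_deg):
    """Linear map from output angle to pulse width. The angle is clamped first,
    so no caller can write a pulse outside the window that makes the servo spin."""
    angle = min(max(float(angle_deg), 0.0), FULL_RANGE_DEG)
    span = MAX_PULSE_NS - MIN_PULSE_NS
    return int(round(MIN_PULSE_NS + span * angle / FULL_RANGE_DEG))


def plan_writes(angle_deg):
    """The sysfs writes, in the order the article performs them by hand:
    stop output, set polarity and period, set duty, run."""
    return [
        ("run", "0"),
        ("polarity", "0"),
        ("period", str(PERIOD_NS)),
        ("duty", str(angle_to_duty_ns(angle_deg))),
        ("run", "1"),
    ]


def find_pwm_dir(pin="P9_16"):
    """Locate the pwm_test directory the overlay created (path pattern assumed)."""
    matches = glob.glob("/sys/devices/ocp.*/pwm_test_%s.*" % pin)
    return matches[0] if matches else None


def set_servo_angle(pwm_dir, angle_deg):
    """Apply plan_writes() to a real pwm_test directory. Returns the duty written."""
    for name, value in plan_writes(angle_deg):
        try:
            with open(os.path.join(pwm_dir, name), "w") as f:
                f.write(value)
        except OSError as err:
            hint = ""
            if name == "period":
                # EINVAL here is the shared-chip case described above
                hint = " (another enabled PWM on the same chip blocks period changes; unload its overlay)"
            raise RuntimeError("writing %s to %s failed: %s%s" % (value, name, err, hint))
    return angle_to_duty_ns(angle_deg)


if __name__ == "__main__":
    pwm = find_pwm_dir()
    if pwm is None:
        print("no pwm_test_P9_16 directory; load the bone_pwm_P9_16 overlay first")
    else:
        print("duty written:", set_servo_angle(pwm, 180))
```

Because run is written as 0 before the period and duty change and as 1 only afterwards, the servo never sees the half-written intermediate state.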

If you want to remove an overlay for a PWM output simply view the slots file, see the slot number of what you want to remove and write -1 * slot-number back to the slots file as shown below.

root@beaglebone:/lib/firmware# echo bone_pwm_P9_16 > /sys/devices/bone_capemgr*/slots
# cat /sys/devices/bone_capemgr*/slots    
 0: 54:PF--- 
 1: 55:PF--- 
 2: 56:PF--- 
 3: 57:PF--- 
 4: ff:P-O-L Bone-LT-eMMC-2G,00A0,Texas Instrument,BB-BONE-EMMC-2G
 5: ff:P-O-- Bone-Black-HDMI,00A0,Texas Instrument,BB-BONELT-HDMI
 6: ff:P-O-- Bone-Black-HDMIN,00A0,Texas Instrument,BB-BONELT-HDMIN
 7: ff:P-O-L Override Board Name,00A0,Override Manuf,cape-bone-iio
 8: ff:P-O-L Override Board Name,00A0,Override Manuf,am33xx_pwm
15: ff:P-O-L Override Board Name,00A0,Override Manuf,gpio-P9.27
29: ff:P-O-L Override Board Name,00A0,Override Manuf,bone_pwm_P9_16
root@beaglebone:/lib/firmware# echo -29 > /sys/devices/bone_capemgr*/slots

It seems that device tree overlays play a key role in accessing much of the hardware on the BeagleBone Black. With a SoC that can use its pins for many different purposes depending on how it is configured, the device overlays can save you from trying to accidentally reuse some pins which might be already reserved for other purposes. Once a PWM directory is setup in /sys/devices/ocp.3 controlling a servo from the BeagleBone Black is as simple as writing a number to a file. Tune in next time when we'll control some gearmotors to move a robot base around using Bonescript.

We would like to thank ServoCity for supplying the gearbox and servo used in this article.

SANS Internet Storm Center, InfoCON: green: Pay attention to Cryptowall!, (Wed, Jun 11th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

CryptoLocker might be pretty much off the radar. But Cryptowall is alive and kicking, and making the bad guys a ton of money. It mainly spreads by poisoned advertisements and hacked benign websites, and then sneaks its way onto the PCs of unsuspecting users by means of Silverlight, Flash and Java Exploits.

Somewhat unexpectedly, Java is NOT the most prominent for a change. It looks like the Silverlight sploits are currently the most successful.

If you’re “had”, Cryptowall encrypts all the files that you could possibly want to keep (images, documents, etc), and then asks for a $500 ransom. If you don’t pay up quickly, the ransom doubles. And after a while of not paying, well, the suckers delete the key. As far as we know, there is no way yet to recover the encrypted data, because the private key is not present on the infected machine. I hope you have a recent backup.

Last week’s batch of infections for example had “” as a prominent source. As far as I can tell, they are cleaned up by now, but we have several samples in the database that show pages like[dot]com/recipe/pan-fried-broccoli-226105,[dot]com/recipe/barefoot-contessas-panzanella-salad-135723, etc, as the last referer before the exploit triggered.

The domains last week were following the pattern [a-f0-9]{6,8}\.pw and [a-f0-9]{6,8}\.eu, but this is obviously changing all the time. Still, it probably doesn’t hurt to check your DNS or proxy logs for the presence of (especially) .pw domains. Yes, I had to look it up as well … .pw is Palau. A bunch of islands in the South Pacific. It is safe to assume that most of the web sites with this extension are not actually about or in Palau.
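A check of the kind the diary suggests, as an added example that is not from the ISC post: the reported pattern anchored to the whole host name and run over a few constructed proxy log lines. The log layout (timestamp, client, method, URL, status) and every host name in it are made up for the example; adjust the field positions to your own proxy or DNS log format.

```python
# Added example, not code from the ISC diary. The pattern is the one the diary
# reports; the log format and all host names below are constructed.
import re
from urllib.parse import urlsplit

# 6 to 8 hex characters directly under .pw or .eu, anchored so only a whole
# host name matches (not a label buried inside a legitimate domain).
SUSPECT_HOST = re.compile(r"^[a-f0-9]{6,8}\.(?:pw|eu)$")

SAMPLE_PROXY_LOG = """\
2014-06-11T10:01:02 10.0.0.5 GET http://www.example.org/recipe/pan-fried-broccoli 200
2014-06-11T10:01:05 10.0.0.5 GET http://3fa91c2b.pw/counter.php 200
2014-06-11T10:01:06 10.0.0.5 GET http://deadbeef1.eu/ 200
2014-06-11T10:02:11 10.0.0.9 GET http://www.palau.pw/ 200
2014-06-11T10:03:40 10.0.0.7 GET http://0ab7e2.eu:8080/ 404
"""


def is_suspect(host):
    return bool(host) and SUSPECT_HOST.match(host.lower()) is not None


def host_of(field):
    """Accept either a bare host (DNS log) or a URL (proxy log); strip any port."""
    if "://" in field:
        return urlsplit(field).hostname or ""
    return field.split(":")[0].lower()


def flag_hosts(log_text):
    """(client, host) for every line whose host matches the pattern. Assumes
    whitespace-separated fields with the client second and the URL fourth."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = host_of(fields[3])
        if is_suspect(host):
            hits.append((fields[1], host))
    return hits


if __name__ == "__main__":
    for client, host in flag_hosts(SAMPLE_PROXY_LOG):
        print(client, "->", host)
```

Two of the five constructed lines match: the nine-hex-character host is outside the 6-8 range and www.palau.pw has a non-hex label, so the anchored pattern leaves both alone. As the diary says, the pattern changes constantly, so treat a hit as a pivot (look at the referer that preceded it) rather than as a verdict.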

More info: Ronnie has an outstanding write-up at . Cisco’s blog has a lot of IOCs:


(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe, Microsoft Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each released updates to fix critical security vulnerabilities in their software. Adobe issued patches for Flash Player and AIR, while Microsoft’s Patch Tuesday batch includes seven update bundles to address a whopping 66 distinct security holes in Windows and related products.

The vast majority of the vulnerabilities addressed by Microsoft today are in Internet Explorer, the default browser on Windows machines. A single patch for IE this month (MS14-035) shores up at least 59 separate security issues scattered across virtually every supported version of IE. Other patches fix flaws in Microsoft Word, as well as other components of the Windows operating system itself.

Most of the vulnerabilities Microsoft fixed today earned its “critical” rating, meaning malware or bad guys could exploit the flaws to seize control over vulnerable systems without any help from users, save perhaps for having the Windows or IE user visit a hacked or booby-trapped Web site. For more details on the individual patches, see this roundup at the Microsoft Technet blog.

Adobe’s update for Flash Player fixes at least a half-dozen bugs in the widely-used browser plugin. The Flash update brings the media player to v. on Windows and Mac systems, and v. for Linux users. To see which version of Flash you have installed, check this link.

IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. Chrome version 35.0.1916.153 includes this Flash update; to see which version of Chrome you’re running, click the 3-bars icon to the right of the address bar and select “About Google Chrome.”

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. for Windows, Mac, and Android.


Delian's Tech blog: RTMP Api for Node.JS to ease the implementation of RTMP servers and clients

This post was syndicated from: Delian's Tech blog and was written by: Delian Delchev. Original post: at Delian's Tech blog

Hello to all,
As I mentioned before, I needed to implement an RTMP streaming server in Node.JS. All of the available modules for implementation of RTMP in Node’s NPM repository were incomplete, incorrect or unusable. Not only that, but the librtmp used by libav tools like avconv and avplay was incorrect and incomplete.
The same with most of the implementation I’ve checked (covering perl, python, others). I’ve tried to fix few of them but at the end I had to write one on my own.
This is my library of RTMP related tools and API for Node.JS. It is named node-rtmpapi and is available in the npm repository. Also you can get it here –
It works well for me, and it has been tested with MistServer, OrbanEncoders and librtmp (from libav).
That does not mean it will work for you, though :)
RTMP is a quite badly documented protocol and an extremely badly implemented one.
During my tests I have seen issues like crashes of libraries (including Adobe’s original one) if the upper layer commands have been sent in an unexpected order (although this is allowed by the RTMP protocol and the order of the upper layer commands is not documented at all). Also I have seen (within Adobe’s rtmp library) an incorrect implementation of the setPeerBandwidth command.
Generally, each different RTMP implementation is on its own and the only way to make it work is to adjust and tune it according to the software you communicate with.
Therefore I separated my code in utils that allows me to write my own RTMP server relatively easy and to adjust it according to my needs.
The current library supports only TCP as a transport (although TLS and HTTP/HTTPS are easy to implement, I haven’t focused on them yet).
It provides separate code that implements streaming (readQueue), the chunk layer of the protocol (rtmpChunk), the upper layer messaging (assembling and disassembling of message over chunks, rtmpMessage), stream processing (rtmpStream) and basic server implementation without the business logic (rtmpServer).
Simplified documentation is provided at the git-hub repository.
The current library uses callbacks for each upper layer command it receives. I am planning to migrate the code to use node streams and to trigger events per command, instead of callbacks. This will extremely simplify the usage and the understanding of the library for a node programmer. However, this is the future and in order to preserve compatibility, I will probably name it something different (like node-streams-rtmpapi)

Delian's Tech blog: AMF0/3 encoding/decoding in Node.JS

This post was syndicated from: Delian's Tech blog and was written by: Delian Delchev. Original post: at Delian's Tech blog

I am writing my own RTMP restreamer (RTMP is Adobe’s dying streaming protocol widely used with Flash) in Node.JS.
Although there are quite a few RTMP modules, none of them is complete, operates on Node.JS buffers, or fully supports either AMF0 or AMF3 encoding and decoding.
So I had to write one of my own.
The first module is the AMF0/AMF3 utils that allow me to encode or decode AMF data. AMF is a binary encoding used in Adobe’s protocols, very similar to BER (used in ITU’s protocols) but supporting complex objects. In general the goal of AMF is to encode ActionScript objects into binary. As ActionScript is a language belonging to the JavaScript family, ActionScript objects are basically JavaScript objects (with the exception of some simplified arrays).
My module is named node-amfutils and is now available in the public NPM repository as well as here
It is not fully completed nor very well tested, as I have a very limited environment to do the tests in. However, it works for me and provides the best AMF0 and AMF3 support currently available for Node.JS:
  • It can encode/decode all the objects defined in both AMF0 and AMF3 (the other AMF modules in the npm repository support partial AMF0 or partial AMF3)
  • It uses Node.JS buffers (it is not necessary to do string to buffer to string conversion, as you have to do with the other modules)

It is easy to use this module. You just have to do something like this:

var amfUtils = require('node-amfutils');
// Encode a list of values (here one object with a string property and a null property) into an AMF0 Buffer.
var buffer = amfUtils.amf0Encode([{ a: "xxx", b: null }]);
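To show what such an encoder actually does with Node.JS buffers, here is an added, self-contained AMF0 encoder and decoder for the common value types (number, boolean, short string, null, undefined, strict array, anonymous object). This is example code written for this page, not node-amfutils; the decoder validates every length prefix against the bytes present, which is the check a parser of untrusted RTMP input must have.

```javascript
// Added example, not node-amfutils code: minimal AMF0 encode/decode over Node.JS
// Buffers. Type markers and layouts follow the AMF0 specification.
const MARKER = {
  NUMBER: 0x00, BOOLEAN: 0x01, STRING: 0x02, OBJECT: 0x03,
  NULL: 0x05, UNDEFINED: 0x06, OBJECT_END: 0x09, STRICT_ARRAY: 0x0a,
};
// UTF-8 string with a 16-bit big-endian length prefix (no type marker); used for
// both string values and object property names.
function encodeUtf8Short(s) {
  const bytes = Buffer.from(s, 'utf8');
  if (bytes.length > 0xffff) throw new RangeError('string too long for AMF0 short string');
  const len = Buffer.alloc(2);
  len.writeUInt16BE(bytes.length, 0);
  return Buffer.concat([len, bytes]);
}
function encodeValue(v) {
  if (v === null) return Buffer.from([MARKER.NULL]);
  if (v === undefined) return Buffer.from([MARKER.UNDEFINED]);
  if (typeof v === 'number') {
    const b = Buffer.alloc(9);             // marker + IEEE-754 double, big-endian
    b[0] = MARKER.NUMBER;
    b.writeDoubleBE(v, 1);
    return b;
  }
  if (typeof v === 'boolean') return Buffer.from([MARKER.BOOLEAN, v ? 1 : 0]);
  if (typeof v === 'string') return Buffer.concat([Buffer.from([MARKER.STRING]), encodeUtf8Short(v)]);
  if (Array.isArray(v)) {
    const hdr = Buffer.alloc(5);           // marker + 32-bit element count
    hdr[0] = MARKER.STRICT_ARRAY;
    hdr.writeUInt32BE(v.length, 1);
    return Buffer.concat([hdr, ...v.map(encodeValue)]);
  }
  if (typeof v === 'object') {
    const parts = [Buffer.from([MARKER.OBJECT])];
    for (const [key, val] of Object.entries(v)) parts.push(encodeUtf8Short(key), encodeValue(val));
    parts.push(Buffer.from([0x00, 0x00, MARKER.OBJECT_END])); // empty name + object-end marker
    return Buffer.concat(parts);
  }
  throw new TypeError(`cannot encode ${typeof v} as AMF0`);
}
// Encode a list of values back to back, mirroring the amf0Encode call in the post.
function amf0Encode(values) {
  return Buffer.concat(values.map(encodeValue));
}
// Decoder that checks each length prefix against the bytes actually present, so a
// truncated or hostile message raises RangeError instead of reading past the
// buffer or looping on a bogus element count.
class Amf0Reader {
  constructor(buf) { this.buf = buf; this.pos = 0; }
  need(n) {
    if (n > this.buf.length - this.pos) throw new RangeError(`truncated AMF0 data at offset ${this.pos}`);
  }
  u8() { this.need(1); return this.buf[this.pos++]; }
  u16() { this.need(2); const v = this.buf.readUInt16BE(this.pos); this.pos += 2; return v; }
  u32() { this.need(4); const v = this.buf.readUInt32BE(this.pos); this.pos += 4; return v; }
  f64() { this.need(8); const v = this.buf.readDoubleBE(this.pos); this.pos += 8; return v; }
  utf8Short() {
    const n = this.u16();
    this.need(n);
    const s = this.buf.toString('utf8', this.pos, this.pos + n);
    this.pos += n;
    return s;
  }
  value() {
    const marker = this.u8();
    switch (marker) {
      case MARKER.NUMBER: return this.f64();
      case MARKER.BOOLEAN: return this.u8() !== 0;
      case MARKER.STRING: return this.utf8Short();
      case MARKER.NULL: return null;
      case MARKER.UNDEFINED: return undefined;
      case MARKER.STRICT_ARRAY: {
        const count = this.u32();
        this.need(count);                  // every element needs at least its marker byte
        const out = [];
        for (let i = 0; i < count; i++) out.push(this.value());
        return out;
      }
      case MARKER.OBJECT: {
        const obj = {};
        for (;;) {
          const key = this.utf8Short();
          if (key === '') {                // empty name must be followed by object-end
            if (this.u8() !== MARKER.OBJECT_END) throw new Error('missing AMF0 object-end marker');
            return obj;
          }
          obj[key] = this.value();
        }
      }
      default: throw new Error(`unsupported AMF0 marker 0x${marker.toString(16)}`);
    }
  }
}
// Decode every value in the buffer, in order.
function amf0Decode(buf) {
  const reader = new Amf0Reader(buf);
  const values = [];
  while (reader.pos < buf.length) values.push(reader.value());
  return values;
}
```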

TorrentFreak: Could Bitcoin Miners Help Pay For Pirated Games?

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While it’s no secret that some pirate games releases contain malware, during the past few days a more unusual story has been doing the rounds.

According to a GameCrastinate report, this week thousands of BitTorrent users inadvertently became infected with Bitcoin-mining malware.

The problem apparently stemmed back to a leaked PC version of the much-anticipated game Watch Dogs from Ubisoft Montreal. While there was never any suggestion that the company had anything to do with it, the assumption has been that whoever leaked the game thought they could make a few dollars by installing the trojan on pirates’ machines.

While there appears to be very little hard proof that the trojan ever existed or indeed spread on the suggested scale, the idea that tens or even hundreds of thousands of computers could be hijacked to generate mountains of dollars for a third-party gained a lot of traction in the press.

The idea of a sneaky trojan install is likely to annoy just about everyone, but what if a similar process could be put to a more creative and authorized use? What if a developer allowed his game to be shared online for free but in return installed a Bitcoin miner on downloaders’ machines to generate revenue to pay for the software?

That question was emailed to TorrentFreak this week and while we had our doubts over the idea’s viability, it could be pretty cool if it somehow came to pass. We promised to find out whether this was a crazy idea or a flash of genius.

Last year, Ars Technica bought a dedicated miner for $274 capable of magically churning out around $20 in bitcoin every day. Sure it gobbled up $100 a year in electricity, but as a financial prospect it was a pretty safe bet.

Gamers tend not to own dedicated mining hardware, but people playing a game like Watch Dogs more often than not will have rather juicy graphics cards on board which could be coaxed into a bit of mining. Question is, would they be up to the task?

Roger Ver, an angel investor in several Bitcoin startups including BitcoinStore and BitPay, has been referred to in the press as the Bitcoin Jesus. In his opinion, could the “Watch Dog hackers” who sparked this story make much money with their illegal trojan?

“It depends a lot on the hardware of the machines, but to the hacker, it is all profit since he doesn’t have to pay for any of the hardware or electricity costs,” Ver told TF.

So with free money for the hackers established, we come back to the key question: could a Bitcoin miner installed with the permission of the downloader generate enough fractions of a single bitcoin on a single machine to keep the developer happy, in Watch Dogs’ case, to the tune of around $60? Ver was quick to disappoint.

“This isn’t viable any longer,” he told us. “There are so many people mining bitcoins using specialized ASIC hardware that a home computer isn’t very effective any more.”

So the idea of mining Bitcoin in order to generate revenue from people who can’t or won’t pay for their games is a no-go? It appears so.

“A few years ago, was trying to do this, but I don’t think this is practical any more due to the difficulty in mining bitcoin,” Ver concludes.

Back to the drawing board then….

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Backblaze Blog: Introducing: Flash Drive Restore Boxes

This post was syndicated from: Backblaze Blog and was written by: Yev. Original post: at Backblaze Blog

We’re excited to announce that our 128GB USB flash drives will now be shipped in tiny little restore boxes that will come to your door with all your lost data eagerly awaiting to return home. To some of us in the office, these little restore boxes look like tiny flash drive coffins, with the USB […]

Linux How-Tos and Linux Tutorials: Radxa: The $100 Quad-Core ARM Raspberry Pi Alternative

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Ben Martin. Original post: at Linux How-Tos and Linux Tutorials

Many will think of the Raspberry Pi or BeagleBone Black when considering a DIY project running Linux. But if you want to do some CPU-heavy work in your DIY project, like running some opencv code to give your project some vision, the Radxa Rock might be the right choice. Even if you’re not looking at a DIY project, this machine makes for a nice little Linux server.

The Radxa offers 80 pins to interface with other electronics and offers a much faster quad core CPU, up to 2 Gigabytes (GB) of RAM, 8 GB of on-board flash storage and bluetooth for $100. The Radxa also has on-board wifi with an antenna to provide a good wireless link, and comes with a clear, friction fit case. 

The Radxa is built around the Rockchip RK3188 quad core SoC, which it runs at 1.6 GHz. There are two configurations depending on how much RAM, on-board flash storage, and Bluetooth you want. The less expensive Radxa Rock Lite model goes for $80 and has 1GB of RAM, 4GB of flash, and no Bluetooth. Both boards include the quad core CPU, 100-Megabit Ethernet, wifi-n, an infrared receiver, HDMI, SPDIF and headphone output jacks, and two blocks of two rows of headers to help connect your DIY project.

The Radxa Lite might give the most bang for your buck. The BeagleBone Black revision C has a single core ARM with 1GB of RAM and 4GB of flash and is offered at $55. The extra $25 for the cheaper Radxa gets you a quad core which is at a higher clock speed, a Mali-400 GPU, wifi-n, audio output ports, a second USB port, and infrared input.

If you are intending to run Linux on a mobile platform, the Radxa’s built-in wifi antenna will help untether your project. You could add a cheap ($20) device running openWRT to give the BeagleBone Black a wifi access point. Though this brings the price of the Radxa ($80-$100 depending on model) and BeagleBone Black Rev C and access point combination ($75) setups closer. The Radxa’s two USB ports also gives it a bit more breathing room, relative to the one on the BeagleBone Black. And the IR receiver on the Radxa should give you a cheap and immediate way to control your DIY code.

Updating the Software

The Radxa has operating system images to run Android Jelly Bean 4.2.2, Linaro 13.11, or an image that can dual boot to either.

The default image that comes with the Radxa is version 4.2.2 of Android. The status bar at the bottom of the screen includes soft keys for volume up and down, a power-off button, and a button to hide the bottom status bar. The status bar can be brought back by clicking at the bottom of the screen, dragging upwards and then releasing the mouse button.

There are a few apps installed by default including ES File Explorer, SuperSU, WifiDisplay, an RKGameController tool, and BootUbuntu. Selecting BootUbuntu opens up a superuser request dialog for an interactive shell. After granting privileges you will see another dialog asking if you want to reboot into Ubuntu. Then after a while you should see a desktop running Linaro version 13.08. As the latest Linaro offered is version 13.11, the first order of business was to update the software.

There are many methods to flash new software onto the Radxa, including a closed source tool from Rockchip and an open source tool with a GUI. Unfortunately it seems the open source rkflashkit can not flash the update.img file which is used to update the complete installation. So it seems, for now at least, you are left having to use a closed source tool in order to flash an updated operating system image to the Radxa. The instructions mention running the closed source tool as root on your desktop Linux machine. Instead of this you might like to add a minimally privileged user account and allow all accounts full access to the Radxa OTG interface, by placing the following rule in “/etc/udev/rules.d/50-radxa.rules” on your desktop Linux machine (note that MODE 0666 makes the device node readable and writable by every local user, which is what lets the unprivileged account drive it).

$ cat /etc/udev/rules.d/49-radxa.rules 
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2207", ATTRS{idProduct}=="310b", MODE:="0666"

With the above in place you can reconnect the USB link from your desktop machine to the OTG port of your Radxa and upgrade your Radxa using any user account on the desktop machine. No need to give root access to the closed source upgrade_tool. First put your Radxa into recovery mode by holding down the recovery button on the Radxa and connect its OTG port to any USB port on the desktop Linux machine. The recovery button is on the opposite side of the Radxa board to the power button. If in doubt choose the side button that is not near the OTG port.

[ norights@desktop ]$ ./upgrade_tool  uf /tmp/radxa_rock_ubuntu_desktop_140318_update.img 
Loading firmware...
Support Type:RK31       FW Ver:1.0.00   FW Time:2014-03-18 16:22:24
Loader ver:2.08 Loader Time:2013-12-02 18:58:57
Upgrade firmware ok.

The /etc/release files showed version 13.09 of Linux after the reflashing. I found that the wired ethernet was not automatically brought up, so I had to enable that from the panel first. Then I changed the root password. To login as root, open a local XTerm and type “sudo su -l”; I found that no password was required for that. Then the root password can be changed as desired.

I found that the ubuntu_desktop_140318 image had neither NFS client nor server support. While I could install the nfs-kernel-server package, there was no kernel module to support it. To get around that you may have to download a matching updated modules file and expand that into /lib/modules. After I did this I had NFS support and could mount a filesystem from the Radxa using the command below:

[root@desktop mnt]# mount \
  -o soft,intr,tcp,bg,noatime,nodiratime,rsize=32768,wsize=32768,async \
  radxa:/tmp /mnt/tmp

Getting at those 80 pins

Just as one would expect, the GPIO interface is exposed at /sys/class/gpio by the Linux kernel.

root@radxa:/sys/class/gpio# ls -l 
total 0
--w------- 1 root root 4096 Jan  1 12:00 export
lrwxrwxrwx 1 root root    0 Jan  1 12:00 gpiochip160 -> ../../devices/virtual/gpio/gpiochip160
lrwxrwxrwx 1 root root    0 Jan  1 12:00 gpiochip192 -> ../../devices/virtual/gpio/gpiochip192
lrwxrwxrwx 1 root root    0 Jan  1 12:00 gpiochip224 -> ../../devices/virtual/gpio/gpiochip224
lrwxrwxrwx 1 root root    0 Jan  1 12:00 gpiochip256 -> ../../devices/virtual/gpio/gpiochip256
--w------- 1 root root 4096 Jan  1 12:00 unexport

The TWI interfaces are exposed in /dev as well, though SPI is not exposed by default.

# ls -l /dev/i2c*
crw------- 1 root root 89,  0 Jan  1 12:00 /dev/i2c-0
crw------- 1 root root 89,  1 Jan  1 12:00 /dev/i2c-1
crw------- 1 root root 89,  2 Jan  1 12:00 /dev/i2c-2
crw------- 1 root root 89,  3 Jan  1 12:00 /dev/i2c-3
crw------- 1 root root 89,  4 Jan  1 12:00 /dev/i2c-4
crw------- 1 root root 10, 51 Jan  1 12:00 /dev/i2c_detect
# ls -l /dev/*spi*
ls: cannot access /dev/*spi*: No such file or directory

Performance Testing

For wifi performance, an rsync to the Radxa from a Fedora machine got up to around 6.9 Megabytes per second (MB/s), though it did drop to 3.3 MB/s on occasion. This was connected over a D-Link 855 wifi-n access point. Overall I got about 6.5 MB/s while copying a 900 MB file from an NFS server hosted on the Radxa to a desktop machine over wifi.

A single job compile of openssl 1.0.1e took a little over 8 minutes. For comparison, the BeagleBone Black took over 20 minutes. I found that Linaro had issues performing a multi-job compile of the openssl codebase. Cipher performance was similar to or better than the ODroid-U2.

Radxa ciphers

Digest performance was similar to cipher performance with the Radxa competing with the ODroid-U2. Notice that the Radxa offers significantly better MD5 digest performance than the U2 though.

Radxa digests

RSA signature and verification performance continued this trend with the Radxa being in the ballpark of the ODroid-U2 for both tests. For these benchmarks the Radxa has a clear performance advantage over the BeagleBone Black.

rsa-sign copy

radxa rsa verify

The Radxa used for this review had 2 GB of RAM, so bonnie++ would need 4 GB of flash in order to avoid the disk cache giving false performance numbers. While it is possible to run bonnie++ in its default mode using 4 GB of disk, I limited the file size, as shown below, in order to allow comparisons with other machines.

me@radxa:~/bonnie$ bonnie++ -f -m radxa -s 200 -r 100 -d `pwd`

For sequential output I got 7.4 MB/s, with rewrite at 7.6 MB/s. Around 10.5 and 15.4 thousand files could be created and deleted per second. For comparison the MarS board got 4.7 MB/s for output and 3.5 MB/s for rewrite; the BeagleBone Black got 4.2 MB/s and 4.5 MB/s respectively; and the ODroid-U2 quad core ARM got 16 MB/s and 12 MB/s respectively. Not only is the on-board flash 8 GB in size, you can get better performance out of it than many other boards. The ODroid-U2 is significantly faster than the rest of the group using its eMMC interface.

To test 2D graphics performance I used version 1.0.1 of the Cairo Performance Demos. The gears test runs three turning gears; the chart runs four line graphs; the fish is a simulated fish tank with many fish swimming around; gradient is a filled curved edged path that moves around the screen; and flowers renders rotating flowers that move up and down the screen. For comparison I used a desktop machine running an Intel 2600K CPU with an Nvidia GTX 570 card which drives two screens, one at 2560 x 1440 and the other at 1080p. It is interesting that the Radxa offers similar performance to the BeagleBone Black with the Radxa running at 1080 instead of the 720 resolution used for testing the BeagleBone Black.

            Radxa fps   BBB fps   MarS fps   desktop 2600K/NV570 fps
            at 1080p    at 720p   at LVDS    (two screens)
gears          29          26        18            140
chart           3           2         2             16
fish            3           4         0.3          188
gradient       12          10        17            117
flowers         2           1         2            170

Power Usage

At an idle 1080 desktop the Radxa drew about 3.5 Watts. Adding a USB keyboard and mouse bumped this to 4.2 W. Running a single openssl compilation moved this to 5.5 W, and two compiles at once needed 6.0 W. A similar power requirement was seen when running one and two instances of the ‘openssl speed’ benchmark. Interestingly, running a third and fourth openssl speed didn’t seem to change the power draw much. I didn’t see any change in power when wifi was connected; perhaps the wifi chip is always powered.

Wrap up

The Radxa Lite model brings quad core DIY ARM down to only $80. Having the larger sibling at $100 gives you the extra RAM and storage headroom if your project needs it. If your project can scale to use the four cores and you want a small wireless Linux machine at the heart of your next DIY project, the Radxa might be just what you are looking for.

We would like to thank Miniand for supplying the Radxa hardware used in this review.

For more in this embedded board series see:

The MarS DIY Platform for Around $100 (Without Screen)

BeagleBone Black: How to Get Interrupts Through Linux GPIO

Krebs on Security: Why You Should Ditch Adobe Shockwave

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

This author has long advised computer users who have Adobe‘s Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it.

My re-education on this topic comes courtesy of Will Dormann, a computer security expert who writes threat advisories for Carnegie Mellon University’s CERT. In a recent post on the release of the latest bundle of security updates for Adobe’s Flash player, Dormann commented that Shockwave actually provides its own version of the Flash runtime, and that the latest Shockwave version released by Adobe has none of the recent Flash fixes.

Worse yet, Dormann said, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013. By my count, Adobe has issued nearly 20 separate security updates for Flash since then, including fixes for several dangerous zero-day vulnerabilities.

“Flash updates can come frequently, but Shockwave not so much,” Dormann said. “So architecturally, it’s just flawed to provide its own Flash.”

Dormann said he initially alerted the public to this gaping security hole in 2012 via this advisory, but that he first told Adobe about this lackluster update process back in 2010.

As if that weren’t bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. That’s because Shockwave has several modules that don’t opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as SafeSEH.

“So not only are the vulnerabilities there, but they’re easier to exploit as well,” Dormann said. “One of the things that helps make a vulnerability more difficult [to exploit] is how many of the exploit mitigations a vendor opts in to. In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH. Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example.”

Adobe spokeswoman Heather Edell confirmed that CERT’s information is correct, and that the next release of Shockwave Player will include the updated version of Flash Player.

“We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.

For those who need Shockwave Player installed for some reason, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET 4.1 or higher) can help prevent the exploitation of this weakness.

Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.

Krebs on Security: The Mad, Mad Dash to Update Flash

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

An analysis of how quickly different browser users patch Adobe Flash vulnerabilities shows a marked variation among browser makers. The data suggest that Google Chrome and Mozilla Firefox users tend to get Flash updates relatively quickly, while many users on Microsoft’s Internet Explorer browser consistently lag behind.

The information comes from ThreatMetrix, a company that helps retailers and financial institutions detect and block patterns of online fraud. ThreatMetrix Chief Technology Officer Andreas Baumhof looked back over the past five months across 10,000+ sites the company serves, to see how quickly visitors were updating to the latest versions of Flash.

Baumhof measured the rates of update adoption for these six Flash patches:

Jan 14, 2014 – APSB14-02 Security updates available for Adobe Flash Player (2 critical vulnerabilities)

Feb 4, 2014 – APSB14-04 Security updates available for Adobe Flash Player (2 critical flaws, including 1 zero-day)

Feb 20, 2014 – APSB14-07 Security updates available for Adobe Flash Player (1 zero-day)

Mar 11, 2014 – APSB14-08 Security updates available for Adobe Flash Player (2 critical vulnerabilities)

Apr 8, 2014 – APSB14-09 Security updates available for Adobe Flash Player (4 critical vulnerabilities)

Apr 28, 2014 – APSB14-13 Security updates available for Adobe Flash Player (1 zero-day)

Overall, Google Chrome users were protected the fastest. According to Baumhof, Chrome usually takes just a few days to push the latest update out to 90 percent of users. Chrome pioneered auto-updates for Flash several years ago, with Firefox and newer versions of IE both following suit in recent years.

The adoption rate, broken down by browser type, of the last six Adobe Flash updates.

Interestingly, the data show that IE users tend to receive updates at a considerably slower clip (although there are a few times in which IE surpasses Firefox users in adoption of the latest Flash updates).  This probably has to do with the way Flash is updated on IE, and the legacy versions of IE that are still out there. Flash seems to have more of a seamless auto-update process on IE 10 and 11 on Windows 8 and above, and more of a manual one on earlier versions of the browser and operating system.

Another explanation for IE’s performance here is that it is commonly used in business environments, which tend to take a few days at least to test patches before rolling them out in a coordinated fashion across the enterprise along with the rest of the Patch Tuesday updates.

The following graphic depicts Flash patch adoption by IE version for Period #4 in the image above (Mar 11, 2014 - APSB14-08 Security updates available for Adobe Flash Player (2 critical vulnerabilities)):

Adoption of Flash patch APSB14-08 (Mar. 11, 2014), broken down by IE version.

“In the period 4 you can see that IE11 is nicely up to 90% – which is in line with Chrome, but obviously the older the browser version, the less updated Flash is,” Baumhof said.

It’s unclear what might explain the apparent slow uptake of Flash patches for IE and Firefox users following the January and early April Flash updates. It’s worth noting, however, that the Flash patches which saw the fastest uptake regardless of browser type included fixes for zero-day vulnerabilities (see periods 2, 3 and 6 in the first graphic above).

While Chrome appears to have the speediest update process for Flash patches (the company frequently pushes Flash updates out even before Adobe releases them publicly), it’s important to remember that applying any auto-pushed Flash patches in Chrome requires a restart of the browser.

“I use Chrome and I typically never close my browser as I always just hibernate my computer,” Baumhof said. “I noticed that it took me almost seven days to apply a Flash update because Chrome could only do this when you restart the browser, and I simply wasn’t aware of it.”

Flash is a buggy security risk, but a great many Web sites simply won’t work or display certain content without the Flash plugin installed. As such, I’ve urged readers to take advantage of Click-to-Play, which blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash content inside of them.

Krebs on Security: Adobe, Microsoft Issue Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each released software updates to plug dangerous security holes in their products. Adobe pushed patches to fix holes in Adobe Acrobat/Reader as well as Flash Player. Microsoft issued eight update bundles to nix at least 13 security vulnerabilities in Windows and software that runs on top of the operating system.

A majority of the patches released by Microsoft are fixes for products that run in enterprise environments. Chief among the consumer-facing Microsoft updates is a cumulative patch for Internet Explorer that fixes a pair of flaws in all supported versions of IE. This patch also includes the emergency update that Microsoft released earlier this month to address a zero-day vulnerability in IE. Microsoft also issued fixes for several Office vulnerabilities. This month’s batch also includes a .NET fix, which in my experience is best installed separately.

Adobe released a fix for its Flash Player software that corrects at least six security flaws. The Flash update brings the media player to v. on Windows and Mac systems, and v. for Linux users. To see which version of Flash you have installed, check this link.

IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g. Firefox or Opera).

In addition, there is an update available that fixes at least 11 security holes in versions of Adobe Acrobat and Adobe Reader. Windows and Mac users should update to the latest version (11.0.07).

SANS Internet Storm Center, InfoCON: green: Adobe May 2014 Patch Tuesday, (Tue, May 13th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

We are now up to 3 bulletins from Adobe.

TL;DR ? Current versions in one simple table (I hope I got that right):

Current Adobe Software Versions

                                          Windows    OS X       Linux
Adobe Reader XI                           11.0.07    11.0.07    -
Adobe Reader X                            10.1.10    10.1.10    -
Adobe Flash Player 13
Adobe Flash Player (Google Chrome)
Adobe Flash Player (MSFT Internet Expl)              -          -
Adobe Air SDK
Adobe Illustrator Subscription            16.2.2     16.2.2
Adobe Illustrator Non-Subscription        16.0.5     16.0.5



APSB14-14: covering Flash Player [1]. It fixes 6 different vulnerabilities, one of which was found earlier this year during the pwn2own contest (CVE-2014-0510).

These vulnerabilities affect Windows, Linux and OS X. Adobe assigned them “Priority 1”, indicating that they may have been used in targeted exploits. This makes this a “Patch Now!” vulnerability for us.

CVE-2014-0510: pwn2own vulnerability. remote code execution with sandbox bypass.
CVE-2014-0516: Same origin bypass
CVE-2014-0517: Security feature bypass
CVE-2014-0518: Security feature bypass
CVE-2014-0519: Security feature bypass
CVE-2014-0520: Security feature bypass

APSB14-15: For Adobe Acrobat and Reader [2]

CVE-2014-0511: pwn2own vulnerability. remote code execution with sandbox bypass
CVE-2014-0512: pwn2own vulnerability. remote code execution with sandbox bypass
CVE-2014-0521: information disclosure in Javascript API
CVE-2014-0522: code execution (memory corruption)
CVE-2014-0523: code execution (memory corruption)
CVE-2014-0524: code execution (memory corruption)
CVE-2014-0525: code execution (use after free?)
CVE-2014-0526: code execution (memory corruption)
CVE-2014-0527: code execution (use after free)
CVE-2014-0528: code execution (double free)
CVE-2014-0529: code execution (buffer overflow)

Like the Flash bulletin, this one is rated “Priority 1”.

APSB14-11: Hotfix for Adobe Illustrator

CVE-2014-0513: code execution (Stack Overflow)

This bulletin is only rated “Priority 3”.



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: Heartbleed, IE Zero Days, Firefox vulnerabilities – What’s a System Administrator to do?, (Fri, May 9th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

With the recent headlines, we’ve seen Heartbleed (which was not exclusive to Linux, but was predominantly there), an IE zero day that had folks over-reacting with headlines of “stop using IE”, but Firefox and Safari vulnerabilities were not that far back in the news either.

So what is “safe”? And as a System Administrator or CSO, what should you be doing to protect your organization?

It’s great to say “Defense in Depth” and “The 20 Critical Controls”, but that’s easy to say and not so easy to do when you are faced with a zero day in the browser that your business application must have to run. What can you do that’s quick and easy, that offers some concrete protection for your community of 20, 200, 2,000 or 20,000 workstations?

I’m starting a list here, but this is by no means a well-researched, exhaustive and complete list, just a starting point:
Inventory your hosts and the software that you run. Know your network, and know what’s running on your servers and workstations. (If this sounds like another way of saying “read the 20 controls, start implementing at #1 and work your way down the list”, then you get my point.) After you inventory, read the list. Expect a story on this in the next week or so.

Deploy EMET.  In the hype of “don’t run IE” headlines, many of the folks who recommended this missed the fact that if you installed EMET, you were nicely protected against last week’s 0-day.  Expect a story on this later today (yes, I’m on a bit of a tear).

Read your logs. In every incident that I’ve worked, there’s been *some* indication of the attack or compromise in logs somewhere – this is why you log, after all. This also holds true for system crashes and problems of any kind. Troubleshooting always starts with your logs, but if you monitor logs for unusual things, you can expect less trouble to troubleshoot, because you’ll see it before it gets to be a problem. If there are too many logs (yes, log volumes are insane), deploy a tool (there are tons of free ones) that will help you with this. ELSA is a decent starting point for log consolidation and prioritizing, but it’s by no means the only solution – find what works for you and use it.

Control your network perimeter (if you can define a perimeter).  Put an egress filter that allows what you need, then has a deny any/any/log statement at the bottom.  The “log” part makes it simpler to add new list entries to satisfy new business requirements as they come up.
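The “log” part of that deny any/any/log rule is only useful if someone looks at what it produces. As an added example (not part of the diary, and not any particular product’s tooling), here is a small Python triage script for the log lines such a rule generates: it separates a single host fanning out to many destinations on one port (worth a look) from several hosts all needing the same destination and port (likely a new allow-list entry). The log format mimics the Linux iptables LOG target; the addresses, hostnames and the “EGRESS-DENY” prefix are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG style (not real traffic).
SAMPLE_LOG = """\
May  9 10:01:02 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=4444 SYN
May  9 10:01:03 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.8 PROTO=TCP SPT=51235 DPT=4444 SYN
May  9 10:01:09 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.9 PROTO=TCP SPT=51236 DPT=4444 SYN
May  9 10:02:14 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.7.40 DST=198.51.100.20 PROTO=TCP SPT=40011 DPT=8443 SYN
May  9 10:02:15 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.7.41 DST=198.51.100.20 PROTO=TCP SPT=40012 DPT=8443 SYN
May  9 10:03:00 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.9.2 DST=192.0.2.53 PROTO=UDP SPT=33333 DPT=53
"""

# Pull out the fields the triage needs; other LOG fields are ignored.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


def parse_deny_log(text):
    """Return one dict (src, dst, proto, dpt) per EGRESS-DENY line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        if "EGRESS-DENY" not in line:
            continue
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events, fanout_threshold=3, min_sources=2):
    """Split denied flows into 'review' (one source reaching many distinct
    destinations on one port) and 'candidates' (several sources all wanting
    the same destination/port, i.e. a probable new business requirement)."""
    fanout = defaultdict(set)   # (src, proto, dport) -> distinct destinations
    demand = defaultdict(set)   # (dst, proto, dport) -> distinct sources
    for e in events:
        fanout[(e["src"], e["proto"], e["dpt"])].add(e["dst"])
        demand[(e["dst"], e["proto"], e["dpt"])].add(e["src"])
    review = sorted(k for k, v in fanout.items() if len(v) >= fanout_threshold)
    candidates = sorted(k for k, v in demand.items() if len(v) >= min_sources)
    return {"review": review, "candidates": candidates}


if __name__ == "__main__":
    result = triage(parse_deny_log(SAMPLE_LOG))
    for key in ("review", "candidates"):
        print(key)
        for host, proto, dport in result[key]:
            print(f"  {host} {proto}/{dport}")
```

Feed it the output of the deny rule (for example, `grep EGRESS-DENY /var/log/kern.log`) and tune the two thresholds to your network size.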

Also at your perimeter, have the ability to block some of the “problem” applications when you know that things have gone particularly bad. For instance, if there is a Flash zero-day, there’s no shame in sending a note to your users to say “we have to block Flash at the firewall for a few days until there’s a fix”. Ditto that for ActiveX, Java, PDF files and whatever else you’d care to add to the list.

Many of these settings are simple tick-boxes at the firewall, some are IPS signatures or some might need a proxy or web content filter product.  The key to all of these is to be prepared, know where the knobs are that you need to tweak, and know what you can and can’t do both technically and within your organization.  If you’re caught by surprise and put a “fix” together in a hurry, document what you did so you can re-use that next time, or improve it when you have an hour to spare.

Talk to your users.  Keep a steady flow of communication going, let them know what’s going on.  Call this “Security Awareness Training” if that scores you points, but the object of the game is to keep your user community in the loop – the more they know about what they should do or not do (and why), the fewer problems will come your way from that direction.  Also, the more that IT and the Security Team is seen as helping and advising (in a good way), the more slack they’ll cut you when you need it – for instance when you need to block Flash, PDF files or their favourite website for a day or three.

We’ve been saying this for years, but I still have clients who say “we trust our people, why would we do any of that”.  My answer remains “so you trust their malware too?”.

I’d invite you, our readers, to add to this list in the comments. This is meant as just a starting point – what have I missed? What has worked for you?

Rob VandenBrink


SANS Internet Storm Center, InfoCON: green: Adobe Security Bulletin: Security updates available for Adobe Flash Player, (Mon, Apr 28th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green
