Posts tagged ‘flash’

SANS Internet Storm Center, InfoCON: green: BizCN gate actor changes from Fiesta to Nuclear exploit kit, (Mon, Jul 6th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Introduction

An actor using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK). This happened around last month, and we first noticed the change on 2015-06-15.

I started writing about this actor in 2014 [1, 2] and recently posted an ISC diary about it on 2015-04-28 [3]. I've been calling this group the BizCN gate actor because the domains used for the gate have all been registered through the Chinese registrar BizCN.

We collected traffic and malware samples related to this actor from Friday 2015-07-03 through Sunday 2015-07-05. This traffic has the following characteristics:

  • Compromised servers are usually (but not limited to) forum-style websites.
  • Gate domains have all been registered through the Chinese registrar BizCN using privacy protection.
  • The domains for Nuclear EK change every few hours and were registered through freenom.com.
  • Nuclear EK for this actor is on 107.191.63.163, which is an IP registered to Vultr, a hosting provider specializing in SSD cloud servers [4].
  • The payload occasionally changes and includes malware identified as Yakes [5], Boaxxe [6], and Kovter.

NOTE: For now, Kovter is relatively easy to spot, since it's the only malware I've noticed that updates the infected host's Flash Player [7].

Chain of events

During a full infection chain, the traffic follows a specific sequence of events. The compromised website has malicious JavaScript injected into the page that points to a URL hosted on a BizCN-registered gate domain. The gate domain redirects traffic to Nuclear EK on 107.191.63.163. If the Windows host running the web browser is vulnerable, Nuclear EK will infect it. Simply put, the chain of events is:

  • Compromised website
  • BizCN-registered gate domain
  • Nuclear EK

Let's take a closer look at how this happens.

Compromised website

Compromised websites are the first step in an infection chain.

In most cases, the malicious JavaScript will be injected on any page from the site, assuming you get to it from a search engine or other referrer.

BizCN-registered gate domain

The gate directs traffic from the compromised website to the EK. The HTTP GET request to the gate domain returns JavaScript. In my last diary discussing this actor [3], you could easily figure out the URL for the EK landing page.

We've found at least four IP addresses hosting the BizCN-registered gate domain. They are:

  • 136.243.25.241
  • 136.243.25.242
  • 136.243.224.10
  • 136.243.227.9

If you have proxy logs or other records of your HTTP traffic, search for these IP addresses. If you find the referrers, you might discover other websites compromised by this actor.
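As an added example (not part of the ISC diary), here is one way to do that search: scan proxy log lines for the four gate IPs and the Nuclear EK IP listed above, then report which referrers led to them. The log format and sample lines are constructed, and the referrer hostnames and the `gate-domain.example` / `ek-domain.example` names are placeholders, since the diary does not name the domains.

```python
"""Search proxy logs for the gate / Nuclear EK IP addresses from the diary and
report the referrers that led to them (requests to a gate IP point at compromised
sites; requests to the EK IP point at gate domains).

Added example for this page, not the diary's own code. The log format and the
sample lines are constructed; hostnames are placeholders.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# IP addresses taken from the diary: four gate hosts and the Nuclear EK host.
GATE_IPS = {"136.243.25.241", "136.243.25.242", "136.243.224.10", "136.243.227.9"}
NUCLEAR_EK_IP = "107.191.63.163"
WATCHLIST = {ip: "bizcn-gate" for ip in GATE_IPS}
WATCHLIST[NUCLEAR_EK_IP] = "nuclear-ek"

# Constructed sample log in a simple space-separated proxy format:
# <timestamp> <client_ip> <dest_ip> <method> <url> <referer>   ("-" = no Referer)
SAMPLE_LOG = """\
2015-07-03T14:02:11Z 10.1.1.25 93.184.216.34 GET http://forum.example.com/viewtopic.php?t=42 -
2015-07-03T14:02:12Z 10.1.1.25 136.243.25.241 GET http://gate-domain.example/script.js http://forum.example.com/viewtopic.php?t=42
2015-07-03T14:02:13Z 10.1.1.25 107.191.63.163 GET http://ek-domain.example/landing.html http://gate-domain.example/script.js
2015-07-03T14:05:40Z 10.1.1.30 136.243.227.9 GET http://gate-domain.example/script.js http://board.example.org/index.php
2015-07-03T14:09:01Z 10.1.1.31 93.184.216.34 GET http://www.example.com/ -
2015-07-03T14:10:00Z 10.1.1.32 136.243.25.242 GET http://gate-domain.example/script.js http://forum.example.com/viewtopic.php?t=99
"""


def parse_line(line):
    """Split one log line into fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, dest, method, url, referer = parts
    try:
        ipaddress.ip_address(dest)  # reject garbage in the destination column
    except ValueError:
        return None
    return {"ts": ts, "client": client, "dest": dest, "method": method,
            "url": url, "referer": None if referer == "-" else referer}


def find_hits(log_text):
    """Return every parsed request whose destination IP is on the watchlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dest"] in WATCHLIST:
            rec["tag"] = WATCHLIST[rec["dest"]]
            hits.append(rec)
    return hits


def referrer_hosts(hits, tag):
    """Map referrer hostname -> sorted list of watchlisted IPs it led to, for one tag."""
    out = defaultdict(set)
    for rec in hits:
        if rec["tag"] == tag and rec["referer"]:
            host = urlsplit(rec["referer"]).hostname
            if host:
                out[host].add(rec["dest"])
    return {host: sorted(ips) for host, ips in out.items()}


def triage(log_text):
    """Summarise the log: candidate compromised sites, candidate gate domains, hit count."""
    hits = find_hits(log_text)
    return {
        "compromised_site_candidates": referrer_hosts(hits, "bizcn-gate"),
        "gate_domain_candidates": referrer_hosts(hits, "nuclear-ek"),
        "hits": len(hits),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Referrers seen on requests to the EK IP are the gate domains themselves, so the second list is a way to recover gate domains that rotate faster than the IPs do.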

Nuclear EK

Examples of infection traffic generated from 2015-07-03 through 2015-07-05 all show 107.191.63.163 as the IP address hosting Nuclear EK. This IP address is registered to Vultr, a hosting provider specializing in SSD cloud servers [4].

Finally, Nuclear EK sends the malware payload. It

Malware sent by this actor

During the three-day period, we infected ten hosts, saw two different Flash exploits, and retrieved five different malware payloads. Most of these payloads were Kovter (ad fraud malware).

Below are links to reports from hybrid-analysis.com for the individual pieces of malware:

Final words

It's usually difficult to generate a full chain of infection traffic from compromised websites associated with this BizCN gate actor. We often see HTTP GET requests to the gate domain return a 404 Not Found. In some cases, the gate domain might not appear in traffic at all.

We believe the BizCN gate actor will continue to make changes as a way to evade detection. Fortunately, the ISC and other organizations try our best to track these actors, and we'll let you know if we discover any significant changes.

Examples of the traffic and malware can be found at:

As always, the zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.


Brad Duncan
Security Researcher at Rackspace and ISC Handler
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2014/01/01/index.html
[2] https://isc.sans.edu/diary/Gate+to+Fiesta+exploit+kit+on+9424221669/19117
[3] https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631
[4] https://www.vultr.com/about/
[5] https://www.virustotal.com/en/file/b215e4cf122e3b829ce199c3e914263a6d635f968b4dc7b932482d7901691326/analysis/
[6] https://www.virustotal.com/en/file/a0156a1641b42836e64d03d1a0d34cd93d3b041589b0422f8519cb68a4efb995/analysis/
[7] http://malware.dontneedcoffee.com/2015/07/kovter-adfraud-is-updating-flash-for-you.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Arch Linux has updated firefox (multiple vulnerabilities) and wesnoth (information leak).

Debian has updated stunnel4 (authentication bypass).

Debian-LTS has updated libxml2 (multiple vulnerabilities) and pykerberos (insecure authentication).

Fedora has updated drupal6 (F21; F22: account hijacking) and drupal7 (F21; F22: multiple vulnerabilities).

openSUSE has updated flash-player (11.4).

Oracle has updated firefox (O5; O6; O7: multiple vulnerabilities).

Red Hat has updated firefox (RHEL: multiple vulnerabilities) and openstack-cinder (RHEL OSP: file disclosure).

SUSE has updated MySQL (SLE 11 SP3: cipher downgrade attack), ntp (SLE11 SP3: multiple vulnerabilities), and OpenSSL (SLE 10 Client Tools; SUSE Manager 11 SP2, Studio Onsite; SLE 11 SAP; SLE 11 SP1; SLE SM 11 SP3: multiple vulnerabilities).

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

CentOS has updated kvm (C5: code execution).

Debian-LTS has updated librack-ruby (denial of service) and libwmf (multiple vulnerabilities).

openSUSE has updated flash-player (13.1, 13.2: code execution), chromium (13.1, 13.2: multiple vulnerabilities), and openssl (13.1, 13.2: multiple vulnerabilities).

Oracle has updated kvm (O5: code execution) and nss (O6; O7: cipher-downgrade attacks).

Red Hat has updated kernel (RHEL5: privilege escalation) and kvm (RHEL5: code execution).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities) and mailman (SL7: code execution).

SUSE has updated compat-openssl098 (SLE12: multiple vulnerabilities), KVM (SLE11 SP3: multiple vulnerabilities), and openssl (SLE12: multiple vulnerabilities).

LWN.net: Thursday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated nss (C7; C6: cipher downgrade) and nss-util (C7; C6: cipher downgrade).

Debian has updated cacti (three vulnerabilities).

Fedora has updated xen (F20: multiple vulnerabilities).

Oracle has updated kernel 2.6.39 (OL6; OL5: two vulnerabilities), kernel 3.8.13 (OL7; OL6: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: two vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), flash-plugin (RHEL5&6: code execution), nss (RHEL6&7: cipher downgrade), php55-php (RHSC2: multiple vulnerabilities), and rh-php56-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated libreswan (SL7: denial of service) and php (SL7: multiple vulnerabilities).

SUSE has updated IBM Java (SLE10SP4: multiple vulnerabilities) and Java (SLE11SP2: multiple vulnerabilities).

Ubuntu has updated python2.7, python3.2, python3.4 (14.10, 14.04, 12.04: multiple vulnerabilities, some from 2013), tomcat6 (12.04: three vulnerabilities), and tomcat7 (15.04, 14.10, 14.04: multiple vulnerabilities).

LWN.net: Security updates for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated flashplugin (code execution).

CentOS has updated kernel (C7: multiple vulnerabilities), libreswan (C7: denial of service), mailman (C7: path traversal attack), and php (C7: multiple vulnerabilities).

Debian has updated wireshark (denial of service).

Debian-LTS has updated zendframework (regression in previous update).

Fedora has updated curl (F22: information disclosure), libwmf (F21: code execution), openssl (F21: multiple vulnerabilities), and xen (F22; F21: multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

openSUSE has updated cacti (13.2, 13.1: SQL injection), curl (13.2, 13.1: information disclosure), and libwmf (13.2; 13.1: code execution).

Oracle has updated kernel (OL7: multiple vulnerabilities), libreswan (OL7: denial of service), mailman (OL7: path traversal attack), and php (OL7: multiple vulnerabilities).

SUSE has updated flash-player (SLED12: code execution).

SANS Internet Storm Center, InfoCON: green: Adobe Flash Player Update – https://helpx.adobe.com/security/products/flash-player/apsb15-14.html, (Tue, Jun 23rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

-Kevin — ISC Handler on Duty


Krebs on Security: Emergency Patch for Adobe Flash Zero-Day

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe Systems Inc. today released an emergency update to fix a dangerous security hole in its widely-installed Flash Player browser plugin. The company warned that the vulnerability is already being exploited in targeted attacks, and urged users to update the program as quickly as possible.

In an advisory issued Tuesday morning, Adobe said the latest version of Flash — v. 18.0.0.194 on Windows and Mac OS X — fixes a critical flaw (CVE-2015-3113) that is being actively exploited in “limited, targeted attacks.” The company said systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets of these exploits.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update on Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

In lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all. In a happy coincidence, earlier today I published a piece about my experience going a month without having Flash Player installed. The result? I hardly missed it at all.

Krebs on Security: A Month Without Adobe Flash Player

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe’s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.

Browser plugins are favorite targets for malware and miscreants because they are generally full of unpatched or undocumented security holes that cybercrooks can use to seize complete control over vulnerable systems. The Flash Player plugin is a stellar example of this: It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently).

It’s also not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs. This happened most recently in February 2015, and twice the month prior. Adobe also shipped out-of-band Flash fixes in December and November 2014.

Time was, Oracle’s Java plugin was the favorite target of exploit kits, software tools made to be stitched into hacked or malicious sites and foist on visiting browsers a kitchen sink of exploits for various plugin vulnerabilities. Lately, however, it seems the pendulum has swung back in favor of exploits for Flash Player. A popular exploit kit known as Angler, for example, bundled a new exploit for a Flash vulnerability just three days after Adobe fixed it in April 2015.

So, rather than continue the patch madness and keep this insecure software installed, I decided to pull the…er…plugin. I tend to (ab)use different browsers for different tasks, and so uninstalling the plugin was almost as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is simple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

In almost 30 days, I ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated pyjwt (accepts arbitrary tokens).

Debian-LTS has updated libclamunrar (double-free error), qemu (code execution), qemu-kvm (code execution), and zendframework (multiple vulnerabilities).

Fedora has updated abrt (F22: multiple vulnerabilities), cups (F22; F21: two vulnerabilities), drupal7-views (F22; F21; F20: access bypass), gnome-abrt (F22: multiple vulnerabilities), kernel (F22; F21: privilege escalation), krb5 (F21: two vulnerabilities), libreport (F22: multiple vulnerabilities), openssl (F22: multiple vulnerabilities), postgresql (F22: multiple vulnerabilities), qemu (F21: denial of service), qpid-cpp (F21: two vulnerabilities), and satyr (F22: multiple vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities) and openssl (multiple vulnerabilities).

openSUSE has updated cgit (13.2, 13.1: code execution), xen (13.2; 13.1: multiple vulnerabilities), and XWayland (13.2: permission bypass).

SUSE has updated IBM Java (SLE11SP3: multiple vulnerabilities).

Клошкодил: 2015-06-17 various network stuff

This post was syndicated from: Клошкодил and was written by: Vasil Kolev. Original post: at Клошкодил

The non-course on system/network administration leads to quite a few interesting discoveries.

Cisco IOS 12.2(11)T9 on a 2600 (the last IOS available for this device that I can fit into my flash/memory and that has IPv6) for some reason does not recognize BGP peers as directly connected if they are attached over a serial link, and it has to be told ebgp-multihop (I haven't tested the other interface types). It took quite a bit of poking around, and a lot of digging through the debug output.

By default, ipip and similar tunnels under Linux set the outer packet's TTL to the TTL of the inner packet ("ttl inherit"). The point of this completely escapes me, since it breaks traceroute in a horrible way. Now I understand why all the examples I've seen on the subject have a hard-coded ttl in the config.

And a small thing I wrote today – a simple script for nagios that connects over SNMP to a given device and checks whether all ports that have a description are UP, and whether all the others are DOWN. It's quite useful for monitoring switches and the like; it still has some rough edges, but overall it's pretty convenient for simpler setups (where there's no need to tie a specific port to something else).
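The check logic described above, as an added example (not Vasil Kolev's script): parse the IF-MIB tables the way `snmpwalk` prints them, then require every port with an ifAlias description to be up and every undescribed port to be down. The walk output below is constructed in net-snmp's default text format; the severity mapping (described-but-down is CRITICAL, undescribed-but-up is WARNING) is an assumption, since the post does not say.

```python
"""Nagios-style port check: described ports must be up, undescribed ports down.

Added example for this page, not the original script. SAMPLE_WALK is constructed
output of `snmpwalk -v2c -c <community> <switch> IF-MIB::ifName`, IF-MIB::ifAlias
and IF-MIB::ifOperStatus, concatenated; a real check would run snmpwalk itself.
"""
import re
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # standard Nagios plugin exit codes

SAMPLE_WALK = """\
IF-MIB::ifName.1 = STRING: Gi0/1
IF-MIB::ifName.2 = STRING: Gi0/2
IF-MIB::ifName.3 = STRING: Gi0/3
IF-MIB::ifName.4 = STRING: Gi0/4
IF-MIB::ifAlias.1 = STRING: uplink-core
IF-MIB::ifAlias.2 = STRING: server-web1
IF-MIB::ifAlias.3 = STRING:
IF-MIB::ifAlias.4 = STRING:
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: down(2)
IF-MIB::ifOperStatus.3 = INTEGER: down(2)
IF-MIB::ifOperStatus.4 = INTEGER: up(1)
"""

# One line of snmpwalk output: <column>.<ifIndex> = <TYPE>: <value>
LINE_RE = re.compile(r"^IF-MIB::(\w+)\.(\d+) = (?:STRING|INTEGER): ?(.*)$")


def parse_walk(text):
    """Return {ifIndex: {"name", "alias", "status"}} from snmpwalk output lines."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # ignore anything that is not an IF-MIB row
        col, idx, value = m.group(1), int(m.group(2)), m.group(3).strip()
        row = table.setdefault(idx, {"name": f"if{idx}", "alias": "", "status": None})
        if col == "ifName":
            row["name"] = value
        elif col == "ifAlias":
            row["alias"] = value
        elif col == "ifOperStatus":
            row["status"] = value.split("(")[0]   # "up(1)" -> "up", "down(2)" -> "down"
    return table


def evaluate(table):
    """Apply the rule and return (nagios_exit_code, status_line)."""
    if not table:
        return UNKNOWN, "UNKNOWN - no interface data from SNMP"
    described_down = sorted(r["name"] for r in table.values()
                            if r["alias"] and r["status"] != "up")
    undescribed_up = sorted(r["name"] for r in table.values()
                            if not r["alias"] and r["status"] == "up")
    problems = []
    if described_down:
        problems.append("described ports not up: " + ", ".join(described_down))
    if undescribed_up:
        problems.append("undescribed ports up: " + ", ".join(undescribed_up))
    if described_down:
        return CRITICAL, "CRITICAL - " + "; ".join(problems)
    if undescribed_up:
        return WARNING, "WARNING - " + "; ".join(problems)
    return OK, f"OK - {len(table)} ports in expected state"


if __name__ == "__main__":
    code, message = evaluate(parse_walk(SAMPLE_WALK))
    print(message)
    sys.exit(code)
```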

LWN.net: Security updates for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated libav (two vulnerabilities), openssl (multiple vulnerabilities), qemu (multiple vulnerabilities), qemu-kvm (two vulnerabilities), sqlite3 (denial of service), and xen (multiple vulnerabilities).

Debian-LTS has updated p7zip (directory traversal).

Fedora has updated armacycles-ad (F22; F21; F20: multiple vulnerabilities), filezilla (F22: multiple vulnerabilities), fuse (F20: privilege escalation), libreswan (F20: denial of service), nss (F20: cipher-downgrade attacks), nss-softokn (F20: cipher-downgrade attacks), nss-util (F20: cipher-downgrade attacks), ntfs-3g (F20: privilege escalation), and xen (F22; F21: multiple vulnerabilities).

openSUSE has updated flash-player (11.4: multiple vulnerabilities), coreutils (13.2: memory handling error), cups (13.2, 13.1: three vulnerabilities), dpkg (13.2, 13.1: integrity-verification bypass), and php5 (13.2, 13.1: information disclosure).

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Arch Linux has updated openssl (multiple vulnerabilities).

Debian-LTS has updated imagemagick (multiple vulnerabilities) and strongswan (information disclosure).

Fedora has updated qemu (F22: denial of service).

openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities), python-setuptools (13.1: non-secure SSL hostname matching), and tidy (13.1, 13.2: buffer overflow).

Oracle has updated wpa_supplicant (O7: multiple vulnerabilities).

Red Hat has updated wpa_supplicant (RHEL7: multiple vulnerabilities).

Scientific Linux has updated wpa_supplicant (SL7: multiple vulnerabilities).

Slackware has updated openssl (multiple vulnerabilities) and php (S14: multiple vulnerabilities).

SUSE has updated cups (SLE12: multiple vulnerabilities), cups154 (SLE12: multiple vulnerabilities), flash-player (SLE12: multiple vulnerabilities), and xen (SLE11 SP3; SLE12: multiple vulnerabilities).

Ubuntu has updated openssl (multiple vulnerabilities).

LWN.net: Security updates for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated cups (two vulnerabilities).

Debian has updated cups (two vulnerabilities).

Debian-LTS has updated libapache-mod-jk (information disclosure) and libraw (denial of service).

Oracle has updated abrt (OL7: multiple vulnerabilities) and kernel (OL6: multiple vulnerabilities).

Red Hat has updated abrt (RHEL7: multiple vulnerabilities), flash-plugin (RHEL5,6: multiple vulnerabilities), and kernel (RHEL6; RHEL6.2: multiple vulnerabilities).

Scientific Linux has updated kernel (SL6: multiple vulnerabilities).

Ubuntu has updated cups (15.04, 14.10, 14.04, 12.04: two vulnerabilities) and qemu, qemu-kvm (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).

Krebs on Security: Adobe, Microsoft Issue Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe today released software updates to plug at least 13 security holes in its Flash Player software. Separately, Microsoft pushed out fixes for at least three dozen flaws in Windows and associated software.

The bulk of the flaws Microsoft addressed today (23 of them) reside in the Internet Explorer Web browser. Microsoft also issued fixes for serious problems in Office, the Windows OS itself and Windows Media Player, among other components. A link to an index of the individual Microsoft updates released today is here.

As it normally does on Patch Tuesday, Adobe issued fixes for its Flash and AIR software, plugging a slew of dangerous flaws in both products. Flash continues to be one of the more complex programs to manage and update on a computer, mainly because its auto-update function tends to lag the actual patches by several days at least (your mileage may vary), and it’s difficult to know which version is the latest.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.160. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 18.0.0.160, although Chrome users on Mac systems will find 18.0.0.161 is actually the latest version, according to Adobe. To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.


The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). See this graphic for the full Adobe version release.

Most applications bundled with Adobe AIR should check for updates on startup. If prompted, please download and install the AIR update. If you need to update manually, grab the latest version here.

As usual, please sound off in the comments section if you experience any issues applying any of these patches.

Errata Security: What’s the state of iPhone PIN guessing

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

I think even some experts have gotten this wrong, so I want to ask everyone: what’s the current state-of-the-art for trying to crack Apple PIN codes?

This is how I think it works currently (in iOS 8).

To start with, there is a special “crypto-chip” inside the iPhone that holds your secrets (like a TPM or ARM TrustZone/SecurCore). I think originally it was ARM’s TrustZone, but now that Apple designs its own chips, they’ve customized it (“Secure Enclave”). I think they needed to add stuff to make Touch ID work.

All the data (on the internal flash drive) is encrypted with a random AES key that nobody, not even the NSA, can crack. This random AES key is stored on the crypto-chip. Thus, if your phone is stolen, the robbers cannot steal the data from it — as long as your phone is locked properly.

To unlock your phone, you type in a 4 digit passcode. This passcode gets sent to the crypto-chip, which verifies the code, then gives you the AES key needed to decrypt the flash drive. This is all invisible, of course, but that’s what’s going on behind the scenes. Since the NSA can’t crack the AES key on the flash drive, they must instead get it from the crypto-chip.

Thus, unlocking the phone means guessing your 4 digit PIN.

This seems easy. After all, it’s only 4 digits. However, offline cracking is impossible. The only way to unlock the phone is to send guesses to the crypto-chip (a form of online cracking). This can be done over the USB port, so they (the NSA) don’t need to sit there trying to type every possible combination — they can simply write a little script to send commands over USB.

To make this more difficult, the crypto-chip will slow things down. After 6 failed guesses, the iPhone temporarily disables itself for 1 minute. Thus, it’ll take the NSA a week (6.9 days) to try all 10,000 combinations, once per minute.

Better yet, you can configure your phone to erase itself after 10 failed attempts ([Erase Data] Passcode setting). This isn’t the default configuration, but it’s how any paranoid person (like myself) configures their phone. This is a hard lock, preventing even the NSA from ever decrypting the phone. It’s the “going dark” problem that the FBI complains about. If they get the iPhone from a terrorist, drug dealer, or pedophile, they won’t be able to decrypt it (well, beyond the 0.1% chance of guessing 10 random numbers). (Note: I don’t think it actually erases the flash drive, but simply erases the secret AES key — which is essentially the same thing).

Instead of guessing PIN numbers, there may be a way to reverse-engineer such secrets from the crypto-chip, such as by using acids to remove the top from the chip and then an electron microscope to read the secrets. (Physical possession of the phone is required.) One of the Snowden docs implies that the NSA can sometimes do this, but that it takes a month and a hundred thousand dollars, and has a 50% chance of destroying the chip permanently without being able to extract any secrets. In any event, that may have been possible with the older chips, but the latest iPhones now include custom chips designed by Apple where this may no longer be possible.

There may be a physical exploit that gets around this. Somebody announced a device that would guess a PIN, then immediately power down the device before the failed guess could be recorded. That allows an infinite number of guesses, requiring a reboot of the phone in between. Since the reboot takes about a minute, it means hooking up the phone to the special device and waiting a week. This worked in phones up to iOS 8.1, but presumably it’s something Apple has since patched (some think 8.1.1 patched this).

There may be other exploits in software. In various versions of iOS, hackers have found ways of bypassing the lock screen. Generally, these exploits require the phone to still be powered on since it was stolen. (Coming out of sleep mode is different than being powered up, even though it looks like the same unlocking process to you.) However, whenever hackers disclose such techniques, Apple quickly patches them, so it’s not a practical long term strategy. On the other hand, if they steal the phone, the FBI/NSA may simply hold it powered on in storage for several years, hoping an exploit is released. The FBI is patient; they really don’t care if it takes a few years to complete a case. The last such exploit was in iOS 7.0, and Apple is about to announce iOS 9. They are paranoid about such exploits, so I doubt that a new one will be found.

If the iPhone owner synced their phone with iTunes, then it’s probable that the FBI/NSA can confiscate both the phone and the desktop in order to grab the data. They can then unlock the phone from the desktop, or they can simply grab the backup files from the desktop. If your desktop computer also uses disk encryption, you can prevent this. Some desktops use TPMs to protect the disk (requiring slow online cracking similar to cracking the iPhone PIN). Others would allow offline cracking of your password, but if you chose a sufficiently long password (mine is 23 characters), even the NSA can’t crack it — even at the rate of billions of guesses per second that would be possible with offline cracking.

The upshot is this. If you are a paranoid person and do things correctly (set iPhone to erase after 10 attempts, either don’t sync with desktop or sync with proper full disk encryption), then when the FBI or NSA comes for you, they won’t be able to decrypt your phone. You are safe to carry out all your evil cyber-terrorist plans.

I’m writing this up in general terms because I think this is how it works. Many of us general experts glance over the docs and make assumptions about how we think things should work, based on our knowledge of crypto, but we haven’t paid attention to the details, especially the details as the state-of-the-art changes over the years. Sadly, asking general questions gets general answers from well-meaning, helpful people who really know only just as much as I do. I’m hoping those who are up on the latest details, experts like Jonathan Zdziarski, will point out where I’m wrong.

Response: So Jonathan has written a post describing this in more detail here: http://pastebin.com/SqQst8CV

He is more confident the NSA has 0days to get around everything. I think the point worth remembering is that nothing can be decrypted without 0days, and that if ever 0days become public, Apple patches them. Hence, you can’t steal somebody’s phone and take it to the local repair shop to get it read — unless it’s an old phone that hasn’t been updated. It also means the FBI is unlikely to get the data — at least without revealing that they’ve got an 0day.


Specifics: Specifically, I think this is what happens.

Unique-id (UID): When the CPU is manufactured, it’s assigned a unique-identifier. This is done with hardware fuses, some of which are blown to create 1 and 0s. Apple promises the following:

  • that UIDs are secret and can never be read from the chip by anybody, for any reason
  • that all UIDs are truly random (nobody can guess the random number generation)
  • that they (or their suppliers) keep no record of them

This is the root of all security. If it fails, then the NSA can decrypt the phone.

Crypto-accelerator: The CPU has a built-in AES accelerator that’s mostly separate from the main CPU. One reason it exists is to quickly (with low power consumption) decrypt/encrypt everything on the flash-drive. It’s the only part of the CPU that can read the UID. It can therefore use the UID, plus the PIN/passcode, to encrypt/decrypt something.

Special flash: Either a reserved area of the flash-drive, or a wholly separate flash chip, is used to store the rest of the secrets. These are encrypted using the UID/PIN combo. Apple calls this “effaceable” storage. When it “wipes” the phone, this area is erased, but the rest of the flash drive isn’t. Information like your fingerprint (for Touch ID) is stored here.

So the steps are:

  1. iOS boots
  2. phone asks for PIN/passcode
  3. iOS sends the PIN/passcode to the crypto-accelerator to decrypt the flash-drive key (read from the “effaceable” storage area)
  4. uses flash-drive key to decrypt all your data

I’m skipping details. This is just enough to answer certain questions.

FAQ: Where is the unique hardware ID stored? On the flash memory? The answer is within the CPU itself. Flash memory will contain further keys, for example to unlock all your data, but they have to be decrypted using the unique-id plus PIN/passcode.
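The four boot steps above, as an added toy model. This is not Apple’s code and not Apple’s primitives: HMAC-SHA256 from the Python standard library stands in for the AES accelerator and for the key wrapping, the salt and iteration count are made up, and a dictionary named effaceable plays the effaceable storage area. What the model shows is the property the post argues for: a wrapped key copied off the flash cannot be checked against passcode guesses without the chip that holds the UID, and erasing the effaceable area leaves even the owner’s correct passcode useless.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed parameters for the model; real devices use per-device values.
SALT = b"constructed-salt"
ITERATIONS = 50_000
TAG_LEN = 32


class CryptoAccelerator:
    """The only component that can read the fused-in UID; callers never see it."""

    def __init__(self) -> None:
        self._uid = os.urandom(32)  # burned into fuses at manufacture, never exported

    def derive_kek(self, passcode: str) -> bytes:
        # Stretch the passcode (slows on-device guessing), then tangle it with the
        # UID so the key-encrypting key is only computable on this chip.
        stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), SALT, ITERATIONS)
        return hmac.new(self._uid, stretched, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def wrap(kek: bytes, fs_key: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for key wrapping: ciphertext || tag."""
    ct = bytes(a ^ b for a, b in zip(fs_key, _keystream(kek, len(fs_key))))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None  # wrong passcode or wrong chip: the caller learns only "no"
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, len(ct))))


class Phone:
    def __init__(self, passcode: str) -> None:
        self.accel = CryptoAccelerator()
        self.fs_key = os.urandom(32)  # kept here only so the demo can compare against it
        # Effaceable storage holds the *wrapped* filesystem key, never the key itself.
        self.effaceable = {"wrapped_fs_key": wrap(self.accel.derive_kek(passcode), self.fs_key)}

    def unlock(self, passcode: str) -> Optional[bytes]:
        """Steps 2 to 4 from the post: passcode in, filesystem key out (or nothing)."""
        blob = self.effaceable.get("wrapped_fs_key")
        if blob is None:
            return None  # wiped: bulk data is still on the flash but unrecoverable
        return unwrap(self.accel.derive_kek(passcode), blob)

    def wipe(self) -> None:
        self.effaceable.clear()  # only the small effaceable area is erased


def offline_guess_without_uid(blob: bytes, candidates: List[str]) -> Optional[str]:
    """Attacker copied the blob off the flash chip but has no access to the CPU."""
    for pin in candidates:
        kek_guess = hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, ITERATIONS)
        if unwrap(kek_guess, blob) is not None:
            return pin
    return None


if __name__ == "__main__":
    phone = Phone("1234")
    blob = phone.effaceable["wrapped_fs_key"]
    print("correct passcode unlocks:", phone.unlock("1234") == phone.fs_key)
    print("offline guess without UID:", offline_guess_without_uid(blob, ["0000", "1234"]))
    phone.wipe()
    print("after wipe, correct passcode gives:", phone.unlock("1234"))
```

The on-device path can still be brute-forced one guess at a time through the accelerator, which is why the passcode stretching and the OS-enforced retry limits matter; the model only shows why the blob alone is worthless.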

LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated fusionforge (code execution), postgresql-9.1 (regression in previous update), and symfony (restriction bypass).

Debian-LTS has updated ipsec-tools (denial of service), ruby1.9.1 (multiple vulnerabilities), and wordpress (multiple vulnerabilities).

Fedora has updated gcab (F21: directory traversal), libtiff (F21: two vulnerabilities), netty (F22: HttpOnly cookie bypass), php-ZendFramework (F22: CRLF injection), python-django (F22: incorrect session flushing), suricata (F21: denial of service), torque (F22; F21; F20: denial of service), and zeromq (F22: security bypass).

Gentoo has updated adobe-flash (multiple vulnerabilities) and phpmyadmin (multiple vulnerabilities).

openSUSE has updated Chromium (13.2, 13.1: multiple vulnerabilities), parallel (13.2, 13.1: file overwrite), and mysql-connector-java (13.2, 13.1: information disclosure).

SUSE has updated firefox (SLE11SP3: multiple vulnerabilities).

Matthew Garrett: This is not the UEFI backdoor you are looking for

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

This is currently the top story on the Linux subreddit. It links to this Tweet which demonstrates using a System Management Mode backdoor to perform privilege escalation under Linux. This is not a story.

But first, some background. System Management Mode (SMM) is a feature in most x86 processors since the 386SL back in 1990. It allows for certain events to cause the CPU to stop executing the OS, jump to an area of hidden RAM and execute code there instead, and then hand off back to the OS without the OS knowing what just happened. This allows you to do things like hardware emulation (SMM is used to make USB keyboards look like PS/2 keyboards before the OS loads a USB driver), fan control (SMM will run even if the OS has crashed and lets you avoid the cost of an additional chip to turn the fan on and off) or even more complicated power management (some server vendors use SMM to read performance counters in the CPU and adjust the memory and CPU clocks without the OS interfering).

In summary, SMM is a way to run a bunch of non-free code that probably does a worse job than your OS does in most cases, but is occasionally helpful (it’s how your laptop prevents random userspace from overwriting your firmware, for instance). And since the RAM that contains the SMM code is hidden from the OS, there’s no way to audit what it does. Unsurprisingly, it’s an interesting vector to insert malware into – you could configure it so that a process can trigger SMM and then have the resulting SMM code find that process’s credentials structure and change it so it’s running as root.

And that’s what Dmytro has done – he’s written code that sits in that hidden area of RAM and can be triggered to modify the state of the running OS. But he’s modified his own firmware in order to do that, which isn’t something that’s possible without finding an existing vulnerability in either the OS or (or more recently, and) the firmware. It’s an excellent demonstration that what we knew to be theoretically possible is practically possible, but it’s not evidence of such a backdoor being widely deployed.

What would that evidence look like? It’s more difficult to analyse binary code than source, but it would still be possible to trace firmware to observe everything that’s dropped into the SMM RAM area and pull it apart. Sufficiently subtle backdoors would still be hard to find, but enough effort would probably uncover them. A PC motherboard vendor managed to leave the source code to their firmware on an open FTP server and copies leaked into the wild – if there’s a ubiquitous backdoor, we’d expect to see it there.

But still, the fact that system firmware is almost entirely closed is still a problem in engendering trust – the means to inspect large quantities of binary code for vulnerabilities is still beyond the vast majority of skilled developers, let alone the average user. Free firmware such as Coreboot gets part way to solving this but still doesn’t solve the case of the pre-flashed firmware being backdoored and then installing the backdoor into any new firmware you flash.

This specific case may be based on a misunderstanding of Dmytro’s work, but figuring out ways to make it easier for users to trust that their firmware is tamper free is going to be increasingly important over the next few years. I have some ideas in that area and I hope to have them working in the near future.


LWN.net: Tuesday’s security updates

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated thunderbird (C6; C5: multiple vulnerabilities).

Debian has updated kfreebsd-9 (denial of service) and xen (code execution).

Debian-LTS has updated commons-httpclient (multiple vulnerabilities) and ruby1.8 (man-in-the-middle attack).

Mageia has updated avidemux (multiple vulnerabilities), firefox, thunderbird, sqlite3 (multiple vulnerabilities), moodle (multiple vulnerabilities), php (multiple vulnerabilities), phpmyadmin (two vulnerabilities), and xbmc (denial of service).

openSUSE has updated clamav (13.2, 13.1: multiple vulnerabilities), docker (13.2: multiple vulnerabilities), and flash-player (13.2, 13.1: multiple vulnerabilities).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).

Ubuntu has updated thunderbird (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).

LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated thunderbird (multiple vulnerabilities).

CentOS has updated thunderbird (C7: multiple vulnerabilities).

Debian has updated libmodule-signature-perl (multiple vulnerabilities).

Debian-LTS has updated dpkg (integrity-verification bypass), nbd (denial of service), and tiff (multiple vulnerabilities).

Fedora has updated java-1.8.0-openjdk (F21: unspecified vulnerability), NetworkManager (F21: denial of service), phpMyAdmin (F21; F20: two vulnerabilities), qemu (F21: code execution), and t1utils (F21; F20: multiple vulnerabilities).

Mageia has updated ruby-rest-client (two vulnerabilities) and virtualbox (code execution).

openSUSE has updated flash-player (11.4: multiple vulnerabilities), qemu (13.2; 13.1: code execution), and firefox (11.4: multiple vulnerabilities).

Red Hat has updated thunderbird (RHEL5,6,7: multiple vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities).

SUSE has updated KVM (SLE11SP3: code execution), qemu (SLE12: two vulnerabilities), and spice (SLE12; SLESDK12: denial of service).

Errata Security: Those expressing moral outrage probably can’t do math

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Many are discussing the FBI document where Chris Roberts (“the airplane hacker”) claimed to an FBI agent that at one point, he hacked the plane’s controls and caused the plane to climb sideways. The discussion hasn’t elevated itself above the level of anti-vaxxers.

It’s almost certain that the FBI’s account of events is not accurate. The technical details are garbled in the affidavit. The FBI is notorious for hearing what they want to hear from a subject, which is why for years their policy has been to forbid recording devices during interrogations. If they need Roberts to have said “I hacked a plane” in order to get a search warrant, then that’s what their notes will say. It’s like cops who will yank the collar of a drug sniffing dog in order to “trigger” on drugs so that they have an excuse to search the car.

Also, security researchers are notorious for being misunderstood. Whenever we make innocent statements about what we “could” do, others often interpret this either as a threat or a statement of what we already have done.

Assuming this scenario is true, that Roberts did indeed control the plane briefly, many claim that this is especially reprehensible because it endangered lives. That’s the wrong way of thinking about it. Yes, it would be wrong because it means accessing computers without permission, but the “endangered lives” component doesn’t necessarily make things worse.

Many operate under the principle that you can’t put a price on a human life. That is false, provably so. If you take your children with you to the store, instead of paying the neighbor $10 to babysit them, then you’ve implicitly put a price on your children’s lives. Traffic accidents near the home are the leading cause of death for children. Driving to the store is vastly more dangerous than leaving the kids at home, so you’ve priced that danger at around $10.

Likewise, society has limited resources. Every dollar spent on airline safety has to come from somewhere, such as from AIDS research. With current spending, society is effectively saying that airline passenger lives are worth more than AIDS victims.

Does pentesting an airplane put passenger lives in danger? Maybe. But then so does leaving airplane vulnerabilities untested, which is the current approach. I don’t know which one is worse — but I do know that your argument is wrong when you claim that endangering planes is unthinkable. It is thinkable, and we should be thinking about it. We should be doing the math to measure the risk, pricing each of the alternatives.

It’s like whistleblowers. The intelligence community hides illegal mass surveillance programs from the American public because it would be unthinkable to endanger people’s lives. The reality is that the danger from the programs is worse, and when revealed by whistleblowers, nothing bad happens.

The same is true here. Airlines assure us that planes are safe and cannot be hacked — while simultaneously saying it’s too dangerous for us to try hacking them. Both claims cannot be true, so we know something fishy is going on. The only way to pierce this bubble and find out the truth is to do something the airlines don’t want, such as whistleblowing or live pentesting.

The systems are built to be reset and manually overridden in-flight. Hacking past the entertainment system to prove one could control the airplane introduces only a tiny danger to the lives of those on-board. Conversely, the current “security through obscurity” stance of the airlines and FAA is an enormous danger. Deliberately crashing a plane just to prove it’s possible would of course be unthinkable. But, running a tiny risk of crashing the plane, in order to prove it’s possible, probably will harm nobody. If never having a plane crash due to hacking is your goal, then a live test on a plane during flight is a better way of doing this than the current official policies of keeping everything secret. The supposed “unthinkable” option of live pentest is still (probably) less dangerous than the “thinkable” options.

I’m not advocating anyone do it, of course. There are still better options, such as hacking the system once the plane is on the ground. My point is only that it’s not an unthinkable danger. Those claiming it is haven’t measured the dangers and alternatives.

The same is true of all security research. Those outside the industry believe in security-through-obscurity, that if only they can keep details hidden and pentesters away from computers, then they will be safe. We inside the community believe the opposite, in Kerckhoffs’ principle of openness, and that the only trustworthy systems are those which have been thoroughly attacked by pentesters. There is a short term cost of releasing vulns in Adobe Flash, because hackers will use them. But the long term benefit is that this leads to a more secure Flash, and better alternatives like HTML5. If you can’t hack planes in-flight, then what you are effectively saying is that our belief in Kerckhoffs’ principle is wrong.

Each year, people die (or get permanently damaged) from vaccines. But we do vaccines anyway because we are rational creatures who can do math, and can see that the benefits of vaccines are a million to one times greater than the dangers. We look down on the anti-vaxxers who rely upon “herd immunity” and the fact the rest of us put our children through danger in order to protect their own. We should apply that same rationality to airline safety. If you think pentesting live airplanes is unthinkable, then you should similarly be able to do math and prove it, rather than rely upon irrational moral outrage.

I’m not arguing hacking airplanes mid-flight is a good idea. I’m simply pointing out it’s a matter of math, not outrage.

Linux How-Tos and Linux Tutorials: Install Linux on a Modern WiFi Router: Linksys WRT1900AC and OpenWrt

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Ben Martin. Original post: at Linux How-Tos and Linux Tutorials


The Linksys WRT1900AC is a top-end modern router that gets even sweeter when you unleash Linux on it and install OpenWrt. OpenWrt includes the opkg package management system giving you easy access to a great deal of additional open source software to use on your router. If you want the pleasure of SSH access on your router, the ability to use iptables on connections passing through it, and the ability to run various small servers on it, the Linksys WRT1900AC and OpenWrt are a powerful combination.

From a hardware perspective, the Linksys WRT1900AC offers simultaneous dual band, with 802.11n on 2.4 GHz at up to 600 Mbps and 802.11ac on 5 GHz at up to 1.3 Gbps (megabits and gigabits per second, not bytes). This lets you connect your older devices over 802.11n while newer hardware takes advantage of the greater speed and less congested 802.11ac signal.

The router has a dual-core Marvell Armada 370/XP CPU with 256 MB of RAM and 128 MB of flash storage. You can also attach more storage to the WRT1900AC using its USB 3.0 and eSATA ports. When using OpenWrt you might also like to attach a webcam and printer to the router. The Linksys WRT1900AC has a 4 port gigabit switch and a gigabit upstream WAN port.

Initial setup

The stock firmware that comes with the Linksys WRT1900AC uses a very simple four-step procedure for initial setup. I only partially followed the recommended setup steps.

Step 1: Connect the antennae and power.

Step 2: Connect your upstream “Internet” link to the appropriate port on the router.

Step 3: Connect to the wifi signal from the router. You are given a custom wireless network name and password which appears to be set differently for each individual router. This step 3 nicely removes the security vulnerability inherent in initial router setup, because your router will have a custom password right from the first time you power it on.

Step 4: Log in to linksyssmartwifi.com and setup the router.

Instead of directly connecting to the Internet port, I used one of the 4 gigabit switch ports to attach the router to the local LAN. This made using the linksyssmartwifi.com website at step 4 not work for me. I could create an account on the smartwifi site, but it wanted me to be connected through the wifi router in order to adjust the settings.

You can however set up the router without needing to use any remote websites. The Linksys will appear at 192.168.1.1 and connecting a laptop to the wifi router and manually forcing the laptop’s IP address to 192.168.1.2 allowed me to access the router configuration page. At that stage the Connectivity/Local Network page lets you set the IP address of the router to be something that will fit into your LAN in a non conflicting manner (and on the subnet you are using) and also disable the DHCP server if you already have one configured.

The initial screen I got when I was connecting directly using 192.168.1.1 again wanted to take me off to a remote website, though you can click through to avoid having to do that if you want.

I tried to attach a 120 GB SanDisk Extreme SSD to test eSATA storage. Unfortunately ext4 is not a supported filesystem for External Storage in the stock firmware. It could see /dev/sda1 but 0 kilobytes used of 0 kb total space. Using a 16 GB flash pen drive formatted to FAT filesystem was fine; the ftp service was started and the drive showed up as a Samba share, too.

Switching over to OpenWrt

At the time of writing the options for installing OpenWrt on the device were changing. There were four images which offered Linux kernel version 3.18 or 4.0 and some level of extra fixes and updates depending on the image you choose. I used Kaloz’s evolving snapshots of trunk linked at openwrt_wrt1900ac_snapshot.img.

Flashing the image onto the router is very simple as you use the same web interface that is used to manually install standard firmware updates. The fun, and moments of anxiety that occur after the router reboots are familiar to anyone who has ever flashed a device.

When the router reboots you will not have any wifi signals at all from it. The router will come up at a default IP address of 192.168.1.1. The easiest method to talk to the router is to use a laptop and force the ethernet interface to an address of 192.168.1.2. Using a trunk distribution of OpenWrt you are likely not to have a useful web interface on the router. Visiting 192.168.1.1 will likely show an empty web server with no files.

When falling back to a network login, another little surprise awaits. An SSH connection to the router was accepted, but I could not log in: OpenWrt ships with an empty root password, and the SSH server refuses logins with no password, which looked like a catch-22. The saving grace is that telnet is also running on the router, and after installing a telnet client on the laptop I could log in with no password at all. Gaining access to the router again was a tremendous relief.

In the telnet session use the passwd command to set a root password; after that you should be able to log in over SSH. Note that the unauthenticated telnet service is only started while the root password is empty, so setting a password is also what closes it. I tested the SSH login while the telnet session was still active so that I had a fallback in case login failed for some reason.

To make the web interface operational you will have to install the LuCI package. The below commands will do that for you. If you need to use a proxy to get to the Internet the http_proxy, https_proxy, and ftp_proxy environment variables will be of use. Again you might run into a little obstacle here, with the router on the 192.168.1.0/24 subnet it might not be able to talk with your existing network if it is on the often used 192.168.0.0/24 subnet. I found that manually forcing the IP address to a 192.168.0.X address using ifconfig on br-lan changed the address for bridged ports and everything moved to that subnet. This is not a permanent change, so if it doesn’t work rebooting the router gets you back to 192.168.1.0/24 again. It is easy to change this for good using LuCI once you have that installed.

# only needed if your LAN requires a proxy; use the proxy's own host and port
export http_proxy=http://192.168.1.10
# refresh the package lists, then install the LuCI web interface
opkg update
opkg install luci

Once you have LuCI installed the rest of the router setup becomes point and click by visiting the web server on your router. To enable WiFi signals, go to the Network/Wifi page, which gives you access to the two radios, one for 2.4 GHz 802.11n and one for 5 GHz 802.11ac. Each radio will be disabled by default. Oddly, I found that after clicking edit for a radio and scrolling down to Interface Configuration and the Wireless Security tab, the default security was “No Encryption.” WPA2-PSK would have been a better default, and an open access point bridged straight into your LAN is not something to leave running even briefly. So getting a radio up and running involved setting an ESSID, checking the Mode (I used Access Point), and setting Wireless Security to WPA2-PSK with a password.
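The same radio setup, scripted instead of clicked, as an added example that is not from the article or from the OpenWrt project. The script runs on the admin workstation and prints a uci batch file; applying it with something like `ssh root@192.168.1.1 'uci batch && wifi'` is assumed, as are the section names radio0/radio1 and the convention that wifi-iface section i belongs to radio i, which is how a freshly generated /etc/config/wireless of that era was laid out. It refuses the “No Encryption” default and enforces the WPA2 passphrase rules (8 to 63 printable ASCII characters), which is where a hand-typed config most often goes wrong.

```python
import secrets
import string
from typing import Optional, Sequence

# WPA2 passphrases are 8..63 printable ASCII characters; the single quote is
# excluded only because the generated uci lines quote values with it.
_PSK_CHARS = set(chr(c) for c in range(0x20, 0x7F)) - {"'"}
_ACCEPTED = ("psk2", "psk2+ccmp")  # WPA2-PSK only: 'none', WEP and WPA1 'psk' are refused


def psk_problem(psk: str) -> Optional[str]:
    """Return a reason the passphrase is unusable, or None if it is fine."""
    if not 8 <= len(psk) <= 63:
        return "WPA2-PSK passphrase must be 8 to 63 characters"
    if any(c not in _PSK_CHARS for c in psk):
        return "passphrase must be printable ASCII without single quotes"
    return None


def ssid_problem(ssid: str) -> Optional[str]:
    if not 1 <= len(ssid.encode()) <= 32:
        return "SSID must be 1 to 32 bytes"
    if "'" in ssid:
        return "SSID must not contain a single quote"
    return None


def random_psk(length: int = 24) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wifi_batch(ssid: str, psk: str, encryption: str = "psk2+ccmp",
               radios: Sequence[str] = ("radio0", "radio1")) -> str:
    """Emit a `uci batch` script enabling each radio as an AP with WPA2-PSK."""
    if encryption not in _ACCEPTED:
        raise ValueError(f"refusing encryption={encryption!r}; use one of {_ACCEPTED}")
    for problem in (ssid_problem(ssid), psk_problem(psk)):
        if problem:
            raise ValueError(problem)
    lines = []
    for i, radio in enumerate(radios):
        # Assumption: wifi-iface section i is the one attached to radio i.
        iface = f"wireless.@wifi-iface[{i}]"
        lines += [
            f"set wireless.{radio}.disabled='0'",
            f"set {iface}.mode='ap'",
            f"set {iface}.ssid='{ssid}'",
            f"set {iface}.encryption='{encryption}'",
            f"set {iface}.key='{psk}'",
        ]
    lines.append("commit wireless")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe into: ssh root@192.168.1.1 'uci batch && wifi'   (assumed invocation)
    print(wifi_batch("wrt1900ac-home", random_psk()), end="")
```

Generating the passphrase with the secrets module and printing it once is deliberate: the value ends up in /etc/config/wireless on the router anyway, so there is nothing gained by typing a memorable one.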

Many of the additional features you might install with opkg also have a LuCI support package available. For example, if you want to run a DLNA server on the Linksys WRT1900AC the minidlna package is available, and a luci-app-minidlna package will let you manage the server right from the LuCI web interface.

opkg install minidlna
opkg install luci-app-minidlna

Although the Linksys WRT1900AC has 128 MB of flash storage, it is broken up into many smaller partitions. The core /overlay partition had a size of only 24.6 MB with /tmp/syscfg being another 30 MB partition of which only around 300 KB was being used. While this provides plenty of space to install precompiled software, there isn’t enough space to install gcc onto the Linksys WRT1900AC/OpenWrt installation. I have a post up asking if there is a simple method to use more of the flash on the Linksys WRT1900AC from the OpenWrt file system. Another method to gain more space on an OpenWrt installation is to use an extroot, where the main system is stored on external storage. Perhaps with the Linksys WRT1900AC this could be a partition on an eSATA SSD.

If you don’t want to use extroot right away, another approach is to use another ARM machine that is running a soft floating point distribution to compile static binaries. Those can be transferred over using rsync to the OpenWrt installation on the Linksys WRT1900AC. An ARM machine is either using soft or hard floating point, and generally everything is compiled to work with one or the other. To see which version of floating point your hardware is expecting you can use the readelf tool to sniff at a few existing binaries as shown below. Note the soft-float ABI line in the output.

root@linksys1900ac:~# readelf -a /bin/bash|grep ABI
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Flags:                             0x5000202, has entry point, Version5 EABI, soft-float ABI
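The same check done without readelf, as an added example (not from the article): the 52-byte ELF32 header is parsed directly so the float ABI of a binary can be verified in a script before it is rsync’d to the router. The flag values are the standard ones from the ARM ELF ABI (EF_ARM_ABI_FLOAT_SOFT = 0x200, EF_ARM_ABI_FLOAT_HARD = 0x400, EABI version in the top byte); the sample headers are constructed, with 0x5000202 being the value readelf printed above.

```python
import struct
from typing import Tuple

EM_ARM = 40
EF_ARM_EABIMASK = 0xFF000000
EF_ARM_ABI_FLOAT_SOFT = 0x200
EF_ARM_ABI_FLOAT_HARD = 0x400
ELF32_HEADER_LEN = 52


def _arm_flags(header: bytes) -> Tuple[int, int]:
    """Return (EABI version, e_flags) from an ELF32 ARM header."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if header[4] != 1:
        raise ValueError("not ELF32 (32-bit ARM userspace expected)")
    endian = "<" if header[5] == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags start at byte 16
    _type, e_machine, _ver, _entry, _phoff, _shoff, e_flags = struct.unpack_from(
        endian + "HHIIIII", header, 16)
    if e_machine != EM_ARM:
        raise ValueError(f"not an ARM binary (e_machine={e_machine})")
    return (e_flags & EF_ARM_EABIMASK) >> 24, e_flags


def float_abi(header: bytes) -> str:
    eabi, flags = _arm_flags(header)
    if flags & EF_ARM_ABI_FLOAT_HARD:
        return f"EABI{eabi} hard-float"
    if flags & EF_ARM_ABI_FLOAT_SOFT:
        return f"EABI{eabi} soft-float"
    return f"EABI{eabi} float ABI unspecified"


def same_float_abi(a: bytes, b: bytes) -> bool:
    """True if a binary built like `a` can be copied next to binaries like `b`."""
    mask = EF_ARM_ABI_FLOAT_SOFT | EF_ARM_ABI_FLOAT_HARD
    return (_arm_flags(a)[1] & mask) == (_arm_flags(b)[1] & mask)


def float_abi_of_file(path: str) -> str:
    with open(path, "rb") as f:
        return float_abi(f.read(ELF32_HEADER_LEN))


def make_elf32_arm_header(e_flags: int, little_endian: bool = True) -> bytes:
    """Constructed 52-byte header with no program/section headers; stands in for a real binary."""
    ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    endian = "<" if little_endian else ">"
    body = struct.pack(endian + "HHIIIIIHHHHHH", 2, EM_ARM, 1, 0x8000, ELF32_HEADER_LEN, 0,
                       e_flags, ELF32_HEADER_LEN, 32, 0, 40, 0, 0)
    return ident + body


if __name__ == "__main__":
    router_bash = make_elf32_arm_header(0x5000202)   # the flags readelf printed above
    print(float_abi(router_bash))                     # EABI5 soft-float
    hard_build = make_elf32_arm_header(0x5000402)     # what a hard-float toolchain emits
    print(same_float_abi(hard_build, router_bash))    # False: do not copy this one over
```

Run float_abi_of_file on the freshly built static binary and on /bin/bash copied from the router; same_float_abi tells you whether the copy will link and run rather than fail at load time.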

I tried to get push button WPS setup to work from OpenWrt without success. I had used that feature under the standard firmware so it is able to work and makes connecting new devices to the router much simpler.

I also notice that there are serial TTL headers on the Linksys WRT1900AC and a post shows a method to reflash the firmware directly from uboot. I haven’t tried this out, but it is nice to see as a possible final ditch method to resurrect a device with non functioning firmware.

Another useful thing is to set up users other than root on the OpenWrt installation, so that day-to-day work carries less risk of interrupting normal router activity. You might like to install the shadow utilities and sudo in order to do this, then create the group and user before switching to it, as shown below:

  root@wrt1900ac:/dev# opkg install sudo
  root@wrt1900ac:/dev# opkg install shadow-useradd shadow-groupadd
  root@wrt1900ac:/dev# mkdir -p /home
  root@wrt1900ac:/dev# groupadd ben
  root@wrt1900ac:/dev# useradd -m -g ben -s /bin/bash ben
  root@wrt1900ac:/dev# sudo -u ben bash

I found that the fan came on when the Linksys WRT1900AC was booting into OpenWrt. The fan was turned off again soon after. The temperature readings are available using the sensors command as shown below.

root@wrt1900ac:~# sensors 
tmp421-i2c-0-4c
Adapter: mv64xxx_i2c adapter
ddr:          +52.8 C  
wifi:         +55.1 C  
armada_thermal-virtual-0
Adapter: Virtual device
cpu:          +61.7 C  

Performance

Using an LG G3 phone with Android 5, the Wifi Network Analyzer app indicated a speed of 433 Mbps with the phone about a foot from the router. That speed dropped back to around 200 Mbps when I moved several rooms away. The same results were given using the stock firmware and the OpenWrt image.

Running iperf (2.0.5) on the OpenWrt installation and a Mid 2012 MacBook Air gave a bandwidth of 120 Mbps. The same client and server going through a DLink DIR-855 at a similar distance on 5 GHz gave only 82 Mbps. Unfortunately the Mac only has 802.11n, as 802.11ac was added to the next year’s model.

The LG G3 running Android 5 connected to the 802.11ac network using the iperf app could get 102 Mbps. These tests were run by starting the server with ‘-s’ and the client with ‘-c server-ip-address’. The server, running on the Linksys WRT1900AC/OpenWrt machine, chose a default TCP window size of 85 KB for these runs. Playing with window sizes I could get about 10 percent additional speed on the G3 without too much effort.

I connected a 120 GB SanDisk Extreme SSD to test the eSATA performance. For sequential IO Bonnie++ could write about 89 MB/s, read 148 MB/s and rewrite blocks at about 55 MB/s (Bonnie++ reports bytes per second, not bits). About 5,200 seeks/s were achieved. This compares well for read and rewrite with the eSATA on the Cubox, which got 150 MB/s and 50 MB/s respectively. The Cubox could write at 120 MB/s, which is about 35 percent faster than the Linksys WRT1900AC. This is using the same ext4 filesystem on both machines; the drive was just moved to each new machine.

bonnie++ -n 0 -f -m Linksys1900ac -d `pwd` 

OpenSSL performance for digests was in a similar ballpark to the BeagleBone Black and CuBox i4Pro. For ciphers the story was very different depending on which algorithm was used: DES and AES-256 were considerably slower than on other ARM machines, whereas Blowfish and CAST ran at similar speeds to many other ARM CPUs. For 1,024-bit RSA signatures the Linksys WRT1900AC managed around 25-30 percent of the performance of the more budget ARM CPUs.

(Charts in the original: OpenSSL digest, cipher and RSA sign benchmarks for the Linksys router.)

Final Thoughts

It is great to see that LuCI gives easy access to the router features and even has “app” packages to let you configure some of the additional software that you might like to install on your OpenWrt device. OpenWrt images for the Linksys WRT1900AC are a relatively recent development. Once a recommended stable image with LuCI included is released it should mitigate some of the tense moments that reflashing can present at the moment. The 177+ pages on the OpenWrt forum for the Linksys WRT1900AC are testament to the community interest in running OpenWrt on the device.

It is wonderful to see the powerful hardware that the Linksys WRT1900AC provides being able to run OpenWrt. The pairing of Linux/FLOSS and contemporary hardware lets you customize the device to fit your usage needs. You can not only SSH in, but rsync is ready for you and your programming language of choice can be installed on the device, so the little programs you want available all the time no longer need a separate machine left running. Some applications also work well on the router itself, packet filtering for example: a single policy on the router can block tablets and phones from reaching your work machines, provided the phones sit on a separate interface or firewall zone, since traffic between clients of the same bridge is switched locally and never passes through the router’s forwarding rules.
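That packet-filtering policy, as an added example that is not from the article or the OpenWrt project. It prints a uci batch file adding a firewall rule that rejects traffic from a zone holding the mobile devices to a list of work hosts; the zone name “mobile” is hypothetical and must already exist (a separate SSID and network attached to it), while the rule options used (src, dest, dest_ip, proto, target) and the @rule[-1] addressing are standard uci/fw3. Hosts are validated as IPv4 addresses or CIDR blocks, a same-zone rule is refused because bridged clients never traverse the forward chain, and is_blocked lets you check the policy against an address before touching the router.

```python
import ipaddress
from typing import Iterable, List


def _dest_ip_form(net: ipaddress.IPv4Network) -> str:
    # fw3 accepts a bare address or CIDR in dest_ip; single hosts are written bare.
    return str(net.network_address) if net.prefixlen == 32 else net.with_prefixlen


def parse_hosts(work_hosts: Iterable[str]) -> List[ipaddress.IPv4Network]:
    nets = []
    for h in work_hosts:
        net = ipaddress.ip_network(h.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"{h}: this rule handles IPv4 only")
        nets.append(net)
    return nets


def is_blocked(work_hosts: Iterable[str], dst: str) -> bool:
    """Would the generated rule match a packet to dst? Offline check of the policy."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in parse_hosts(work_hosts))


def block_rule_batch(name: str, src_zone: str, dest_zone: str,
                     work_hosts: Iterable[str]) -> str:
    """Emit a `uci batch` script adding one REJECT rule from src_zone to the work hosts."""
    if src_zone == dest_zone:
        raise ValueError("same zone: clients on one bridge reach each other at layer 2 and "
                         "the forward chain never sees it; give the phones their own zone")
    if "'" in name or "'" in src_zone or "'" in dest_zone:
        raise ValueError("names must not contain a single quote")
    lines = [
        "add firewall rule",
        f"set firewall.@rule[-1].name='{name}'",
        f"set firewall.@rule[-1].src='{src_zone}'",
        f"set firewall.@rule[-1].dest='{dest_zone}'",
        "set firewall.@rule[-1].proto='all'",
    ]
    for net in parse_hosts(work_hosts):
        lines.append(f"add_list firewall.@rule[-1].dest_ip='{_dest_ip_form(net)}'")
    lines += ["set firewall.@rule[-1].target='REJECT'", "commit firewall"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed addresses; pipe into: ssh root@router 'uci batch && /etc/init.d/firewall reload'
    work = ["192.168.0.10", "192.168.0.32/28"]
    print(block_rule_batch("mobile-to-work", "mobile", "lan", work), end="")
    print("# 192.168.0.40 blocked:", is_blocked(work, "192.168.0.40"))
```

REJECT rather than DROP is chosen so a phone that tries to reach a work host fails immediately instead of hanging on a timeout, which makes the policy easy to confirm from the phone itself.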

We would like to thank Linksys for providing the WRT1900AC hardware used in this article.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Arch Linux has updated wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), and wireshark-qt (multiple vulnerabilities).

SUSE has updated flash-player (SLE12: multiple vulnerabilities).

LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated firefox (multiple vulnerabilities) and tomcat6 (denial of service).

CentOS has updated firefox (C7; C6: multiple vulnerabilities), kexec-tools (C7: file overwrites), pcs (C7; C6: privilege escalation), tomcat (C7: HTTP request smuggling), and tomcat6 (C6: HTTP request smuggling).

Debian has updated quassel (SQL injection).

Fedora has updated clamav (F20: multiple vulnerabilities), dpkg (F21; F20: two vulnerabilities), kernel (F21: two vulnerabilities), texlive (F21: predictable filenames), and wpa_supplicant (F20: code execution).

Gentoo has updated ettercap (multiple vulnerabilities).

Mageia has updated dnsmasq (information disclosure), flash-player-plugin (multiple vulnerabilities), hostapd (denial of service), netcf (denial of service), pam (two vulnerabilities), and testdisk (multiple vulnerabilities).

Oracle has updated firefox (OL7; OL5: multiple vulnerabilities), kernel (OL7: two vulnerabilities), kexec-tools (OL7: file overwrites), tomcat (OL7: HTTP request smuggling), and tomcat6 (OL6: HTTP request smuggling).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), flash-plugin (RHEL5,6: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), kernel (RHEL7: privilege escalation), kernel-rt (RHEL7; RHEMRG2.5: privilege escalation), kexec-tools (RHEL7: file overwrites), kvm (RHEL5: code execution), pcs (RHEL7; RHEL6: privilege escalation), qemu-kvm (RHEL7; RHEL6: code execution), qemu-kvm-rhev (RHEL7, RHEL6, RHEL OSP4,5,6: code execution), tomcat (RHEL7: HTTP request smuggling), tomcat6 (RHEL6: HTTP request smuggling), and xen (RHEL5: code execution).

Scientific Linux has updated kvm (SL5: code execution) and xen (SL5: code execution).

Slackware has updated mozilla (multiple vulnerabilities).

SUSE has updated php5 (SLE12: multiple vulnerabilities).

Krebs on Security: Adobe, Microsoft Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Microsoft today issued 13 patch bundles to fix roughly four dozen security vulnerabilities in Windows and associated software. Separately, Adobe pushed updates to fix a slew of critical flaws in its Flash Player and Adobe Air software, as well as patches to fix holes in Adobe Reader and Acrobat.

Three of the Microsoft patches earned the company’s most dire “critical” rating, meaning they fix flaws that can be exploited to break into vulnerable systems with little or no interaction on the part of the user. The critical patches plug at least 30 separate flaws. The majority of those are included in a cumulative update for Internet Explorer. Other critical fixes address problems with the Windows OS, .NET, Microsoft Office, and Silverlight, among other components.

According to security vendor Shavlik, the issues addressed in MS15-044 deserve special priority in patching, in part because the bulletin covers so many different Microsoft programs, but also because the vulnerabilities it fixes can be exploited merely by viewing specially crafted content in a Web page or a document. More information on and links to today’s individual updates can be found here.

Adobe’s fix for Flash Player and AIR patches at least 18 security holes in the programs. Updates are available for Windows, OS X and Linux versions of the software. For Mac and Windows users, the latest, patched version is 17.0.0.188.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update in Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome,” click the apply update button and restart the browser.


The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

If you run Adobe Reader, Acrobat or AIR, you’ll need to update those programs as well. Adobe said it is not aware of any active exploits or attacks against any of the vulnerabilities it patched with today’s releases.

Linux How-Tos and Linux Tutorials: Build Your Own Linux Distro

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

There are hundreds of actively maintained Linux distributions. They come in all shapes, sizes and configurations. Yet there’s none like the one you’re currently running on your computer. That’s because you’ve probably customised it to the hilt – you’ve spent numerous hours adding and removing apps and tweaking aspects of the distro to suit your workflow.

Wouldn’t it be great if you could convert your perfectly set up system into a live distro? You could carry it with you on a flash drive or even install it on other computers you use.

 

Read more at LinuxVoice.