Don’t run “strings” against files…

2014.10.27

From http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html:

Many shell users, and certainly most of the people working in computer forensics or other fields of information security, have a habit of running/usr/bin/strings on binary files originating from the Internet. Their understanding is that the tool simply scans the file for runs of printable characters and dumps them to stdout – something that is very unlikely to put you at any risk.

It is much less known that the Linux version of strings is an integral part of GNU binutils, a suite of tools that specializes in the manipulation of several dozen executable formats using a bundled library called libbfd.

Other well-known utilities in that suite include objdump and readelf.Perhaps simply by the virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and “optimize” the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can be hardly described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking

Check the site for POC code. It’s old and it’s nasty.

Categories : Security

How to Manually Update Bash to Patch Shellshock Bug on Older Fedora-Based Linux Systems | Steve Jenkins’ Blog

2014.10.23
Categories : Security
Tags :     

Juniper MACSec Notes

2014.10.16

MACSec is kind of neat (TL;DR for the impatient: layer-1 crypto on links).

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.

MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.

CLI config:

#create an association:
set security macsec connectivity-association ca1

#choose a mode (static cak recommended — see here for why)
set security macsec connectivity-association ca1 security-mode static-cak

#ckn needs to be a 64-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key ckn deadbeef99

#cak needs to be a 32-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key cak deadbeef11

# set to 255 to make it “less likely” to be chosen as key server, 0 for “more likely”
set security macsec connectivity-association ca1 mka key-server-priority 0

# set to 6000 for high-traffic environment. default to 2000.
set security macsec connectivity-association ca1 mka transmit-interval 6000

#this leaves headers unencrypted for troubleshooting, set to 0 for full encryption, set to 50 for unencrypted ipv6 headers
set security macsec connectivity-association ca1 offset 30

# replay protection, set to 0 to enforce all packets coming in order
set security macsec connectivity-association ca1 replay-protect replay-window-size 5

# exclude a protocol
set exclude-protocol lldp

#enable macsec
set security macsec interfaces xe-0/1/0 connectivity-association ca1

Troubleshooting:
show security macsec statistics interface xe-0/1/0 detail

additional reading:
http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/macsec.html
http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/command-summary/show-security-macsec-statistics.html
(Cisco version: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf)

 

There’s a Cisco version of this here: http://david.piniella.net/2015/11/cisco-macsec-notes/

Categories : HowTo  Networking  Security

Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback

2014.10.14

With This Tiny Box, You Can Anonymize Everything You Do Online | WIRED

2014.10.13
Categories : News  News  Privacy  Security

Cory Doctrow on the need for easy to use security mechanisms

2014.09.18

Cory Doctrow via The Guardian:

Technical people need our non-technical friends to adopt good privacy practices. Every communications session has at least two parties, the sender and the recipient(s), and your privacy can leak out of either end of the wire. It doesn’t matter if I keep all my email offline, encrypted on my laptop, if it all ends up in the inboxes of people who leave it sitting on Gmail’s servers.

So this is critical, and not just for “normal people”. Even technically sophisticated people often find it difficult to follow security protocol in their own communications and computing. Things that aren’t usable just don’t get used. Making crypto as easy as your favourite websites and apps is the only way to make privacy a reality for everyone.

via Privacy technology everyone can use would make us all more secure | Technology | theguardian.com.

 

That’s all well and good, but how do you do it? If you’re reading this, it’s a safe bet you’re at least interested in the idea of data security. But how do you implement this among the nontechnical? It’s easy enough to tell a group of technical people “install PGP, encrypt and sign everything, don’t use weak keys” etc. But how do you get your mom to use it? Or the 62-year-old accountant that prefers to not have to deal with computers except to buy things online and email old friends or distant relatives?

Categories : News  Security

A Few Thoughts on Cryptographic Engineering: What’s the matter with PGP?

2014.09.05

A Few Thoughts on Cryptographic Engineering: What’s the matter with PGP?.

TL;DR: keys suck, key management sucks, no perfect foward secrecy really sucks, implementation sucks, software sucks and we should rethink how to do this stuff slightly better.

If you’ve used PGP (or GPG), it’s hard to find fault with his arguments, though.

Categories : Security

ProtonMail Blog – News and Updates

2014.09.04

ProtonMail Blog – News and Updates.

Just got access to the public beta of this; here’s to hoping others follow suit.

Categories : Security

Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft | Enterprise | WIRED

2014.09.03

The web forum 4chan is known mostly as a place to share juvenile and, to put it mildly, politically incorrect images. But it’s also the birthplace of one of the latest attempts to subvert the NSA’s mass surveillance program.

When whistleblower Edward Snowden revealed that full extent of the NSA’s activities last year, members of the site’s tech forum started talking about the need for a more secure alternative to Skype. Soon, they’d opened a chat room to discuss the project and created an account on the code hosting and collaboration site GitHub and began uploading code.

Eventually, they settled on the name Tox, and you can already download prototypes of the surprisingly easy-to-use tool. The tool is part of a widespread effort to create secure online communication tools that are controlled not only by any one company, but by the world at large—a continued reaction to the Snowden revelations. This includes everything from instant messaging tools to email services.

via Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft | Enterprise | WIRED.

 

It’s a shame that w.a.s.t.e. died such an ignoble death — mostly because it was hard to set up, I think. Even so, IM was just a side-feature, not it’s raison d’etre, so you can still make an argument for Tox and against w.a.s.t.e., despite the very nice Pynchon reference.

Mysterious Phony Cell Towers Could Be Intercepting Your Calls | Popular Science

2014.09.02

To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as “interceptors,” detected by the CryptoPhone 500 around the United States during the month of July alone.  Interceptors look to a typical phone like an ordinary tower.  Once the phone connects with the interceptor, a variety of “over-the-air” attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says.  “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.  We even found one at South Point Casino in Las Vegas.”

via Mysterious Phony Cell Towers Could Be Intercepting Your Calls | Popular Science.

BYOD is a huge security problem in organizations, but this is just a friendly reminder: if you’re out in the world, you have to expect attacks.

 

Categories : Security