FreeBSD sysarch kernel panic vulnerability

A bug has been found and fixed in the FreeBSD kernel that would allow someone with malicious intent to crash a running system. It’d be difficult to achieve unless the attacker had console access. However it’s been patched for all supported systems. See here for all the details (which I won’t repeat).

The problem was found by Core Security, and they have provided an excellent write-up here.

But if you want it in plain English:

The sysarch() system call is used to get/set processor-specific stuff. You’re not supposed to call it directly; you’re supposed to call a processor-specific library if you want to do things like that, but you still can call it if you want to. On processors that support memory segments, such as i386,  there is a Local Descriptor Table (LDT) to manage them if you want to mess with specific stuff like that. However, for security reasons, you can only modify the LDT using the sysarch() call, which checks what you’re trying to do and prevents applications from doing anything crazy.

Unfortunately the AMD64 implementation of the code gets the checking wrong. If you use a signed integer it’s always going to be less than another unsigned value, and when it compares the two parameters to make sure that one is less than the other it passes when it shouldn’t, and the rogue parameter causes it to go funky-deux and overwrite a shed load of stuff.

This is in all in:

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post
/sys/amd64/amd64/sys_machdep.c

in the function:

int amd64_set_ldt(td, uap, descs)

The FreeBSD advisory contains a patch for all “supported” versions; but what if you’re using an older one? Using the information from Core it’s easy enough to patch. But what else is affected?

To save you the trouble, I’ve looked back at earlier versions. The problem code definitely exists in the AMD64 versions for 8.x, but isn’t present in any 7.x, as far as I can tell. The system call simply doesn’t exist. On i386 versions, I can’t see any obvious problem with the code.

How worried should we be? If someone breaks in to a system with shell access, they will be able to crash it. However, I think it’s very unlikely that any service is written in such a way that malicious data could cause the necessary parameters to be sent to sysarch() call. In fact, on checking the ports collection, it’s not exactly used all over the place. You’re highly unlikely to be running any application that even makes the call.

Android Stagefright bug gets serious

AndroidLogoSThere’s a bug in all by the most recent versions of the Android operating system that can theoretically allow attackers to take over the device simply by viewing a web page or downloading a media file. It’s actually in the Stagefright library, and was the talk of Black Hat last August. Then it was considered hard to exploit, but security researcher Hanan Be’er at  North-Bit in Israel has now published a paper proving it’s very dangerous.

Stagefright is the name of the media processing library found in all versions of Android you’re likely to find. It opens and reads any media downloaded to the device. With a specially crafted file you can cause it to crash when it does this; you don’t have to even play the file. However, it has been difficult to make use of this fact to “break out” and do anything more nasty.

Since Android 5.0, a system called Address Space Layout Randomisation (ASLR) has been in use. Basically the memory space is shuffled randomly so malicious code doesn’t know where anything else is, making attacks more difficult. This made exploiting Stagefright’s flaws a lot harder. The fact that the problem exists on Android 2.2 to 4.x, which doesn’t do ASLR, has been the subject of much complacency. Google has released fixes for the bug, known as CVE-2015-3864, but by no means have all the Android devices been updated. I guess that the vast majority have not, including the recent ones using Android 5.x. The infrastructure for updating Android simply doesn’t exist. Apple’s devices are very exploitable, but at least they have a mechanism for updating them.

So how does the North-Bit exploit work? It’s actually very straightforward. First you deliver a dodgy video file to the device; putting it on a web site is the obvious, easy method. This will cause Stagefright to crash and restart in a known state. When it does this, some JavaScript running on the same page slurps various parameters on the system, such as the current location of libc, and sends it back to the attacker. A new video file is then created and sent using this information, and it’s game over – possibly after a few tries, but North-Bit says the exploit is reliable.

How worried should we be? I’d say we should be very worried. Unless your device manufacturer and/or mobile network rolls out the patch, I can’t see any mitigation.

Apple is too cool for the CIA to touch

Tim Cook 2009 cropped
Tim Cook – time he was sent to jail?
You can’t have missed the furore over Apple’s refusal to help the CIA get the data from a terrorist murderers iPhone. On the one side the CIA says that we need the data to protect the public, a line with the judiciary of the USA agrees with, and Apple should do everything possible to get it for them. On the other side there’s Apple’s PR engine trying (successfully) to spin the story and avoid complying with the court order.

In the mean time the Brazilians haven’t shown such deference to a cultural icon when it comes to Facebook owned WhatsApp refusing to hand over data concerning a major drugs trafficker, even after several court orders. The Brazilian authorities have arrested Diego Dzodan, Facebook’s hancho in Latin America, and thrown him in jail until such time as the company obeys the law.

Perhaps he Americans could try that with Tim Cook – you break the law, you go to jail.

Meanwhile, Apple might seem to be setting itself up as the criminals friend over this. In the land of the free where profit is king, I guess their money is as good as anyone else’s so perhaps we should be too judgemental. But in an outrageous spin, Apple has told the world that if they comply with the court order then all Apple handsets will have a backdoor and no longer be secure. This is disingenuous. The situation is this:

Apple encrypts the data stored on the phone. You have to enter a password to unlock it. If you enter ten wrong passwords it will wipe the data from the phone. The CIA has asked Apple to modify this handset to disable the data wiping feature, so the CIA can then just keep throwing passwords at it until it unlocks. Clearly, this is going to have no physical effect on any other handset anywhere else in the world. So what’s Apple’s problem?

If Apple helped the CIA break in to the handset, Apple can no longer claim that its handsets are invulnerable. Terrorists, fraudsters and anyone up to something will know that the authorities can get at Apple data even more easily than if it was stored on iCloud. Note well: the fact that Apple hasn’t produced the mod needed to do this (publicly), doesn’t mean that its not possible right now; and it may even be happening. But Apple wants to maintain the illusion that it can’t.

Put another way, it’s easy enough to bypass the locks on a front door. You just need a large enough sledge hammer. Doubt this? Look at the footage of a police raid taking place – a few burly coppers with a battering ram and it’s open in seconds. Apple is selling locks and trying to pretend there’s no such thing as a sledgehammer.

So why, might one ask, don’t the US authorities stop messing around and get the court order enforced? Are they really scared of Apple?

What’s really worrying about this situation is that “civil liberties campaigners” and some corporate America is rushing to put out statements in Apple’s defence. In other words, big business reckons it’s above the law made by the people using a democratically elected government.

Spam from the Government Secure Internet

gov.uk

Well that’s what it looks like. Criminals apparently from Bangalore have been distributing loads of malware spams from addresses like Nich***.Davi**.5208@vosa.gsi.gov.uk, and they’re getting through spam filters.

The messages continue:

 


 

 

Subject: DVSA RECEIPT

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
SA1 8AN
Phone: 0300 123 9000



Find out more about government services at www.gov.uk/dvsa

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  Any views or opinions presented may be those of the
originator and do not necessarily represent those of DVSA.

If you were not the intended recipient, you have received this email and
any attached files in error; in which case any storage, use,
dissemination, forwarding, printing, or copying of this email or its
attachments is strictly prohibited.  If you have received this
communication in error please destroy all copies and notify the sender
[and postmaster@dvsa.gsi.gov.uk ] by return email.

DVSA's computer systems may be monitored and communications carried on
them recorded, to secure the effective operation of the system and for
other lawful purposes.

Nothing in this email amounts to a contractual or other legal commitment
on the part of DVSA unless confirmed by a communication signed on behalf
of the Secretary of State.

It should be noted that although DVSA makes every effort to ensure that
all emails and attachments sent by it are checked for known viruses
before transmission, it does not warrant that they are free from viruses
or other defects and accepts no liability for any losses resulting from
infected email transmission.

Visit www.gov.uk/dvsa  for information about the Driver Vehicle and Standards Agency.
*********************************************************************


The original of this email was scanned for viruses by the Government Secure Intranet virus
scanning service supplied by Vodafone in partnership with Symantec.
(CCTM Certificate Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.

 

This all looks pretty genuine – they probably copied it verbatim with the exception of the “good afternoon”.

The payload is a Microsoft Word document with macros, but I’ve yet to figure out exactly what it’s doing. In the parlance of the security “industry” it’d be a zero-day exploit, but that’s not interesting. What did come as a bit of a surprise to me is that GSI doesn’t seem to bother with SPF records, which would have helped detect the fake. Bayesian analysis throws up nothing, and it’s coming from a clean IP address that has yet to be listed. The only things wrong with it are that there’s no reverse lookup, and no SPF on vosa.gsi.gov.uk to flag it as dodgy.

The civil service clearly hasn’t got this security business clear yet.

Is HSBC’s voice identification really secure?

I was woken by Radio 4 this morning with news that HSBC (and First Direct) will be rolling out voice identification software as a replacement for the “cumbersome” password-based system currently in use. I’ve been using this cumbersome system for more than twenty years, and I can’t say I have any problem with it – ten seconds and you’re in; and time has proven it reasonably secure.

But this new biometric “voice-print” system sounds a tad more dodgy to me. It comes from Nuance Communications, and apparently it checks over 100 unique identifiers in someone’s voice, including speed and behavioural features and maps the sound it’s hearing back to physical features such as the shape of the larynx and nose. The technology might be better remembered as Dragon Dictate from the 1990’s, although Nuance has been working on the biometric aspects for some time, and recently announced Santander was going to use it in Mexico.

I’m naturally suspicious of any biometric identification method apart from retinae scans, having looked at many such schemes over the years. They’re generally vulnerable to amounts to “replay” attacks. Fingerprint or face recognition can usually be fooled relatively simply with a picture of the real thing. So what’s to stop a replay recording of someone’s voice? Nothing, as far as I can tell.

When the BBC asked about recordings being played back they were told that any recording process would lose the subtleties of live speech, and the BBC seemed happy with that. Well I’m not! The way telephones work these days, your voice is sampled, encoded in to very few bps and sent. How is this going to look any different to a recording? You can store and repeat a section of telephone call digital data easily enough and it’s bound to be indistinguishable.

I can see some solutions – the system could ask you to repeat some random phrase back instead, and word recognition could determine whether you said the right thing after the biometric recognition matched the voice print. But this isn’t the answer the BBC got.

I’m awaiting more information…

HSBC had a bad January with cyber-attacks. Is this some ill-conceived scheme to try and change the news agenda?

 

TP-Link 8-Port Gigabit Smartswitch review

There’s a tendency with any well-designed network for someone to go and do something the designer didn’t expect. A single desk with a couple of wall ports suddenly needs three network printers and a couple of PCs and an IP camera, and you’ve run out of sockets. The easy answer is to bung in a desktop switch, but once you’ve done this you’ve lost control, and visibility, about what exactly is going on downstream of your managed switch port.

In recent years a few desktop managed switches have appeared, and I’ve been looking at a reasonably priced TP-Link 8-port Gigabit Easy Smart Switch (model TL-SG108E to be precise). TP-Link have an “Easy” smart switch, and a non-easy versions (such as the TL-SG2008). I’ve yet to get my hand on the latter. They also make a JetStream range of layer 2 “Light” Managed Switch, which have a couple of SPF slots even in the 8-port models. Confusingly, the “light” versions are actually the top-of-range models.

TP-Link kit started turning up in the UK several years ago, with appalling technical support and documentation. It did tend to work, and was keenly price. I’m happy to say that TP-Link has got its act together, with proper English documentation and apparent backup, although I have to say I’ve yet to invest in anything expensive enough to make calling on their customer service worthwhile.

Unpacking the Easy Smart Switch you find a the neatly made metal boxed switch, with a good quality feel about it. The PSU is the normal quality wall-wort type, delivering just under 1A. Cooling is by convection away from the metal box; there is no fan and no apparent need for one.

You can use this switch as self-configuring switch straight out of the box and it just works. Testing it unscientifically as a desktop switch, I’ve no complaints about the performance. I didn’t try aggregating the lines for an uplink or anything fancy, as chances are on a desktop you’ll only have one port talking to another at any one time.

After that it was time to manage it, and this is where I hit a snag. In spite of the box saying it was compatible with Windoze, Mac, Linux and so on, it turns out that you need to run some Windows-based software to do anything with it. Although it had port 80 open, the is no web management interface; and port 22 was there but lacked an SSH interface. In other words, it’s useless unless you are a Windows shop. According to TP-Link there is a version 2 of this switch which does sport proper web and SSH interfaces, but version 2 isn’t on sale  in the UK at time of writing.

If you find a Windows PC to run it, you can set the IP address over Ethernet or set it up for DHCP. Once it’s on the IP network the configuration utility can be used to configure various options and run diagnostics – and upgrade the firmware, which you may want to do immediately looking at the release notes on the TP-Link web site.

Useful features are port mirroring, rate setting and (if you can figure it out), various VLAN options in including port-based. You can throttle ports, view port statistics and run a cable diagnostic. One serious omission is that there is no way I could see to control the layer 2 routing – i.e. statically assign a MAC address to a particular port. Only dynamically learned MAC addresses are supported, which is what you get a dumb switch for.

There are a number of security and QoS options, such as storm control for ports. Whether this is going to be used on a small unstacked desktop switch is debatable. The VLAN options could be very useful as part of a more complex multi-switch network, giving granularity down to the desktop.

Another feature inherited from it’s larger siblings is link aggregation. You can bond up to four ports together for a high-speed uplink; but on a a 5 or 8-port switch, this really can’t be that useful, can it?

If you can live without the access control and incompatibility with anything non-Windows, the price of this switch makes it an excellent choice net to a dumb switch at about the same price. However, for a few pounds more you a get a TP-Link SG2008, which doesn’t seem to suffer these limitations – or indeed a D-Link model of similar specification. D-Link switches tend to be fast and trouble-free in my experience.

Pros: Have a managed switch at the same price as an unmanaged one.

Cons: Management features provided are less use on a small switch, especially as access control is missing. The management can only be done using a Windows utility – no web or SSH interface.

Conclusion: Spend a bit more on a better TP-Link model, or look at D-Link or Netgear.

 

Lincolnshire Council in £1M ransomware plot

Coat_of_arms_of_Lincolnshire_County_CouncilReports are that Lincolnshire Council has been shut down for four days because it’s been targeted by ransomware that has encrypted all its files. That they’ve been a victim of such a scam doesn’t surprise me – it’s all too common. What’s moving my eyebrows skyward is the fact that the criminals are asking for £1M to restore their data.

I’ve seen a lot of this before, and the criminals generally ask for a sum that it’s easier to pay than mess around trying to repair the damage. In other words, £500 is normal but £1M is not. For this to be credible, someone would have had to target them specifically, and come up with a plot to damage a lot of data in one go. This is possible if one PC has R/W access to a lot of files on a server, but for the criminals to expect to do this value of damage the council would have to be pretty incompetent and the criminals would have had to know this for certain. (What am I saying?)

From the BBC report there are a couple of interesting lines:

“The authority said it was working with its computer security provider to apply a fix to its systems.”

Hmm. So who is their computer security provider? If they have one that’s any good, the network would have been set up to avoid such wholesale damage. Serco took over the Council’s IT operations in April 2015. in a £70M+ deal. Whether the outsource company has outsourced the “security provision” is a little harder to know.

Further down the BBC article it says:

“Chief information officer Judith Hetherington-Smith said only a small number of files were affected.”

If that was true, restore them from a backup or take the hit – how can a small number of files be worth £1M?

Locking down the network after such an attack is a good idea, and this would disrupt office services for certain. But something just doesn’t add up here. It’s possible that the £1M ransom demand has been made up, to cover their embarrassment. Or it could just be sloppy journalism by the BBC – no facts checked and a story about some ransomware being blown out of all proportions. Serious news media haven’t had much to say on the subject. The Register has covered it, but has not repeated the £1M ransom claim.

Grant Shapps – need for speed?

Used with permission from http://www.communities.gov.uk/corporate/help/conditions/
Rt Hon Grant Shapps MP

People (e.g. the Guardian) are clearly out to get Grant Shapps MP, and given their bias you can see why. But he’s not helping with the publication of his recent report, which he and British Infrastructure Group of MPs have wittly titled “Broadbad” (PDF format).

It’s calling for Openreach to be made independent of the remainder of BT, in order for the public to get the “super-fast” broadband we need if we’re not to revert to the stone-age. They claim that BT has wasted 1.7Bn on rolling out this technological artery to rural areas, yet 5.7M household’s don’t have the “minimum required” speed of 10Mb.

I say wrong, wrong and wrong.

First off, Openreach hasn’t received 1.7Bn for the rural broadband project. It’s only received about a third of that, and it’s a project in progress.

Secondly, I’d dispute that 5.7M households have yet to be connected. This is based on an old Ofcom report using figures available before the project got under way.

Thirdly, the case for 10Mb+ Internet connections to homes  h as not been met. It’s justified because the UK will “lag behind” countries like Japan and South Korea. So what?

The UK lags behind the USA in gun crime; should we therefore relax restrictions on firearms ownership? “Lagging behind” per se does not matter a jot. Their justification as to why we need higher speeds amounts to “Ofcom have shown that as consumers get better download speeds, they consume more data”. No sh*t, Sherlock!

So what is this data people are consuming? Basically Netflix. Only video has the “need” for high throughput Internet connection, and although this might help the bottom line of OTT media providers, it’s hard to see any other economic benefits to anyone.

According to the report, Spain also has faster connections than our unlucky punters; so if they’re trying to correlate domestic broadband speeds with economic virility, they’ve shot their fox.

As I’ve said before, the whole concept is insane. Streaming video requires about 2Mbps. How many streams does a household need?

Most other high-usage domestic customers are, basically, pirating media. They need fast upload speeds for that, which aren’t really mentioned in the report. Why should the public purse be subsidising either OTT operators or pirates?

A few weeks ago I tackled someone from the Home Office about this crazy idea, and the reasoning behind it was more cynical than I thought. It’s only one civil servant’s opinion, but my contact has a pretty good idea about how government really works.

Consider all the infrastructure projects we could be working on; things that would benefit the country. There’s road and rail networks (HS2 is a drop in the ocean), the national grid, water supply and sewers. How about a sustainable transport network, as it’s a certainty we’re going to need one. All these cost serious money, with the exchequer hasn’t got. But the government has to be seen to be investing in infrastructure. The cheap option is to roll out mad-speed Internet. They can claim it’s needed for business; voters have no idea what a megabit of data can actually be used for. And the public want it. They don’t need it, but that’s not the point. They want it.

If you tell Mondeo Man his broadband is lagging behind the Spaniards, he’ll want something done about it. (If you tell him to wire up the house properly instead of using WiFi, it’d be in one ear and out the other.)

So, by making a fuss about broadband speeds and then demanding action from BT, and throwing relatively little money about, the government can look like it’s dealing decisively with a pressing issue.

As for Mr Shapps, he claims to have been in the Internet business before becoming an MP. He should know better, but it turns out he had a web development company so probably doesn’t know the difference between a kilobit and a megabit either. If only he’d asked.

How people get around the Netflix and iPlayer proxy block

The FSF thinks Netflix is wrong to protect artist’s right using DRM

Earlier this month at CES, Netflix’s chief product officer Neil Hunt stated that his company’s policy on subscribers accessing content over a VPN remained unchanged. That’s to say that they ask customers not to do it, as it can bust licensing restrictions on content. Neflix is probably the largest provider of streamed TV programmes around the world, now operating in a claimed 190 countries.

I’m not a fan of Netflix – they’re big campaigners for “Net Neutrality”, meaning that all content must be treated the same and ISPs can’t charge more or slow down particular traffic. As their content is not for the public good, and yet accounts for about  40% of the world’s public Internet traffic, they would say that, wouldn’t they? As media organisations such as the BBC (iPlayer) are in the OTT game, the fact that this is a business model where the bulk of the costs are paid for by all Internet users whereas the profits go to the streaming service is not generally mentioned in the popular press. In other words, they profit from the ISP’s investment without contributing anything back. Amazon Prime is another good example.

Anyway, the content that Netflix streams is licensed from content producers, who have good reasons for licensing it on a geographic basis. A TV programme broadcast in one country becomes harder to sell to networks abroad if it’s already available via streaming, and upsetting the status quo won’t be good for content producers. This will leading to less investment in good programming. Netflix is “campaigning” to change this, as though the public, including its customers, have some kind of rights that are being denied. It would, of course, help Netflix’s commercial interests if regional licensing didn’t exist – at least short-term.

That aside, I was amused to see that Neflix’s latest pronouncement, in a company blog post by David Fullagar (VP of Content Delivery Architecture) a week after the CES announcement, that it would now be clamping down on its customers use of proxies or VPNs to smuggle streamed data across boarders. One might surmise that the content providers, many of whom are also local broadcasters, didn’t appreciate Neil Hunt’s complacent sounding comments. The status quo he was defending was basically an weakly enforced contractual prohibition on its customers streaming through a proxy. A actual enforced ban would result in a loss of revenue to Netflix, or if you’re less cynical, would go against the company’s stated aim of “all content free to all (subscribers)”.

But in spite of the soothing words to calm the outrage of its content suppliers, what can Netflix actually do about this? How do you block your customers using a VPN?

It seems to me that it’s impossible to tell whether you’re sending UDP packets to an IP address that’s actually a VPN. It can’t be done. There can be any number of endpoints behind one IP address (an asymmetric NAT LAN), and any number of VPN connections to who-knows-where. And they’ll all appear as one IP address, and the traffic will be indistinguishable.

So how do streaming companies block VPNs now? By having a list IP addresses used by published ones, and that generally means commercial ones. Okay, that might work for the public/commercial VPNs. I shan’t be shedding too many tears if they’re blocked, because they’re making money out of license-busting, which is wrong.

But consider this. Supposing you pay the BBC for a TV license but live abroad for part of the year. You have a moral right to view the content you’ve paid for, and could do so using iPlayer. The only problem is that iPlayer may detect you’re outside the UK by your IP address, and stop you. The solution? Put a proxy server on the network in your house in the UK and connect to it when you’re abroad. I have evidence that this happens a lot.

This can also be done immorally. People in one country with relatives living abroad can set up such a proxy for their friends and relatives to use, and Netflix will be none the wiser. Even if Netflix did suspect an IP address of having too much traffic, what could they possibly do about it? Contact the owner and investigate? How would they even find the owner?

Many ISPs use dynamic addresses in order to charge more for a static one to business customers, with the effect that you don’t know who’s using what IP address today. If you do find a suspected VPN, tomorrow it’s IP address will have changed to one of millions, all used by normal domestic customers.

Finding the many small, private VPNs is going to be impossible. One method might be to probe an IP address to see if a VPN port was open. This is no proof that it’s in use, and no proof that it’s not used for one of the many purposes that a VPN was designed for. And even if they were to try it, it’s simple to restrict access to the VPN ports to your friends abroad. And besides, probing an IP address for an open port without permission is illegal.

The only other method I can think of that would work is to examine the traffic to/from an IP address and see if there’s a correlation between outgoing packets and incoming data from one of Netflix’s servers. But Netflix can’t do that; only an ISP has the technical ability to examine traffic on a particular subscriber’s line. And those are the ISPs that Netflix is abusing by loading them with 40% of their traffic without contributing to the cost. Good luck with that.

 

iZettle contactless payments on American Express (Amex)

Since I reviewed iZettle’s new contactless card reader there have been a few updates to the App, and after the initial teething problems I’m happy to report that it’s been working flawlessly hereabouts.

iZettle Bluetooth Card Reader
iZettle Bluetooth Card Reader

The latest update is to support contactless payments on American Express. This came as a bit of a surprise, as I assumed it already did! It just goes to show how important Amex is…

You need to do a firmware update. You get this by connecting to your tablet/phone and running the iZettle App. Then go to Settings/Card Readers and select Update. I’ll let someone else try it first, as I can live without the functionality for a while longer.

This does not, of course, work on the freebie iZettle reader – only the Bluetooth one that you pay money for. Don’t be cheap – it’s good!

This update means support for contactless covers Visa, MasterCard, Applepay and Amex. I have to say that I’ve yet to find a card in the UK it couldn’t use, one way or another.