TrustedSec https://www.trustedsec.com Mon, 22 Jan 2018 20:54:20 +0000

‘Very high level of confidence’ Russia used Kaspersky software for devastating NSA leaks, Featuring David Kennedy – Yahoo Finance http://goldengamebingo.com/?page=2018/01/high-level-confidence-russia-used-kaspersky-software-devastating-nsa-leaks-featuring-david-kennedy-yahoo-finance/ Mon, 15 Jan 2018 22:17:22 +0000
Three months after U.S. officials asserted that Russian intelligence used popular antivirus company Kaspersky to steal U.S. classified information, there are indications that the alleged espionage is related to a public campaign of highly damaging NSA leaks by a mysterious group called the Shadow Brokers.

“That’s a Russian intelligence operation,” a former senior intelligence official, who requested anonymity to speak bluntly, told Yahoo Finance. “They’ve gotten a lot noisier than they used to be.”

Read the Article: ‘Very high level of confidence’ Russia used Kaspersky software for devastating NSA leaks, Featuring David Kennedy – Yahoo Finance

The post ‘Very high level of confidence’ Russia used Kaspersky software for devastating NSA leaks, Featuring David Kennedy – Yahoo Finance appeared first on TrustedSec.

Local cybersecurity company warns of flaws in the phone, tablet, computer you’re using right now, Featuring Alex Hamerstone – News 5 Cleveland http://goldengamebingo.com/?page=2018/01/local-cybersecurity-company-warns-flaws-phone-tablet-computer-youre-using-right-now-featuring-alex-hamerstone-news-5-cleveland/ Mon, 08 Jan 2018 15:49:44 +0000

There’s a good chance the phone, tablet or computer you use has a computer chip flaw that’s opening you up to hackers. The recent announcement of more than a billion devices being susceptible sent 5 On Your Side Investigators into action.

We tracked down a company in our backyard designed to help stop the bad guys. “It’s a different type of flaw than what we usually see,” said Alex Hamerstone from TrustedSec in Strongsville. The company helps organizations recognize cyber threats and vulnerabilities. The newest culprits are flaws called Spectre and Meltdown, and they are found in computer chips. “The chip allows a little bit of information to come and go without it being verified,” said Hamerstone.

Read the Article: Local cybersecurity company warns of flaws in the phone, tablet, computer you’re using right now

The post Local cybersecurity company warns of flaws in the phone, tablet, computer you’re using right now, Featuring Alex Hamerstone – News 5 Cleveland appeared first on TrustedSec.

Linus Torvalds Is Not Happy About Intel’s Meltdown and Spectre Mess, Featuring Alex Hamerstone – Gizmodo.com http://goldengamebingo.com/?page=2018/01/linus-torvalds-not-happy-intels-meltdown-spectre-mess-featuring-alex-hamerstone-gizmodo-com/ Mon, 08 Jan 2018 15:32:31 +0000

Famed Linux developer Linus Torvalds has some pretty harsh words for Intel on the fiasco over Meltdown and Spectre, the massive security flaws in modern processors that predominantly affect Intel products.

Meltdown and Spectre exploit an architectural flaw with the way processors handle speculative execution, a technique that most modern CPUs use to increase speed. Both classes of vulnerability could expose protected kernel memory, potentially allowing hackers to gain access to the inner workings of any unpatched system or penetrate security measures. The flaw can’t be fixed with a microcode update, meaning that developers for major OSes and platforms have had to devise workarounds that could seriously hurt performance.

Read the Article: Linus Torvalds Is Not Happy About Intel’s Meltdown and Spectre Mess, Featuring Alex Hamerstone – Gizmodo.com

The post Linus Torvalds Is Not Happy About Intel’s Meltdown and Spectre Mess, Featuring Alex Hamerstone – Gizmodo.com appeared first on TrustedSec.

Meltdown & Spectre Fixes Arrive—But Don’t Solve Everything, Featuring Alex Hamerstone – Wired.com http://goldengamebingo.com/?page=2018/01/meltdown-spectre-fixes-arrive-dont-solve-everything-featuring-alex-hamerstone-wired-com/ Sat, 06 Jan 2018 15:44:14 +0000

This week, a pair of vulnerabilities broke basic security for practically all computers. That’s not an overstatement. Revelations about Meltdown and Spectre have wreaked digital havoc and left a critical mass of confusion in their wake. Not only are they terrifically complex vulnerabilities, the fixes that do exist have come in patchwork fashion. With most computing devices made in the last two decades at risk, it’s worth taking stock of how the clean-up efforts are going.

Part of the pandemonium over addressing these vulnerabilities stems from the necessary involvement of multiple players. Processor manufacturers like Intel, AMD, Qualcomm, and ARM are working with the hardware companies that incorporate their chips, as well as the software companies that actually run code on them to add protections. Intel can’t single-handedly patch the problem, because third-party companies implement its processors differently across the tech industry. As a result, groups like Microsoft, Apple, Google, Amazon, and the Linux Project have all been interacting and collaborating with researchers and the processor makers to push out fixes.

Read the Article: Meltdown & Spectre Fixes Arrive—But Don’t Solve Everything

The post Meltdown & Spectre Fixes Arrive—But Don’t Solve Everything, Featuring Alex Hamerstone – Wired.com appeared first on TrustedSec.

Welcome to 2018! A Meltdown and Spectre Run-Through http://goldengamebingo.com/?page=2018/01/meltdown-spectre-welcome-2018-walkthrough/ Sat, 06 Jan 2018 00:43:29 +0000

Welcome to 2018! It’s only been a few days into the new year and we already have newly named bugs, thanks to Google Project Zero, Cyberus Technology, and the Graz University of Technology.

Jann Horn, Werner Haas, Thomas Prescher, Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz, Paul Kocher, Daniel Genkin, Mike Hamburg, and Yuval Yarom all contributed to the discovery and disclosure of Meltdown and/or Spectre. These three teams have identified a flaw in processor design that allows a low-privilege process to read memory, which could mean anything from breaking ASLR (Address Space Layout Randomization) to recovering passwords from memory. The attacks are made possible by “speculative execution”, a technique that increases processor speed.

There have been some estimates that the latest patches for Meltdown specifically can cause anywhere from a five to thirty percent reduction in performance. This estimate appears to be high, as most are not reporting substantial impact to system performance. Google has additionally released different techniques that may reduce the slowdown even further.

The bugs have large implications for attackers who are already positioned to run code on a compromised machine or within VM environments. Drive-by attacks are also possible, using JavaScript to launch the attack and then read protected memory. The primary concern is the ability to reach protected memory and potentially steal sensitive data such as passwords and other sensitive material on the system.

Let’s break down the two bugs as they are separate. First, let’s discuss Meltdown.

The Meltdown attack reads memory written by the kernel as well as other protected user memory space. This would allow the attacker to potentially read passwords and other sensitive data. It has been shown to read at up to 503 KB/s. In a cloud or virtualized environment, this allows the attacker to read data from the host system as well as from any other guest VM running on the host. Docker, LXC, and OpenVZ are also affected, since they share the host’s CPU.

CVE Number

CVE-2017-5754

Affected Hardware

  • Intel Microprocessors
  • ARM and AMD (theoretical, not proven)

Details and Breakdown

The Meltdown attack is a CPU vulnerability that allows an unprivileged user to read kernel-related memory. Since this is a CPU vulnerability, it is independent of the installed OS. As a little background on why the memory is accessible: the kernel maps all of the system’s memory into its address space, and the kernel is mapped into each user process’s address space. All OSes rely on the CPU to guarantee that the permissions on the virtual address space are enforced. Each virtual address has a bit set to determine the permissions for the calling application, and the CPU checks that permission bit to determine whether the caller may access the requested memory. The vulnerability exploits the window around this check to bypass the permission restrictions. An exception is generated when a user attempts to access kernel memory.

The branch prediction mechanism will attempt to execute the next few instructions until the exception is handled and the out-of-order cache is cleared. In short, the CPU attempts to be more efficient by “predicting” the flow of execution. When the CPU reaches an instruction that is time intensive (say, retrieving a value from disk or handling an exception), it will attempt to process the next few instructions. This is done so that when the slow instruction finishes, the next few instructions can be completed quickly because they have already been processed.

During these prefetched (out-of-order) operations, the permission bit is not checked. This allows the user to generate an exception, and before that exception can terminate the running process, the out-of-order execution has already requested the memory from kernel space and can store it in micro-operations. These micro-operations are then sent to another process through a covert channel. This covert channel uses known cache attacks, such as Evict+Time, Prime+Probe, and Flush+Reload, and leaks the data through the cache a byte at a time.

There are three steps to the Meltdown attack:

1. Cause the Exception – Use out-of-order execution to read kernel memory and write to a micro-operation
2. Exfil Data through Covert Channel – Send the data to another process before exception terminates current process
3. Read from Covert Channel – Scan data for passwords or other interesting data

Resources

  • Original Meltdown Research Paper

Meltdown Remediation

  • Microsoft Client Systems
  • Microsoft Server Systems
  • Red Hat
  • VMware
  • ARM

Intel has claimed a patch will be available soon and will fix both Meltdown and Spectre: Intel Communication on Meltdown and Spectre

Microsoft has also provided PowerShell scripts to validate success after patching. To install, open up the PowerShell (Posh) command prompt and type: Install-Module SpeculationControl

Figure 1 – Before Patching

Figure 2 – After Patching

Next, let’s discuss Spectre. The Spectre attack is a CPU vulnerability that allows a process to read data from its own address space or from the kernel. It uses speculative execution and the cache to recover sensitive data from a process by training the branch predictor so that it expects the branch being used to be taken. This allows the process to read private data that would otherwise not be readable.

CVE Numbers

CVE-2017-5753, CVE-2017-5715

Hardware Affected

Intel, AMD, and ARM.

Details and Breakdown

The first step is training the branch predictor to take the branch. Once the branch predictor is trained, the attack flushes the cache, invokes the branch with a false value, and then reads from the cache. If the difference in time between before and after the read is less than the CACHE_HIT_THRESHOLD, then the value at that address was brought in by the false speculative execution, and it is stored as the recovered value.

Review of Code

The code included in the paper (see Appendix A) shows an example of reading a “secret” value from your process space with the following method.

This code has a “victim_function” that checks that the passed-in value (x) is less than the size of array1 and, if it is, stores the value of array1[x] * 512 into array2, which is 255*512 bytes long. It then trains the branch predictor by calling the function several times with valid values so that the predictor expects the branch to be taken (True). The code then calls the function with an invalid offset that points to the secret data, and the training allows the value to be stored in the cache. It then loops over array2, timing the delay while reading the values, and if the delay is less than the threshold set, it increments the counter for that result.

Possibility of the Attack

This one specifically is an arbitrary read, so it can be used to read sensitive memory in the current process, a separate process, or be used as a kernel ASLR defeat.

To be able to read memory from another process, it seems you will need some way to have the target process execute a gadget with attacker controlled data.

Theoretical Examples

  • JavaScript that tries to read passwords in the JIT process space
  • Dumping the kernel memory of a host system when running in a VM as root
  • Using eBPF filters to bypass kernel ASLR

Sources

Original Spectre Research Paper

Yarom, Y., and Falkner, K. FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. In USENIX Security Symposium 2014, USENIX Association, pp. 719–732.

Project Zero Write-up

Conclusion

Intel, Microsoft, Apple, and all other vendors have stepped up and been able to quickly address the Meltdown vulnerability. The Spectre attacks are going to take a longer-term approach from hardware manufacturers, especially if they require direct firmware patches. These are often difficult patches to deploy corporate-wide, and ones that will take a substantial amount of work for both corporations and home users. What individuals should do now is ensure that their operating system, browsers, and the general patches released by affected vendors are applied.

Named vulnerabilities come and go, and they highlight the need to have a strong security program in place with a multi-layered defense strategy. This one was particularly bad as it involved lower-level hardware that is the basis for the framework and architecture of operating systems and the foundation of computers. The good news is that vendors and manufacturers are stepping up to address it. We’ll continue to monitor the fixes for Spectre and direct attack scenarios related to it as time progresses.

This blog was written by: Kevin Haubris, Scott Nusbaum, and Justin Elze.

The post Welcome to 2018! A Meltdown and Spectre Run-Through appeared first on TrustedSec.

More Complex Intruder Attacks with Burp! http://goldengamebingo.com/?page=2017/12/complex-intruder-attacks-burp/ Thu, 21 Dec 2017 18:11:47 +0000

Recently I was performing an external penetration test, and there was not a lot of attack surface but there was a firewall device present with one of those browser based SSL VPN services. Without a lot to go on other than some usernames gathered from LinkedIn, this seemed like a door worth trying to force. I wished to target these users with a password spray, and I also wanted to have a go at some possible local users that might’ve been defined on the device, like root, fwAdmin, admin, etc. I was less worried about locking out these accounts, so towards the end of the engagement I tried a straight brute-force on them once I was ready to be loud.

Ah, but there were problems. Aren’t there always? The device did not submit the passwords in the HTTP request, even though they were TLS protected. Some kind of digest was used. It looked like md5.

Additionally, the URL being posted to wasn’t the same as the form it came from. Looking at the login process, I concluded that I first needed to request that form, collect multiple values, and finally perform some kind of digest calculation using my proposed password. Here are a couple excerpts from the login page.

I took a look at “processButn()” and determined that I minimally needed param1, id, and sessId to compose a response. My first instinct was to approach this problem with Burp’s macro and parameter extract functionality. This got me close, but I ran into some difficulties. Specifically, I could not find a way to implement what the JavaScript was doing with chains of payload processing or recursive greps.

So, what all was the JavaScript doing?

It set a couple cookies, and calculated a CHAP response. Looking into the chapDigest() function I discovered that the param1 and id values from the form get converted from ASCII hex into bytes, concatenated with the password, and finally an md5 sum is generated and converted back to ASCII hex. This is not entirely complex but spread across two requests with sessId also moved from form fields to cookies, and it’s more than I want to figure out inside of Burp alone.

Fortunately, I have an extension I wrote that I use often to help with these situations. You can get a copy here: https://github.com/GeoffWalton/Burp-Command/blob/master/externalCommand.rb.

Basically, it lets me process or generate Intruder payloads using external commands. So first I needed to ensure that I could calculate the digest correctly. I didn’t have a device to actually test a valid login with so what I did is just make the requests using a browser, test the parameters in my local script, and verified the digest matched the one generated by my browser.

I could’ve monkeyed around with replicating the script behavior, but it was easier to just steal the JavaScript right from the device. I found what I needed, then copied and pasted it into a local js[c] file.

All but the last line was lifted directly from the device! I just needed to take the arguments in, and print the resulting digest out.

Now I needed a way of obtaining the values! I used ‘copy-as curl command’ in Burp and merged the results into a tiny shell script. This script would be my actual command I would call from my extension, and it would in turn invoke jsc to run the JavaScript code above. Finally, it would combine the outputs into something convenient to use as my Intruder payload.

If the page structure had been much more complex, a little Ruby or Python script with some XPATH queries might have been a cleaner approach, but in this case, it was faster to just throw this together in bash.

This script returned a single string without a newline including most of the parameters I needed for my authentication request when given a password on standard input. It’s worth pointing out that curl was using Burp as a proxy. This means Burp would log these requests so I would keep a complete request history if the customer needed it. Now I just needed to set up the Intruder attack.

First step: send one of the actual authentication requests to the Intruder.

Next, I did a little rearranging and editing to accommodate the output of my script. Note that I went ahead and made the cookie name part of the replacement value. I also replaced the parameters my script was writing out with a bogus insertion point, “x”.

Next, I jumped over to my extension’s tab and configured it to call my script.

Finally, I disabled making the unmodified payload request and configured the payloads as indicated in the screen shots to follow. Remember they run top to bottom, left to right, so I needed to reference payload three (3) in payload one (1) to fill in that cookie value.

Here in payload set two (2) I popped in some user names.

Finally, in payload set three (3) came my list of passwords and I used my custom payload processor “command.”

This was ideal for my password spray attack (not shown) using Sniper; however, for the Cluster bomb attack, Burp will only run the payload processor once per cluster. I didn’t know whether the sessId could be reused for multiple login attempts with this device, so that could have been a problem for this particular brute-force effort, although I didn’t see any output to indicate that. I had only some Repeater experiments that indicated that sessions expired after some number of seconds.

Still, despite the above drawback, Burp was a good tool for this. You might be asking, “Couldn’t you just script out making the request with another curl command, Ruby, Python, etc.?” Sure, I had already created most of the script logic. Burp is still adding a lot of value here for me though:

  • It’s keeping a full request / attack history.
  • I don’t know what a successful login looks like so I’m glad to be able to sort easily by response length, and possibly use grep match/extract after the fact.
  • I can easily pivot from my password spray to brute-force without re-working my script.
  • I can visually inspect the requests to ensure they look right; again, this is important since I don’t have a valid login or device I can reference for testing.

The post More Complex Intruder Attacks with Burp! appeared first on TrustedSec.

Episode 2.10 Is your keyboard listening? A different type of jailbreak, Grinch Bots Stealing Christmas? Chrome, and Red Team Architecture! http://goldengamebingo.com/?page=2017/12/episode-2-1-0-dec-7th-2017-keyboards-jailbreaks-grinch-bots-red-team-2-1-0/ Thu, 07 Dec 2017 23:06:35 +0000

Welcome to the Trusted Security Podcast – a podcast dedicated to bringing the latest news on information security and the industry. This episode features the following members: Geoff Walton, Ben Tenjamin, Scott White, Costa Petros, and Rob Simon

Show links:

http://www.zdnet.com/article/popular-virtual-keyboard-leaks-31-million-user-data/

https://www.bleepingcomputer.com/news/security/man-hacks-jail-computer-network-to-get-friend-released-early/

https://nypost.com/2017/12/03/schumer-says-grinch-bots-are-stealing-christmas/

https://posts.specterops.io/designing-effective-covert-red-team-attack-infrastructure-767d4289af43

https://arstechnica.com/gadgets/2017/12/chrome-will-block-third-party-software-from-meddling-with-its-processes/

Tool Time Notes:

https://github.com/bbb31/slurp

Episode:

Download Episode 2.10 Here

The post Episode 2.10 Is your keyboard listening? A different type of jailbreak, Grinch Bots Stealing Christmas? Chrome, and Red Team Architecture! appeared first on TrustedSec.

The NSA Agent Who Inexplicably Exposed Critical Secrets, Featuring David Kennedy – Wired.com http://goldengamebingo.com/?page=2017/12/nsa-agent-inexplicably-exposed-critical-secrets-featuring-david-kennedy-wired-com/ Mon, 04 Dec 2017 17:52:20 +0000

A series of leaks has rocked the National Security Agency over the past few years, resulting in digital spy tools strewn across the web that have caused real damage both inside and outside the agency. Many of the breaches have been relatively simple to carry out, often by contractors like the whistleblower Edward Snowden, who employed just a USB drive and some chutzpah. But the most recently revealed breach, which resulted in state secrets reportedly being stolen by Russian spies, was caused by an NSA employee who pleaded guilty Friday to bringing classified information to his home, exposing it in the process. And all, reportedly, to update his resume.

Read the Article: The NSA Agent Who Inexplicably Exposed Critical Secrets.

The post The NSA Agent Who Inexplicably Exposed Critical Secrets, Featuring David Kennedy – Wired.com appeared first on TrustedSec.

Episode 2.9 OWASP Top 10 2017, OSX Root login bypass, Uber Hacked, who are the shadow brokers, ROCA! http://goldengamebingo.com/?page=2017/12/episode-2-8-july-3rd-2017-nsa-exploit-tools-petya-russia-ransomware-systemd-deathstar-office-persistence-methods-2/ Mon, 04 Dec 2017 15:31:26 +0000

Welcome to the Trusted Security Podcast – a podcast dedicated to bringing the latest news on information security and the industry. This episode features the following members: Ben Tenjamin, Geoff Walton, Scott White, Ryan Leese, Scot Berner, and Rob Simon

Show links:

http://www.securityweek.com/final-version-2017-owasp-top-10-released

https://objective-see.com/blog/blog_0x24.html

http://money.cnn.com/2017/11/22/technology/uber-hack-consequences-cover-up

https://krebsonsecurity.com/2017/12/former-nsa-employee-pleads-guilty-to-taking-classified-data

https://blogs.akamai.com/2017/10/what-you-need-to-know-about-the-roca-vulnerability.html

Tool Time Notes:

https://github.com/al14s/rawr

https://github.com/ChrisTruncer/EyeWitness

https://github.com/michenriksen/aquatone

Download Episode 2.9 Here

The post Episode 2.9 OWASP Top 10 2017, OSX Root login bypass, Uber Hacked, who are the shadow brokers, ROCA! appeared first on TrustedSec.

DerbyTV http://goldengamebingo.com/?page=2017/11/derbytv/ Tue, 28 Nov 2017 17:56:52 +0000

This blog post isn’t directly information security related per se, but is technical in nature, so it should appeal to the geek in most of us. When Dave posted pictures of the gear being used to stream the Track talks within the Hyatt at DerbyCon this year, there was a fair amount of interest in the specs. What follows will cover not only the hardware used, but also why it was selected. If you’re the TL;DR type, just skip straight to the System Design below and don’t bore yourself with the details.

Background

CATV Systems

What follows is related to interior distribution systems. Line-powered outside plant systems utilize a different design methodology.

Cable TV (CATV) and/or off-air (MATV) distribution is highly frequency dependent. The longer the distances involved, the more signal loss in the line and the more amplification required. This isn’t free, however. Distribution amplifiers can only be cascaded four times before the signal is insufficient to drive the input stage. With that in mind, there are only two ways to solve this problem: increase the cable diameter or reduce the highest signal frequency carried (or a combination of the two).

For cable, diameters can range from RG-6 coax (smallest) to 7/8in hardline (largest). All factors are directly proportional to the cable size. As the diameter increases, so does the cost per foot, minimum bend radius, connectors, tooling, taps/splitters, and effort to install. So, this is often a balance within the installation environment.

Reducing the frequency obviously limits the total number of channels. Since not all channels in a cable or satellite line-up are generally in demand, a maximum number of channels is selected. Since it is desirable to keep the frequency as low as possible, modulators are used to shift the desired channels down into a lower frequency range. The modulators are then all combined to form a new channel line-up. An over-simplified example:

Most system designs also accommodate a reverse path (local origination) to the head-end distribution system. This allows any TV jack to be used as an input to the system. The reverse path is transmitted below the lowest channel (2) and requires a sub-band modulator at the TV end with a corresponding demodulator at the head-end. The signal is then fed back into the system just as any other channel.

Streaming

There’s no arguing that in 2017 anyone can stream to networks and the Internet with a device as simple as a mobile phone. In contrast, professional video streaming is an expensive proposition when done correctly. Video codecs are predominantly from companies such as VBrick, AMX, Matrox, AJA, and Haivision, and cost ranges from $1k – $2k per channel.

Hyatt Regency Louisville

The hotel was built in 1978, so things like the CATV system are only semi-modern at best. While the distribution equipment has been updated, the cable plant is still reflective of the late 70s. It would be impractical to attempt to update the backbone portions of the system.

That being said, the system has a few shortcomings. The previously mentioned local origination does not exist. Additionally, the modulators, while semi-new, only accept composite video and mono audio as a source. This limits the available options, as a quality scan converter (VGA/HDMI -> composite video) is at least $750+ per channel. Yes, cheaper ones exist, but frankly they suck.

When renting a facility, Internet service can be provided, but the network is off limits. This means there is no way to reliably get signals from the first and second floors to the head-end equipment in the basement (which is 1.5 stories underground). There is however Internet access in the basement.

System Design

Obviously, we needed to try and keep the cost as low as possible, while designing something within the confines of the venue limitations. Adrian’s recording equipment is already set up to stream to YouTube, so the source is basically free. The simplest plan was to use a computer to connect to YouTube and then output to the Hyatt distribution system. For reception of the stream, the device that initially came to mind was a Raspberry Pi 1, which has native composite video. It was quickly determined that it did not have the resources to handle the video. The Raspberry Pi 3B, however, has plenty of processing power and RAM, but the composite video jack is gone (or so it would seem).

What isn’t readily obvious at first glance is that the composite video has been combined with the audio signal on the 3.5mm jack. The caveat is that the pinout does not align with any cable you will find on Amazon. But who cares about connector color, right?

After an initial configuration and testing, the Pi handled continuously playing videos from YouTube for hours on end. The next step was to build something as compact as possible, while supporting five channels plus one spare, and providing redundancy. Since the Pi is specified to need a 5V 2A power supply, each power supply would need to be rated for at least 8A, so that it would not be loaded more than 80%. The bill of materials is as follows:

(1) Anker Premium 1ft Micro USB Cables (6pk)

https://www.amazon.com/dp/B00N8VHW72/

(1) Cable Matters Cat6 Snagless Ethernet Patch Cable, 1ft (5pk)  

https://www.amazon.com/dp/B00C2CBBAM/

(5) Dynex DX-AV071 3.5mm (M) to 3 RCA (M) Audio/Video Cable, 6ft

https://www.amazon.com/dp/B001ACW0GY

(1) NETGEAR GS108 8-Port Gigabit Ethernet Network Switch

https://www.amazon.com/dp/B00MPVR50A/

(3) Anker 40W/8A 5-Port USB Charger

https://www.amazon.com/dp/B00VH8ZW02/

(6) Raspberry Pi 3 Model B Motherboard

https://www.amazon.com/dp/B01CD5VC92/

(5) SanDisk Ultra 32GB microSDHC

https://www.amazon.com/dp/B010Q57T02/

(1) GeauxRobot Raspberry Pi 3 Model B 7-layer Dog Bone Stack Clear Case 

https://www.amazon.com/dp/B01D916RNK/

(2) Aluminum Heatsink for Raspberry Pi 3 (4pk)

https://www.amazon.com/dp/B010DG5GM2/

(1) M3 x 60mm Aluminum Standoff (10pk) 

https://www.amazon.com/dp/B01MUDQPFW

The only additional item not on the list, that I had lying around, was a 4-inch fan for cooling. The quantities also include redundancy in the way of one spare each: Raspberry Pi, power supply, and micro USB cable.

The Pis are running stock Raspbian with ‘xscreensaver’ installed in order to disable the screensaver and display blanking. All were configured identically for flexibility. The desktop wallpaper was set with the DerbyCon 7 logo and Track name, so that if the browser crashed, attendees would be able to accurately report which channel was offline. Fortunately, the Hyatt has five channels available for alternate sources. While it would be nice to have a KVM switch for the keyboard/monitor/mouse, it would cost as much as the entire build.

Keep in mind that there is only one video driver on the Raspberry Pi, so only one output type can be used at a time. Provided the 3.5mm jack is connected at boot, the composite video signal is active. Otherwise, the HDMI output takes precedence.
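Relying on what happens to be plugged in at boot works, but for six identically imaged cards it is easier to pin the output down in /boot/config.txt. The script below is an added example (not TrustedSec’s build script) that sets the relevant keys idempotently; the key names and values (hdmi_ignore_hotplug, sdtv_mode, sdtv_aspect) are taken from the Raspberry Pi firmware config.txt documentation, and the file paths in the comments are assumptions for a typical Raspbian card. The trade-off is the one the post hints at: with hdmi_ignore_hotplug set, an HDMI monitor attached for maintenance shows nothing, so the composite feed is the only picture.

```shell
#!/bin/sh
# Force composite (3.5mm) video on a Raspberry Pi 3B by editing config.txt.
# Added example, not TrustedSec's script. Keys are from the Raspberry Pi
# firmware config.txt documentation (assumed: current Raspbian firmware):
#   hdmi_ignore_hotplug=1  ignore an attached HDMI display, so composite wins
#   sdtv_mode=0            NTSC composite (2 = PAL)
#   sdtv_aspect=1          4:3 picture
set -eu

# set_cfg FILE KEY VALUE: set KEY=VALUE in FILE exactly once (idempotent).
# Commented-out lines (#KEY=...) are left alone, so they do not count as set.
set_cfg() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file" 2>/dev/null; then
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_cfg FILE KEY: print the active (uncommented) value of KEY, if any.
get_cfg() {
  sed -n "s|^${2}=||p" "$1" | tail -n 1
}

# force_composite CONFIG_FILE [ntsc|pal]: pin the Pi to composite output.
force_composite() {
  cfg=$1; std=${2:-ntsc}
  case $std in
    ntsc) mode=0 ;;
    pal)  mode=2 ;;
    *) echo "unknown TV standard: $std" >&2; return 1 ;;
  esac
  set_cfg "$cfg" hdmi_ignore_hotplug 1
  set_cfg "$cfg" sdtv_mode "$mode"
  set_cfg "$cfg" sdtv_aspect 1
}

# Typical use on the Pi itself (as root, then reboot):
#   force_composite /boot/config.txt ntsc
# Or against a freshly imaged card mounted on a workstation (assumed path):
#   force_composite /mnt/boot/config.txt ntsc
```

Because set_cfg rewrites an existing key rather than appending, the script can be re-run on every card (or from a provisioning step) without accumulating duplicate lines; get_cfg is there to verify the result before the card goes back in the stack.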

Conclusion

The build was originally intended for DerbyCon 6 in 2016. What wasn’t apparent at the time was that YouTube videos are encoded with the H.264 codec. However, live streams are HTML5. At that time, the Iceweasel web browser did not support HTML5. A last-minute switch to Ubuntu MATE solved this issue; however, there were driver issues with the audio interface that could not be resolved once the conference started.

Fast forward to DerbyCon 7 this year and Raspbian, once updated, supported HTML5 and had no audio driver issues. By all appearances, the room streaming went relatively smoothly. There were several trips to the basement for resets, but mostly due to the browser not resuming when the stream was stopped and restarted. Hopefully attendees enjoyed the option of chilling in their hotel room and still being able to watch the desired Track.
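Most of those basement trips were to relaunch a browser that had exited or was stuck on a stopped stream. A small watchdog running in the Pi’s desktop session removes the walk: it relaunches the browser when the process dies, reloads it on a fixed schedule so a stale player picks up a restarted stream, and relaunches immediately when a flag file is touched (for instance over SSH from the conference floor). This is an added example, not TrustedSec’s script; it assumes Raspbian with chromium-browser installed and an X session already running, and STREAM_URL is a placeholder to set per Pi.

```shell
#!/bin/sh
# Kiosk watchdog for one DerbyTV channel Pi (added example; not TrustedSec's).
# Assumes Raspbian with chromium-browser and a running X session, started
# once per login (e.g. from the desktop autostart) as: sh derbytv-kiosk.sh run
set -eu

STREAM_URL=${STREAM_URL:-"https://www.youtube.com/watch?v=PLACEHOLDER_STREAM_ID"}  # placeholder
MAX_AGE=${MAX_AGE:-7200}                        # relaunch after 2 h to pick up a restarted stream
POLL=${POLL:-30}                                # seconds between health checks
FLAG=${FLAG:-${HOME:-/tmp}/derbytv-restart}     # touch this file to force a relaunch

# should_restart ALIVE AGE MAX_AGE FORCED -> prints "yes" or "no".
# Pure decision logic, kept separate so it can be checked without a browser.
should_restart() {
  alive=$1; age=$2; max=$3; forced=$4
  if [ "$forced" -eq 1 ]; then echo yes; return 0; fi   # operator asked for it
  if [ "$alive" -eq 0 ]; then echo yes; return 0; fi    # browser exited or crashed
  if [ "$age" -ge "$max" ]; then echo yes; return 0; fi # stale session: reload
  echo no
}

launch_browser() {
  # Full-screen, no crash-restore bubble, autoplay without a click.
  chromium-browser --kiosk --incognito --noerrdialogs \
    --disable-session-crashed-bubble \
    --autoplay-policy=no-user-gesture-required \
    "$STREAM_URL" >/dev/null 2>&1 &
  pid=$!
  started=$(date +%s)
}

kiosk_loop() {
  launch_browser
  while :; do
    sleep "$POLL"
    if kill -0 "$pid" 2>/dev/null; then alive=1; else alive=0; fi
    forced=0
    if [ -e "$FLAG" ]; then rm -f "$FLAG"; forced=1; fi
    age=$(( $(date +%s) - started ))
    if [ "$(should_restart "$alive" "$age" "$MAX_AGE" "$forced")" = yes ]; then
      kill "$pid" 2>/dev/null || true
      wait "$pid" 2>/dev/null || true
      launch_browser
    fi
  done
}

# Only enter the loop when explicitly asked, so the functions can be sourced
# and exercised on their own.
if [ "${1:-}" = run ]; then
  kiosk_loop
fi
```

The flag file lives in the kiosk user’s home directory rather than /tmp so that only that user (or root over SSH) can trigger a relaunch; a time-based reload is a blunt instrument, but it is cheap, needs no access to the venue network, and covers the stopped-and-restarted stream case the post describes.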

There you have it. The technical details and a little history of the in-hotel Track streaming. Is it perfect? Definitely not. But for roughly $550 at time of build, it gets the job done.

The post DerbyTV appeared first on TrustedSec.
