security

Spectre is here to stay

As a result of our work on Spectre, we now know that information leaks may affect all processors that perform speculation…. Since the initial disclosure of three classes of speculative vulnerabilities, all major [CPU] vendors have reported affected products…. This class of flaws are deeper and more widely distributed than perhaps any security flaw in history, affecting billions of CPUs in production across all device classes.

From Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, and Toon Verwaest (all of Google) in Spectre is here to stay; An analysis of side-channels and speculative execution. They continue:

» about 300 words

Bare metal clouds are hard

The problem, explains Eclypsium, is that a miscreant could rent a bare-metal server instance from a provider, then exploit a firmware-level vulnerability, such as one in UEFI or BMC code, to gain persistence on the machine, and the ability to covertly monitor every subsequent use of that server. In other words, injecting spyware into the server’s motherboard software, which runs below and out of sight of the host operating system and antivirus, so that future renters of the box will be secretly snooped on.

Indeed, the researchers found they could acquire, in the Softlayer cloud, a bare-metal server, modify the underlying BMC firmware, release the box for someone else to use, and then, by tracking the hardware serial number, wait to re-provision server to see if their firmware change was still intact. And it was. BMC is the Baseband Management Controller, the remote-controllable janitor of a server that has full access to the system.

» about 500 words

Hard solutions to container security

The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host.

From Aleksa Sarai explaining the latest Linux container vulnerability.

To me, the underlying message here is: Containers are Linux.

From Scott McCarty washing his hands of it.

Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.

From the Kata Containers website. The project is intended to be “compatible with the OCI specification for Docker containers and CRI for Kubernetes” while running those containers in a VM instead of a namespace.

The future of Kubernetes is Virtual Machines, not Containers.

From Paul Czarkowski, discussing multitennancy problems and solutions for Kubernetes.

The day-to-day drudgery of state sponsored hacking

After a review of bids and testing the capabilities of some of the exploits offered, the team decided to build its own malware. “This is the only inexpensive way to get to the iPhone, except for the [Israeli] solution for 7 million and that’s only for WhatsApp,” explained one team member in a message. “We still need Viber, Skype, Gmail, and so on.” The same was true of the Android and Windows malware and the back-end tools used to manage the campaign. Rather than using zero-day exploits, the organization relied on a combination of physical access, spear-phishing, and other techniques to inject its espionage tools onto the targeted devices.

From Sean Gallagher in ArsTechnica on the details leaked from a state sponsored malware effort.

Solving Problems In Secret

Matt Blaze computer and information science at University of Pennsylvania and blogs about security at Exhaustive Search. His recent post on mistakes in spying techniques, protocols, and hardware caught my interest: Indeed, the recent history of electronic surveillance is a veritable catalog of cautionary tales of technological errors, risks and unintended consequences. Sometime mishaps lead […] » about 400 words

SSH Tunneling Examples

Most of my work is available publicly, but some development is hosted on a private SVN that’s hidden behind a firewall. Unfortunately, my primary development server is on the wrong side of that particular firewall, so I use the following command to bridge the gap: ssh -R 1980:svn_host:80 username@dev_server.com That creates a reverse tunnel through […] » about 200 words

Evil Evil klaomta.com

A quick Google search of klaomta.com reveals more than a few people wondering why it’s iframed on their websites. The answer is that the site has been compromised.

Unfortunately for the fellow who asked me the question at WordCamp, solving the problem can be a bit of a chore. Keeping your WordPress installation up to date is important, as there are some known security flaws in older versions, but most of the attacks that crackers use are targeted elsewhere. Your passwords, all your server apps, the PHP config, your hosting control panel, and other users all must go under the microscope when trying to find security holes.

Crime vs. Highways. Or, Internet Security Is A Social (Not Technical) Problem

Stefan Savage, speaking in a segment on March 13’s On The Media, asked: The question I like to ask people is, what are you going to do to the highway system to reduce crime. And when you put it that way, it sounds absolutely ridiculous, because while criminals do use the highway, no rational person […] » about 400 words

Fly Safe, Fly Without ID

This is an old one, but because I’m in the air again today it’s worth digging up this up. Defense Tech long ago pointed out The Identity Project‘s position on showing ID for air travel:

If a 19 year-old college student can get a fake ID to drink, why couldn’t a bad person get one, too? And no matter how sophisticated the security embedded into the ID, wouldn’t a well-financed terrorist be able to falsify that, too? The answer to both questions is obviously ‘yes’.

Honest people, on the other hand, go to Pro-Life rallies. Honest people go to Pro-Choice rallies, too. Honest people attend gun shows. Honest people protest the actions of the President of the United States. Honest people fly to political conventions. What if those with the power to put people on a ‘no fly’ list decided that they didn’t like the reason for which you wanted to travel? The honest people wouldn’t be going anywhere.

Plugin Options Pages in WordPress 2.7

WordPress 2.7 requires that plugins explicitly white list their options using a couple new functions. WordPress MU has required this security measure for a while, and it’s nice to see an evolved form of it brought to the core code. [Migrating Plugins and Themes to 2.7][1] article in the codex offers some guidance, but here’s how it works:

First, register each option for your plugin during the admin_init action:

``` function myplugin_admin_init(){ register_setting( 'my-options-group', 'my-option-name-1', 'absint' ); register_setting( 'my-options-group', 'my-option-name-2', 'wp_filter_nohtml_kses' ); } add_action( 'admin_init', 'myplugin_admin_init' ); ```

In the example above, the value for my-option-name-1 will be filtered by absint before being saved to the options table. my-option-name-2 will be stripped of any HTML by wp_filter_nohtml_kses.

Then build a form like this prototype:

```
      </td>
    </tr>
  </table>
</div>

Easy.

 [1]: http://codex.wordpress.org/Migrating_Plugins_and_Themes_to_2.7#Plugins "Migrating Plugins and Themes to 2.7 « WordPress Codex"

Presidents Change…Presidential Limousines Change

Presidential Limos are armored, yes, but Gregg Merksamer reveals that George W. Bush’s limos sport five-inch thick glass, more than twice as thick as in Clinton’s limo. Merksamer should know, he wrote the book on so-called “professional cars”. He says half an inch is enough to stop a .44 magnum at point blank range, and […] » about 100 words

Mark Jaquith On WordPress Security For Plugin Developers

I’ve been pretty aware of the risks of SQL injection and am militant about keeping my database interactions clean. Mark Jaquith today reminded me about the need to make sure my browser output is filtered through clean_url(), sanitize_url(), and attribute_escape(). Furthermore, we all need to remember current_user_can(), check_admin_referer(), and nonces. » about 100 words

[Insert Word Here] Is Hurting Your Network

Corporate networks are defenseless against the growing threat from instant messaging, and the government warns WiFi is insecure and easily sniffed.

Experts suggest we take precautions against the growing risk of p2p software that’s exposing sensitive documents and threatening national security.

Businesses blame security problems on their employees, their mobile devices, and other consumer technologies.

And now we have MySpace.

Carry-On Restrictions To Carry On?

The Mercury News’ QA on carry-on restrictions answered a big question I had: Q Can I still carry my laptop, cell phone and iPod on board? A Those items are still OK as long as you’re not traveling to or through the United Kingdom. But a Reuters story posted at C|Net suggests the restriction on […] » about 200 words

Plan C: Signed JavaScripts

The Mozilla docs on JavaScript security give a hint of hope that signed scripts will work around the cross-domain script exclusions that all good browsers enforce. But an item at DevArticles.com throws water on the idea: Signed scripts are primarily useful in an intranet environment; they’re not so useful on the Web in general. To […] » about 300 words

Disobey

Gary Wolf wrote in the June issue of Wired about how smart mobs in New York’s World Trade Center outbrained the “authorities” and enjoyed higher survival rates because of it. Wolf is talking about the NIST report on Occupant Behavior, Egress, and Emergency Communications (warning: PDFs). There’s also this executive summary and this looks like […] » about 300 words