Little Pig, Little Pig! Let Me Admin! (Security Thread)

Thad
Posts: 5318
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue Jan 19, 2016 5:27 pm

Privilege escalation vulnerability discovered in Linux kernel

It's been there since 3.8, released in 2013.

Fix should be available soon (if not already) for most major distros; the trouble, as always, is going to be Android deployment.

Postby Grath » Wed Jan 27, 2016 4:23 pm



Postby Thad » Fri Feb 19, 2016 2:35 pm

Ars: Encryption isn’t at stake, the FBI knows Apple already has the desired key

It's a nice, thorough rundown of what the FBI and the courts are actually asking for in the San Bernardino case.

The gist:

The FBI isn't asking Apple to break the encryption on the phone; they're asking for a custom firmware that's friendlier to brute-force attacks on the PIN. (Quicker timeout between PIN guesses, unlimited number of PIN guesses, and some automated means to input PINs instead of having to actually do each one manually.)

Arguments for:

The government isn't asking Apple to create a backdoor in its OS that it can use carte blanche; it's merely asking it to take trivial steps to make it possible to use well-known and extremely unsophisticated means to guess a PIN.

And they've done it the right way: they've gone through the courts and gotten a warrant.

The firmware will be keyed to multiple unique identifiers on the phone, and will not run on any other phone. Even assuming it could be reverse-engineered and the FBI (or a third party) worked out how to replace those identifiers with other ones, they wouldn't be able to get it to run on another device, because they don't have Apple's signing key. (And if Apple's signing key were compromised or some method were discovered to bypass the key check, then attackers wouldn't need to reverse-engineer a custom binary blob to pwn your phone; they could get it to run whatever the fuck code they wanted.)


Argument against:

The precedent that the government can compel a company to build, compile, and install a custom firmware on-demand is troubling.

Even if we agree that this use is legitimate, there's no guarantee that the next one will be. Can we trust the FBI and the courts to make good decisions about which accused criminals to go after?

The FBI is clearly using this specific case to press the issue because it's something that it's easy to get everyone to agree on. (TERRORISTS!) They previously tried to get Apple to do it for an accused drug dealer's phone.

Postby Rico » Fri Feb 19, 2016 3:56 pm

I think the argument against also has to include:
Most of the court personnel in charge of granting or denying similar requests will have no idea whether what they're ruling about is as relatively benign a technical request as this one is, so this case could certainly create a more damaging precedent.

Postby Thad » Fri Feb 19, 2016 4:41 pm

Right, excellent point.

The arguments against mostly come down to what kind of precedent it will set. On some level they're slippery-slope arguments -- but as I've often said before, slippery-slope arguments are fair when we're talking about interpreting the Bill of Rights.

Postby Thad » Fri Feb 19, 2016 5:43 pm

Adding:

This calls attention to another problem, which is that phone lockscreens are poorly equipped for strong passcodes. Quickly typing a 4-digit numerical code or drawing a four-point pattern on a screen are good enough ways of protecting a phone from casual access, but the only way they can stand up to a sustained attack is with software solutions like wiping the keys after a certain number of unsuccessful attempts.

Fingerprints are potentially a better solution, but they come with the problem that if anyone ever gets a copy of your fingerprints, you can't change them.

I think I've said this before, but I think the best solution right now is to make password input fields friendlier to Correct Horse Battery Staple-style passwords. Hell, you could even add a feature that automatically generates a password of that sort; randomly pick four words of a certain length from the system dictionary. Then allow autocomplete and autocorrect in the password field, but don't store any words entered into a password field into the predictive text database.
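The generator described in the post above, as an added example that is not part of the original thread: pick four words of a usable length from a dictionary with a CSPRNG, report the resulting entropy, and keep anything typed into a password field out of the predictive-text store. The tiny inline word list is a constructed stand-in for the system dictionary, so the entropy it yields is far lower than a real dictionary would give.

```python
import math
import secrets

# Constructed stand-in for the system dictionary (a real build would read
# something like /usr/share/dict/words); deliberately small and mixed-case,
# with a few entries that should be filtered out.
SAMPLE_DICTIONARY = """Correct horse battery staple anchor bridge candle dragon
forest garden hammer island jacket kettle lantern marble needle orange pepper
quartz rabbit saddle tunnel velvet walnut yellow zipper it's a ox""".split()


def candidate_words(words, min_len=5, max_len=8):
    """Lowercase, letters-only words of a typeable length, deduplicated and sorted."""
    return sorted({w.lower() for w in words
                   if w.isalpha() and min_len <= len(w) <= max_len})


def passphrase_entropy_bits(pool_size, count):
    """Entropy of `count` words drawn uniformly, with replacement, from a pool."""
    return count * math.log2(pool_size)


def generate_passphrase(words, count=4, min_len=5, max_len=8):
    """Return (passphrase, entropy_bits). Uses `secrets`, never `random`."""
    pool = candidate_words(words, min_len, max_len)
    if not pool:
        raise ValueError("dictionary has no usable words")
    chosen = [secrets.choice(pool) for _ in range(count)]
    return " ".join(chosen), passphrase_entropy_bits(len(pool), count)


def learn_words(predictive_db, text, in_password_field):
    """Update predictive-text word counts, but never from a password field."""
    if in_password_field:
        return predictive_db
    for w in text.lower().split():
        predictive_db[w] = predictive_db.get(w, 0) + 1
    return predictive_db


if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_DICTIONARY)
    print(f"{phrase!r}: about {bits:.1f} bits with this tiny sample list")
```

With a real dictionary of a few tens of thousands of suitable words, four words gives roughly 60 bits, which is the point of the scheme over a 4-digit PIN's 10,000 possibilities.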

Postby Thad » Sat Feb 20, 2016 1:19 am

Also, Apple previously suggested that the FBI set the phone to do an auto-backup to iCloud (which can be done without unlocking the device), where they would then be able to recover it without having to create a custom FBIOS, but a county official appears to have changed the iCloud password.

Postby sei » Mon Feb 22, 2016 7:27 am

Linux Mint web server was compromised via WordPress and a bunch of Linux Mint ISOs served around Feb 20, 2016 were backdoored.

Postby Thad » Wed Jun 29, 2016 12:53 am

Anybody still using Symantec?

No?

Okay, anybody work for a company that's still using Symantec?

If so, might want to show this to somebody in IT who can explain it to whoever makes the purchasing decisions: High-severity bugs in 25 Symantec/Norton products imperil millions

The catch is that switching vendors won't necessarily help.

Tuesday's advisory is only the latest to underscore game-over vulnerabilities found in widely available antivirus packages. Although the software is often considered a mandatory part of a good security regimen—on Windows systems, at least—their installation often has the paradoxical consequence of opening a computer to attacks that otherwise wouldn't be possible. Over the past five years, Ormandy in particular has exposed a disturbingly high number of such flaws in security software from companies including Comodo, Eset, Kaspersky, FireEye, McAfee, Trend Micro, and others.

Postby Büge » Wed Jun 29, 2016 7:53 am

Funny, I was talking to a customer yesterday who swore Kaspersky was impregnable.

Postby Thad » Wed Jun 29, 2016 9:59 am

Kaspersky might still be the best. I didn't copy over the links from that passage I quoted but here's the Kaspersky: Mo Unpackers, Mo Problems post it linked to. There doesn't seem to be anything nearly as nasty there as the Symantec bug where it'll automatically load an attachment with elevated privileges.

Postby Mothra » Wed Jun 29, 2016 1:17 pm

Oh BOY.

Good to know, I'll spread the word.

Postby Thad » Sat Jul 30, 2016 10:06 pm

If you're using LastPass, you're gonna wanna patch it.

And, on general principle, I would recommend against ever using a piece of software that automatically fills in your passwords. I don't use LastPass but I assume there must be a setting that makes you take an extra step before it fills in passwords, like authorize it with a context menu or something. Do that.

Speaking of things that are self-evidently awful ideas: I've been using SwiftKey for years but I've never enabled cloud sync before, because sharing all my keystrokes is a self-evidently terrible idea. If that means I have to re-train the thing every time I do a new install, so be it.

And oh hey, looks like I was right; people are getting other people's predictive text now.

Postby Thad » Tue Aug 16, 2016 12:36 am

Techdirt: Democratic National Committee Creates A 'Cybersecurity Board' Without A Single Cybersecurity Expert

I've met and/or dealt with Chopra (misspelled Copra in the article) and Wong -- and both are very smart and good policy people. The other two seem to have good policy chops as well. But none of them are actual cybersecurity experts. I have no problem with these people being on this advisory board, but it's insane to put together a cybersecurity advisory board that doesn't include at least a single (and probably more) actual technologist with experience in cybersecurity. And that's doubly true when the goal of the board is to help the DNC with its own cybersecurity.

If the goal of the board was to advise on cybersecurity policy, then the makeup of it is at least slightly more understandable, but that's not the goal. It's to actually improve the cybersecurity of the DNC. Even if the goal were just policy, having someone with actual technology experience with cybersecurity would be sensible.

Postby Büge » Tue Aug 16, 2016 8:40 am

Well, if they can create policy on abortion without the input of a woman...

Postby Mothra » Tue Aug 16, 2016 9:42 am



Postby Mongrel » Fri Sep 09, 2016 1:04 pm

Daily Dot: Wikileaks omitted 2-billion Euro transfer from Syria to Russia from Syrian email infodump

It's interesting to me how since the fiasco of the Ukraine invasion Russia itself has almost faded from world news*, but bits and pieces of Russia's shadow influence have been cropping up more and more. They're playing it a lot smarter than they have in the recent past... which is bad news, I suppose.

*Well, unless you count the doping story. But Russian athletes doping was an old story in the frikken 80's. I'm not sure I can even imagine a world where the default state for Russian athletes isn't to be constantly juiced up.

Postby Sharkey » Fri Sep 09, 2016 7:14 pm

It's like we learned nothing from Rocky IV.