THESE FORUMS NOW CLOSED (read only)

  • 03 Oct 2024, 07:00
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: Shellshock and other assorted computer security stuff  (Read 13159 times)

Pilchard123

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,131
  • I always name them Bitey.

Hi guys. How're you doing? Got Bash installed? Patched it? Maybe you should think about it.
Logged
Piglet wondered how it was that every conversation with Eeyore seemed to go wrong.

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #1 on: 26 Sep 2014, 01:00 »

My OpenBSD machine doesn't have Bash installed.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

ankhtahr

  • GET ON THE NIGHT TRAIN
  • *****
  • Offline Offline
  • Posts: 2,700
  • A hacker spathe night owl
Re: Shellshock and other assorted computer security stuff
« Reply #2 on: 26 Sep 2014, 01:35 »

tcsh?  :-D

I love my zsh. But I still have bash installed. Sadly not easy to get rid of it completely.
Logged
Quote from: Terry Pratchett
He had the look of a lawn mower just after the grass had organised a workers' collective.

bhtooefr

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,180
  • ⌘-⌥-⌃-N
Re: Shellshock and other assorted computer security stuff
« Reply #3 on: 03 Oct 2014, 01:26 »

Interestingly, there's a similar vulnerability in cmd.exe, it appears: https://twitter.com/dakami/status/517790323154485248

Impact is likely going to be far lower, though. Anything on Windows that needs scripting isn't using cmd.exe, it's using the Windows Script Host to run VBScript.
Logged

LTK

  • Methuselah's mentor
  • *****
  • Offline Offline
  • Posts: 5,009
Re: Shellshock and other assorted computer security stuff
« Reply #4 on: 03 Oct 2014, 14:38 »

In other news, it appears that there is an unpatchable vulnerability in all USB devices.

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack
Logged
Quote from: snalin
I just got the image of a midwife and a woman giving birth swinging towards each other on a trapeze - when they meet, the midwife pulls the baby out. The knife juggler is standing on the floor and cuts the umbilical cord with a a knifethrow.

bhtooefr

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,180
  • ⌘-⌥-⌃-N
Re: Shellshock and other assorted computer security stuff
« Reply #5 on: 03 Oct 2014, 14:46 »

That is hilariously sensationalized.

There are vulnerabilities in many USB microcontrollers that can allow reflashing the firmware with untrusted firmware. That's been known for ages.

Sure, it'll take forever to get the bad devices out of circulation, but not all devices use Phison USB controllers, and not all devices even have reflashable firmware.
Logged

ankhtahr

  • GET ON THE NIGHT TRAIN
  • *****
  • Offline Offline
  • Posts: 2,700
  • A hacker spathe night owl
Re: Shellshock and other assorted computer security stuff
« Reply #6 on: 16 Oct 2014, 00:52 »

hmm. Have you by chance disabled SSLv3 for this server now? (Or did Cloudflare disable it?) Tapatalk on my mobile can't connect to the forums anymore, and SSLv3 support is disabled. Whoever it was, good decision. POODLE is bad.
Logged
Quote from: Terry Pratchett
He had the look of a lawn mower just after the grass had organised a workers' collective.

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #7 on: 16 Oct 2014, 00:57 »

I've not yet fully checked out what's going on, but you could have the answer.

Yesterday the forums were moved to a permanent https connection, using a new certificate (no longer self-signed).  But this morning, I find that I can no longer connect using https using Tapatalk/Android, nor using Opera (Chroms)/Windows XP; whereas Tapatalk/iPhone is OK, as is Opera/Windows 8.1.

The comic works using http but not https on the Windows XP machine, but the forums are no longer available using http.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

Masterpiece

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,364
  • No time for Claireification
Re: Shellshock and other assorted computer security stuff
« Reply #8 on: 16 Oct 2014, 02:04 »

Ah. Explains why my IE is asking for me to allow unsafe content.

bhtooefr

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,180
  • ⌘-⌥-⌃-N
Re: Shellshock and other assorted computer security stuff
« Reply #9 on: 16 Oct 2014, 02:19 »

Windows XP shouldn't be used on the public internet anyway, so...

I believe there's options to disable SSLv3 support in newer versions of IE, as well, so it doesn't even try.
Logged

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #10 on: 16 Oct 2014, 03:16 »

Windows XP shouldn't be used on the public internet anyway,

... without appropriate care and protection.  Some of us can manage our computing infrastructure reasonably safely.

I believe there's options to disable SSLv3 support in newer versions of IE, as well, so it doesn't even try.

One problem is that such settings are often not exposed, but in the area where you have to know what you're doing.  For instance, the command to force TLS only in Chrome is a command line one.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #11 on: 16 Oct 2014, 11:45 »

Note: the change of the forum to https means that Tapatalk users will need to delete the forum from their app and then add it back in; this will force it to fetch the changed address from the server.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

jwhouk

  • Awakened
  • *****
  • Offline Offline
  • Posts: 11,022
  • The Valley of the Sun
Re: Shellshock and other assorted computer security stuff
« Reply #12 on: 16 Oct 2014, 14:55 »

I was wondering. It seems to be working again, though.
Logged
"Character is what you are in the Dark." - D.L. Moody
There is no joke that can be made online without someone being offended by it.
Life's too short to be ashamed of how you were born.
Just another Joe like 46

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #13 on: 16 Oct 2014, 15:23 »

It's happened without?  Even better - perhaps what I did just jumped the queue (cache) somewhere.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

bhtooefr

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,180
  • ⌘-⌥-⌃-N
Re: Shellshock and other assorted computer security stuff
« Reply #14 on: 16 Oct 2014, 15:35 »

It is worth noting that, looking at what Firefox (now 33) is saying, it's not happy about there being content sourced from non-secure sites on this page.

So, I decided to change my avatar to pull from https://bhtooefr.org instead of http://bhtooefr.org, to help matters (although your avatar contributes to the problem, too)... and it reverts to no avatar. D'oh! (I just uploaded my avatar to the forums directly, though...)
Logged

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #15 on: 16 Oct 2014, 15:50 »

There must be a setting I've turned off, because I don't get that warning.

Nor do I have a secure web server to hand; I guess the time is coming to think about that.  I think there was a reason I didn't set one up ages ago...  Ah, I remember, something to do with having a reverse proxy and multiple web sites - I have multiple URLs on the same port, and SSL negotiation precedes the exchange of headers, so the site name is unknown and the certificate can't be identified - something like that.  Plus my port 443 is already dedicated to the mail server's web mail.

I may be out of date about the restrictions, so I'll investigate that.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #16 on: 16 Oct 2014, 16:58 »

I'll look at the avatar code in the forum software; the problem may be similar to that which I've just fixed to get YouTube back (SoundCloud will follow tomorrow).
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

ev4n

  • Scrabble hacker
  • *****
  • Offline Offline
  • Posts: 1,328
  • Shameless Shamy Shipper
Re: Shellshock and other assorted computer security stuff
« Reply #17 on: 20 Oct 2014, 05:12 »

Fwiw, my home PC has been unable to browse to forums.questionablecontent.net since the patch, in either chrome or IE.

I'm patching and scanning to try to find a problem on my side.
Logged

ankhtahr

  • GET ON THE NIGHT TRAIN
  • *****
  • Offline Offline
  • Posts: 2,700
  • A hacker spathe night owl
Re: Shellshock and other assorted computer security stuff
« Reply #18 on: 02 Dec 2014, 13:43 »

So let's bring back some life into this thread with more general computer security and crypto stuff!

I'm currently working on finally getting some order and safety into my data security.

I've rented a lock box in a bank, where I store paper copies and a USB stick containing encrypted digital copies of private keys and such things.

I've never really used GPG before, because I wanted to read some more about it to not do anything wrong. I've decided to use an additional subkey for signing, so I can leave my Master key in the lock box unless I want to sign other peoples keys.

I'll also keep a backup of the configuration of my Yubikey in there, so I can finally start using Keepass with OTP, without having to worry about losing my Yubikey and thus access to all my passwords. Oh. Fallback passwords for anything which is secured with the Yubikey are in the lockbox as well. Probably a backup of the LUKS headers of my encrypted hard drives as well.

What do you guys do to keep your data safe and secure?
Logged
Quote from: Terry Pratchett
He had the look of a lawn mower just after the grass had organised a workers' collective.

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #19 on: 03 Dec 2014, 03:00 »

I'll look at the avatar code in the forum software; the problem may be similar to that which I've just fixed to get YouTube back (SoundCloud will follow tomorrow).

I never mentioned here that I spent time trying to make a patch to fix this, but it got too complex to finish.  It's been sorted in the next major release of the forum, which has just entered public beta, but that will be at least a year away on past performance.



I've spent a lot of time in the past week on web security issues at work, getting the https security on three old websites up from an F on the tester I use to B, B and A-.  The A- one (running Tomcat v6) could have been an A, but only by dropping support for browsing in Windows XP, and many of the users are still on XP (they're in the NHS, which is rather behind in that matter).  The other two are running IIS6, which can't do better; but they are both due for replacement quite soon.  My own website (Apache 2.4) has a straight A, of course.



I've been wondering about suggesting Yubikey and AuthLite for two-factor authentication in the IT services I run.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

hedgie

  • Methuselah's mentor
  • *****
  • Offline Offline
  • Posts: 5,382
  • No Pasarán!
Re: Shellshock and other assorted computer security stuff
« Reply #20 on: 23 Dec 2014, 21:04 »

It's probably just a *nix problem (including OS X), but there's a nasty NTP vulnerability going around, and that should be patched.
Logged
"The highest treason in the USA is to say Americans are not loved, no matter where they are, no matter what they are doing there." -- Vonnegut

LTK

  • Methuselah's mentor
  • *****
  • Offline Offline
  • Posts: 5,009
Logged
Quote from: snalin
I just got the image of a midwife and a woman giving birth swinging towards each other on a trapeze - when they meet, the midwife pulls the baby out. The knife juggler is standing on the floor and cuts the umbilical cord with a a knifethrow.

hedgie

  • Methuselah's mentor
  • *****
  • Offline Offline
  • Posts: 5,382
  • No Pasarán!
Re: Shellshock and other assorted computer security stuff
« Reply #22 on: 18 Feb 2015, 18:00 »

https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html

Apparently FreeBSD has been having problems with their random number generator.
Logged
"The highest treason in the USA is to say Americans are not loved, no matter where they are, no matter what they are doing there." -- Vonnegut

bhtooefr

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,180
  • ⌘-⌥-⌃-N
Re: Shellshock and other assorted computer security stuff
« Reply #23 on: 18 Feb 2015, 18:04 »

Granted, -RELEASE is safe.

If you run -CURRENT, though...

In other news... Lenovo installs SSL MITM spyware on laptops: https://forums.lenovo.com/t5/Security-Malware/Potentially-Unwanted-Program-Superfish-VisualDiscovery/m-p/1860408/highlight/true#M1697
« Last Edit: 18 Feb 2015, 18:38 by bhtooefr »
Logged

bhtooefr

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,180
  • ⌘-⌥-⌃-N
Logged

Half Empty Coffee Cup

  • Psychopath in a hockey mask
  • ****
  • Offline Offline
  • Posts: 609
Re: Shellshock and other assorted computer security stuff
« Reply #25 on: 23 Feb 2015, 14:50 »

I understand perfectly. We're not customers... we're the commodity.
Logged
Mistakes, ahoy!

celticgeek

  • GET ON THE NIGHT TRAIN
  • *****
  • Offline Offline
  • Posts: 2,697
  • Linux Geek
    • The Celtic Geek
Re: Shellshock and other assorted computer security stuff
« Reply #26 on: 23 Feb 2015, 15:07 »

I, of course, bought a new Lenovo laptop just before the news came out.  I did check, and my laptop is not infected, but of course, I had Mint 17.1 installed on it, rather than Windows, and it was installed from a fresh disk, so life is good.  So far.....

Logged
a 'dèanamh nan saighdean airson cinneadh MacLeòid
We Wear Woad When We Write Code
Ní féidir liom labhairt na Gaeilge.
Seachd reultan, agus seachd clachan, agus aon chraobh geal.

Stoon

  • Pneumatic ratchet pants
  • ***
  • Offline Offline
  • Posts: 303
Re: Shellshock and other assorted computer security stuff
« Reply #27 on: 25 Feb 2015, 21:23 »

I, of course, bought a new Lenovo laptop just before the news came out.  I did check, and my laptop is not infected, but of course, I had Mint 17.1 installed on it, rather than Windows, and it was installed from a fresh disk, so life is good.  So far.....
Love it!
Logged

Is it cold in here?

  • Administrator
  • Awakened
  • ******
  • Offline Offline
  • Posts: 25,163
  • He/him/his pronouns
Re: Shellshock and other assorted computer security stuff
« Reply #28 on: 16 Apr 2015, 15:25 »

I had a random bit of security irony today. There was a presentation about security assurance in software development. I couldn't watch it because it requires Flash, which I flatly will not allow on my computer because of its record of endless security vulnerabilities.
Logged
Thank you, Dr. Karikó.

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #29 on: 21 Jul 2015, 08:07 »

I guess this belongs here as well as the News thread:

Be scared.  Be very scared:

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

bhtooefr

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,180
  • ⌘-⌥-⌃-N
Re: Shellshock and other assorted computer security stuff
« Reply #30 on: 21 Jul 2015, 09:39 »

Well, that's terrifying.

And, really, I'm not surprised - even my 1999 Golf has a network upon which all devices can see everything else (while it's a year before VW put everything on a CAN bus, there is the K-line (essentially RS-232 at weird baud rates) that every control module in the car is sitting on for diagnostic purposes), and there's no access control other than matching the baud rate, sending the command to the correct control module address (but everything sees everything on the K-line), and occasionally 5 digit passwords that are, for the most part, printed in the workshop manuals).

Even things like the instrument cluster, which contains the immobilizer (well, on US-market cars it's not active until 2000), can be attacked with readily available software, the ROM dumped (on some clusters, this takes an hour of brute forcing a password, but most, it gets in immediately), the secret key code decoded, and the immobilizer protections are effectively defeated.

For all I know, there's a buffer overflow in the central locking (for manual windows)/central convenience (for power windows) module that can be used to attack other K-line or CAN-bus modules, for a wireless attack.

When modern cars don't even bother to isolate the infotainment from the powertrain/safety CAN bus, and have long-range wireless protocols in their infotainment systems... and even when they do (some cars use FlexRay or Ethernet for infotainment instead), they put infotainment data on the instrument cluster, which communicates with the powertrain/safety CAN bus anyway, and is therefore an attack surface on the powertrain/safety bus. And, don't forget the steering wheel/column controller, which is often on the powertrain/safety bus for things like cruise control (typically the airbags are directly connected to the airbag module) and the infotainment bus for infotainment control... And, then, you've got telematics systems that directly have a need to access the powertrain/safety bus to do what they do (crash detection to call emergency services, remote diagnostics, remote unlock (although central locking could be put on another bus), remote shutdown for police)...
Logged

ankhtahr

  • GET ON THE NIGHT TRAIN
  • *****
  • Offline Offline
  • Posts: 2,700
  • A hacker spathe night owl
Re: Shellshock and other assorted computer security stuff
« Reply #31 on: 21 Jul 2015, 10:41 »

Yep. I know of cars which have the control unit for the side mirror adjustments in the mirror, and this lead the whole CAN bus out of the vehicle. Those cars can actually be opened by opening the mirror casing, which is only clipped on and attaching to the CAN bus, which of course also controls the central locking. You can take control of a whole vehicle by opening the side mirror casing.
Logged
Quote from: Terry Pratchett
He had the look of a lawn mower just after the grass had organised a workers' collective.

cesium133

  • Preventing third impact
  • *****
  • Offline Offline
  • Posts: 6,148
  • Has a fucked-up browser history
    • Cesium Comics
Re: Shellshock and other assorted computer security stuff
« Reply #32 on: 21 Jul 2015, 15:49 »

The car I bought a few weeks ago was recalled because of a bug in the radio software that causes the seatbelt chimes to not work. I guess I can sort of see them being related (and seatbelt chimes aren't exactly critical), but why on earth should the entertainment system software have access to the critical functions of the car like the engine and brakes?  :psyduck:
Logged
The nerdy comic I update sometimes: Cesium Comics

Unofficial character tag thingy for QC

Masterpiece

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,364
  • No time for Claireification
Re: Shellshock and other assorted computer security stuff
« Reply #33 on: 21 Jul 2015, 17:54 »

Is it weird that I find this hugely fascinating

ChaoSera

  • Scrabble hacker
  • *****
  • Offline Offline
  • Posts: 1,405
Re: Shellshock and other assorted computer security stuff
« Reply #34 on: 22 Jul 2015, 11:03 »

Is it weird that I find this hugely fascinating
Not at all.

And cesium - it's probably a cost thing. If you wire everything up on one bus you don't have to put in additional cabelage, which saves money.
Logged

BenRG

  • coprophage
  • *****
  • Offline Offline
  • Posts: 7,861
  • Boldly Going From The Back Seat!
Re: Shellshock and other assorted computer security stuff
« Reply #35 on: 23 Jul 2015, 04:06 »

Just a heads-up to the admins. I didn't see which advert it was but one of the ads on questionablecontent.net is a hijack that sends you to a fake Flashplayer download site.
Logged
~~~~

They call me BenRG... But I don't know why!

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Shellshock and other assorted computer security stuff
« Reply #36 on: 23 Jul 2015, 05:38 »

Administrator Comment The admins of this forum here have nothing to do with Jeph's comic site. On matters like this email him directly - he does take note and block some ads, even if he doesn't reply individually.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )
Pages: [1]   Go Up