RealTime IT News

Blog Archives

Black Hat and the InfoSec Community Lose Barnaby Jack

By Sean Michael Kerner   |    July 26, 2013

From the 'Life is Precious' files:

I woke up this morning to check my email, in the hope that I got an overnight confirmation from celebrated hacker extraordinaire Barnaby Jack that we'd be talking soon about his upcoming Black Hat session.

Instead, my inbox/twitter stream was filled with comments/praises about his life - as Jack passed away last night.  

Life is sudden, it is busy and it is precious....

Barnaby Jack was well known in the security community. In 2009, he joined the ranks of the epic mythos of Black Hat talks that had to be pulled due to 'concerns' about his ATM hacking research.

Instead of walking away from the research, he walked away to a new employer that supported his 2010 return to Black Hat, where he presented the research.

Of the last 16 years of Black Hat talks, that one presentation remains in my memory at the top of the list: standing in front of a crowded room, literally 'jackpotting' ATMs with his skills and, of course, his inimitable humor.

Jack was supposed to be talking next week about hacking medical devices. Black Hat GM Trey Ford was among the many in the InfoSec community saddened by Jack's passing today and he made it clear that Black Hat won't be filling Jack's speaking session with someone else.


Our thoughts and prayers go out to his family, friends and all those who knew and worked with him.

*UPDATE* The Black Hat Conference has just issued the following statement:

We have lost a member of our family. Everyone would agree that the life and work of Barnaby Jack are legendary and irreplaceable. Barnaby had the ability to take complex technology and intricate research and make it tangible and accessible for everyone to learn and grow from. Beyond his work in our industry, Barnaby was an incredibly warm hearted and welcoming individual with a passion for celebrating life. We all have a hilarious and upbeat story about Barnaby. He is truly a shining example of what we love about this community.

Black Hat will not be replacing Barnaby's talk on Thursday, Aug. 1. No one could possibly replace him, nor would we want them to. The community needs time to process this loss. The hour will be left vacant as a time to commemorate his life and work, and we welcome our attendees to come and share in what we hope to be a celebration of his life. Barnaby Jack meant so much to so many people, and we hope this forum will offer an opportunity for us all to recognize the legacy that he leaves behind.

Our deepest sympathies go out to Barnaby Jack's family and loved ones. Words cannot adequately describe how much he will be missed, but it is certain that Barnaby will NEVER be forgotten.

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.

Apache Updates Open Source HTTP Server 2.4.6

By Sean Michael Kerner   |    July 22, 2013

From the 'Why Are You Still Running 1.3.x?' files:

Nearly two weeks ago, the Apache Software Foundation updated its namesake Apache HTTP web server with new 2.0.65 and 2.2.25 releases.

What was noticeably absent was an update to the current leading edge - Apache 2.4.x.

That's no longer the case, as Apache has now released Apache 2.4.6.

The Apache 2.4.6 update includes two security updates, one of which (CVE-2013-1896) was patched two weeks ago in the 2.2.25 update. It's unclear to me why the leading edge of HTTP is two weeks behind a security patch of the non-leading edge, but it is a cause for concern.

SECURITY: CVE-2013-1896 (cve.mitre.org)
    mod_dav: Sending a MERGE request against a URI handled by
    mod_dav_svn with the source href (sent as part of the request body
    as XML) pointing to a URI that is not configured for DAV will
    trigger a segfault.

In addition, the other fix is:

SECURITY: CVE-2013-2249 (cve.mitre.org)
    mod_session_dbd: Make sure that dirty flag is respected when saving
    sessions, and ensure the session ID is changed each time the session
    changes. This changes the format of the updatesession SQL statement.
    Existing configurations must be changed.

The Apache 2.4.6 update isn't just about security, though; it also includes the mod_macro module, which is intended to enable easier configuration management.

According to Apache:

"This module provides macros within apache runtime configuration files. These macros have parameters. They are expanded when used (parameters are substituted by their values given as an argument), and the result is processed normally."

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

Linus, Linux, Civility and Fighting in Hockey

By Sean Michael Kerner   |    July 17, 2013

From the 'It's all part of the game' files:

There has been a lot of chatter on the LKML (and elsewhere) this week about civility, threats and verbal abuse in the Linux kernel development community.

It all started thanks to Sarah Sharp, who asked for a new level of decorum and professionalism.

It's a conversation that remains hotly debated on the LKML today, which makes for some fun reading.

The TL;DR version is that Linus Torvalds is vigorously defending his position, his right to use whatever language/tone he needs:

"The fact is, people need to know what my position on things are. And I can't just say "please don't do that", because people won't listen. I say "On the internet, nobody can hear you being subtle", and I mean it."

All this talk made me think about the debate around fighting in hockey (yes, I'm Canadian, so we think about hockey 12 months a year).

Fighting is bad right?

If you punch someone in the face on the street, you go to jail (or could be charged). You punch someone in the face in a hockey game and you go to the penalty box (maybe).

In hockey, fighting is part of the game.

Sure, Canadians debate the role of fighting in hockey all the time. Hockey Canada is changing the way the minor levels of hockey play too, now banning any hitting until the age of 12 or so. So there is change.

Much of that change has been driven by the need to prevent injuries, specifically concussions.

Bringing it back to Linux, is there a similar driver (other than civility)? Is there an injury that verbal abuse/non-civil discourse is causing?

Or is Linus' style just 'part of the game'?

I suspect that, just as is the case with fighting in hockey, civility in Linux development is an evolving debate. The right thing to do is to talk about it, and thanks to Sarah Sharp, that's what is now happening.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

The Importance of Open Source Licensing Realized by GitHub

By Sean Michael Kerner   |    July 16, 2013

From the 'Because it Matters' files:

GitHub has emerged as one of the most popular (if not THE most popular) tools for collaborative online version control and development. While it is often associated with open source software development, that's not always a requirement.

In fact, many projects on GitHub (the actual numbers vary depending on who/when you ask) don't even have a declared license.

That's not good.

Open source licenses protect both the developer and the user. It's not just about freedom either; it's about understanding that code is 'real' in the sense that it is intellectual property (that can be made free/open).

Choosing an open source license might have been an issue for some developers because, quite frankly, they didn't know any better. In an effort to educate developers, GitHub now has the Choosealicense.com site set up.

The choices are really straightforward too: MIT, Apache or GPL.

While I personally believe that choosing a license is important -- GitHub also explains that developers can have no license as well. *

You're under no obligation to choose a license and it's your right not to include one with your code or project. But please note that opting out of open source licenses doesn't mean you're opting out of copyright law.

You'll have to check with your own legal counsel regarding your particular project, but generally speaking, the absence of a license means that default copyright laws apply. This means that you retain all rights to your source code and that nobody else may reproduce, distribute, or create derivative works from your work. This might not be what you intend.

My advice: choose wisely.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

Is It Time to Restore Civility to Linux Development?

By Sean Michael Kerner   |    July 15, 2013

From the 'Don't Mess with Sarah' files:

Linus Torvalds is well known for his use of colorful language on the Linux Kernel Mailing List (LKML), and he's not the only one who uses questionable language that some might consider threatening.

For the last 20 years, I can't remember anyone actually standing up to Linus (or the other colorful devs) saying that's just not right -- until today.

Sarah Sharp, Linux kernel developer at Intel, is making a stand against the verbal abuse.

Sharp wrote in an LKML message:

Violence, whether it be physical intimidation, verbal threats or verbal abuse is not acceptable. Keep it professional on the mailing lists.

Let's discuss this at Kernel Summit where we can at least yell at each other in person. Yeah, just try yelling at me about this. I'll roar right back, louder, for all the people who lose their voice when they get yelled at by top maintainers. I won't be the nice girl anymore.

It's obvious to me that Sharp is right. It should be obvious to all decent human beings that violence and threats of abuse have no place in civil development discourse either.

Do I expect Linus to change? No.

Do I hope he will? Yes.

Will Sharp change anything? I sure hope so. The fact that she's standing up and making her voice heard is the start of a conversation that should have started a long time ago.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

Black Hat Changes Wi-Fi Vendors - The Network Will Still be HOSTILE

By Sean Michael Kerner   |    July 15, 2013

From the 'Aruba Out/ Xirrus In' files:

Two weeks to go until the big Black Hat security conference and I've just found out about a really big change. For the last several years, my first stop at any Black Hat event was the Wi-Fi control room/suite, run by Aruba Networks.

So this year, I reached out to Aruba to get connected and found out that they aren't the Wi-Fi vendor/service provider for 2013.

Instead, Xirrus has been selected as the Black Hat Wi-Fi vendor.

While this is a shift for the Black Hat conference, it's not all that surprising either. UBM Tech (the organizer of the Black Hat event) also runs Interop. At Interop this year, Wi-Fi was provided by....yup, you guessed it - Xirrus.

I met with Xirrus' Mike Rydalch, principal technologist, at Interop earlier this year. That's a network that needs to deliver service to over 300 exhibitors, 10,000 wireless devices and one million square feet of space.

But that's still not Black Hat.

I actually spoke with Rydalch at Interop about Black Hat - at the time neither he nor I knew that Xirrus would be the Wi-Fi vendor there. It's a challenge he told me he really wanted to embrace.

Black Hat is quite literally one of the most hostile networks on Earth. Rogue access points pop up all the time and people openly try to sniff each other's traffic. Attacks both known (and likely a few unknown) occur on an alarmingly regular basis.

The fact that it's a 'new' vendor (as opposed to the last several years) might perhaps represent a risk to some conference-goers. Not me. I've seen how Rydalch commands a Wi-Fi network, and I suspect that though the network environment is hostile, Black Hat Wi-Fi will be a shining example of how secure Wi-Fi can be delivered.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

Open Source Apache Server 2.0.x Updated for the Last Time

By Sean Michael Kerner   |    July 12, 2013

From the 'yum-update/apt-get upgrade RIGHT NOW' files:

The Apache Software Foundation is out with a pair of important updates to its namesake Apache HTTP Server.

The new updates are the Apache 2.0.65 and Apache 2.2.25 releases. Of particular note is the fact that the Apache 2.0.65 release is the final release of the Apache 2.0.x line of HTTP server.

Apache 2.0 was first released back in April of 2002, giving this open source web server platform an astonishing 11 years of support.

The final Apache 2.0.x release is number 2.0.65 and includes fixes for at least six security flaws. Those flaws include:

  • CVE-2013-1862 (cve.mitre.org)
    mod_rewrite: Ensure that client data written to the RewriteLog is
    escaped to prevent terminal escape sequences from entering the
    log file.
  • CVE-2012-0053 (cve.mitre.org)
    Fix an issue in error responses that could expose "httpOnly"
    cookies when no custom ErrorDocument is specified for status code
    400.
  • CVE-2012-0031 (cve.mitre.org)
    Fix scoreboard issue which could allow an unprivileged child
    process to cause the parent to crash at shutdown rather than
    terminate cleanly.
  • CVE-2011-3368 (cve.mitre.org)
    Reject requests where the request-URI does not match the HTTP
    specification, preventing unexpected expansion of target URLs in
    some reverse proxy configurations.
  • CVE-2011-3192 (cve.mitre.org)
    core: Fix handling of byte-range requests to use less memory, to
    avoid denial of service. If the sum of all ranges in a request is
    larger than the original file, ignore the ranges and send the
    complete file.
  • CVE-2011-3607 (cve.mitre.org)
    Fix integer overflow in ap_pregsub() which, when the mod_setenvif
    module is enabled, could allow local users to gain privileges via
    a .htaccess file.
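The CVE-2011-3192 entry above describes the mitigation as a rule: sum the lengths of all requested byte ranges and, if the total exceeds the file, ignore the Range header and serve the whole file. The following is an added example (not Apache code and not from the original post) that implements exactly that rule over a parsed Range header; the sample header values are constructed, and `parse_byte_ranges` / `decide_response` are hypothetical helper names.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample Range header values (not taken from the page).
NORMAL_RANGE = "bytes=0-99,200-299"
SUFFIX_RANGE = "bytes=-500"
# The pathological shape behind CVE-2011-3192: many overlapping ranges whose
# combined length dwarfs the file, so the server buffers far more than the
# file's own size while assembling the multipart response.
ABUSIVE_RANGE = "bytes=" + ",".join(f"{i}-" for i in range(200))


def parse_byte_ranges(header: str, file_size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse an HTTP/1.1 Range header into inclusive (first, last) byte pairs.

    Returns None when the header is not a well-formed byte-range set.
    Sub-ranges that cannot be satisfied (start beyond end of file) are
    dropped, so a well-formed header can yield an empty list.
    """
    if not header.startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if m is None or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":
            # suffix-byte-range-spec: the final N bytes of the file
            n = int(last)
            if n == 0:
                continue
            start, end = max(file_size - n, 0), file_size - 1
        else:
            start = int(first)
            end = min(int(last), file_size - 1) if last else file_size - 1
            if start >= file_size or start > end:
                continue  # cannot be satisfied; skip it
        ranges.append((start, end))
    return ranges


def decide_response(header: Optional[str], file_size: int) -> Tuple[str, Optional[List[Tuple[int, int]]]]:
    """Decide how to answer a request for a file of file_size bytes.

    Returns ("full", None) to send the whole file with 200 OK, or
    ("partial", ranges) to send a 206 multipart/byteranges response.
    Applies the 2.0.65 changelog rule: if the sum of all requested ranges
    is larger than the file, ignore the ranges and send the complete file.
    """
    if header is None:
        return ("full", None)
    ranges = parse_byte_ranges(header, file_size)
    if not ranges:
        # malformed or entirely unsatisfiable: fall back to the full file
        # (a production server would answer 416 for the unsatisfiable case)
        return ("full", None)
    requested = sum(end - start + 1 for start, end in ranges)
    if requested > file_size:
        return ("full", None)
    return ("partial", ranges)


if __name__ == "__main__":
    for name, hdr in (("normal", NORMAL_RANGE), ("suffix", SUFFIX_RANGE), ("abusive", ABUSIVE_RANGE)):
        print(name, decide_response(hdr, 1000))
```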

Apache is also updating its Apache 2.2.x web server to version 2.2.25 for a pair of vulnerabilities, including:

  • SECURITY: CVE-2013-1896 (cve.mitre.org)
    mod_dav: Sending a MERGE request against a URI handled by
    mod_dav_svn with the source href (sent as part of the request body
    as XML) pointing to a URI that is not configured for DAV will
    trigger a segfault.
  • SECURITY: CVE-2013-1862 (cve.mitre.org)
    mod_rewrite: Ensure that client data written to the RewriteLog is
    escaped to prevent terminal escape sequences from entering the
    log file.

While Apache 2.2.x is likely more widely deployed at this point, the Apache 2.4.x branch is currently the leading edge of Apache Web Server production code. Apache 2.4.x is still relatively new, having only first debuted in February of 2012.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

Defcon Banning Feds? Don't Worry There Will Be Plenty at Black Hat

By Sean Michael Kerner   |    July 11, 2013

From the 'Biting the hand that feeds you' files:

Apparently, Jeff Moss (aka Dark Tangent) doesn't want U.S. Federal agents showing up at his Defcon conference this year.

The irony is that at Defcon in 2012, the NSA's top brass General Keith Alexander was the keynote of the event.

Alexander praised the work that Defcon hackers do in his keynote too. Long story short: the U.S. **NEEDS** hackers, especially as the stakes continue to rise on nation-state (read: China) cyber-attacks and espionage.

Moss wrote:
"When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a "time-out" and not attend DEF CON this year."

The irony of the situation is that Black Hat - the 'other' conference that Moss started and sold to UBM Tech a few years back - is very much embracing U.S. Federal agents. In fact, the same General Alexander is speaking at Black Hat this year, among numerous other government panels and events.

Do all the same 'hackers' go to both Black Hat and Defcon? No, not entirely -- but make no mistake about it, there is significant overlap too.

There is little chance in my mind that federal agents will not attend Defcon - it's just such a target-rich environment for recruiting and education that they can't stay away -- but given Moss' position, the game of 'spot the fed' is likely to be more difficult than in years past as federal agents take a lower profile.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

Open Source OpenStack Quantum Networking Renamed to Neutron?

By Sean Michael Kerner   |    July 10, 2013

From the 'Doing the Neutron Dance' files:

Technology nomenclature is always a 'funny' business. Case in point, the soon to be renamed OpenStack Quantum networking project.

I first heard about/wrote about Quantum in 2011 as part of the OpenStack Diablo release cycle. It's a brilliant idea: distill the core elements needed for Networking-as-a-Service in the cloud down to their most basic - or quantum - components, then make that abstraction available via APIs into which networking vendors/services can plug in.

In 2011, the term SDN wasn't the hype-cycle it is today - otherwise perhaps this project could have simply been called OpenStack SDN.

In any event, at the OpenStack Summit in Portland earlier this year, the direction was taken to start replacing the name OpenStack Quantum simply with OpenStack Networking. Apparently there is some naming (trademark?) confusion that might be associated with the name Quantum.

So I was a bit surprised to learn that the name OpenStack Networking isn't sticking either. Starting with the upcoming Havana release, the new name for Quantum networking is now Neutron.

Why?

I don't know - I was just starting to get used to calling it OpenStack Networking too - but 'pet' names that aren't purely generic (i.e. calling your cat 'cat') certainly do have their value.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

Google Pays $34,901.10 for Chrome 28 Flaws

By Sean Michael Kerner   |    July 09, 2013

From the '$21,500 Bug Bounty' files:

Google has released the latest version of its open source Chrome web browser, 28.0.1500.71.

This is mostly a bug and security fix update - with some very notable bug fixes. While Google has been paying security researchers for flaws for some time, with Chrome 28 Google is really upping the ante with the largest payout in the history of Google's security bug bounty program for a normal Chrome release.

Researcher Andrey Labunets is being awarded a special reward of $21,500 for a pair of flaws identified as CVE-2013-2879 and CVE-2013-2868.

Another big winner this month is researcher Collin Payne who scored $6,267.40 from Google for CVE-2013-2879: Use-after-free with network sockets.

Google is also paying out a tidy sum of $3,133.7 for CVE-2013-2853: Man-in-the-middle attack against HTTP in SSL, which was reported by Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco at INRIA Paris.

The other big-ticket bug bounty fix in Chrome 28 is a $2,000 reward to security researcher Miaubiz. He is credited with reporting CVE-2013-2871: Use-after-free in input handling. Miaubiz is no stranger to Google's bug bounty program. In fact, he is the first researcher that ever got more than $3,337 for a bug from Google.

Back in March of 2012, for the Chrome 17 release, Miaubiz was awarded a special reward of $10,000 for his contributions to Chrome security.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

Red Hat Adds VMware Exec to Promote Global Strategic Alliances

By Sean Michael Kerner   |    July 08, 2013

From the "If You Can't Beat Them..." files:

There is a bit of a revolving door in the tech industry, where people move from one industry competitor to another (unless of course they have non-compete agreements and even then..).

Linux vendor Red Hat today announced the appointment of former VMware exec Scott Musson as Red Hat's new VP of Global Strategic Alliances. That's a big job and a critical one for the present and future growth of Red Hat.

While Red Hat does have direct sales, the partnership channel has long been a key driver of growth and pull-through momentum. Musson will help direct Red Hat's foundational partnerships with IBM, HP, Dell and Cisco.

At VMware, Musson was the Senior Director of Global Strategic Alliances. And yeah, VMware is also partnered with IBM, HP, Dell and Cisco, so I suspect Musson will have an easy transition.

"I’m honored to join a passionate team that has built strong relationships with and continues to show commitment to their partners," Scott Musson, vice president of Global Strategic Alliances, Red Hat said in a statement. "Red Hat's leadership in key technology areas, including cloud, big data and application infrastructure and modernization, offers some exciting opportunities to make an impact."

Musson isn't the first exec that Red Hat has pulled from a rival. In April of this year, Red Hat named former Microsoft exec Radhesh Balakrishnan as the new global leader for Red Hat's virtualization infrastructure solutions.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

OpenStack Open Source Cloud Security Sprints Forward

By Sean Michael Kerner   |    July 03, 2013

From the 'Forget Crawl, Walk, Run - SPRINT!' files:

One of the most exciting aspects of agile code development is the reliance on code sprints to complete certain tasks. It's an approach that also works for documentation.

At the OpenStack Summit in Portland this past May, the OpenStack Security Group (OSSG) pledged to sit down to do a documentation sprint to build an OpenStack Hardening Guide.

That work was completed last week, and the first OpenStack Security Guide is now available.

The contributions came from an elite group of security professionals (don't let their 'interesting' titles scare you..) including:

  • Bryan Payne - Nebulous Fella
  • Robert Clark - Teaboy in chief
  • Keith Basil - Master of w00t!
  • Cody Bunch - Fanatical about OpenStack
  • Malini Bhandaru - Intel
  • Gregg Tally - APL Superstar
  • Eric Lopez - Network Virtualization rake
  • Shawn Wells - 500+ requirements guy
  • Ben de Bont - Aussie Bloke
  • Nathanael Burton - National Security Agency
  • Vibha Fauver - virtAppSec
  • Eric Windisch - Rocks the brown wingtips
  • Adam Hyde - Book Sprint Facilitator Extraordinaire
  • Andrew Hay - Mr. Burmuda

The guide is a 263-page omnibus that is a compelling must-read operations manual for security in the OpenStack world. Simply put, installing OpenStack without first taking into consideration the security guidance in this guide is a recipe for disaster, in my opinion.

In addition to prescriptive guidance, the authors have included some interesting fictional case studies for secure cloud deployment. The case studies include 'Alice's Private Cloud', which is intended to meet FedRAMP requirements, and 'Bob's Public Cloud'.

There is a lot to read - and no, it's not as easy to secure a cloud as simply running Bastille (like we did in the early Linux days). I suspect that the hardening guide is still somewhat of a work in progress, but the core fundamentals are all there.

Anyone that already has an OpenStack cloud, or is considering deploying one, would be well served to review the guide.

The free ePub guide is available here.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.

Why Firefox OS will be a Big Win for Apple

By Sean Michael Kerner   |    July 02, 2013

From the 'Counter-intuitive' files:

Apparently Mozilla officially launched Firefox OS yesterday.

The first Firefox OS powered phones are set to debut soon: Deutsche Telekom and Telefonica will release the first Firefox OS devices.

This is a big win for the open mobile web - unless, of course, the carriers lock down their Firefox OS devices. Since Firefox OS is essentially the web, locking down a Firefox OS device won't be an easy thing to do. Users, via their browser, do what browsers are supposed to do: they browse the web.

The Firefox Marketplace - the app store of the open web world - is the gateway for Firefox OS - and its maturity or lack thereof at launch will be the item that makes or breaks Firefox OS.

There is little doubt in my mind that Firefox OS will gain traction. It's a royalty free open source system that is open, what's not to like?

The Apple people are sure to love Firefox OS too.

The type of user that is likely going to be attracted to Firefox OS is the price-conscious user that thinks Android devices are too expensive. I strongly suspect that if Firefox OS gains traction it will do so at the expense of Android. Firefox OS, if successful, will further fragment the choices available versus Apple iOS.

Apple has very strong brand loyalty; I'm not so sure that Google (or its myriad hardware vendors) have anything quite the same for Android. Apple's CEO likes to talk about fragmentation on Android, and the Android naysayers love to talk about security. Firefox OS will only add further fuel to that fire, inevitably and indirectly helping Apple.

Another entrant in the mobile space with big carrier backing will also help to shift those that are still on feature phones to finally move to the modern era. For better or for worse, Apple is the leader in the modern smartphone world, and as those new smartphone users start to get used to the new world order, if Firefox OS apps don't match the quality of iOS, I suspect those users ($$ permitting) will look at Apple too.

Yes, Firefox OS is a win for the open web.

It will not lock users/developers down with Objective-C or Java bindings. It's a brilliant (and obvious) innovation that makes sense. It is, however, entering a crowded market, and in that crowd, Apple has the most to gain.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.