RealTime IT News

Blog Archives

LinuxCon: Running Containers in a Hostile Environment

By Sean Michael Kerner   |    August 24, 2016

TORONTO — Containers offer many different security benefits and can even be used to run hacking competitions without being hacked themselves. In a session at the LinuxCon ContainerCon conference in Toronto, Stéphane Graber, LXD Technical Lead at Canonical Ltd, detailed how the NorthSec capture the flag contest makes use of containers (specifically LXC) to enable the contest.

The whole setup involved no less than 11,387 Linux containers and an all-IPv6 network that was set up to mimic the real Internet, but could only run locally. Graber said that the network setup really makes it feel like hackers are on the real Internet.

To secure all the containers, Graber and the NorthSec team use the LXD daemon to further isolate the containers and provide security.

Over the course of a very detailed technical overview, Graber explained the full configuration setup that enabled the competition to work. Overall, it's a really interesting use case for containers, one that couldn't easily be done with regular bare metal and could be done only with more difficulty (and hardware) using traditional virtual machines.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist

Docker 1.12.1 Released; Brings Huge Improvements for Raspberry Pi Installs

By Sean Michael Kerner   |    August 19, 2016

The big news out of Dockercon this year was the Docker 1.12 update, providing an integrated swarm-mode container orchestration system directly into Docker. As a somewhat cautious person when it comes to running new stuff in production, I always wait for the .x.y update (in this case a .1) before running new stuff on systems I really care about.

Aside from a solid number of bug fixes that actually make swarm-mode very stable, there is a big update in the 1.12.1 release: an official ARM update that brings an easy installation to Raspberry Pi devices.

The git pull to look at for this is 24815. "Adding support in install.sh to install the Docker Engine on a standard Raspberry Pi running a raspbian/jessie OS," developer Dieter Reuter wrote.

In a message to me Reuter provided some additional color:

With the new Docker 1.12.1 release we've now reached a major milestone because you can now install Docker with a single command on every ever built Raspberry Pi, more than 8 million devices out in the world! Because with 1.12.1 there is the first ARM Debian package officially available from Docker to install it on a standard Raspbian/Jessie OS. The only thing you need is to log in to a Raspberry Pi which is connected to the internet and type "curl -sSL get.docker.com | sh" - yeah, it's just so easy right now!

We also just released our own new HypriotOS 1.0.0 for the Raspberry Pi a few hours ago - it's way smaller than before and it already includes the Docker 1.12.1 official build for ARM.

So what are you waiting for? I know what I'm doing this weekend…


DEFCON: BtleJuice MitM Hacks Bluetooth (and belittles Bluetooth Padlock security)

By Sean Michael Kerner   |    August 05, 2016

LAS VEGAS - Hacking Bluetooth to date has been about buying an Ubertooth One and sniffing the air. A new tool and method, first publicly demonstrated today at DEFCON, creates a Man In The Middle Attack for Bluetooth Smart enabled devices.

"Sniffing is so hard and it really sucks," security researcher Damien Cauquil said.

So rather than sniffing, the BtleJuice Framework tool looks for open Bluetooth connections and attempts to connect to the device; it then creates a dummy device with the same services and characteristics. Finally, BtleJuice waits for new connections, which it then takes over as the Man in The Middle, enabling an attacker to inject new commands.

Cauquil has a number of interesting use cases for BtleJuice and demonstrated a live attack against a Bluetooth controlled robot. Additionally, he noted that he has tested the attack against Bluetooth smart locks with a very high degree of success.
The project is entirely open-source and available today on GitHub at: https://github.com/DigitalSecurity/BtleJuice


DEFCON: Samsung Pay Hacked

By Sean Michael Kerner   |    August 05, 2016

LAS VEGAS. The era of smartphone based payment systems is now here, but it might be a little insecure. In a presentation at DEFCON 24 here, researcher Salvador Mendoza detailed a litany of design and process flaws in how Samsung Pay works that could potentially enable an attacker to abuse the system.

Being DEFCON, Mendoza also had a demo, albeit a recorded one, but it was done in Vegas and recently too. In the demo he places his sniffing device near a beverage vending machine. After a user of Samsung Pay attempts to use their phone to buy a drink, Mendoza's device captures the authentication token and is then able to replay it back to the vending machine and get himself a drink - for free.

Overall, Mendoza noted that while Samsung Pay does have some levels of security, it still could be a target for malicious attacks. He added that Samsung Pay has limitations in the tokenization process which could affect customers' security.


Black Hat: Google Project Zero Researcher Details the Year in Flash Flaws #BHUSA

By Sean Michael Kerner   |    August 04, 2016

LAS VEGAS. Few people have ever found as many bugs in Adobe's Flash as Google Project Zero security researcher Natalie Silvanovich. In a session at the Black Hat USA conference here, Silvanovich detailed the year in Flash bugs, and what a year it has been.

In December of 2015 over 79 bugs were found, and even more flaws were found in the first six months of this year. That said, Silvanovich emphasized that it's now harder than ever before for security researchers to actually find flaws in Flash.

"I used to find a bug a day in Flash, now it's more like one a week," Silvanovich said.

She added that while some bug classes are drying up, others are taking their place. Flash mitigations are now making it more difficult to exploit bugs, especially low-quality bugs.

The timing, however, isn't favorable for Flash, as all major browser vendors have announced plans to deprecate Flash support in the coming year. Once that happens, Silvanovich expects that she'll at some point have to move on to a new area of security research.

"Personally I think the next thing will be browsers so that's what I'll look at next," Silvanovich said.


10th Annual Pwnie Awards Recognize Mudge and Taviso

By Sean Michael Kerner   |    August 03, 2016

LAS VEGAS. This year marks the 10th annual Pwnie Awards (I've been to 9 of them - first year I didn't know about the event but quickly corrected my error), recognizing the best bugs, the most epic fails and the best researchers in the business.

Looking at the more whimsical pwnies - the Pwnie for Best Branding went to Mousejack from Bastille, while the pwnie for the most Overhyped bug went to BadLock.

The backdoor in Juniper's ScreenOS was the big winner of the night picking up not one but two pwnies - one for the best backdoor and another for epic 0wnage.

The pwnie for best stunt hack truly was no contest as Charlie Miller and Chris Valasek literally put lives at risk with their 2015 Jeep hack.

While there are a lot of different categories, for me the most noteworthy this year are for two individuals that are quite literally living legends. Google Project Zero researcher Tavis Ormandy won the Pwnie for Epic Achievement while Peiter 'Mudge' Zatko won for lifetime achievement.

Ormandy is somehow able to crack any security system, while Mudge, well… after being a hacker that testified before Congress, running L0pht and now in the Government to help make us all secure? The man truly is a living legend and deserves every accolade he receives.

Oh and if you want to see Tavis Ormandy pick up his shiny Pwnie - here you go:
