Skip to content

Category: Hackerterrorcybercyber

Plex and TLS vs. beA and failure

Filippo Valsorda wrote an article “How Plex is doing https for all its users” two years ago. In the article, Filippo explains how the self-hosted media server Plex can offer TLS to secure all connections, including those to the user’s servers.

Plex is a server software running on your machine, and a discovery service somewhere out on the internet. Using your login, you connect to the discovery service, and then connects directly to your server, using XHR.

The XHR part means you are on a page, and because that is a https page, the XHRs also need to be encrypted and trusted. That means your server needs to be able to do https, and that means your server needs to have a valid certificate to do this.

How does your server get this cert?



#define MH_PIE 0x200000                 /* When this bit is set, the OS will
                                           load the main executable at a
                                           random address.  Only used in
                                           MH_EXECUTE filetypes. */

If that flag is on, MacOS will enable ASLR and the binary will have different load addresses for code, data, heap and stack every time it is running.

$ sudo otool -h '/Library/Application Support/TrendMicro/TmccMac/iCoreService_tmsm'
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777223          3  0x80           2    20       2656 0x00018085

Check the ‘flags’ for this. No 0x200000, no ASLR. Not here, and not on any other binary with “TrendMicro” in the pathname. And that is why you can’t have nice things.


So how badly is WPA2 broken?

It’s all over the news since yesterday: »WPA2 Wifi-Encryption is broken.« German news stations are asking people to not do online-banking via Wifi (that’s nonsense, but more about that later).

So what is WPA2? Wifi connections are connections over the air, radio signals in the 2.4 GHZ and 5 GHZ band. Because radio waves propagate everywhere around the antenna, they can be listened in by everybody. In order to give the over-the-air piece of the Internet connection some privacy, a simple encryption protocol had been cooked up, WEP. The WE in WEP stood for “Wire equivalent”, so the encryption wasn’t supposed to be milspec, it was supposed to give privacy comparable to a wire.

WEP was broken a long time ago, and it did not provide much of anything for a decade now. The successor protocols were WPA and later, WPA2. WPA2 was actually proven to be correct and secure, and that proof remarkably still stands.

So how is that possible?

1 Comment

The inherent Asymmetry of online attacks

Katie Moussouris explains teh Cyber and how it is asymmetric:

»”#Cassandra moment: Explaining that determining “cyber norms” in today’s world order misses emerging capabilities & motivations of new actors.

Forget “attribution”. Not what I mean. Deterrence, state responsibility, etc in existing state context assumes most want to keep stability.

Plenty of non-terrorist smaller states & non-state-non-criminal actors have or can acquire capabilities & would not be sanctionable, for example when we think through deterrence strategies, consider not just world order we have that prefers stability, but those who prefer destability.

We’re erroneously trying to defend against a magnetic power reversal of the N & S poles, but the cyberwar powers are everywhere & unaligned.

We miss the point if we think the answer is to contain those weapons/tools. We hurt defense when we limit their distribution for analysis.”«

1 Comment

A (sad) security user story

Here is a user story for implementors of security systems and platform hardening initiatives:

As any user,

I never want to get a “denied” message, but a “in order to do what you want you are missing the X permission” message in order to be able to track down the root cause and request the appropriate permissions more easily.

It’s not that hard, really.

GitLab: You are not allowed to push code to this project.

Well, it’s harder for some, apparently. That’s one hour of my life I am not getting back.

1 Comment

The Great DOM Fuzz-off of 2017

I generally recommend people use a current stable Chrome. It’s the most secure browser. Please also install uBO and use 1Password.

Turns out, that recommendation can also be backed up by data. Check the “Results” headline.

Note also how they did not test Safari on Apple, because that hurts too much:

Instead of fuzzing Safari directly, which would require Apple hardware, we instead used WebKitGTK+ which we could run on internal (Linux-based) infrastructure. We created an ASAN build of the release version of WebKitGTK+. Additionally, each crash was verified against a nightly ASAN WebKit build running on a Mac.

Yup, Apple development and testing happening on Linux.

Leave a Comment

Jumping Airgaps…

So this paper operates on the premise that there is a high security installation. Because of that it has an isolated network, and also physical protection, in the form of common cameras with the ubiquitous IR lighting.

Turns out, so the developers of “aIR-Jumper“, you can code data into flashes of IR camera lights, and you can read input using the security cameras. So after the initial infection (which would have to take an different route) you can talk to your implant using the security features of the isolated network.

1 Comment

The Chaos breaks german elections, again

Actually, the election was broken before, and the Chaos Computer Club just happened to be the only one looking closely enough, again. (German PDF)

Ten years ago, they broke the digital elections in Hamburg, which were to be based on the Digitaler Wahlstift. Because of that, and Wij vertrouwen stemcomputers niet there is actually a completely offline paper record that can be used to rebuild election results from hand.

So this time CCC looked at the electrion result collection and tabulation software, PC-Wahl 10. And found something uses default passwords of the calibre test/test, using FTP based unsigned software updates, and using no secure way whatsoever to transmit and validate election results.

„Elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations“, says Linus Neumann, a speaker for the CCC that was involved in the study.

If there is ever a valid use case for the Blockchain
Merkel Merkle Trees, it’s probably this.

1 Comment