Developers Club geek daily blog

Security Week 01: ransomware in JavaScript, $100k for an Adobe Flash bug, an encrypted bright future

The Chaos Communication Congress was the major event of late December. Materials from it can be found under the keyword 32c3, where 32 is the sequence number of the event, counting from 1984. Plenty of interesting research was presented in Hamburg. For example, Felix Domke and Daniel Lange gave a detailed account of the technical side of "Dieselgate", including how the control systems of modern cars work. And here you can look through a monumental 110-page presentation on the vulnerability of railway systems and conclude that IT is used in trains widely, heavily and differently everywhere, frequently relying on off-the-shelf software (Windows XP) or standard wireless protocols (GSM) whose security shortcomings are widely known and actively exploited (fortunately, so far in other places).

And here is news (the presentation and a link to the research paper are inside) that individual features of programming style survive even in compiled code. Although the subject is rather narrow, I see something bigger in it: perhaps in the near future the picture on the right will finally lose its relevance. Not because everyone will be watching everyone, but thanks to behavioural analysis: a user can be identified by how they interact with a website, an application or anything else, just as a programmer can be identified by how they write code. By the way, just yesterday Apple acquired a startup specializing in the analysis of human emotions. All in all, 2016 is off to an interesting start, and we continue our observations. Previous episodes are available here.

Security Week 52-53: a backdoor at Juniper under a thick layer of cryptography, vintage Java, a gopnik-style bug bounty

While the Christmas tree is already up but the salads are not yet chopped, it is high time to talk about security news for the last time this year. Last week I reported on the "non-standard" top news of the year, and in general nothing special happened in the remaining time. Well, no: there is one piece of news that deserves a separate story. The two backdoors found on December 17 in the software of Juniper network devices could have joined the long but unremarkable list of bugs, exploits and misconfigurations in routers and home routers. But it later turned out that this story has a mass of nuances: it touches not only on secure coding but also on encryption, and even hints at the involvement of intelligence agencies appeared.

All in all, the end of the year turned out to be interesting. Besides Juniper, the two other popular news items lean more towards security-adjacent policy. The traditional rules: every week the editors of the news site Threatpost select the three most significant news items, to which I add an extended and ruthless commentary. All episodes of the series can be found under the tag. The first episode of the new year will come out on January 8!

A non-standard top of IT security events of 2015

The time has come to repeat an exercise I first performed exactly a year ago. Back then I took the 10 most popular news items from our site Threatpost and tried to figure out why they had actually attracted the attention of the public, both specialists and ordinary users. The method has obvious shortcomings: many things influence the popularity of an article, and it is by no means guaranteed that the most popular news about incidents in the cyber world is also the most important. But there are advantages too: there is a huge number of information security events, and every participant in the discussion, depending on specialization and personal interests, will pick their own "very best". This, then, is an independent assessment tool, if not the most objective one.

This year the selection of the most visited news divides neatly into five main categories:
— Low-tech threats to users
— "Vulnerabilities in unexpected places": the security of the "Internet of Things", home and industrial network devices
— Data encryption problems
— High-profile vulnerabilities in key platforms and the "high tech" of cyberthreats: examples of the most advanced attacks
— Routine but dangerous vulnerabilities in widespread software

So let's walk through them.

Security Week 50: DDoS on the root DNS servers, the life of the Sofacy APT, lots of cryptography

Serious changes happen exactly when the share of those who want something to change exceeds a certain critical threshold. No, I am not talking about politics now, heaven forbid, but about IT in general and IT security in particular. And everyone wants something different: companies, not to be DDoSed or hacked; users, not to have their passwords stolen and their accounts hijacked; security vendors, a new attitude to security from all stakeholders; regulators, well, obviously, to regulate.

Here is a brief summary of our experts' predictions for next year: the evolution of APTs (less technology, lower costs, more of a mass phenomenon in general); attacks on new financial instruments à la Apple Pay and on stock exchanges, closer to the places where digital money is concentrated; attacks on security researchers through the tools they use; hacking of companies purely to damage their reputation (a.k.a. airing dirty laundry); a deficit of trust in any IT tools (anything can be hacked), including trusted certificates; botnets made of routers and other IoT devices; and a large-scale crisis of cryptography.

This year's predictions contain not a single "stretch" item, no improbable scenario. Unless you count attacks on computer-controlled cars, and that is really about hacking the infrastructure they depend on: cellular and satellite networks. All of this will come true to a varying degree; the problem is that somehow nobody wants it to. Where possible, we would prefer to avoid it all. And if not only we but everyone in general (though in different ways) wants that, could 2016 become a year of progress in collective IT security? I am no expert, but I would like to believe so. On to the news of the week. Previous episodes are available under the tag.

Security Week 49: second-hand certificates, theft of data from children's toys, Microsoft blocks unwanted software

Nothing happened this week. Well, that is, the flow of IT security news was normal (a hack here, a vulnerability there, a patch somewhere else) but without any serious revelations. When I first began keeping this weekly digest, it seemed to me there would be many such weeks, but so far, since August, there have been only two: this one and one other. But look at what this supposed vacuum consists of:

— Millions of customer records, including a lot of personal information about children who own "smart" devices with cameras, were stolen from a vendor of, let's say, toys.
— Thousands of modems, routers and similar devices from many vendors use identical certificates and keys for SSH access.
— The USA is heatedly debating FBI requests of the "give us the data and tell no one about it" kind, details of which were made public for the first time since 2001, when the practice was introduced.

Some "nothing", although yes, there was no super-hack, nothing fell over completely, and that is good. However, our experts, summing up the year's loudest information security events, see no decrease in activity, rather the opposite. So we will not relax; winter is close. The traditional rules: every week the editors of the news site Threatpost select the three most significant news items, to which I add an extended and ruthless commentary. All episodes of the series can be found under the tag.

Security Week 48: certificate sorrows at Dell, a backdoor in modems, TrueCrypt returns

Every time the security field suffers another failure, two eternal questions materialize out of thin air: what to do, and who is to blame. And the first is the more important: more and more often we deal with incidents that simply cannot be solved with a patch or something similar. Unfortunately, this applies not only to super-sophisticated attacks. Fortunately, it is usually about theoretical threats. Let's look at the latest news of the week:

— Self-signed root certificates were found in Dell notebooks;
— A backdoor was found in 600 thousand modems made by the American company Arris;
— A German government agency undertook an audit of TrueCrypt and found nothing, but all the same nobody trusts the encryption utility abandoned by its developers any more.

Nothing new. The first two stories are from my favourite category, "it has never happened before, and here it is again". Dozens of software and hardware vendors step on the special IT security rake, and it seems there will be no end to it. But there is a solution, and in today's digest I will try to explain roughly what it is. All episodes of the series are here.

Security Week 46: a universal Java bug, the life of a crypto-locker, 17 Adobe Flash patches

In a new episode of our series:

— A serious vulnerability in the Apache Commons Collections library endangers Java-based products from several companies at once, such as Oracle WebLogic and IBM WebSphere. As with any other vulnerability in a widespread and heavily used library, this one is being patched to the accompaniment of harsh words about what to do and who is to blame. The vulnerability was actually found back in January, but since nobody came up with a catchy name or drew a logo for it, nobody paid attention.

— Cryptowall, the encrypting trojan recently recognized as the most profitable member of its family, is changing its behaviour. Now, in addition to encrypting file contents, it also goes after file names, leaving even less chance of recovering the data without paying the ransom (although there was little chance anyway). It spreads, among other ways, via fairly obvious infected e-mail attachments.

— Flash is patched again, and again the vulnerabilities are serious. We continue the "critical drudgery" column.

Cats not included. The rules: every week the editors of the news site Threatpost select the three most significant news items, to which I add an extended and ruthless commentary. All episodes of the series can be found under the tag.

Security Week 45: sandbox escape, EMET bypass via WOW64, the 000webhost hack

The quotes from Eugene Kaspersky's book that I attach to each news digest illustrate well the threat landscape of the early 1990s, or more precisely, the position of the infosec field in relation to the rest of the world. Roughly until the 2000s, before the first mass epidemics of still fairly simple malware, information security was perceived as something even more arcane than IT in general. Those were good times, but they ended. In the mid-2010s everyone discusses cyberthreats: scientists, parliamentarians and even entertainment stars. This is clearly visible in the October digests of the most popular news: first we plunged into the theory of cryptography, and then suddenly jumped into legislation. And yes, that is necessary: all of this influences cyberspace one way or another, even if not right now.

But in general, practical security was and remains a difficult, purely technical subject. The threat landscape cannot be evaluated adequately by looking only at society's reaction or only at academic research. Those bills are important, but they have little in common with practice. They are connected with IT at all only because their text was typed into a computer in Word. This is no great discovery, but it is a clear hint: it would be good to keep a balance. It is pleasant that this week all the most popular news is from the practical sphere. No politics, no threats that might be exploited fifteen years from now. Everything here and now, just the way we like it. Moderate hardcore it is. Wheee!
The previous episodes live here.

Security Week 44: legislators and security, cryptography and intelligence

If there is a subject in information security more difficult than cryptography, it is legislation. Any research paper on encryption, its main conclusions and possible consequences can be understood. In many cases this requires several years of intensive study of the core and related subjects, plus a decade more of work as a security expert. But it can be understood. It is not always possible to understand what consequences a law regulating information security will have, even if you read it carefully. Even if you know the language it is written in well.

Nevertheless, it is necessary to understand, because legislation can seriously affect security, one way or the other. Good, well-crafted initiatives motivate companies to protect themselves better against cyberthreats, protect bank customers from losing money to online fraud, improve the security of government institutions and of our data that they process, and fight crime. Bad laws at best do not change the threat landscape at all, and at worst let cybercriminals walk free, even after arrest and in the presence of convincing evidence of guilt, complicate the work of researchers, and make private data a little less private than we would like.

In this episode of the digest we will talk about two important news items in the field of American infosec legislation, and we will also continue the discussion of cryptography, this time thanks to the NSA, which decided to join the debate on encryption. Which, however, did not stray far from politics either. The rules: every week the editors of the news site Threatpost select the three most significant news items, to which I add an extended and ruthless commentary. All episodes of the series can be found under the tag.

Manually editing uboot-elf for the sake of DHCP and SSH

Once upon a time an AEWIN SCB-3240 box fell into my hands; it was to settle into a server rack for good, never to be touched again. It was not going to be used directly, but for testing our product. Kaspersky Lab has a tradition of releasing an anti-virus SDK for every imaginable platform, as long as there is something there capable of compiling C code. Accordingly, the SDK needs anti-virus databases, which, despite being the same for all products, nevertheless have to be tested: in case of an error in the SDK, or in the database loader, or some platform quirk, or … In general, a million reasons. And so that we learn about problems a little earlier than from new support cases, dozens of boxes checking every set of anti-virus databases for operability stand as the last line of defence.

That is, what was of interest was not the AEWIN's networking capabilities, but only its essence as a MIPS/Linux machine. The problem was that the box offered no adequate way to connect to it. All I was offered was a console port, telnet, and no DHCP at all.

Unfortunately, the worst fears were justified. The device had no persistent storage and lived only from power-on to reset, unpacking the reference image every time.

So, what I needed: to teach it to obtain an address via DHCP, to teach it to accept SSH connections, and to try not to break anything along the way.
