* Posts by Binnacle

24 publicly visible posts • joined 2 Feb 2014

RIP ROP: Intel's cunning plot to kill stack-hopping exploits at CPU level


Re: Silver Bullet

>No it will not.

>Heap overrun exploits.


Heap-overrun exploits are written using ROP code. Heap regions are non-executable and ROP the only way to exploit "use-after-free" vulnerabilities.

This feature will close the door on the nastiest technical vector employed in attacking remote systems and may "tip" the state of overall Internet security to a much better place. Obviously people are stupid and this will not change, but various shades of code white-listing is gradually mitigating the unwashed morons who aggressively "click through any and all warnings." So far no lasting Apple-product botnets, right? 2FA and password quality enforcement has already made a significant dent in the stupid-password problem. Costly and embarrassing hacks have shamed dumb companies and their programmers into applying proper salted hashing to stored passwords.

Botnets are the single biggest factor in Internet malevolence and sending them off will end the careers of typical cyber-criminals.


Silver Bullet

A pleasure if this turns out to be the long awaited silver bullet against malware attack.

Perhaps it deserves the label "Platinum Bullet" considering the engineering effort required to make it happen. A world without botnets, a world with unemployed Russian cyber-criminals, a world where governments can't so easily barge uninvited into everyone's lives--quite a picture.

Yay! It's International Patch Your Scary OpenSSL Bugs Day!



Yo! CVE-2016-2108 was fixed in APRIL of LAST YEAR, that is 201*5*

Bunch of illiterates.

OpenSSL patch quashes rare HTTPS nasty, shores up crypto chops


Must be Joking

OpenSSL should follow the example of CVEs and provide an "impact" rating to go with the "severity" rating. This one qualifies as severity HIGH, impact ZERO.

Took 20 minutes to figure out how to invoke the vulnerable code:

openssl genpkey -genparam -algorithm DSA -out dsap.pem -pkeyopt dsa_paramgen_bits:1024 -outform dh_rfc5114

The number of folks who have employed this are counted on one hand.

Oracle plugs flaw used in attacks on NATO and the White House



The researcher, in typical fashion, fails to mention

that if one browses primarily with FireFox and

has "click_to_play" enabled in the browser, that

j2launcher.exe is never invoked and the exploit

will fail.

Wait, what? TrueCrypt 'decrypted' by FBI to nail doc-stealing sysadmin

Thumb Up

per NSA slide (publicly disclosed)

Impact to production

MAJOR Loss/lack of insight to majority of target communications, presence

OTR, Tor, . . .TrueCrypt

one worse "CATASTROPHIC" category for when multiple techniques are used in combination

MIT boffins identify Tor hidden services with 88 per cent accuracy


the BIG IF -- headlines, lies and statistics

"That means that an adversary who lucked into the position of guard for a computer hosting a hidden service"

Right, so you have to become a HS's guard node and you can correlate it's traffic.

This is not news--correlation attacks are the always-known weakness of all low-latency anonymity routing systems. So it's 88% multiplied by what? 1%? 5%? 10% or maybe 0%? Good HS operators are aware of this issue and take steps to establish/protect/rotate safe entry guards.

But is is news and is interesting that they have found a way to improve the system.

OpenSSH server open to almost unlimited password-guessing bug


no problem for "not stupid"

For the "not stupid" crowd who disable SSH password authentication and rely on certificates, is a non-issue.

Tried the provided command and got exactly one (not 10000)

Permission denied (publickey).

Java jockeys join Flash fans in the 0-day exploit club


further ignorance

1.7 lives, and anyone with any sense runs the older more stable version


Recommended Version 7 Update 79

Release date April 14, 2015

Apple splats Safari flaw affecting a BEELLION iThings

Thumb Down

where's the fix for iPhone 4 iOS 7.1.2?

So ancient 3GS phones get a fix, but no fix for merely old iPhone 4's?

Cisco FREAKs out, starts epic OpenSSL bug-splat


Most unusual. Cisco has posted three or four different "interim" version of ASA firewall 8.4 firmware with successive series of bug fixes--none regression tested. It's a case of "pick your poison". Haven't seen them hustle like this over a vulnerability before. The downgrade attack is a big worry only if one thinks GCHQ, NSA or China is on their tail, in which case the damage was probably done years ago. We'll wait a couple of days and let the dust settle.

Patch now: Design flaw in Windows security allows hackers to own corporate laptops, PCs


not a serious vulnerabality

For ten or more years all decent wifi APs have isolated client stations so they cannot see each other's traffic. Today one would be hard pressed to find even a consumer grade wifi router that does not have client isolation active by default.

And while we've seen a lot of stupid corporate security, I doubt even Sony fails to require encrypted VPN tunnels for remote laptop connectivity.

Also has been ten or more years since anti-ARP-spoofing became standard on corporate switches.

MITM is not so simple these days.

Unless you're the NSA, GCHQ, etc. with limitless resources for mounting multilayered attacks (e.g. hacking Cisco switches, building black boxes to circumvent wifi isolation, etc), this weakness was not of much use.

Trouble comes in threes: Yet ANOTHER Flash 0-day vuln patch looming


Re: uninstall it -and hope chrome keeps up to date

I once ran Chrome in lieu of IE when Firefox had trouble rendering a site, but lately have not required it. For Chrome users who loath Flash despite the PepperFlash sandbox, it can be disabled in the "about:plugins" or "chrome://plugins" page.


Re: uninstall it -and hope chrome keeps up to date

Chrome has a superior "PepperFlash" sandbox (Google strong-armed Adobe into supporting it) that has prevented the recent 0-days from breaking out of the browser process. Worst case is a temporary infection of a padded cell with no access to anything. An occasional browser restart will vanish any that might get so far.

Flash is integrated into IE 10 and IE 11 (where M$'s lame sandbox has prevented nothing). Search on "group policy disable flash" for a procedure that absolutely prevents Flash from running in IE. I prefer simply setting "Deny all add-ons unless specifically allowed. . ."

Thumb Down

Flash be gone!

After the last two 0-days, I read with joy that

YouTube has tipped the balance away from

Flash and to HTML5. Installed Firefox 36 beta,

*uninstalled* Flash from *every* system, and

disabled IE-bundled Flash in the group policy

for good measure.

Time for everyone to uninstall this vermin

infested corpse!

Snowden SLAMS iPhone, claims 'special software' tracks users


documented undocumented backdoor APIs

Snowden is correct, as security researcher Jonathan Zdziarski revealed last summer:



The backdoor APIs require installation of a RAT for actual exploitation, but of course the NSA and various LEAs have either their own or commercially provided tools of this nature. Physical access to the target phone or social engineering of the device's owner is presumably required to install the tools, but (esp w/r/t the NSA) you can never be certain.

Perhaps with iOS 8 the APIs have been removed or--due to comprehensive encryption--rendered ineffective. The FBI has squealed like a stuck-pig over it, so it could be the case.

EFF: VPNs will crumble Verizon's creepy supercookie stalkers


do-not-track possibly solves the issue

I've had the "do not track" setting active on my iPhone since it was introduced. Three different UIDH sites show no evidence of the header when my phone accesses them via the Verizon data network, so perhaps Verizon observes this header and suppresses their perma-cookie header. Either that or the UIDH header is not injected for 3G-only phones, which is what I have.

iMessage SPAM floods US mobile networks


ancient news

Got hit with this back in July and reported the spam via Apple's email reporting channel. Hopefully Apple has mitigated iMessage spam for the future (rarely do they acknowledge taking such actions) as the service is otherwise excellent.

Microsoft hacks out new EMET, spits out Adobe Flash

Thumb Up

EMET 5.0 appears to work with XP

Installed it and it seems just fine. Uninstalled 4.1 beforehand.

Since XP Embedded is still under support and some customers are paying for past-EOL support on desktop XP, it would be surprising if it did not.

But don't expect MS to take the call if you encounter a problem.

Cisco patches OSPF bug that sends traffic into black holes


fixed for one year

Fixed versions of firmware starting appearing 12 or more months ago.

Most shops will already have the vulnerability patched.

32,000 motherboards spit passwords in CLEARTEXT!


no fix for H8DG6-F

SM has not posted a revised firmware for their H8DG6-F mainboard. Is vulnerable.

BB10's 'dated' crypto lets snoops squeeze the juice from your BlackBerry – researcher



One must remember that RIM takes an extremely conservative approach to crypto--by design. Their primary customers are now governments that require this. For example FIPS is dated and some of the ciphers compromised, but the overall FIPS approach and framework is highly secure and that's what the customer demands.

BEAST is for the most-part mitigated on the server side by all significant web sites. The case against RC4 is far from convincing, as the very-pointy-headed folks at Google have discerned--Google continues to prefer it.


"Better the devil you know than the one you don't" as the saying goes. No doubt the latest EC crypto is great stuff, but it's still relatively young and not enough rocks have been thrown yet for utter confidence.

HP offers $150,000 for 'exploit unicorn' in Pwn2Own hacker competition


HP must be joking. Who in their right mind would reveal an exploit that bypasses EMET and Win8 for a lousy 150k? Should pull $500k from the NSA or GCHQ via the grey market. Possibly much more. Perfectly legal cash and enough to, after taxes, buy a decent house, provide an adequate retirement or a purchase new Ferrari to crash shortly thereafter.