Las Vegas – Where Black Hats and Black Ducks Meet

Last week the Black Duck team attended Black Hat 2015.  This multi-day conference and tradeshow is where security researchers, hackers, vendors, and other showmen meet to review the last year in breaches and exploits, share security insights, and preview tools and services for keeping companies and networks safe across today’s hostile cyber threat landscape.

The exhibit hall boasted over 160 vendors with wares ranging from application firewalls to intrusion detection to anti-malware solutions.  Especially interesting was Innovation City, a special area for startups to showcase cutting-edge products and solutions and engage with the security/vendor community.  We greatly enjoyed engaging with new companies there with unique approaches to monitoring, testing, and securely deploying enterprise apps. I expect to see several promising startups we met there headlining over the next 1-2 years.

We encountered open source security among a range of product features and requirements, and almost everyone we spoke to was excited by recent Black Duck announcements featuring new capabilities in the Black Duck Hub, Binary Analysis capabilities in Protex, and the Black Duck vulnerability plug-in for Jenkins.

The conference briefings proved to be a mixed bag of hardcore technical presentations and security-focused flying circuses.  Personally, I benefited greatly from talks about the open source mobile platform Android, including Google’s Android Security State of the Union and another on new ways to root and exploit Android-based smartphones.  Also informative were IoT-centric talks like Tobias Zillner and Sebastian Strobl’s session focusing on Zigbee security models and vulnerabilities.

Read More (originally posted on Open Source Delivers on 08/12/15)


Open Source and the Internet of Things – A Reality Check

Every time I turn around, a company or consortium announces another Internet of Things (IoT) platform. And, while only some of the touted IoT underpinnings are open source, there is a popular consensus that the Internet of Things will only rise if built upon pillars of open source software (OSS).

The Gartner 2014 Hype Cycle places the Internet of Things at the very Peak of Inflated Expectations:

Gartner 2014 Hype Cycle

While open source is instrumental for building out the IoT, its role is also overhyped.  The presence and utility of open source is not universal, nor uniform, across all elements and layers of the emerging IoT.

The purpose of this blog is not to dampen the enthusiasm for open source in IoT, but rather to de-hype the discussion with a reality check.

Read More (originally published on Open Source Delivers on 08/10/2015)

Is Your Android Device At Risk Of ‘Stagefright?’ 950 Million Devices Exposed By New Security Vulnerability

Yesterday, stage fright became more than just a common phobia. It is now a very real security threat to most Android-based devices.

Discovered by Joshua Drake at Zimperium zLabs, vulnerabilities uncovered in the Stagefright Android-native media player allow attackers with access to an exposed Android phone’s number to gain control of the device using methods that do not require any user action. Attackers can trigger the playback of audio-visual content by sending vulnerable devices MMS messages or can simply kick off a Google Hangout to gain access to an Android device.  Once they have launched an exploit taking advantage of the Stagefright vulnerabilities, malefactors can initiate remote code execution (RCE) to run malware, extract data, and take over the device for a range of purposes, all without detection by users, operators, and by most Mobile Device Management (MDM) software used by companies to govern employee access to corporate networks.

The Zimperium team elaborated on the covert nature of this threat, stating,

Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Read More (originally published in Open Source Delivers on 07/28/2015)

Securing Open Source – Many Eyes, the Triple Fence and the Community Development Model

The open source development model is based on interactions across communities and among community members – project developers, platform creators, and end users. These interdependent communities constitute a ‘triple fence’ that keeps projects free of malicious and exploitable code in different yet complementary ways. Ideally, the various communities of developers, integrators, and end users work together to monitor, curate, and improve code quality over time – catching security flaws in the process.

The triple fence is an intriguing concept. Unfortunately, it’s not clear whether it’s enough to secure many significant open source projects – Bash, SSL/SSH and glibc, to name a few. In theory, many eyes look at open source code as it’s developed, integrated, and deployed; however, in practice, too many of these eyes are busy elsewhere and too few are security savvy. What’s missing is ongoing curation. Developers and end users take for granted the security of many projects, but the reality is that too few people maintain piles of code that may be months or even years overdue for security review.

The open source software development process, while outwardly straightforward, can be fraught with complexity. Code might be presumed mature, but could rely on technology developed a decade or more ago and might still contain significant vulnerabilities. Open source security vulnerabilities can arise from many causes, including misconfiguration by end users, programming errors, and short-sighted protocol design. Given this reality, a holistic view of security is critical for organizations that rely on open source software.

Read More (originally published on Open Source Delivers on 06/04/2015)

NetUSB Vulnerability Means Trouble For Linux-Based Home Routers: What To Do Now?

Just a day after the disclosure of the Logjam SSL exploit, yet another serious open source vulnerability has surfaced. Dubbed “NetUSB” for the driver in which it resides, this vulnerability affects Linux-based networking equipment, home routers in particular, that support “USB over IP” – remote mounting of USB flash drives and support for other USB peripherals, such as printers and keyboards, over a local network.

Given the ubiquity of SOHO routers, this vulnerability most likely impacts tens of millions of devices in homes, small offices, and other locales. It is doubly concerning because these settings (as opposed to enterprise IT) typically lack security oversight, with many device owners lacking sufficient expertise to remedy NetUSB and other similar vulnerabilities, even through vendor-supplied updates.

The vulnerability arises from that most familiar of sources – a potential buffer overflow in the 64-byte string that conveys the name of the client computer (running Windows and/or MacOS) to the driver. By cramming more than 64 bytes of data into that buffer, black hats can crash the router (denial of service) and, in some cases, cause malicious code to run on the router itself (remote code execution).

The most distressing attribute of NetUSB is that the vulnerability resides in a Linux kernel driver, which, in theory, is among the most visible and best-curated code in all of open source. The code originates with Taiwanese vendor KCodes and has found its way into hardware from D-Link, Netgear, TP-Link, Trendnet, ZyXEL and likely dozens of others, affecting over 90 router products. (See the full list in the advisory here.)
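To make the bug class concrete, here is an added example in C (not code from the post or from the KCodes driver): a constructed client-name message with an attacker-controlled length field, parsed by a handler that bounds-checks the length before copying into a 64-byte buffer, with the unchecked pattern behind such overflows shown in a comment. The message layout and function names are assumptions for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 64   /* the 64-byte client-name buffer described in the post */

/* Constructed message layout for this example (not the real NetUSB wire format):
 * [uint32 name_len, host byte order][name_len bytes of client name]
 * Returns the number of bytes written, or 0 if the message does not fit in cap. */
size_t build_client_name_msg(const char *name, uint8_t *msg, size_t cap) {
    uint32_t name_len = (uint32_t)strlen(name);
    if (cap < sizeof name_len + name_len) return 0;
    memcpy(msg, &name_len, sizeof name_len);
    memcpy(msg + sizeof name_len, name, name_len);
    return sizeof name_len + name_len;
}

/* Hardened handler: copies the client name into a fixed 64-byte buffer only if
 * the peer-supplied length fits. Returns 0 on success, -1 when the message is
 * rejected. The unchecked pattern that produces a stack/heap overrun is:
 *     memcpy(out, msg + 4, name_len);   // name_len > 63 writes past 'out'
 */
int parse_client_name(const uint8_t *msg, size_t msg_len, char out[NAME_BUF_SIZE]) {
    uint32_t name_len;
    if (msg_len < sizeof name_len) return -1;              /* length header missing */
    memcpy(&name_len, msg, sizeof name_len);
    if (name_len >= NAME_BUF_SIZE) return -1;              /* must leave room for the NUL */
    if (name_len > msg_len - sizeof name_len) return -1;   /* would read past the packet */
    memcpy(out, msg + sizeof name_len, name_len);
    out[name_len] = '\0';
    return 0;
}

int main(void) {
    uint8_t msg[512];
    char name[NAME_BUF_SIZE];
    char oversized[200];                      /* 199 'A's: the over-long name case */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    size_t n = build_client_name_msg("WORKSTATION-01", msg, sizeof msg);
    printf("14-byte name:  %s\n", parse_client_name(msg, n, name) == 0 ? name : "rejected");

    n = build_client_name_msg(oversized, msg, sizeof msg);
    printf("199-byte name: %s\n", parse_client_name(msg, n, name) == 0 ? name : "rejected");
    return 0;
}
```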

Read More (originally published on Open Source Delivers on 05/26/2015)

AFNetworking Vulnerability Exposes Thousands of iOS Apps to Attack

Alerts have emerged regarding a flaw in the open source AFNetworking library that enables Apple iOS and OS X developers to implement various networking functions in desktop and mobile applications. By failing to validate security certificates correctly, the bug lets black hats spoof security measures present in the device and masquerade as otherwise trusted web sites. Essentially, cyber thieves need only present any VALID certificate, not the certificate associated with the site in question. This flaw can be exploited to enable man-in-the-middle attacks and bypassing of SSL security – meaning presumed secure data streams from financial services, e-commerce, e-health, and other valuable personal information can be potentially exposed.

What’s interesting about the AFNetworking vulnerability is that it goes beyond the “usual” enterprise concerns to encompass the universe of Apple desktop and mobile application developers and end users. This vulnerability affects at least 25,000 iOS applications on the iTunes App Store and comes on the heels of another HTTPS bug in iOS libraries that affects an estimated additional 1500 apps, in total exposing data streams from the devices of tens of millions of users.

Read More (originally published on Open Source Delivers on 04/30/2015)

Predictions for the Internet of Things in 2015

As 2014 came to a close, I sat and pondered what will come to pass in 2015. Although last year brought numerous debates, collaborations, and advancements in the Internet of Things (IoT) and the role open source will play in its expansion, I believe the New Year will incite incremental shifts in IoT’s demographics and uptake.

Key IoT frameworks (AllJoyn, OpenIoT, etc.) will stretch their wings in increasing numbers of proof-of-concept rollouts.

Today, the IoT is a vibrant but fragmented place.  As companies, communities, and governments begin proof-of-concept launches, we’ll see increasing trials of emerging IoT frameworks and protocols in a global “bake-off,” as well as a strong uptick in IoT protocol adoption by existing device manufacturers.

Read More (originally published on Open Source Delivers on 01/01/2015)

Open Source Delivers: MWC OSS Report

Excerpt from my OSD blog post:

Every year the movers and shakers of the mobile/wireless industry converge upon the industry’s mecca, the Mobile World Congress (MWC).  This year’s ecosystem extravaganza in Barcelona drew 1,500 exhibitors and over 72,000 visitors.  Attendees spanned the gadget gamut, from mobile chipset vendors and software platform suppliers to device manufacturers and network operators, from app developers, ISVs and services providers to journalists and end-users in consumer and enterprise IT markets.


Following is a roundup of highlights from this mobile mega event, and it is no surprise that every key announcement and trend coming out of MWC 2013 involved open source software.

Read More

Raspberry Pi Diary : December 27, 2012

Late Night Hacking

Since my wife decided to spend the evening cleaning out the bedroom closet, using the bed as buffer space for old clothes and other detritus, I HAD TO stay up and play with my RPi some more.   Since I have guests sleeping in my office, I set about doing some remote hacking from upstairs.

I moved a few steps closer to making the Pi more useful:

  • Without any additional configuration, I used SSH to log in to the Pi from my upstairs desk.  Most excellent that no additional messing about was necessary.
  • Used apt-get to update the distro and installed PHP5, Apache, vsftpd and a few other tidbits.  Started playing with building content – totally standard Apache configuration.  Again, the CL tools are easier to use than the utilities included in Raspbian.
  • Discovered that I can’t address the RPi using local DNS (.local addresses), but both the Ethernet and WiFi interfaces (10.0.0.x) serve just fine.   Tried pinging a variety of clients using the .local syntax.  Some resolve, some don’t.  Need to grok this issue in fullness.

What to do Next?

So, I have a very cute and reasonably powerful ARM-based system to play with.  I don’t want it to just sit on the shelf next to my MIPS-based ShivaPlug, so I am mulling over some real-world applications for it:

  • Use it as a caching/loop storage server for IP cameras I originally installed to watch our puppies from Hawaii
  • Build a home-brewed smart thermostat – think Nest with wires hanging out
  • Experiment with Lua (very doable, even if the RPi community is focused on Python), among other things to diddle the bits on the GPIO port
  • Use it to learn Python 😉
  • Employ the RPi to teach my younger daughter about embedded systems, web programming, etc.

Other suggestions welcome!

Incidentally, I backed Karl Lattimer’s HotPi project on Kickstarter.  I plan to have fun with the HotPi daughterboard once it arrives – it’ll help with the Nest clone project.

RaspberryPi.local – Avahi Daemon!

Without even meaning to, I tripped over a useful blog post by Matt Richardson – 10 Tips for New Raspberry Pi Owners.  To enable local DNS-style naming of my RPi (raspberrypi.local), I needed to install the Avahi Daemon.   Impressive dependency set – bless apt-get.  Worked immediately.

Raspberry Pi Diary : December 26, 2012

Gosh, my last post to this blog was back in April 2011.  Well, here goes.

I received a Raspberry Pi (B) as a holiday gift, along with a case and a wireless nub.  I had commented in the media on several occasions about the RPi phenom, but had never laid hands on actual kit until this week.

Well, I downloaded the Raspbian image and rolled up my sleeves.

  • Burned Raspbian on an SD card using my MacBook Pro – don’t bother with the graphical UI – dd works just fine.  Set bs=2m for better performance.
  • Hooked the cute little card up to my giant monitor using HDMI, inserted the SD card,  plugged in an old IBM USB keyboard/hub, ran a short CAT5 cable to the nearest Ethernet switch, and connected a borrowed Nexus charger/power supply.  And . . . nothing.  No boot msgs, no diagnostics.  Bubkes.
  • A little research revealed that the SD card (SanDisk Ultra 8 GB) I used was marginal, at least for the RPi (works great in cameras).  Bought a handful of alternate cards (after consulting  Gotta love post-holiday sales. The next one I tried, a PNY 4 GB Class 6, worked fine – gave the rest of the cards to my kids for use in Xmas presents.
  • The RPi booted right up, albeit slower than I would have liked (700 MHz ARM).  Nice clean Debian distro, familiar in some ways, alien in others.  Awkward config utility – need to go back and reconfigure a few key items.
  • Discarded the IBM keyboard (too much key bounce) in favor of an ancient Compaq I dug out of the garage.  Added an equally antediluvian MS mouse.
  • Having run out of USB slots, I dug out a nice little powered 7 position USB hub.  Moved the KB and mouse over, jettisoned the Nexus charger, and now draw power from the hub (up to 2A).
  • Stuffed a wireless nub in the now-available RPi USB slot.  Rebooted, ran the wireless config util and voila – everything just works.  Only issue – both the wireless and Ethernet interfaces present the same MAC address to my router.  Hmmm.

More later.