Bill Weinberg offers Analysis and Commentary on Mobile and Embedded Linux

Last week the Black Duck team attended Black Hat 2015.  This multi-day conference and tradeshow is where security researchers, hackers, vendors, and other showmen meet to review thelast year in breaches and exploits, share security insights, and preview tools and services for keeping companies and networks safe across today’s hostile cyber threat landscape.

The exhibit hall boasted over 160 vendors with wares ranging from application firewalls to intrusion detection to anti-malware solutions.  Especially interesting was Innovation City, a special area for startups to showcase cutting-edge products and solutions and engage with the security/vendor community.  We greatly enjoyed engaging with new companies there with unique approaches to monitoring, testing, and securely deploying enterprise apps. I expect to see several promising startups we met there headlining over the next 1-2 years.

We encountered open source security among a range of product features and requirements, and almost everyone we spoke to was excited by recent Black Duck announcements featuringnew capabilities in the Black Duck Hub, Binary Analysis capabilities in Protex, and the Black Duck vulnerability plug-in for Jenkins.

The conference briefings proved to be a mixed bag of hardcore technical presentations and security-focused flying circuses.  Personally, I benefited greatly from talks about open source mobile platform, Android, including Google’s Android Security State of the Union and another on new ways to root and exploit Android-based smartphones.  Also informative were IoT-centric talks like Tobias Zillner and Sebastian Strobl’s session focusing on Zigbee securitymodels and vulnerabilities.

Read More (originally posted on Open Source Delivers on 08/12/15)

Yesterday, stage fright became more than just a common phobia. It is now a very real security threat to most Android-based devices.

Discovered by Joshua Drake at Zimperium zLabs, vulnerabilities uncovered in the Stagefright Android-native media player allow attackers with access to an exposed Android phone’s number to gain control of the device using methods that do not require any user action. Attackers can trigger the playback of audio-visual content by sending vulnerable devices MMS messages or can simply kick off a Google Hangout to gain access to an Android device.  Once they have launched an exploit taking advantage of the Stagefright vulnerabilities, malefactors can initiate remote code execution (RCE) to run malware, extract data, and take over the device for a range of purposes, all without detection by users, operators, and by most Mobile Device Management (MDM) software used by companies to govern employee access to corporate networks.

The Zimperium team elaborated on the covert nature of this threat, stating,

Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Read More (originally published in Open Source Delivers on 07/28/2015)

Just a day after the disclosure of the Logjam SSL exploit, yet another serious open source vulnerability has surfaced. Dubbed “NetUSB” for the driver in which it resides, this vulnerability affects Linux-based networking equipment, home routers in particular, that support “USB over IP” – remote mounting USB flash drives and support for other USB peripherals, such as printers and keyboards, over a local network.

Given the ubiquitousness of SOHO routers, this vulnerability most likely impacts tens of millions of devices in homes, small offices, and other locales. It is doubly concerning because these settings (as opposed to enterprise IT) typically lack security oversight, with many device owners lacking sufficient expertise to remedy NetUSB and other similar vulnerabilities, even through vendor-supplied updates.

The vulnerability arises from that most familiar of sources – a potential buffer overflow in the 64-byte string that conveys the name of the client computer (running Windows and/or MacOS) to the driver. By cramming more than 64 bytes of data into that buffer, black hats can crash the router (for denial of service) and in some cases, cause malicious code to run on the router itself (remote code execution).

The most distressing attribute of NetUSB is that the vulnerability resides in a Linux kernel driver, which, in theory, is among some of the most visible and best-curated code in all of open source. The code originates with Taiwanese vendor KCodes and has found its way into hardware from D-Link, Netgear, TP-Link, Trendnet ZyXE and likely dozens of others, affecting over 90 router products. (See the full list in advisory here.)

Read More (originally published on Open Source Delivers on 05/26/2015)

As 2014 came to a close, I sat and pondered what will come to pass in 2015. Although last year brought numerous debates, collaborations, and advancements in the Internet of Things(IoT) and the role open source will play in its expansion, I believe the New Year will incite incremental shifts in IoT’s demographics and uptake.

Key IoT frameworks (AllJoyn, OpenIoT, etc.) will stretch their wings in increasing numbers of proof-of-concept rollouts.

Today, the IoT is a vibrant but fragmented place.  As companies, communities, and governments begin proof-of-concept launches, we’ll see increasing trials of emerging IoT frameworks and protocols in a global “bake-off,” as well as a strong uptick in IoT protocol adoption by existing device manufacturers.

Read More (originally published on Open Source Delivers on 01/01/2015)

Late Night Hacking

Since my wife decided to spend the evening cleaning out the bedroom closet, using the bed as buffer space for old clothes and other detritus, I HAD TO stay up and play with my RPi some more.   Since I have guests sleeping in my office, I set about doing some remote hacking from upstairs.

I moved a few steps closer to making the PI more useful:

• Without any additional configuration, I used SSH to login to the Pi from my upstairs desk.  Most excellent that no additional messing about was necessary
• Used apt-get to update the distro and installed PHP5, Apache, vsftpd and a few other tidbits.  Started playing with building content – totally standard Apache configuration.  Again, the CL tools are easier to use than the utilities included in Raspian.
• Discovered that I can’t address the RPi using local DNS (.local addresses), but both the Ethernet and WiFi interfaces (10.0.0.x) serve just fine.   Tried pinging a variety of clients using the .local syntax.  Some resolve, some don’t.  Need to grok this issue in fullness.

 What to do Next?

So, I have a very cute and reasonably powerful ARM-based system to play with.  I don’t want it to just sit on the shelf next to my MIPS-based ShivaPlug, so I am mulling over some real-world applications for it:

• Use it as a caching/loop storage server for IP cameras I originally installed to watch our puppies from Hawaii
• Build a home-brewed smart thermostat – think Nest with wires hanging out
• Experiment with Lua (very doable, even if the RPi community is focused on Python), among other things to diddle the bits on the GPIO port
• Use it to learn Python 😉
• Employ the RPi to teach my younger daughter about embedded systems, web programming, etc.

Other suggestions welcome!

Incidentally, I backed Karl Lattimer’s HotPi project on Kickstarter.  I plan to have fun with the HotPi daughterboard once it arrives – it’ll help with the Nest clone project.

RaspberryPi.local – Avahi Daemon!

Without even meaning to, I tripped over a useful blog post by Matt Richardson – 10 Tips for New Raspberry Pi Owners.  To enable local DNS-style naming of my RPi (raspberrypi.local), I needed to install the Avahi Daemon.   Impressive dependency set – bless apt-get.  Worked immediately.