Archive for August, 2015

Las Vegas – Where Black Hats and Black Ducks Meet

Black-Hat-2015-660x228Last week the Black Duck team attended Black Hat 2015.  This multi-day conference and tradeshow is where security researchers, hackers, vendors, and other showmen meet to review thelast year in breaches and exploits, share security insights, and preview tools and services for keeping companies and networks safe across today’s hostile cyber threat landscape.

The exhibit hall boasted over 160 vendors with wares ranging from application firewalls to intrusion detection to anti-malware solutions.  Especially interesting was Innovation City, a special area for startups to showcase cutting-edge products and solutions and engage with the security/vendor community.  We greatly enjoyed engaging with new companies there with unique approaches to monitoring, testing, and securely deploying enterprise apps. I expect to see several promising startups we met there headlining over the next 1-2 years.

We encountered open source security among a range of product features and requirements, and almost everyone we spoke to was excited by recent Black Duck announcements featuringnew capabilities in the Black Duck Hub, Binary Analysis capabilities in Protex, and the Black Duck vulnerability plug-in for Jenkins.

The conference briefings proved to be a mixed bag of hardcore technical presentations and security-focused flying circuses.  Personally, I benefited greatly from talks about open source mobile platform, Android, including Google’s Android Security State of the Union and another on new ways to root and exploit Android-based smartphones.  Also informative were IoT-centric talks like Tobias Zillner and Sebastian Strobl’s session focusing on Zigbee securitymodels and vulnerabilities.

Read More (originally posted on Open Source Delivers on 08/12/15)


Open Source and the Internet of Things – A Reality Check

Every time I turn around, a company or consortium announces another Internet of Things (IoT) platform. And, while only some of the touted IoT underpinnings are open source, there is a popular consensus that the Internet of Things will only rise if built upon pillars of open source software (OSS).

The Gartner 2014 Hype Cycle places the Internet of Things at the very Peak of Inflated Expectations:

Gartner 2014 Hype Cycle

While open source is instrumental for building out the IoT, its role is also overhyped.  The presence and utility of open source is not universal, nor uniform, across all elements and layers of the emerging IoT.

The purpose of this blog is not to dampen the enthusiasm for open source in IoT, but rather to de-hype the discussion with a reality check.

Read More (originally published on Open Source Delivers on 08/10/2015)

Is Your Android Device At Risk Of ‘Stagefright?’ 950 Million Devices Exposed By New Security Vulnerability

StageFright-v2Yesterday, stage fright became more than just a common phobia. It is now a very real security threat to most Android-based devices.

Discovered by Joshua Drake at Zimperium zLabs, vulnerabilities uncovered in the Stagefright Android-native media player allow attackers with access to an exposed Android phone’s number to gain control of the device using methods that do not require any user action. Attackers can trigger the playback of audio-visual content by sending vulnerable devices MMS messages or can simply kick off a Google Hangout to gain access to an Android device.  Once they have launched an exploit taking advantage of the Stagefright vulnerabilities, malefactors can initiate remote code execution (RCE) to run malware, extract data, and take over the device for a range of purposes, all without detection by users, operators, and by most Mobile Device Management (MDM) software used by companies to govern employee access to corporate networks.

The Zimperium team elaborated on the covert nature of this threat, stating,

Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Read More (originally published in Open Source Delivers on 07/28/2015)

Securing Open Source – Many Eyes, the Triple Fence and the Community Development Model

The open source development model is based on interactions across communities and among community members – project developers, platform creators, and end users. These interdependent communities constitute a ‘triple fence’ that keeps projects free of malicious and exploitable code in different yet complementary ways. Ideally, the various Eye-digital-660x228communities of developers, integrators, and end users work together to monitor, curate, and improve code quality over time – catching security flaws in the process.

The triple fence is an intriguing concept. Unfortunately, it’s not clear whether it’s enough to secure many significant open source projects – Bash, SSL/SSH and glibc, to name a few. In theory, many eyes look at open source code as it’s developed, integrated, and deployed; however, in practice, too many of these eyes are busy elsewhere and too few are security savvy. What’s missing is ongoing curation. Developers and end users take for granted the security of many projects, but the reality is that too few people maintain piles of code that may be months or even years overdue for security review.

The open source software development process, while outwardly straightforward, can be fraught with complexity. Code might be presumed mature, but could rely on technology developed a decade or more ago and might still contain significant vulnerabilities. Open source security vulnerabilities can arise from many causes, including misconfiguration by end users, programming errors, and short-sighted protocol design. Given this reality, a holistic view of security is critical for organizations that rely on open source software.

Read More (originally published on Open Source Delivers on 06/04/2015)

NetUSB Vulnerability Means Trouble For Linux-Based Home Routers: What To Do Now?

router-Sean-MacEntee-CC-BY-2.0-660x228Just a day after the disclosure of the Logjam SSL exploit, yet another serious open source vulnerability has surfaced. Dubbed “NetUSB” for the driver in which it resides, this vulnerability affects Linux-based networking equipment, home routers in particular, that support “USB over IP” – remote mounting USB flash drives and support for other USB peripherals, such as printers and keyboards, over a local network.

Given the ubiquitousness of SOHO routers, this vulnerability most likely impacts tens of millions of devices in homes, small offices, and other locales. It is doubly concerning because these settings (as opposed to enterprise IT) typically lack security oversight, with many device owners lacking sufficient expertise to remedy NetUSB and other similar vulnerabilities, even through vendor-supplied updates.

The vulnerability arises from that most familiar of sources – a potential buffer overflow in the 64-byte string that conveys the name of the client computer (running Windows and/or MacOS) to the driver. By cramming more than 64 bytes of data into that buffer, black hats can crash the router (for denial of service) and in some cases, cause malicious code to run on the router itself (remote code execution).

The most distressing attribute of NetUSB is that the vulnerability resides in a Linux kernel driver, which, in theory, is among some of the most visible and best-curated code in all of open source. The code originates with Taiwanese vendor KCodes and has found its way into hardware from D-Link, Netgear, TP-Link, Trendnet ZyXE and likely dozens of others, affecting over 90 router products. (See the full list in advisory here.)

Read More (originally published on Open Source Delivers on 05/26/2015)

AFNetworking Vulnerability Exposts Thousands of iOS Apps to Attack

Alerts have emerged regarding a flaw in the open source AFNetworking library that enables Apple iOS and OS X developers to implement various networking functions in desktop and network applications. By failing to validate security certificates correctly, the bug lets black hats spoof security measures present in the device and masquerade as otherwise trusted web sites. Essentially, cyber thieves need only present any VALID certificate, not the certificate associated with the site in question. This flaw can be exploited to enable man-in-the-middle attacks and by-passing of SSL security – meaning presumed secure data streams from financial services, e-commerce, e-health, and other valuable personal information can be potentially exposed.

What’s interesting about the AFNetworking vulnerability is that it goes beyond the “usual” enterprise concerns to encompass the universe of Apple desktop and mobile appliciphone-hacked_bwana-CC-BY-NC-SA-2.0ations developers and end-users. This vulnerability affects at least 25,000 iOS applications on the iTunes App Store and comes on the heels of another HTTPS bug in iOS libraries that affect an estimated additional 1500 apps, in total exposing data streams from devices of tens of millions of users

Read More (originally published on Open Source Delivers on 04/30/2015)

Predictions for the Internet of Things in 2015

As 2014 came to a close, I sat and pondered what will come to pass in 2015. Although last year brought numerous debates, collaborations, and advancements in the Internet of Things(IoT) and the role open source will play in its expansion, I believe the New Year will incite incremental shifts in IoT’s demographics and uptake.

Key IoT frameworks (AllJoyn, OpenIoT, etc.) will stretch their wings in increasing numbers of proof-of-concept rollouts.

Today, the IoT is a vibrant but fragmented place.  As companies, communities, and governments begin proof-of-concept launches, we’ll see increasing trials of emerging IoT frameworks and protocols in a global “bake-off,” as well as a strong uptick in IoT protocol adoption by existing device manufacturers.

Read More (originally published on Open Source Delivers on 01/01/2015)