The Weekly Ink #26
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.
If you have links that you think would be interesting for inclusion and commentary, send them our way at firstname.lastname@example.org.
GHOST in the glibc
Tuesday wasn't a fun day for the sysadmins (and DevOps engineers) of the world, as word filtered out of a new internet-breaking vulnerability, discovered by Qualys, in glibc's hostname-resolution functions. Well, I guess rather than "new", I ought to say "newly-discovered"; like some other recent discoveries, the vulnerability is well over a decade old. This one was especially painful to patch: because almost every bit of software on a Linux system uses glibc in some way, most systems needed a full reboot. But hey, at least this time it didn't have anything to do with SSL, right?!
Painful as it may be, bugs - even the internet-breaking-vulnerability sort - happen. As security researchers and practitioners, we can't stop this, but we do often have the opportunity to make sure that vulnerabilities get patched and disclosed in a responsible manner. So, how did Qualys do? Well...
That's right, according to RedHat's bug tracker, the details of CVE-2015-0235 were made public by a (French-language) mailing-list post from Qualys' PR team. Worse, this post leaked many hours before several major distributions (including RedHat Enterprise Linux) had published updated glibc packages! Okay, as we've seen before, it's really difficult to coordinate public disclosure of a vulnerability that affects basically every Linux system on the planet. Still... we can do better.
Finally, do check out Rob Graham's talking points. Also, is it just me, or is it actually weird that inet_aton() will accept things like 00000000.00000000.00000000.000000000 as valid IPv4 addresses?
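Since the oddity above is easy to see for yourself, here is a small added example (written for this page, not code from the newsletter or from Qualys) that feeds a few constructed strings through the C library's inet_aton() and prints what each one was taken to mean, next to a strict dotted-quad check that accepts only the plain "a.b.c.d" form. It assumes a BSD-style inet_aton() as shipped by glibc or musl, which is where the octal, hex, and fewer-than-four-part shorthands come from; the helper names (lenient_parse, is_strict_dotted_quad) are ours.

```c
/* Added example: how lenient inet_aton() is, versus a strict dotted-quad check.
 * Assumes a BSD-style inet_aton() (glibc, musl, *BSD). Build with:
 *   cc -Wall ipv4_lenient.c -o ipv4_lenient && ./ipv4_lenient */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Run inet_aton() on s. Returns 1 and writes the canonical dotted-quad form
 * into out (at least INET_ADDRSTRLEN bytes) if the C library accepted it. */
int lenient_parse(const char *s, char *out, size_t outlen)
{
    struct in_addr addr;
    if (!inet_aton(s, &addr))
        return 0;
    /* inet_ntop prints the address exactly as inet_aton understood it */
    if (!inet_ntop(AF_INET, &addr, out, (socklen_t)outlen))
        return 0;
    return 1;
}

/* Strict check: exactly four decimal groups of 1-3 digits, no leading zeros
 * (so no octal ambiguity), each in 0..255, and nothing else in the string. */
int is_strict_dotted_quad(const char *s)
{
    int groups = 0;
    while (*s) {
        int digits = 0, value = 0;
        if (*s == '0' && s[1] >= '0' && s[1] <= '9')
            return 0;                   /* leading zero: reject */
        while (*s >= '0' && *s <= '9') {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255)
                return 0;               /* too long or out of range */
            s++;
        }
        if (digits == 0)
            return 0;                   /* empty group ("1..2") */
        groups++;
        if (*s == '.') {
            s++;
            if (!*s)
                return 0;               /* trailing dot */
        } else if (*s) {
            return 0;                   /* non-digit junk */
        }
    }
    return groups == 4;
}

int main(void)
{
    /* Constructed inputs: the one from the newsletter plus a few shorthands */
    const char *samples[] = {
        "00000000.00000000.00000000.000000000",
        "127.0.0.1", "127.1", "0x7f000001", "0177.0.0.1", "256",
        "1.2.3.256", "01.2.3.4", "999.1.1.1",
    };
    char buf[INET_ADDRSTRLEN];
    printf("%-40s %-12s %s\n", "input", "inet_aton", "strict");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = lenient_parse(samples[i], buf, sizeof buf);
        printf("%-40s %-12s %s\n", samples[i], ok ? buf : "(rejected)",
               is_strict_dotted_quad(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

Running it shows that inet_aton() maps the all-zeros string to 0.0.0.0, "127.1" and "0x7f000001" and "0177.0.0.1" all to 127.0.0.1, and a bare "256" to 0.0.1.0, while only "127.0.0.1" passes the strict check. The practical takeaway for a defender is that an address string should be validated in its canonical form before it is compared against an allowlist or written to a log, rather than relying on whatever the resolver happens to accept.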
You're gonna need an IDS for your IDS...
Sometimes, the security products that claim to keep us safe can introduce vulnerabilities of their own. This week, Yahoo's Pentest team disclosed multiple vulnerabilities in the Bro Intrusion Detection System. If you're using this product, we'd definitely recommend patching as soon as possible!
Incidentally, this is the first public outing from Yahoo's Pentest team since they announced their disclosure policy back in December. You might notice that it sounds a lot like Google's Project Zero - especially the 90-day disclosure window. Project Zero, meanwhile, has been taking some heat for publishing 0-day vulnerabilities in Windows without heeding Microsoft's protests (although they're not playing operating-system favorites; last week saw them release 3 active vulnerabilities for Mac OS X as well). Many are now questioning whether Project Zero's rigid 90-day policy is really for the best, but I don't doubt it will ultimately drive the industry toward better security - even if it's painful in the short term.
No, it's not a Flash-back...
So, shake off that feeling of déjà vu and update all your Flash installations, yesterday! But beyond that, don't worry: it's not the same cat[astrophic vulnerability].
The Trial of the Dread Pirate Roberts
It's actually been pretty hard to miss this one, if you're paying any attention to the media. For example, Ars Technica alone has authored nearly 20 articles on the subject in the last few weeks! As a security geek, perhaps the most interesting part of the story (so far) is the way it illustrates the limitations of privacy tools like Tor: while they may successfully anonymize certain aspects of your internet traffic, it's still really easy to screw up and give away your identity. If we are to believe the prosecution, then Ross Ulbricht practiced some pretty damn poor opsec.