Category Archives: Security

Ssshhhh. Security by obscurity is not practiced here. So don't disturb us, we're being vigilant.

Barcodes And Security – Notice

Krebs on Security has all the info. What’s in a Boarding Pass Barcode? A Lot.

It isn’t just that the barcode told of the person’s future flight; the information granted an unauthorized person enough info to get online and change that data. Think of the repercussions for any barcodes used in your facility, and how it is outside sources like this that allowed sensational breaches such as Target and Home Depot customer data being exposed.

Update: Apple Fixes: Bash is vulnerable!

Urgent Urgent~! Don’t look the other way from this one.

What is BASH? That’s an easy one: Bourne-Again SHell. A pun in that Bourne was the name of an originator of the predecessor Shell.

What is a Shell? Easy as well. An interface, basically, that allows one to directly speak to an operating system and give it instructions that it will follow. If you have done a ping or ipconfig, you have probably done it through a shell. Almost every computer running a variant of Unix will likely have Bash since it is the open source version that nearly everyone picks.

But, let’s be clear here…if you did an ipconfig it was likely on a Windows computer and it isn’t running Bash.

But at this time your Mac is running Bash, and it is vulnerable. Are you connected on a network? Are you certain that your sharing isn’t set up incorrectly?

Do you have a website running on a Linux server?

Either way, run this command in your terminal program:

env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

If the output includes “Bash is vulnerable!”, then you’ll be wanting to fix that. There are already bots running around exploiting this flaw.

Here is the link that Digital Ocean sent to their clients:

How to Protect your Server Against the Shellshock Bash Vulnerability | DigitalOcean

Drop everything. At least make your servers safe, because there are already botnets running around with exploits.

For the truly bold – your author just did this successfully with his OSX 10.9.5 MacBook Pro – there is a solution to rebuild bash at:

Every Mac Is Vulnerable to the Shellshock Bash Exploit: Here’s How to Patch OS X « Mac Tips

Another:

security – How do I recompile Bash to avoid Shellshock (the remote exploit CVE-2014-6271 and CVE-2014-7169)? – Ask Different

The other side of the panic for those with personal computers is that you have to be logged in, and that is with a password, right?
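The one-liner above is the standard probe for CVE-2014-6271. As an added example (not part of the original post, and not from DigitalOcean or Apple), here is the same probe wrapped in a small POSIX shell function so it can be run against a specific bash binary, classified by exit code, and scripted across a fleet of servers. The function name shellshock_status, the PROBE variable name and the marker string are assumptions chosen for this example; the check itself is the one the post shows.

```shell
#!/bin/sh
# Added example: classify the bash under test as patched or vulnerable to
# CVE-2014-6271 (the original Shellshock bug). Exit codes:
#   0 patched, 1 vulnerable, 2 no bash binary found, 3 unexpected output.

shellshock_status() {
    target="${1:-bash}"            # path to the bash binary under test (default: first on PATH)
    marker="SHELLSHOCK_PROBE_$$"   # unique string so we only match the injected command's output

    if ! command -v "$target" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi

    # Unpatched bash imports any env var whose value starts with "() {" as a
    # function definition and keeps parsing past the closing brace, so the
    # trailing "echo $marker" runs when the child shell starts up. Patched bash
    # treats PROBE as an ordinary variable and only "probe-ran" is printed.
    out=$(env PROBE="() { :;}; echo $marker" "$target" -c "echo probe-ran" 2>/dev/null || true)

    case "$out" in
        *"$marker"*) echo "vulnerable"; return 1 ;;
        *probe-ran*) echo "patched";    return 0 ;;
        *)           echo "unknown";    return 3 ;;
    esac
}

# Stand-alone usage: report the status of the bash on PATH and its exit code.
status=$(shellshock_status) || true
echo "bash on PATH: $status"
```

Run it as-is to check the local machine, or pass a path (for example a freshly rebuilt /usr/local/bin/bash) as the first argument to confirm the rebuild actually fixed the binary the system will use. A result of "patched" for CVE-2014-6271 does not by itself cover the follow-up CVE-2014-7169; apply the vendor's full set of patches rather than stopping at the first probe.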

To USB, or Not To USB…

What would it mean in the projection booth? DCI hardware, software and firmware requirements are pretty redundant and keep many secrets deep in their mechanisms. The biggest trick would be to get enough data from one trusted device and be able to carry it to a different machine in such a way that it becomes a trusted device.

The way they talk about this USB incursion doesn’t seem to lend that capability any more than if a knowledgeable manufacturer tried to do that in their own offices. That route hasn’t been done or, if done, exploited. The proof would be duplicated uncompressed movies with no forensic marking – which hasn’t happened.

But giving away copyrighted materials isn’t the only bad thing that could happen to a network with a projector on it. As the US Defense Department learned, an entire network can be infiltrated from one USB incursion.

All the more reason for firm policies, inspections and reports of locked doors, and not even authorized persons allowed to roam around the facility.

TrueCrypt and NSA Lessons on Updating Projector Software

Science and R&D say they will keep moving data from the mystery to the usable.

Security expertise tries to promise the same, with the same infinite number of possible failures. Fortunately there are life lessons that we can apply to our projection room and attached networked devices from the latest exposition of these failures.

From the NAB videos of John Hurst’s logical pleas (posted at CineTechGeek) to Bruce Schneier’s Disclosing vs. Hoarding Vulnerabilities article to the flurry of Heartbleed to the news of the well-used TrueCrypt’s announcement…we should get the message: No matter the trauma, or threat of trauma, Upgrade Your Software and Firmware.
