Lawrence’s List 062416

This week is going to be sort of short. I get to go on vacation! I’ll still be trying to do some minimal posts during the next two weeks, but I’m mostly going to be concentrating on a book and a hammock, so forgive me if they’re short. All in all, this week was pretty quiet for infosec related things. I’ve add a few blurbs about projects I like that I felt like many people may not know about, as well as some things that are maybe tangentially related to security, but more about programming.

“Sophisticated” password attack. Citrix reset all of its passwords for gotomypc after claiming that there were password reuse attacks happening against client accounts. While this doesn’t really qualify as sophisticated in my book I thought it interesting that a company that makes its money on providing remote access to computers isn’t requiring two factor authentication. For those of you who do use gotomypc here’s how to set up 2fa: http://support.citrixonline.com/en_US/gotomypc/all_files/gtc070021

And here’s the announcement as to why you should.

http://status.gotomypc.com/incidents/s2k8h1xhzn4k

PyCon 2016 had a talk that caught my attention. Every once in awhile I come accross the problem of wanting to transfer one simple file from one of my machines to another (usually a vps system in Digital Ocean) and don’t want to mess with scp for one reason or another (to lazy to upload the key while also being too paranoid to turn on password auth) and for those moments I came up with this: https://github.com/lawrencehoffman/spit which is a simple python script to encrypt data across sprunge (a pastebin like service.) It’s secure enough for most of my personal projects in that it uses AES. Then I saw this project called magic-wormhole. It’s great! I haven’t finished my personal security review yet, so I won’t be using it for any official business until I have looked over the code and feel like I can be confident that correct measures are being taken with the crypto, but for personal stuff it seems good enough to me.

https://github.com/warner/magic-wormhole

Long story short, the dev preview came out for iOS 10 with an unencrypted kernel. Some people thought this was a mistake, to put it simply, there was no way this was a mistake. Now Apple has confirmed as much. After having removed vulnerable user data out of the kernel Apple has left the kernel unencrypted for a performance gain.

https://techcrunch.com/2016/06/22/apple-unencrypted-kernel/

Some work has been being done by Tom Herbert over at Facebook get Transports over UDP added to the Linux kernel. What is it? Transport over UDP (outlined here https://tools.ietf.org/html/draft-herbert-transports-over-udp-00) would allow developers to create network protocols encapsulated in UDP where the stack exists in user space. This is interesting because this very activity is historically frowned upon by the Linux kernel team. It is reasoned that rather than implementing new protocols over UDP one should prefer to improve the Linux kernel’s current systems. Facebook’s motivation here is that it takes too long to get a new protocol into the hands of many users, once in the kernel mainstream distributions of the kernel (like those included in Android) must enable the module, which often doesn’t happen for years. Herbert claims that with TOU developers will be able to roll out a new feature which relies on a custom protocol stack in months rather than years.

https://lwn.net/Articles/688529/