Sunday, October 26, 2014

Massive Critical Security Patch Released by Oracle Impacting Most Versions of MySQL

Oracle has released a Critical Security Patch for a long list of Oracle products. For MySQL specifically, the patch purports to resolve a multitude of vulnerabilities that allow remote execution without authentication, and impact nearly all versions of the database software.

Oracle provided the following Risk Matrix to their MySQL customers, which outlines the CVE numbers of stated vulnerabilities, the component used by the vulnerability and a number of other details.

I've included a copy of that Matrix for readers to review below.

As the reader can clearly see, the risk for unpatched MySQL users is huge. A total of 154 vulnerabilities are addressed with this update. Some of these vulnerabilities reach a forehead-slapping CVSS score of 9.0 (just one point beneath the score for the recent Shellshock bash vulnerability). 24 of the patches are for MySQL.

I highly advise anyone using MySQL or any Oracle product, including Java, to update their software immediately.



Oracle MySQL Risk Matrix

Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability are the CVSS version 2.0 risk columns (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-6507 | MySQL Server | MySQL Protocol | SERVER:DML | No | 8.0 | Network | Low | Single | Partial+ | Partial+ | Complete | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6491 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6500 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6469 | MySQL Server | MySQL Protocol | SERVER:OPTIMIZER | No | 6.8 | Network | Low | Single | None | None | Complete | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-0224 | MySQL Server | MySQL Protocol | SERVER:SSL:OpenSSL | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 5.6.19 and earlier | See Note 1 |
| CVE-2014-6530 | MySQL Server | MySQL Protocol | CLIENT:MYSQLDUMP | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6555 | MySQL Server | MySQL Protocol | SERVER:DML | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6489 | MySQL Server | MySQL Protocol | SERVER:SP | No | 5.5 | Network | Low | Single | None | Partial | Partial+ | 5.6.19 and earlier | |
| CVE-2012-5615 | MySQL Server | MySQL Protocol | SERVER:PRIVILEGES AUTHENTICATION PLUGIN API | Yes | 5.0 | Network | Low | None | Partial | None | None | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6559 | MySQL Server | MySQL Protocol | C API SSL CERTIFICATE HANDLING | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6494 | MySQL Server | MySQL Protocol | CLIENT:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6496 | MySQL Server | MySQL Protocol | CLIENT:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6495 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6478 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-4274 | MySQL Server | MySQL Protocol | SERVER:MyISAM | No | 4.1 | Local | Medium | Single | Partial+ | Partial+ | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-4287 | MySQL Server | MySQL Protocol | SERVER:CHARACTER SETS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6520 | MySQL Server | MySQL Protocol | SERVER:DDL | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier | |
| CVE-2014-6484 | MySQL Server | MySQL Protocol | SERVER:DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6464 | MySQL Server | MySQL Protocol | SERVER:INNODB DML FOREIGN KEYS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6564 | MySQL Server | MySQL Protocol | SERVER:INNODB FULLTEXT SEARCH DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.19 and earlier | |
| CVE-2014-6505 | MySQL Server | MySQL Protocol | SERVER:MEMORY STORAGE ENGINE | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6474 | MySQL Server | Memcached | SERVER:MEMCACHED | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.19 and earlier | |
| CVE-2014-6463 | MySQL Server | MySQL Protocol | SERVER:REPLICATION ROW FORMAT BINARY LOG DML | No | 3.3 | Network | Low | Multiple | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6551 | MySQL Server | MySQL Protocol | CLIENT:MYSQLADMIN | No | 2.1 | Local | Low | None | Partial | None | None | 5.5.38 and earlier, 5.6.19 and earlier | |
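Reading a matrix this size by eye is how entries get missed. The following is an added Python example (mine, not Oracle's tooling and not code from this blog) that encodes the matrix rows above as data, parses the "X.Y.Z and earlier" wording of the Supported Versions Affected column, and lists which entries still apply to a given installed server version, with remotely exploitable, unauthenticated issues first and then by descending base score. It assumes the version column is read branch by branch: a server on a release branch the matrix does not list (5.1, say) is simply not covered by the matrix, which the code reports as "no applicable rows" rather than as safe.

```python
"""Triage the Oracle MySQL risk matrix against an installed server version.

Added example: the rows below are transcribed from the risk matrix on this
page (CVE, sub-component, remote exploit without auth, CVSS v2 base score,
supported versions affected); the parsing and ranking logic is my own.
"""
import re
from typing import Dict, List, Tuple, Union

Version = Tuple[int, int, int]
Row = Tuple[str, str, bool, float, str]

MATRIX: List[Row] = [
    ("CVE-2014-6507", "SERVER:DML", False, 8.0, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6491", "SERVER:SSL:yaSSL", True, 7.5, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6500", "SERVER:SSL:yaSSL", True, 7.5, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6469", "SERVER:OPTIMIZER", False, 6.8, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-0224", "SERVER:SSL:OpenSSL", True, 6.8, "5.6.19 and earlier"),
    ("CVE-2014-6530", "CLIENT:MYSQLDUMP", False, 6.5, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-6555", "SERVER:DML", False, 6.5, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6489", "SERVER:SP", False, 5.5, "5.6.19 and earlier"),
    ("CVE-2012-5615", "SERVER:PRIVILEGES AUTHENTICATION PLUGIN API", True, 5.0, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-6559", "C API SSL CERTIFICATE HANDLING", True, 4.3, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6494", "CLIENT:SSL:yaSSL", True, 4.3, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6496", "CLIENT:SSL:yaSSL", True, 4.3, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6495", "SERVER:SSL:yaSSL", True, 4.3, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-6478", "SERVER:SSL:yaSSL", True, 4.3, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-4274", "SERVER:MyISAM", False, 4.1, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-4287", "SERVER:CHARACTER SETS", False, 4.0, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-6520", "SERVER:DDL", False, 4.0, "5.5.38 and earlier"),
    ("CVE-2014-6484", "SERVER:DML", False, 4.0, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-6464", "SERVER:INNODB DML FOREIGN KEYS", False, 4.0, "5.5.39 and earlier, 5.6.20 and earlier"),
    ("CVE-2014-6564", "SERVER:INNODB FULLTEXT SEARCH DML", False, 4.0, "5.6.19 and earlier"),
    ("CVE-2014-6505", "SERVER:MEMORY STORAGE ENGINE", False, 4.0, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-6474", "SERVER:MEMCACHED", False, 3.5, "5.6.19 and earlier"),
    ("CVE-2014-6463", "SERVER:REPLICATION ROW FORMAT BINARY LOG DML", False, 3.3, "5.5.38 and earlier, 5.6.19 and earlier"),
    ("CVE-2014-6551", "CLIENT:MYSQLADMIN", False, 2.1, "5.5.38 and earlier, 5.6.19 and earlier"),
]

_CEILING = re.compile(r"(\d+)\.(\d+)\.(\d+) and earlier")


def parse_version(text: str) -> Version:
    """Turn '5.6.20' into (5, 6, 20); anything that is not three numbers is rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def ceilings(affected_text: str) -> List[Version]:
    """Extract every 'X.Y.Z and earlier' ceiling from the versions column."""
    return [(int(a), int(b), int(c)) for a, b, c in _CEILING.findall(affected_text)]


def is_affected(version: Union[str, Version], affected_text: str) -> bool:
    """Affected if the version sits on the same release branch (major.minor) as a
    listed ceiling and is not newer than it. Branches the matrix is silent on
    (e.g. 5.1) yield False only because the matrix says nothing about them."""
    v = parse_version(version) if isinstance(version, str) else version
    return any(v[:2] == c[:2] and v <= c for c in ceilings(affected_text))


def applicable(version: str) -> List[Row]:
    """Matrix rows that apply to `version`, most urgent first."""
    rows = [r for r in MATRIX if is_affected(version, r[4])]
    # Remote, unauthenticated issues first, then descending base score, then CVE id.
    rows.sort(key=lambda r: (not r[2], -r[3], r[0]))
    return rows


def summary(version: str) -> Dict[str, object]:
    """Headline numbers for a patch ticket: how many rows apply, how many need no auth."""
    rows = applicable(version)
    return {
        "version": version,
        "total": len(rows),
        "remote_no_auth": sum(1 for r in rows if r[2]),
        "max_score": max((r[3] for r in rows), default=0.0),
    }


if __name__ == "__main__":
    import sys
    installed = sys.argv[1] if len(sys.argv) > 1 else "5.6.19"
    print(summary(installed))
    for cve, component, remote, score, _ in applicable(installed):
        kind = "remote/no-auth" if remote else "authenticated/local"
        print(f"{cve}  {score:>4}  {kind:<19}  {component}")
```

Run it as `python triage.py 5.6.19` (or whatever `SELECT VERSION();` reports, stripped of any distribution suffix). The sort key puts the yaSSL issues that need no credentials at the top even though the single highest base score belongs to an authenticated DML bug, which is the order a defender exposed to the network actually wants.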


Rep. Joe Garcia (D-FL) Picking His Earwax and Eating It


Words fail me.

Saturday, October 25, 2014

Coincidence? Perhaps Not.

Observe, if you will, the following clear-cut photographic evidence that something is amiss in Washington.



Henry Waxman. Powerful Congressman, member of the House of Representatives. Former Chair of the Energy and Commerce Subcommittee on Health and the Environment. Chairman of the House Energy and Commerce Committee. Rumored to snort cocaine without the aid of a straw or similar apparatus. Claims the ability to "smell fear".







Edward Tattsyrup. Star of BBC television documentary "League of Gentlemen". Owner of Royston Vasey's Local Shop. Brother and husband of Tulip "Tubbs" Tattsyrup. Committed to the interests of both his Local Shop and the Local People of Royston Vasey.



The genetic link between these two individuals is clear. Have Royston Vasey politics leapt across the pond? Royston Vasey is a Local Shop for Local People - there is nothing for Americans there. How have the Tattsyrups' bizarre opinions regarding transportation and fossil fuel issues played a role in the House Energy and Commerce Committee?

Kids These Days

I don't get them.

[Image: Kreayshawn wearing silly cartoon gloves]

Thursday, October 23, 2014

Why is the Washington Post Publishing Pro-Surveillance Propaganda? Can Government Surveillance Revelations Decrease Encryption Adoption?

For the last few days I've had great fun watching James Comey and his pack of Keystone Cyber Cops failing to convince the world that they should be CC'd on everyone's calls, tweets and texts and generally exposing himself as the incompetent, braying ass that he is.

[Image: James Comey]
Keep in mind the camera adds 10 pounds
Dan Froomkin and Natasha Vargas-Cooper over at The Intercept have exposed each of the examples that Comey used to argue the necessity of breaking cell phone encryption as fabricated: the cases were real, but none of them relied on cell phones or computers to obtain a conviction.

In one case of infanticide, the parents who were eventually found guilty had been previously convicted of child cruelty and had the deceased child previously taken from their custody for neglect. Not only did the state not need to read the parents' phones for evidence, if they had read their own files and demonstrated some inter-agency cooperation they could very likely have prevented the killing entirely.

In another case, the defendant confessed to a hit and run when cops pulled him over for a DUI and noticed his car had just been in an accident, almost immediately after the victim was discovered.

Comey has been calling in a few favors for his little power play. Assistant Attorney General Leslie R. Caldwell testified before Congress on July 15th, relying on some rather dramatic and almost Zoroastrian language to convince legislators of the evils of privacy advocacy:

"All the while, technological advances, including advances designed to protect privacy, such as anonymizing software and encryption, are being used to frustrate criminal or civil investigations and, perversely, protect the wrongdoers. Our cyber crimefighters must be equipped with the tools and expertise to compete with and overcome our adversaries."

Perhaps we should forgive Caldwell as a clearly incompetent simpleton. It's more difficult to understand what was going on over at the Washington Post when they published a now completely discredited op-ed in support of the Comey Conspiracy.

Last month the Post printed a piece penned by Ronald T. Hosko. Ronald is currently the President of the Law Enforcement Legal Defense Fund (LELDF), whose primary mission is to pay for expensive lawyers for police who kill innocent and/or unarmed people. Without groups like LELDF, police officers might one day be held accountable for their crimes - but not while Ronald's on the case! In addition to his current hobby, Ronald is the former Assistant Director of the FBI Criminal Investigative Division. He was named Assistant Director in July of 2012. Before that, he was special agent in charge of the Washington Field Office (WFO) Criminal Division. Ronald has been a life-long cop, joining the FBI 30 years ago in 1984, with his first big assignment coming with his transfer to the FBI's Chicago Division, where he investigated white-collar and financial crimes in addition to serving on the SWAT team. One paragraph of his CV sticks out:

In 2003, Mr. Hosko was promoted to assistant special agent in charge of the Philadelphia Division, where he was responsible for investigations into criminal matters. While in this role, he led the division’s surveillance and technical operations, and he served as the program supervisor for crisis management. In 2005, Mr. Hosko served as the on-scene commander of FBI personnel deployed to Afghanistan in support of Operation Enduring Freedom. Later that year, he served as deputy to the senior fellow law enforcement official following Hurricane Katrina.

In other words, Ronald developed his surveillance bona fides during the early years of the Bush Jr. administration, an administration that is responsible for sparking the current FBI trend of creating fake terrorist plots to entrap young Muslim men whom they cajole and bribe into cooperation. Ronald was one of the "on-scene" FBI commanders in Afghanistan who failed to locate Osama Bin Laden or his top lieutenants before being shipped back to the States in time to play a law-enforcement role in the Hurricane Katrina disaster, the only hurricane in the United States in recent memory that is well known for police murdering residents trying to escape the flood zone and escaping any legal consequences for the killings.

Ronald Hosko is no stranger to controversy. Rumors of Ronald Hosko's ever-present appearances at Furry conventions are all over the Internet. Of course the rumors of Hosko's Furry compulsions play no part in this debate. The Washington Post, if for no other reason, should be applauded for disregarding rumors of Ronald T. Hosko being an incorrigible fan of Furry Love. People who can only achieve arousal by dressing up as cartoon animals, as Ronald T. Hosko is frequently alleged to, have political opinions just as valid as the rest of us. I, for one, think these rumors are completely without merit. Even if I am wrong and Ronald T. Hosko is, in fact, a Furry, any rumors about his personal life are completely inappropriate and shouldn't play a role in this or any other debate. 

In his op-ed, Ronald ran through Comey's party line: the introduction of encryption in consumer devices is allowing violent criminals to walk free. Not all of the piece is bogus. Comey admits, for example, that:

"Encrypting a phone doesn’t make it any harder to tap, or 'lawfully intercept' calls. But it does limit law enforcement’s access to a data, contacts, photos and email stored on the phone itself."

In spite of this admission, Ronald still makes it clear that tapping the phone isn't enough. The data, contacts, photos and email are pivotal for convictions. To illustrate his point, Ronald relies on an example: the case of a kidnap victim in Wake Forest, North Carolina. The kidnappers were tracked down through a lawful intercept of their cell phones' SMS. In the original version of his op-ed, Ronald argues that without the ability to intercept SMS messages, police may never have been able to identify and arrest the kidnappers. This is another point that is only fair to concede to Ronald. It is quite clear that without the texts the kidnappers could very well have escaped.

That said, Ronald's conclusion, that encryption would have prevented the police from tracking the text messages, is pure fantasy. Even a basic understanding of mobile networks and SMS connections forces us to realize that encryption would play no role in the Wake Forest investigation.

Let's consider how the police got the text messages and what they did with them. First and foremost, we must note that police sought and obtained a search warrant for the text messages. The search warrant enabled the police to go to the cell phone companies and request the SMS messages and the location of the handset when they were sent. SMS connection data is transmitted to the cell phone company, where it is stored. Police obtained the SMS data from the cell phone company, not from the cell phone handset. Remember: at the time the police requested the warrant, they had no idea where the handset was. The encryption policy that Apple implemented, the target of Comey and his buddies' ire, encrypts information stored on the phone handset, not information transmitted to and from the cell phone company. SMS messages transmitted using a mobile carrier will typically be stored by that carrier for some time. While some GSM carriers encrypt their SMS traffic while it is in transit, they do so using a stream cipher (typically A5/1 or A5/2). The A5 stream ciphers are intrinsically weak; cryptanalytic work describing attacks that need only modest resources is widely circulated and published. Such ciphers have been in use since the adoption of GSM SMS messaging years ago, and have nothing to do with Comey's attacks on encryption standardization. FBI agents who, unlike Ronald T. Hosko, know sh*t about computers would find breaking such ciphers to be a trivial task if asked to do so as part of an ongoing investigation.

But all that is a bit beside the point. The FBI had a warrant for SMS data in the Wake Forest case. All of the data they received was provided to them by the cell phone company, including the geographic location of the handsets, which the cell phone company stores along with unencrypted logs of the SMS messages (because cell phone executives don't care about you or your privacy, and when they do they have a funny way of ending up in prison).

The kidnappers could encrypt their phone all day long, and the FBI could still have gone to the cell phone carrier and gotten the information they needed to find them. At worst, such a claim is a deliberate lie. At best, Ronald T. Hosko, former FBI Philadelphia Division's director of "surveillance and technical operations", lacks a basic understanding of how the FBI uses cell phones to apprehend suspects. 

The Washington Post didn't bother to fact-check Hosko's op-ed. They went ahead and published it, a shocking concession to a government official seeking to greatly expand government surveillance powers and shooting off a bunch of half-truths to justify it. Eventually someone with technical experience read the article and pointed out the piece's complete lack of credibility. As a result, the Post rewrote some of the least credible claims and provided its readers with this non-apology:

* Editor's note: This story incorrectly stated that Apple and Google’s new encryption rules would have hindered law enforcement’s ability to rescue the kidnap victim in Wake Forest, N.C. This is not the case. The piece has been corrected.

The editor's note was placed below the fold, at the very end of the article. A more ethical correction would place the editor's note above the fold, at the beginning of the article, to ensure that readers are not misled and that the large percentage of readers who do not read the entire piece understand what happened.

So what did these "corrections" consist of? In the original story, Ronald had not just incorrectly made the case that encryption would have hindered the ability of the FBI to locate the kidnappers. Hosko breathlessly alleged that: "Had this [encryption] technology been used by the conspirators in our case, our victim would be dead". The message is clear. Apple and Google, the two companies that Hosko cites in the lead as examples of companies using this dangerous encryption, will have blood on their hands if they continue to protect their users' privacy.

Here is the original paragraph compared next to the still-incorrect "corrected" paragraph, which the online periodical Techdirt first pointed out in their coverage of this debacle:
Last week, Apple and Android announced that their new operating systems will be encrypted by default. That means the companies won’t be able to unlock phones and iPads to reveal the photos, e-mails and recordings stored within.

It also means law enforcement officials won’t be able to look at the range of data stored on the device, even with a court-approved warrant. Had this technology been used by the conspirators in our case, our victim would be dead. The perpetrators would likely be freely plotting their next revenge attack.
That's the first version.
Last week, Apple and Google announced that their new operating systems will be encrypted by default. Encrypting a phone doesn’t make it any harder to tap, or “lawfully intercept” calls. But it does limit law enforcement’s access to a data, contacts, photos and email stored on the phone itself.

Had this technology been in place, we wouldn’t have been able to quickly identify which phone lines to tap. That delay would have cost us our victim his life. The perpetrators would likely be freely plotting their next revenge attack.

And that is the "corrected" version. Note how the writer (at this point it's unclear who wrote the corrected version, Hosko or a Post employee) *still* hangs on to the disproved claim that SMS data subpoenaed from a cell phone carrier has anything to do with an encrypted filesystem on a cell phone, by saying that the FBI "wouldn’t have been able to quickly identify which phone lines to tap".

It's at this point that I find it very difficult to forgive the Washington Post for their involvement in this. Not only have they allowed the FBI to manipulate their readers, betraying the public trust developed by actual journalists who have provided real reporting for the Post over the years; they have stood by their man in his hour of need, despite obvious evidence provided by a multitude of technology experts.

Corrections should correct a story, not reword lies to make them more palatable. Yet that is exactly what the Washington Post has done here.

Since the Snowden revelations, evidence of government malfeasance in their approach to surveillance supporting both foreign intelligence and domestic law enforcement has continued to mount. A significant number of Americans have made it clear that they support even the most totalitarian excesses of the intelligence-gathering community, dismissing centuries-long traditions of English-speaking rule of law with slogans like "I have nothing to hide". Authoritarianism has always been popular with a certain type.

What I have to admit is completely unexpected is the evidence I have found of individuals whose response to disclosures of government surveillance has led them to dismiss the use of encryption as untrustworthy.

In the comments section of the Washington Post story discussed above, for example, one user added the following to the fray: 

[Image: screenshot of a reader comment on the Washington Post story]

Take note: ALL encryption is compromised! Those mathematicians? They're all on the payroll! There is a certain theatrical flourish that always seems to accompany the conspiracy theory. A "You May Think You're Smart But You're Not" sneer behind the 9/11 truth videos, the reptile photographs, the rest of it. We have all been fooled.

But there are reasons for concern that are not based in psychosis. A Web of Trust, one of the original components of Phil Zimmermann's PGP, can be viewed as a proto social network. Police love Facebook because it shows the people you trust and communicate with. A public key Web of Trust provides all the same data to the state just as readily. Public Webs of Trust should only be used with great care, and in a number of circumstances should be abandoned entirely.
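To make that point concrete, here is an added Python example (mine, not from this post and not PGP or GnuPG code) that treats a handful of constructed, exportable key certifications as the public data a keyserver would serve, and recovers from it exactly what a social network recovers: each person's contacts, which pairs certified each other (the usual trace of an in-person key-signing), the clusters they belong to, and when two keys first vouched for one another. No message content is involved anywhere; the graph alone carries the information.

```python
"""A Web of Trust read as a social graph: what public key certifications reveal.

Added example with constructed data. Each tuple is (signer, signee, date),
i.e. an exportable certification that a keyserver would publish. The key
names are placeholders, not real key ids.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Sig = Tuple[str, str, str]

SIGNATURES: List[Sig] = [
    ("alice", "bob", "2014-03-01"),
    ("bob", "alice", "2014-03-01"),
    ("alice", "carol", "2014-05-12"),
    ("carol", "alice", "2014-05-12"),
    ("bob", "dave", "2014-06-20"),
    ("erin", "frank", "2014-07-04"),
    ("frank", "erin", "2014-07-04"),
]


def contacts(sigs: List[Sig], key: str) -> Set[str]:
    """Everyone who certified `key` or whom `key` certified: a friend list."""
    out: Set[str] = set()
    for signer, signee, _ in sigs:
        if signer == key:
            out.add(signee)
        elif signee == key:
            out.add(signer)
    return out


def mutual_signings(sigs: List[Sig]) -> Set[FrozenSet[str]]:
    """Pairs that certified each other, the typical residue of a key-signing meeting."""
    seen = {(s, e) for s, e, _ in sigs}
    return {frozenset((s, e)) for s, e in seen if (e, s) in seen}


def communities(sigs: List[Sig]) -> List[Set[str]]:
    """Connected components of the certification graph: clusters of people who know each other."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for s, e, _ in sigs:
        adj[s].add(e)
        adj[e].add(s)
    seen: Set[str] = set()
    groups: List[Set[str]] = []
    for start in adj:
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:
            k = stack.pop()
            if k in seen:
                continue
            seen.add(k)
            group.add(k)
            stack.extend(adj[k] - seen)
        groups.append(group)
    return groups


def first_contact(sigs: List[Sig], a: str, b: str) -> Optional[str]:
    """Earliest date on which the two keys certified each other: 'when did they meet'."""
    dates = [d for s, e, d in sigs if {s, e} == {a, b}]
    return min(dates) if dates else None


if __name__ == "__main__":
    print("alice's contacts:", sorted(contacts(SIGNATURES, "alice")))
    print("mutual pairs:", [sorted(p) for p in mutual_signings(SIGNATURES)])
    print("communities:", [sorted(g) for g in communities(SIGNATURES)])
    print("alice/carol first met:", first_contact(SIGNATURES, "alice", "carol"))
```

The practical consequence for anyone who wants the authentication benefit of certifying a key without publishing a contact list is to make the certification non-exportable: GnuPG's `--lsign-key` creates a local signature that stays in your own keyring and never reaches a keyserver.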

Another source of skepticism is the hosted provider offering encryption. Apple and Google, whatever ire may be directed at them by the FBI now, are two of the founding corporate members of the NSA's PRISM program. Neither company has stopped responding to FISA court requests. If anything, encrypted storage seems like a concession - a way to change the narrative being foisted on consumer tech companies; a way to remind users that such companies are on the side of their customers and not the state; a way to do all these things without actually fighting any legal battles or compromising pre-existing relationships with agencies more politically connected than even the FBI.

The sense of compromise is pervasive, and leads to statements like this one: 

[Image: screenshot of a Hacker News comment]

So many companies have promised privacy to their users, and lied; encryption strikes users as just another scheme.

Added to this is the constant wave of half-explained media coverage of open source security research. How many readers, unfamiliar with internet technology, are struck by reports of the discovery of the POODLE vulnerability as a bad thing - a failure? Encryption can easily appear to the layman as a flawed technology that depends on dishonest corporations for development and application.

Finally, we have a new wave of mobile applications and their associated startups. The vast majority of such startups are promising their users a new safety and privacy online through the use of whatever snake-oil they happen to be selling, and providing it using the same free-from-upfront-payment model that all of the most dangerous companies rely on. Satan requires no upfront payment, either. Is it any surprise that these companies engage in the same surveillance practices as the firms before them? Whisper, of course, stands out among firms that promise privacy while stealing it. It is my suspicion that Whisper's practices are nothing special.

As our knowledge of surveillance scandals continues to expand, confidence is shaken not just in the state. The public knows that the intelligence community and law enforcement have established extra-legal partnerships in the business community, using their customers as pools of data. The public knows that the intelligence community and law enforcement recruit from the same universities that develop encryption algorithms, providing cryptographers with the highest-paying jobs in the field and generously financing research and handing out grants.

Is it possible to encourage skepticism in organizations whose approach to technology has been corrupted, while building trust that the same technology can protect us from those organizations?

There's only one thing I know for sure, no matter what anybody else may have to say about the matter. Ronald T. Hosko is not a furry.