Interview with RIM cofounder Jim Balsillie about his advocacy against the rise of surveillance capitalism in Canada and the Sidewalk Toronto smart city project (Brian J. Barth/The Walrus)

About This Page: This is a Techmeme archive page showing how the site appeared at 6:25 PM ET, April 13, 2019. Source: http://www.techmeme.com

April 13, 2019
Read More >>

Hashcat Macbook > kali

Hello guys, a friend told me that in one module of his forensics course they had to crack some hashes using hashcat. But just 2 of the students had a MacBook, and they could retrieve the hashes faster than the others. My friend and I have no idea of how th…

April 13, 2019
Read More >>

[THOUGHT EXERCISE] Syslog-NG Store Box License count bypass with Custom Parsing

Background on Syslog-NG

Syslog-ng was originally released in 1998 as an open source implementation of syslog for Unix and Unix-like systems, extending standard syslog with filtering and flexible configuration. In 2000, Balabit was co-founded by syslog-ng's author and extended the project into an enterprise log management suite by introducing the premium edition, syslog-ng PE, and the syslog-ng Store Box, SSB. The suite allows filtering and log manipulation, including rewriting specific fields by replacement or appending. The vendor's licensing model is designed to make integrating new syslog sources easy. The enterprise appliance, SSB, is licensed per source host, where a host is identified by interpreting the host field of the syslog header.

How the SSB works

The SSB stores event logs and provides basic reporting and visualization. Log spaces group stored logs according to administrator-defined criteria, expressed as inclusion and exclusion filters. Each log space also has data retention attributes, so that data can be kept long enough to meet regulatory requirements while disk usage stays below a chosen level. SSB licensing includes access to syslog-ng PE and the open source edition, both of which are managed as a service through a configuration file, without the added bells and whistles of the SSB.

Because syslog-ng can both receive and forward, syslog-ng instances are often deployed as aggregation points that feed an SSB. The SSB detects hosts automatically from the syslog host field, so every host that sends to an aggregation point counts against the licensed host allotment; each aggregator, and the SSB itself, is counted as a host as well, which reduces the usable license by a small number of hosts.

On the visualization front, the SSB parses common formats out of the box, and additional parsing can be configured for logs that arrive in a more customized format. These additional parsers are configured as key-value pairs via the GUI: each defines a field name and the value to extract, either the whole value or, using regular expressions, only the part that matches certain conditions.

Rewriting capabilities

The syslog-ng family of products has very flexible log manipulation capabilities, including appending details to the log message and replacing elements of the message as necessary. This comes in handy when messages need to be tagged with severity or priority levels, or with regulatory tags if that is how an organization tracks those requirements.

Incoming events can be adjusted using dynamic fields taken from the inbound message before the manipulated log is sent on to its destination file, log space or network host. Using these capabilities it is possible to rewrite the host field of a message and thereby bypass the host-count licensing model.

My thoughts were to see whether or not it would be possible to aggregate multiple sources so that they appear to come from a single source while still being able to identify the original source. The following configuration file was used as a POC:

@version: 7.0
# Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# https://www.balabit.com/support/documentation
#
@include "scl.conf"

options {
    keep-hostname(yes);
    stats_freq(0);
};

######
# sources
source s_local {
    # messages generated by syslog-ng itself
    internal();
    system();
    monitoring_welf();
};

source s_net {
    udp();
    tcp();
    syslog();
};

#####
# Rewrites
# Order matters in the log path below: the original $HOST is appended to
# MESSAGE first, then HOST is overwritten with a constant.
rewrite r_rewrite_message { set("$MESSAGE from device=$HOST", value("MESSAGE")); };
rewrite r_rewrite_host    { set("syslogngpe-pr0fx", value("HOST")); };

######
# destinations
destination d_ssb0 { tcp("xxx.xxx.xxx.xxx"); };
destination d_ssb1 { tcp("xxx.xxx.xxx.xxx"); };

######
# logging
# unmodified copy
log { source(s_local); source(s_net); destination(d_ssb1); };
# rewritten copy: every event arrives at d_ssb0 with HOST=syslogngpe-pr0fx
log { source(s_local); source(s_net); rewrite(r_rewrite_message); rewrite(r_rewrite_host); destination(d_ssb0); };

Tests leveraging this configuration confirmed my hypothesis. See the linked screenshot and note the list of 5 devices, which are the true sources, while 'Active Hosts' under the 'System Monitor' indicates 3, including the SSB itself and the forwarding syslog-ng PE instance. Adding a key-value pair and additional parsing as an option in the SSB allows an extracted field to indicate the true source.

Note:

All license limitations are covered by the "Software Transaction Agreement" and the corresponding "One Identity Product Guide", and any violation of this can lead to legal action against those attempting to bypass it in a production environment under license with One Identity. I have informed One Identity of this and they have confirmed that they are covered by their Software Transaction Agreement.

Version tested: SSB 5.2.0

Current version: 5.3.0

submitted by /u/pr0fx
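The rewrite chain and the SSB-side parsing from the post above, as an added example that is not part of the original post and is not syslog-ng or One Identity code: a Python simulation that applies r_rewrite_message and then r_rewrite_host to a handful of constructed BSD-syslog events, counts the distinct HOST values a host-count license would see before and after, and pulls the original sender back out of the appended "from device=" suffix the way a key-value parser on the SSB would. The sample events, the device host names and the helper names (forward, active_hosts, extract_device, device_counts) are assumptions made for this example; the "from device=" key and the syslogngpe-pr0fx host name come from the post's configuration.

```python
"""Simulation of the post's syslog-ng rewrite chain and of the SSB-side
key-value extraction.  Added example; not code from the post or from syslog-ng.
Sample events and host names below are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed RFC 3164 (BSD syslog) events from five distinct devices.
SAMPLE_EVENTS = [
    "<34>Apr 13 18:25:01 fw-edge-01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1",
    "<38>Apr 13 18:25:02 bastion-01 sshd[4123]: Accepted publickey for ops from 10.0.1.7 port 51022",
    '<14>Apr 13 18:25:02 web-01 nginx: 10.0.2.9 - - "GET /login HTTP/1.1" 200',
    "<38>Apr 13 18:25:03 bastion-01 sshd[4130]: Failed password for root from 10.0.1.8 port 51033",
    "<13>Apr 13 18:25:04 db-01 postgres[991]: connection authorized: user=app database=prod",
    "<34>Apr 13 18:25:05 vpn-01 openvpn[77]: TLS: Initial packet from [AF_INET]198.51.100.4:1194",
]

FORWARDER_HOST = "syslogngpe-pr0fx"  # the constant r_rewrite_host writes into HOST

# <PRI>Mmm dd hh:mm:ss HOST MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Key-value parser the SSB side would configure (assumed regex, anchored to the
# end of the message so a later append wins over anything already in the body).
DEVICE_RE = re.compile(r" from device=(?P<device>\S+)$")


@dataclass(frozen=True)
class Event:
    pri: int
    ts: str
    host: str
    msg: str


def parse_event(line: str) -> Event:
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    return Event(int(m["pri"]), m["ts"], m["host"], m["msg"])


def format_event(ev: Event) -> str:
    return f"<{ev.pri}>{ev.ts} {ev.host} {ev.msg}"


def rewrite_message(ev: Event) -> Event:
    # r_rewrite_message: set("$MESSAGE from device=$HOST", value("MESSAGE"))
    return Event(ev.pri, ev.ts, ev.host, f"{ev.msg} from device={ev.host}")


def rewrite_host(ev: Event, forwarder: str = FORWARDER_HOST) -> Event:
    # r_rewrite_host: set("syslogngpe-pr0fx", value("HOST"))
    return Event(ev.pri, ev.ts, forwarder, ev.msg)


def forward(lines, host_first: bool = False):
    """Apply the post's rewrite chain to each line, as the d_ssb0 log path does.
    host_first=True applies the two rewrites in the wrong order, which overwrites
    HOST before it is copied and so records the forwarder instead of the device."""
    out = []
    for line in lines:
        ev = parse_event(line)
        ev = rewrite_message(rewrite_host(ev)) if host_first else rewrite_host(rewrite_message(ev))
        out.append(format_event(ev))
    return out


def active_hosts(lines):
    """What a host-count license sees: the distinct values of the HOST field."""
    return {parse_event(line).host for line in lines}


def extract_device(line):
    """SSB-side key-value extraction: recover the original sender, or None."""
    m = DEVICE_RE.search(parse_event(line).msg)
    return m["device"] if m else None


def device_counts(lines):
    return Counter(extract_device(line) for line in lines)


if __name__ == "__main__":
    rewritten = forward(SAMPLE_EVENTS)
    print("hosts before rewrite:", sorted(active_hosts(SAMPLE_EVENTS)))
    print("hosts after rewrite: ", sorted(active_hosts(rewritten)))
    print("devices recovered:   ", dict(device_counts(rewritten)))
    print("wrong rewrite order: ", dict(device_counts(forward(SAMPLE_EVENTS, host_first=True))))
```

Two details the simulation makes visible. The order of the two rewrites in the log path is what preserves the original sender: swapping them leaves every event tagged with the forwarder's name and the true source is gone. And the whole scheme depends on keep-hostname(yes) in the forwarder's options block; with keep-hostname(no), syslog-ng replaces $HOST with the address of the peer it received the message from, so the appended field would name the relay rather than the device.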

April 13, 2019
Read More >>

Amazon and Google Fight Bill That Prohibits Secretly Recording You

An anonymous reader quotes Vice: On Wednesday, the Illinois State Senate passed the Keep Internet Devices Safe Act, a bill that would ban manufacturers of devices that can record audio from doing so remotely without disclosing it to the customer. But after lobbying from trade associations that represent the interests of Google, Amazon — makers of the microphone-enabled Google Home and Alexa smart speakers, respectively — and Microsoft, among other…

April 13, 2019
Read More >>

Fair burden-sharing in NATO

The silly idea that NATO members should allocate 2% of their national income to deterrence and defence annoyed me a lot for a long time. It’s not only too much given the modest conventional threat, but it also distracts.  Total military power is o…

April 13, 2019
Read More >>

PAK SCAN: Was it US’ F-16 Or China’s JF-17 That ‘Downed’ MiG-21 Bison Piloted By Abhinandan?

Both F-16 and JF-17 were equally capable, as was France’s Mirage-V, of which Pakistan has plenty. These days, air platform matters relatively little

by Pervez Hoodbhoy

To this touchy question — touchy for political and legal reasons — the answer is that it scarcely matters. Either aircraft, the US supplied F-16 or the Chinese origin JF-17, was equally capable of downing the Soviet

April 13, 2019
Read More >>

Did India Shoot Down An F-16 of The Pakistan Air Force?

by Dinakar Peri

The story so far: In the early hours of February 26, the Indian Air Force (IAF) conducted precision air strikes on a Jaish-e-Mohammad (JeM) training camp at Balakot in Pakistan. In response the next day, Pakistan Air Force (PAF) jets targeted Indian military installations across the Line of Control (LoC), but the attack was thwarted by IAF jets. In the engagement that

April 13, 2019
Read More >>