Urlscan, BYODC, Indirect Branch Tracking, Don’t Hack Me Bro, & Fizzling Out Security – PSW #763
In the Security News: submerged under blankets in a popcorn tin is where they found it, Indirect Branch Tracking, don't hack me bro, we're here from the government to scan your systems, Fizzling out security, static and dynamic analysis for the win, BYODC (Bring Your Own Domain Controller), application context matters, if you want an update better have an Intel CPU, one-time programs, urlscan is leaking, hacking load balancers, and it's all about the company you keep.
- 1. Feds find over $1b Silk Road BTC in popcorn tin, hidden safe
LOL: "The DoJ noted that it found Zhong's holdings "in an underground floor safe; and on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet" when it raided his home in November 2021."
- 2. Linux Moving Ahead With Enabling Kernel IBT By Default
I researched this topic, spoke with a former Intel engineer, and traced back some research from Joao Moreira (https://twitter.com/lvwr/status/1587907509897297920); they both are positive on these changes. There are a few factors at play, such as for some protections, you must have an Intel CPU with CET support, and there are further efforts to build in control flow enforcement into the Linux kernel independent of hardware. I believe this is a step in the right direction to make code execution more difficult. (Further reading: https://lwn.net/Articles/889475/ and further viewing: https://www.youtube.com/watch?v=6Y-cNa-NNhk (How has this talk only gotten like 500 views?!?!?))
- 3. Red Cross Eyes Digital Emblem for Cyberspace Protection
"When Red Cross staff work in conflict zones, their recognizable red-on-white emblems signal that they and those they are helping should not be targeted. Now, as warfare and attacks increasingly move into cyberspace, the organisation wants to create a digital emblem that would alert would-be attackers that they have entered computer systems of the Red Cross or medical facilities." - I get the concept; however, there is no reason why attackers would follow the rules. "Don't hack me" won't work, even if it's the Red Cross (unfortunately).
- 4. UK Security Agency to Scan the Country for Bugs
"We design our requests to collect the smallest amount of technical information required to validate the presence/version and/or vulnerability of a piece of software. We also design requests to limit the amount of personal data within the response" - No need to panic, we're here from the government to scan your systems, everything will be fine. Japan a few years ago announced they were scanning IoT devices as part of a similar program. There are other volunteer programs as well. I believe this should be done in cooperation between the government, non-profits, and volunteers to keep the balance.
- 5. Fizz previously compromised its users’ privacy. It may do so again.
Here's the story: Stanford dropouts create a social network for college students called "Fizz", claiming it's an anonymous way to communicate with fellow students safely (and do heavy moderation to prevent bullying, etc...). You need a .edu email address to join (sound familiar?). Security researchers figure out that the data is not protected in the cloud, and they can basically see all user data and even modify it. They report it to Fizz. Fizz says, "Thanks!" and then sues the researchers. The EFF represents the researchers, the flaws get fixed, but how can you trust Fizz?
- 6. Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs
This research combined static and dynamic analysis, which is not new; however, they combined and refined multiple methods for finding vulnerabilities and did it at scale. The results are pretty impressive (albeit limited to a specific subset of bug classes that lend themselves to static+dynamic analysis): "We evaluate ARBITER on 76,516 binary programs, which are collected from x86-64 Ubuntu 18.04 software repositories. We also demonstrate its precision by analyzing the 436 CWE131 alerts that ARBITER raises in 366 programs, the 159 CWE252 alerts across 126 programs, the 158 CWE-134 alerts across 119 programs, and the 377 CWE-337 alerts across 370 programs. These results demonstrate that ARBITER scales to real-world scenarios, and can detect bugs, including 0-day vulnerabilities, in real-world software. For example, we found and reported an exploitable vulnerability (CVE-2018-18311) in the Perl runtime and a heap error that affects all 32-bit programs compiled by the OCaml compiler." - Code is open-source and available here: https://github.com/jkrshnmenon/arbiter
- 7. Intel AEX Notify Support Prepped For Linux To Help Enhance SGX Enclave Security – Phoronix
Seems we are always trying to fix the shortcomings of SGX, through microcode updates and kernel fixes.
- 8. Hard user separation with NixOS
NixOS seems really cool, something I have to try for sure. This article details a complete build of essentially one operating system and two separate user environments, like chroot, but with much better separation.
- 9. BYODC – Bring Your Own Domain Controller
This is not new, but it's not widely documented or publicized, and according to experts it is "highly effective".
- 10. Safety in Non-Memory-Safe Languages
Good overview, seems CHERI has some good adoption (and has been worked on by some super smart people): "CHERI extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization. The CHERI memory-protection features allow historically memory-unsafe programming languages such as C and C++ to be adapted to provide strong, compatible, and efficient protection against many currently widely exploited vulnerabilities. The CHERI scalable compartmentalization features enable the fine-grained decomposition of operating-system (OS) and application code, to limit the effects of security vulnerabilities in ways that are not supported by current architectures." - https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
- 11. Path traversal in Java web applications – announcing the Invicti technical paper
This is really well-written: "Due to their architecture, Java web applications have a significant security advantage: their file system access is inherently more secure than, say, that of a PHP application running on Apache. Since Java applications are usually packaged as servlets, the application treats the application context root as the only file system it can access. In most cases, there is simply no way for an attacker to reach the underlying file system unless this is explicitly done in application code by using absolute paths and suitable access control. However, it is easy to be blindsided by this secure-by-design characteristic of Java. Many developers assume that since you cannot reach files in the underlying operating system, there is no need to sanitize code or use input validation to protect against potential path traversal attacks" - Given that fact, attackers can enumerate all sorts of goodies in Java applications. Check out the tool here: https://github.com/Invicti-Security/web-inf-path-trav. Ultimately this leads to downloading the entire application and de-compiling it.
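The paper's point is that the context root is the only file system the servlet sees, so the traversal that matters is the one inside it, into WEB-INF (web.xml, classes, libraries) and META-INF. The following is an added example, not the Invicti paper's or tool's code, of the check a developer can apply before serving a user-supplied file path: decode the request exactly once, reject ".." and the protected directories by name, and confirm that the resolved target (after following symlinks) is still under the public root. It is written in Python as a language-neutral stand-in for a servlet filter; the directory layout it builds is constructed for the demonstration.

```python
"""Context-root path check (added example; not the Invicti paper's or tool's code).

A servlet container serves files relative to the application context root, so
a traversal bug cannot reach /etc, but it can still reach WEB-INF/ and
META-INF/.  resolve_public_path() refuses those.  The context root created by
build_demo_root() is constructed for this example.
"""
import tempfile
from pathlib import Path, PurePosixPath
from typing import Dict, Optional
from urllib.parse import unquote

# Directories under the context root that must never be served directly.
PROTECTED = ("WEB-INF", "META-INF")


def resolve_public_path(context_root: Path, requested: str) -> Optional[Path]:
    """Return the on-disk path for `requested`, or None if it must be refused."""
    decoded = unquote(requested)          # decode exactly once; "%252e" stays literal
    if "\x00" in decoded or "\\" in decoded:
        return None                       # NUL truncation / Windows separators
    parts = PurePosixPath(decoded.lstrip("/")).parts   # "." segments are collapsed
    if any(p == ".." for p in parts):
        return None                       # no upward traversal, even if it re-enters
    if any(p.upper() in PROTECTED for p in parts):
        return None                       # case-insensitive: be strict on every FS
    root = context_root.resolve()
    candidate = root.joinpath(*parts).resolve()       # follows symlinks
    if candidate != root and root not in candidate.parents:
        return None                       # a symlink (or anything else) escaped the root
    return candidate


def build_demo_root() -> Path:
    """Create a throw-away context root (constructed layout for the demo)."""
    root = Path(tempfile.mkdtemp(prefix="ctx-"))
    (root / "index.html").write_text("<html>public</html>")
    (root / "WEB-INF").mkdir()
    (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
    return root


def demo() -> Dict[str, bool]:
    """Map each constructed request to whether the resolver would serve it."""
    root = build_demo_root()
    requests = [
        "/", "/index.html",
        "/WEB-INF/web.xml", "/web-inf/web.xml",            # protected directory
        "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd",  # traversal, encoded traversal
        "/static/../index.html",                            # re-entering traversal, still refused
    ]
    return {r: resolve_public_path(root, r) is not None for r in requests}


if __name__ == "__main__":
    for req, served in demo().items():
        print(f"{'serve ' if served else 'refuse'}  {req}")
```

The check is deliberately stricter than a plain prefix comparison: rejecting any ".." segment, even one that would stay inside the root, removes a whole class of encoding and normalization surprises, and resolving the final path catches symlinks that point outside the deployment.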
- 12. Intel ME-Enabled System Needed For Updating Arc Graphics GSC Firmware – Phoronix
Intel uses ME as a Swiss Army knife. Most are familiar with Intel ME's ability to monitor and manage the system remotely. However, remote access aside, ME plays a role in some of the core hardware security protections, such as fusing circuits or applying firmware or microcode updates. In this case, as of this writing, Intel uses ME exclusively to update firmware on their new Arc graphics cards. This means if you are running a non-Intel platform, you don't have ME and, therefore, cannot update the firmware. I don't believe Intel will keep this limitation as they likely want to sell as many graphics cards as possible, and excluding AMD users contradicts that mission. I do worry, for security's sake, that this type of limitation exists...
- 13. Webcast: Firmware Enumeration Using Open Source Tools w/ Paul Asadoorian – Black Hills Information Security
In case you missed it, I covered a lot of ground, including how to update your Secure Boot dbx (a new and better method than before), how to enumerate Intel ME on your systems, and how to determine if your flash chip is protected (or not).
- 14. Boffins rekindle one-time program cryptographic concept
"[Most agree] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high," Eldridge told The Daily Swig. "There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used." - Turns out it's really hard to use cryptography to allow a computer program to run only once. The idea was introduced as early as 2008, but had significant challenges, such as how to "only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob. No such tokens were ever made, so the whole idea has lain dormant for more than a decade." The new research suggests using lockboxes, the technology in your phone that locks after too many unsuccessful passcodes; however, it's still challenging: "researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome."
- 15. urlscan.io’s SOAR spot: Chatty security tools leaking private data
The problem is when automated systems send URLs to urlscan.io to check if they are safe and urlscan.io stores the URL information, which could include tokens, password reset data and more. There is a list of "dorks" on the PT site that allows you to start reviewing urlscan.io for leaked information. The problem is that the "fix," or "fixes," have to come from multiple parties: urlscan.io should try to prevent this by not storing sensitive information (even though it's given to them), the sites being submitted should do things such as have short password reset time windows, and the organizations sending the data should be careful not to send sensitive information from URLs being monitored. An attack scenario could include sending password reset emails, knowing those URLs will end up on urlscan.io, and taking over accounts.
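The third party to the fix, the organization whose SOAR or mail gateway submits URLs, can stop most of the leakage before it happens by redacting a URL on the way out. The block below is an added example (not urlscan.io's or Positive Security's code) of such a filter: it strips embedded credentials from the authority part, replaces known secret-bearing query and fragment parameters, and replaces any path segment or value that looks like an opaque token. The parameter names and sample URLs are constructed for the example; SENSITIVE_PARAMS is a starting list that you would extend for your own applications.

```python
"""Redact secrets from a URL before it is sent to a third-party scanner
(added example; not urlscan.io's or Positive Security's code).

Automation that forwards URLs verbatim is what turns a scanner into a leak.
redact_url() returns the sanitized URL plus a list of what it changed, so a
pipeline can either submit the redacted form or skip the submission entirely.
Parameter names and the URLs in the tests are constructed for this example.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query/fragment parameter names that commonly carry credentials or one-time links.
SENSITIVE_PARAMS = {
    "token", "access_token", "refresh_token", "id_token", "reset", "reset_token",
    "code", "session", "sessionid", "sid", "key", "api_key", "apikey",
    "sig", "signature", "otp", "auth", "password", "secret",
}
# 20+ URL-safe-base64/hex characters containing at least one digit: treat as a token.
OPAQUE_VALUE = re.compile(r"^(?=.*\d)[A-Za-z0-9_\-]{20,}={0,2}$")
PLACEHOLDER = "REDACTED"


def _redact_pairs(encoded: str, where: str, findings: List[str]) -> str:
    """Rewrite a "k=v&k2=v2" string, redacting sensitive names and opaque values."""
    out = []
    for k, v in parse_qsl(encoded, keep_blank_values=True):
        if k.lower() in SENSITIVE_PARAMS or OPAQUE_VALUE.match(v):
            findings.append(f"{where}:{k}")
            v = PLACEHOLDER
        out.append((k, v))
    return urlencode(out)


def redact_url(url: str) -> Tuple[str, List[str]]:
    """Return (safe_url, findings); findings is empty when nothing was changed."""
    p = urlsplit(url)
    findings: List[str] = []

    # 1. user:pass@host: never forward embedded credentials.
    netloc = p.netloc
    if "@" in netloc:
        findings.append("userinfo")
        netloc = netloc.rsplit("@", 1)[-1]

    # 2. Path segments that look like tokens (e.g. /reset/<token>, /invite/<token>).
    segs = p.path.split("/")
    for i, seg in enumerate(segs):
        if OPAQUE_VALUE.match(seg):
            findings.append(f"path:{i}")
            segs[i] = PLACEHOLDER

    # 3. Query string.
    query = _redact_pairs(p.query, "query", findings) if p.query else ""

    # 4. Fragment: the OAuth implicit flow returns access_token after '#'.
    frag = p.fragment
    if "=" in frag:
        frag = _redact_pairs(frag, "fragment", findings)
    elif OPAQUE_VALUE.match(frag):
        findings.append("fragment")
        frag = PLACEHOLDER

    return urlunsplit((p.scheme, netloc, "/".join(segs), query, frag)), findings


def safe_to_submit(url: str) -> bool:
    """Policy helper: only a URL that needed no redaction may go to a public scanner."""
    return not redact_url(url)[1]


if __name__ == "__main__":
    for u in ["https://app.example.com/reset?token=abc123def456ghi789jkl0&user=bob",
              "https://alice:s3cret@example.com/path?x=1"]:
        print(redact_url(u))
```

The opaque-value heuristic trades some false positives (a long hyphenated slug with a digit in it) for catching tokens under parameter names you have not listed; lower the length threshold or drop the digit requirement to suit the applications you monitor. Submitting nothing at all for URLs with findings, rather than the redacted form, is the safer default for password-reset and invitation links, since the path alone can still identify the account.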
- 16. The Company You Keep – Preparing for supply chain attacks with Talos IR
This is a great article, perhaps one of the best I've read on supply chain, highlighted by this quote: "Why would an adversary spend weeks building out a cyber kill chain that includes custom malware and a complex social engineering campaign when they could compromise a softer target – a vendor or partner in the supply chain – and have direct, trusted access to the primary target in a much shorter time? They won’t. They will choose the path of least resistance. For this reason, the concept of an organization’s attack surface has grown beyond its protected environment to include assets and entities that it does not own or control." While they do not mention firmware, this speaks to me: "Visibility beyond that first degree of separation begins to get hazy and an organization may not have any knowledge of its supply chain at all beyond the second degree of separation. This leaves security teams with the elusive task of managing a set of risks about which little is known."
- 17. Pwned Balancers: Commandeering F5 And Citrix For Persistent Access & C2
What if you actually wanted to persist on a load balancer? Load balancers tend to run a firmware-like OS based on Linux. Nate found ways to persist on these devices through reboots and device upgrades by hiding in the backup archives in unique and interesting ways.
- 18. Practical Client Side Path Traversal Attacks
Interesting research...
- 19. Zero-days are exploited on a massive scale in increasingly shorter timeframes
- 20. Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT
- 21. Google ad for GIMP.org served info-stealing malware via lookalike site
- 22. Hackers get into Dropbox developer accounts on GitHub, access 130 code repositories and more
- 23. Prototype pollution bug exposed Ember.js applications to XSS
- 1. FBI Report: Hacktivists' Use of DDoS Activity Causes Minor Impacts
The US Federal Bureau of Investigation (FBI) has published a Private Industry Notification warning that hacktivists are launching distributed denial-of-service (DDoS) attacks. The document includes recommendations for mitigating the effect of the attacks. Targets have included financial institutions, emergency services, airports, and healthcare-related facilities.
- 2. Cyberattack at Boeing Disrupts Flight Planning
Boeing subsidiary Jeppesen has "experienced a cyber incident affecting certain flight planning products and services." The incident began on November 2; Jeppesen says that as of November 5, notice to air mission (NOTAM) bulletins were reactivated in their hosting environment.
- 3. Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack
Researchers from Phylum have found nearly 30 malicious packages in the Python Package Index (PyPI) that attempt to infect developers' systems with the W4SP Stealer Trojan. The packages are clones of popular software packages with names that make them seem legitimate. The malicious packages have been downloaded 5,700 times.
The attackers used various techniques to import their Trojan by modifying the __init__.py or setup.py script in ways that are subtle and hard to spot. That import statement creates a temporary file which is executed, downloading obfuscated code from multiple sites; that code contains a compressed object which is, in fact, the W4SP Stealer, designed to steal information from users' systems including browser passwords, crypto wallets and files with financial-related information.
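The common thread in the technique described above is code that runs at install or import time and has no business in a setup script: decoding a blob, writing a temp file, fetching something, then executing it. The block below is an added example (not Phylum's tooling) of a small AST-based triage pass a reviewer or CI job can run over a package's setup.py or __init__.py before trusting it: it walks only module-level statements, ignores function and class bodies, and reports imports of modules and calls that are suspicious in that position. Both sample scripts are constructed for this example; the "suspicious" one contains a placeholder string, not a real payload, and is only parsed, never executed.

```python
"""Static triage of a package's setup.py / __init__.py (added example; not
Phylum's tooling).

Flags module-level statements, the ones that run on `pip install` or on
import, that execute code, decode blobs, touch the network, spawn processes
or write temp files.  Each hit deserves a human look.  Both sample scripts
are constructed for this example; the suspicious one holds a placeholder
string and is parsed only, never run.
"""
import ast
from typing import List

# Modules a setup script has no reason to import at module level.
RISKY_MODULES = {"urllib", "requests", "subprocess", "socket", "tempfile",
                 "base64", "zlib", "marshal", "ctypes"}
# Builtins / attribute calls that are suspicious when reached at import time.
RISKY_CALLS = {"exec", "eval", "compile", "__import__",
               "urlopen", "urlretrieve", "Popen", "system", "check_output",
               "b64decode", "decompress", "NamedTemporaryFile", "mkstemp"}


def _call_name(node: ast.Call) -> str:
    """Name of the callee for `f(...)` or `obj.attr(...)`, else ''."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def triage_setup_script(source: str) -> List[str]:
    """Return human-readable findings for code that runs at install/import time."""
    findings: List[str] = []
    for node in ast.parse(source).body:          # module level only
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue                              # bodies run later, if ever
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in RISKY_MODULES:
                findings.append(f"line {node.lineno}: imports {name}")
        for sub in ast.walk(node):                # expressions nested in this statement
            if isinstance(sub, ast.Call) and _call_name(sub) in RISKY_CALLS:
                findings.append(f"line {sub.lineno}: calls {_call_name(sub)}()")
    return findings


# Constructed sample: an ordinary setup script.
CLEAN_SAMPLE = """\
from setuptools import setup

setup(name="examplepkg", version="1.0.0", packages=["examplepkg"],
      install_requires=["requests"])
"""

# Constructed sample: decode-and-exec at install time. BLOB is a placeholder.
SUSPICIOUS_SAMPLE = """\
from setuptools import setup
import base64, tempfile, urllib.request

BLOB = "<placeholder, not a real payload>"
exec(base64.b64decode(BLOB))
setup(name="examplepkg", version="1.0.1")
"""


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, triage_setup_script(src) or "no findings")
```

This is a triage aid, not a verdict: packages with native extensions legitimately call subprocess from setup.py, and a stealer can hide behind a custom cmdclass whose body this pass skips. Its value is that the cheap, import-time pattern the page describes shows up as a short, readable list rather than being buried in a diff.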
- 4. Microsoft Digital Defense Report 2022
Microsoft’s Digital Defense Report 2022 addresses the state of cybercrime, nation state threats, devices and infrastructure, cyber influence operations, and cyber resilience.
- 5. Google Patches High-Severity Privilege Escalation Vulnerabilities in Android
Rolling out this week, Android’s November 2022 security updates patch over 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.
- 6. Nigerian scammer sentenced to 11 years in US prison
A Nigerian influencer who attracted millions of followers on Instagram by showing off luxury cars and high-end clothing was sentenced on Monday to 11 years in prison for his role in business email compromise schemes and money laundering.
- 7. Microsoft November 2022 Patch Tuesday fixes 6 exploited zero-days, 68 flaws
Today is Microsoft's November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws. Odds are the updates were already pushed - remember to reboot so any open/busy files are replaced....