PSW #764 – Jesse Michael
Segments
1. UEFI & SMM Vulnerabilities – Jesse Michael – PSW #764
Navigating the UEFI waters is treacherous. While UEFI has become the standard on most PCs, servers, and laptops, replacing legacy BIOS, it is a complex set of standards and protocols. Jesse joins us to help explain how some of this works and describe how vulnerabilities, specifically with SMM, can manifest and be exploited.
Segment Resources: CHIPSEC GitHub
Guest
Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.
2. Stealing Mastodon Passwords, Update Your Firmware on Linux, & Oops I Leaked Again – PSW #764
In the Security News: Stealing Mastodon passwords, reporting vulnerabilities in open-source privately, labeling does not solve problems, or does it? Will it ever get patched? Geolocating people from photos, no meta-data required, update your firmware on Linux, hacking flow computers, when a driver isn't really a driver, well, it's a driver, but not the one you may be thinking of, oops I leaked it again, misconfiguration leads to compromise, harden runner, guard dog and hacking spacecraft via Ethernet!
- 1. Mastodon users vulnerable to password-stealing attacks
My question is, does this work regardless of how the password is auto-filled? I'm thinking the recommendation should be to turn off autofill in the browser and any password managers. There we go again, sacrificing convenience for security! (Mandy = Interesting other points "after discovering that Mastodon allows users to post HTML, Heyes found out from other users that he was able to spoof a blue ‘official’ tick in his username by inputting :verified:." and "Heyes then realised he could inject form elements, allowing him to spoof a password form which, when combined with Chrome autofill, would allow an attacker access to the credentials. Worse still, the researcher was able to spoof the toolbar below. Where a user clicked on any elements of the spoofed toolbar, it would send their credentials to an attacker's server." Reported the bug directly to Glitch. Contributors have released a patch for the issue, which is available on the Glitch repo.)
- 2. [CVE-2022-40303] Integer overflow in xmlParseNameComplex (#381) · Issues · GNOME / libxml2 · GitLab
Oh, and here you can see Maddie being awesome, huge fan!
- 3. Flaws in public GitHub repos can now be reported privately
"Repositories differ on how researchers can be contacted, with some having few if any instructions. In such cases going public can seem the only alternative, which opens the door to miscreants also finding and exploiting the data." - Interesting, I would have thought most repos had an issue tracker where people would submit bugs, or at least a pull request, but that assumes you know how to fix it and actually proposed a fix in said pull request. All of that is still public. Private reporting is important as we want the vulnerability to be secret for a period of time. Any information, even hints, leads to security researchers and threat actors digging into the code or binaries and looking for a vulnerability. At least one case, that is super impressive, is where Maddie Stone found a bug in Android (I believe) based on the marketing materials from a threat actor group!
- 4. Will a Labeling System Solve IoT Security Challenges?
The first problem with labeling is allowing people to understand what the label is saying. How many times have you Googled an ingredient on a nutrition label? Yeah, I didn't know what erythritol was either until Google told me. The same goes for IoT devices, does the end user care to understand the kernel version or if the device is using GNUTLS or OpenSSL? Bring it up a level and it may help, such as looking at the number of ingredients and where they come from.
- 5. The FBI Came Close to Deploying Spyware for Domestic Investigations
"The internal FBI documents and legal briefs submitted on behalf of the bureau give the most complete picture to date of the bureau’s interest in deploying Pegasus. While heavily redacted, the internal documents show that, from late 2020 until the summer of 2021, the FBI had demonstrated a growing interest in potentially using Pegasus to hack the phones of FBI targets in criminal investigations."
- 6. All Day DevOps: Third of Log4j downloads still pull vulnerable version despite threat of supply chain attacks
Great points in this talk include: 1) "known attacks against open source repositories have increased by 633% year-over-year, and there has been an annual, overall increase of 742% since 2019." 2) Not everyone will patch in a timely manner, and we see you pulling those vulnerable versions, tempted to suggest we just pull them (evil grin) 3) More people rely on open-source libraries: "2015 and 2022 there had been trillions of download requests across various package managers, with Java downloads soaring 3,870%, JavaScript rising 13,900%, and .NET jumping 34,100%." easily adding 10,000 lines of code to a typical application 4) Purge your build system as it could be caching vulnerable libraries.
- 7. Starlink User Terminal Modchip
"The talk covers how we managed to execute arbitrary code on the Starlink User Terminal using a custom modchip that performs voltage fault injection. The modchip can be used to bypass signature verification during execution of the System-on-Chip (SoC) ROM bootloader (BL1)"
- 8. NVIDIA Open GPU Kernel Driver Improves Firmware Handling, IBT Support – Phoronix
Interesting IBT has to be supported by the driver: "Additionally, the driver now supports Indirect Branch Tracking (IBT) when enabled by the kernel on supported platforms."
- 9. A Russian Missile Crew Was Geolocated From Just This Photo
I love this stuff, it's the hacker mind at work. I often look at images and see what I can find that may reveal things that were not intended to be revealed. This post is great and shows how a Russian missile crew's location was determined by analyzing an image.
- 10. NSA Cybersecurity Information Sheet: Software Memory Safety
Strong statement: "While the use of added protections to nonmemory safe languages and the use of memory safe languages do not provide absolute protection against exploitable memory issues, they do provide considerable protection. Therefore, the overarching software community across the private sector, academia, and the U.S. Government have begun initiatives to drive the culture of software development towards utilizing memory safe languages."
- 11. Fwupd 1.8.7 Released With Linux Firmware Updating Support For More Hardware
Also, bug fixes and new features. I strongly encourage all Linux users to adopt LVFS; the project is well-run and gaining traction. I also encourage distros to include LVFS by default. As a user or administrator, use fwupdmgr to update the database ("fwupdmgr get-updates") and apply them ("fwupdmgr update"). Add this to your regular update processes!
- 12. An Oil and Gas Weak Spot: Flow Computers
"Flow computers calculate oil and gas volume and flow rates; these measurements are critical not only to process safety, but are also used as inputs in other areas, including billing. Team82 is disclosing details on a path-traversal vulnerability in ABB TotalFlow flow computers and controllers. An attacker could exploit a vulnerable system to inject and execute arbitrary code."
- 13. Worok hackers hide new malware in PNGs using steganography
- 14. Uncovering Window Security Events
- 15. The exploit recon ‘msg_msg’ and its mitigation in VED
- 16. Introducing Shufflecake: plausible deniability for multiple hidden filesystems on Linux
- 17. Netgear Nighthawk r7000p aws_json Unauthenticated Double Stack Overflow Vulnerability
This limits the scope of this vulnerability: "By placing a malicious json content in a webserver and redirecting the router to download it (either by DNS redirection or TCP redirection), an attacker can execute arbitrary code." However, there has been a series of vulnerabilities that exploit IoT devices when they attempt to pull data from remote sources. I expect this trend to continue.
- 18. Aiphone Intercom System Vulnerability Allows Hackers to Open Doors
- 19. Thales Denies Getting Hacked as Ransomware Gang Releases Gigabytes of Data
- 20. Prototype pollution project yields another Parse Server RCE
- 21. Lenovo driver goof poses security risk for users of 25 notebook models
Keep in mind you may have read the word "Driver" and thought Windows driver or Linux kernel driver. What is being referenced here are DXE drivers (Driver eXecution Environment) that execute before the OS is loaded and are responsible, along with other processes and stages, for initializing the hardware such that the OS and OS drivers can interface with the hardware.
- 22. Google Pixel screen-lock hack earns researcher $70k
- 23. Gaping Authentication Bypass Holes in VMware Workspace One
- 24. Intel, AMD Address Many Vulnerabilities With Patch Tuesday Advisories
- 25. Patches for 6 0-days under active exploit are now available from Microsoft
- 26. Misconfigurations, Vulnerabilities Found in 95% of Applications
I guess it just depends on what you're selling: "Yet, Synopsys found that, despite those concerns, vulnerabilities in supply-chain security and open-source software components accounted for only about a quarter of issues. The Vulnerable Third-Party Libraries in Use category of security weaknesses was uncovered in 21% of the penetration tests and 27% of the static analysis tests, the report said." - The rest of the article is based on my old quote: "Mis-Configuration leads to compromise". There is a gap, as proven by this research, and frustrating as many solutions exist to help solve this problem.
- 27. Unauthenticated Remote Code Execution in Spotify’s Backstage
"Having more than 19,000 stars on Github, Backstage – a CNCF incubated project by Spotify, is one of the most popular open source platforms for building developer portals. It restores order to your microservices and infrastructure, thus enabling your product teams to ship high-quality code quickly without compromising autonomy."
- 28. 17 Web Domains Were Seized by the FBI and USPS for Connection to Job Scams
- 29. Finding malicious PyPI packages through static code analysis: Meet GuardDog
"Static analysis tools are typically used to identify vulnerabilities. GuardDog makes use of this same technique to identify malicious packages. Because GuardDog provides heuristics that identify common attacker techniques rather than package signatures, you can use it to identify malicious packages that have never been seen before."
- 30. Harden Runner: Security agent for the GitHub-hosted runner to monitor the build process
"Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to Prevent exfiltration of credentials, Detect tampering of source code during build, Detect compromised dependencies and build tools"
- 31. Exploit for libxml2 xmlParseNameComplex Integer Overflow CVE-2022-29824 CVE-2022-40303
- 32. Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots
Don't take snapshots and make them public. I don't believe, based on the data and my assumptions, this is not a common practice.
- 33. Hyperpom: An Apple Silicon Fuzzer for 64-bit ARM Binaries
- 1. Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps
The CDC and the Army leveraged code from Pushwoosh for their own apps as they believed Pushwoosh was a U.S. company. Pushwoosh's social media profile states they are indeed a U.S. company, but Reuters discovered they are actually a Russian company headquartered in Siberia. Upon discovery of the origin of the Pushwoosh code, the Army removed the app, and the CDC removed the software from their public facing applications due to security concerns.
- 2. BATLOADER: The Evasive Downloader Malware
Analysts from VMware’s Carbon Black Managed Detection and Response are tracking a malware campaign involving the BatLoader downloader. The analysts have detected 43 successful infections over the past three months.
BatLoader appears to be drawing from the Conti malware playbook, leveraging some of the same resources and techniques. A common entry point is leveraging SEO to get users to download malicious .MSI installer/updater for products such as LogMeIn, Zoom, TeamViewer and AnyDesk.
- 3. Microsoft identifies issues with Kerberos authentication on certain Windows Servers
Microsoft reported that after installing updates released on the most recent Patch Tuesday on Nov. 8, security teams might have issues with Kerberos authentication on Windows Servers with the Domain Controller role.
The issue may raise a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller, and is most likely tied to where you have set the 'This account supports Kerberos AES 256 bit encryption' or 'This account supports Kerberos AES 128-bit encryption' Account Options for your AD users.
- 4. How to add your driver’s license to the Apple Wallet app (and why you should)
This feature is slowly rolling out as more states bring support for adding your driver's license or ID card to your iPhone or Apple Watch. Currently works with Arizona, Colorado and Maryland DL/ID cards.
Question: Because we can - should we?
- 5. 8 strange ways employees can (accidently) expose data
Employees are often warned about the data exposure risks associated with the likes of phishing emails, credential theft, and using weak passwords. Here are eight unusual, unexpected, and relatively strange ways employees can accidentally expose data, along with advice for addressing and mitigating the risks associated with them.
- 6. Black Friday online shopping: How to boost your cybersecurity and stay safe from scammers
PSA: Black Friday offers opportunities to bag discount deals - and cyber criminals know online shoppers might let their guard down in the rush.
- 7. NSA Releases Guidance on How to Protect Against Software Memory Safety Issues
The “Software Memory Safety” Cybersecurity Information Sheet highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts.
- 8. FIFA World Cup apps have privacy experts on edge
Visitors to Qatar are required to download two apps to their smartphones: a COVID-tracking app called Ehteraz, and the official World Cup app, Hayya.
The Ehteraz app asks users to allow remote access to pictures and videos, make unprompted calls, and read or modify device data while the Hayya app asks for full network access and unrestricted access to personal data. It also prevents the device from going into sleep mode and views the phone’s network connections.
- 1. Re-Envisioning State Cyber Response Capabilities: The Role of Volunteers in Strengthening our Systems – National Governors Association
Michigan, Wisconsin and Ohio are among the frontrunners in an effort to build teams of volunteers dedicated to conducting cybersecurity assessments and/or incident response activities on systems and networks within their borders. As these models mature, they are revealing the advantages of such a system for public and private sector entities, the volunteers themselves and the states’ residents. Understanding the strengths and weaknesses of these programs can also inform the adoption of similar solutions around the country to better confront the cyber threat.
- 2. How Many Cyber Attacks Happen Per Day in 2022?
In 2022, businesses around the globe face a ransomware attack every 11 seconds.
53% of Canadian companies that experienced ransomware paid the hackers. (Source: Blakes)... is this because Canadians are friendly? But look! 47% aren't
Almost 80% of cyber attackers target government agencies. (Source: Forbes) Shout out to blue team and gov't defenders
- 3. Undersea Cable Wars: Competition for control of networks brings long-term security risks to the surface
- 4. Article
- 5. The U.S. Should Get Serious About Submarine Cable Security
- 1. NASA helped find a security hole in spacecraft networks
The team has discovered that time-triggered Ethernet (TTE), a feature that lets critical systems sit alongside minor ones on the same networking hardware, is vulnerable to a spoofing attack. An intruder can send fake sync messages by conducting electromagnetic interference through copper Ethernet cables into network switches, creating a "gap" in a switch's activity that lets bogus data slide through.
- 2. Zero-initialize objects of automatic storage duration
This is a proposal. Adopting this change would mitigate or extinguish around 10% of exploits against security-relevant codebases.
- 3. Cryptographic signatures for zip distributions
Red Hat's products are distributed through numerous methods, including RPMs, ISOs and zip files. Over the past several months, we have been working across the organization to design and implement a plan to provide signatures for all zip file types so that our customers have greater assurance that Red Hat actually creates the products they receive.
- 4. Open to a fault: On the passive compromise of TLS keys via transient errors
We use passive and active network measurements to analyze organically-occurring faults in billions of digital signatures generated by tens of millions of hosts. We find that a persistent rate of apparent hardware faults in unprotected implementations has resulted in compromised certificate RSA private keys for years. They found more than 100 private keys, including Baidu.com and Cisco VPN products.
- 5. NASA war-games an asteroid impact disaster and it goes badly
The exercise presented a number of sobering conclusions.
First, a few days, a few weeks, or even, likely, a few months would be too late to detect a destructive space rock headed to Earth for a deep impact.
Second, people have become so distrustful of authority, whether it’s from the political class or the media, that an announcement of a killer asteroid on the way would not be believed by a significant number of people.
- 6. Shocker: EV charging infrastructure is seriously insecure
Hardcoded passwords, unsanitized input fields, outdated Linux kernels, superfluous services, etc. Companies are rushing to deliver products and neglecting security. In one case, researchers managed to sniff out and interrupt charging using a software defined radio with less than 1W of power from 47 meters away "on all seven vehicles and 18 EVSEs that they investigated."