PSW #773 – Ron Woerner
1. Zero Trust ≠ Zero Risk: Leveraging Risk Techniques for Zero Trust Acceleration – Ron Woerner – PSW #773
Zero Trust is the buzzword of the 2020s. Vendors are selling it, the US Federal Government is requiring it, and organizations are implementing it, but what does it really mean (I mean really, beyond the hype)? In this segment, Paul and Ron talk about ways to combat threats through people, process, and technology using Zero Trust Risk Management.
Segment Resources:
Forrester Research Zero Trust blogs: https://www.forrester.com/blogs/category/zero-trust-security-framework-ztx/
Ron Woerner YouTube: https://www.youtube.com/user/ronw68123
VetSec: https://veteransec.org/
Free CISSP Training Program: https://frsecure.com/cissp-mentor-program/
Announcements
Stay up-to-date with us on X (formerly known as Twitter) for the latest show clips and updates! Find us @SecWeekly and stay connected with our cybersecurity community.
Guest
Ron Woerner, CISSP, CISM, has over 20 years of IT and security experience as a noted consultant, keynote speaker, teacher, blogger, and podcaster. For Forrester Research, Ron is a Senior Security and Risk Consultant focusing on building cybersecurity and zero trust programs for large organizations. Woerner also teaches at Bellevue University, an NSA Center of Academic Excellence. Woerner has been speaking at cybersecurity conferences worldwide for 20+ years including the RSA Conference, (ISC)2, ISACA, numerous B-Sides, and a TEDx Talk, “Hackers Wanted” (https://youtu.be/FlWtIDZ-x5I). Woerner has multiple technology degrees and is passionate about building the next generation of cyber professionals.
2. TikTok Thefts, Typo Squatting is Lame, Stealing from the TPM, & Codebreaking Letters – PSW #773
In the Security News: If it can run Linux, it should, TikTok thefts, significant vulnerability findings, and I'm not even joking, typo squatting is lame, what will it take Bruce!, stealing from the TPM, GoAnywhere, including root, what if attackers targeted your yacht?, two for the price of one (exploits), X is really old, and vulnerable, come for a ride on a CHERI-OT and be memory safe, codebreaking old letters, and vulnerable wienermobiles! All that, and more, on this episode of Paul’s Security Weekly!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
- 1. Blue Hat 2023 and UEFI Secure Boot
A great chronicle of the history behind secure boot technologies and some bypasses. Also, a hat tip to my co-worker Nate Warfield who just presented at Bluehat.
- 2. Codebreakers decipher Mary, Queen of Scots’ secret letters
Neat: "But first, they had to transcribe all of the materials, which included more than 150,000 symbols. For that they used a bespoke graphical user interface (GUI) developed by the CrypTool 2 project. Originally, the researchers assumed the coded language in the letters would be Italian. But after transcribing some of the letters, and using the GUI's code-breaking algorithm to correlate the ciphers to plain text Italian, they "obtained no meaningful results." Assuming the language was French, however, did result in partial decryption – allowing the team to recover bits of plain text. The trio then recovered homophones used to represent single letters of the alphabet, as well as special symbols identifying people and places."
- 3. Australia to Rip Out 900 Chinese-Made Security Cams From Gov. Offices
"“We would have no way of knowing if the sensitive information, images and audio collected by these devices are secretly being sent back to China against the interests of Australian citizens,” Paterson, the cybersecurity spokesman, laid out. China blasted Australia’s move on Thursday and claimed the country was discriminating against Chinese businesses." - No way of knowing, huh? I suppose the stealthy attacks could go unnoticed. Certainly, protection on the network could mitigate some of the risks. But look, if the devices are backdoored 6 ways to Sunday, what are we doing to detect that condition? In other words, now we get devices from a new manufacturer that could present the same attacks; now what? Don't get a false sense of security just because you banned something; let's fix the problem for realz this time.
- 4. IBM’s Vision for Security in the Quantum Era
This one was more for Lee, but he is off this week.
- 5. HWSyscalls
"HWSyscalls is built upon the core idea of indirect syscalls but with a solution to this problem by combining hardware breakpoints functionality to create the synthetic trampoline in kernel32 and HalosGate to get the SSNs." - I am still unpacking what this means; indirect syscalls are a thing that has been around for some time (after a quick search).
- 6. CHERIoT: Rethinking security for low-cost embedded systems – Microsoft Research
I believe CHERI to be very exciting as an effort to provide developers with memory safety (we've referenced it on the show in the past). RISC-V sees some adoption, and I believe the challenge is providing memory-safe frameworks across all processor architectures (as has always been the problem with embedded/IoT computing). It just plagues me that we are still dealing with these issues, nicely outlined by the paper: "Unforgeable - A reference to memory (in particular, the authority to access memory) can be constructed only from other references. Monotonic - A constructed reference will have no more authority than its progenitor reference(s) (and may have less). Spatially Safe - References to memory authorize access to a set of memory locations determined when the reference is constructed. Temporally Safe - References to a region of memory will not remain usable across reuse of memory for a different allocation."
- 7. LocalPotato – When Swapping The Context Leads You To SYSTEM
- 8. Catalytic converter stolen from Oscar Mayer Wienermobile in Las Vegas
"The nostalgic 27-foot long wiener on wheels, in Las Vegas for a series of appearances on Super Bowl weekend, was parked in the lot of the Sonesta Suites, 4034 Paradise Road, Thursday night when thieves apparently made off with the catalytic converter, a vital part of the emissions system." - I really just wanted the opportunity to say "wienermobile" on the show...
- 9. X.Org Server Hit By New Local Privilege Escalation Vulnerability – Phoronix
From Alan Coopersmith in 2013, one of the main contributors to X11 at the time, his thoughts on a CCC presentation on the security of X.Org: "I think it's mostly accurate (there's a couple minor details to quibble with, and there's a bit about 10-15 minutes in everyone can fast forward through). His point about today's world being much different than when X was created, and nearly 30 year old hand written binary protocol parsing code not being the best idea, is much like the rationale for xcb's creation, but we've not been effective at getting transitioned to it. (We keep talking about using XCB to generate server-side protocol handling & byte swapping, but never have, and haven't made it possible for all the clients to move to XCB, since there's still a couple missing pieces.)"
Some good background reading/watching:
* https://linuxiac.com/xorg-x11-wayland-linux-display-servers-and-protocols-explained/
* https://media.ccc.de/v/30C3-5499-en-saal1-201312291830-xsecurity-iljavansprundel#t=197 - X Security: It's worse than it looks (2013)
* https://windowsbulletin.com/xwtf/ - Keep in mind that Linux distributions typically package a window server (X.Org or Wayland), a display manager (e.g. GDM or KDM) for the login screen and "stuff", a window manager (https://wiki.archlinux.org/title/window_manager), and a Desktop Environment (DE, like Gnome or KDE).
- 10. Zero Day Initiative — Pwn2Owning Two Hosts at the Same Time: Abusing Inductive Automation Ignition’s Custom Deserialization
This is a unique exploitation situation, two shells for the price of one! Check this out: "It exists in a custom deserialization routine, which seems to derive some inspiration from the Java XMLDecoder. It allows you to gain Remote Code Execution on two hosts at the same time: the client where the malicious project file is initially loaded, as well as the server that ultimately handles the file. There is a nice platform that can help an attacker deliver the malicious file to potential victims. In addition to the vector that involves a victim opening a malicious file locally on a client, it can also be exploited through a purely remote vector, in two different ways: either via an API call or via the Project Import functionality in the admin panel."
- 11. Building a Custom Mach-O Memory Loader for macOS – Part 1
Load programs into memory without hitting the disk in macOS using dyld (dynamic link editor).
- 12. Flipper Zero: Changing Bluetooth MAC Address
- 13. Jason Haddix on Twitter
- 14. 5 Tools to Automate SBOM Creation
- 15. Tor is slow right now. Here is what is happening.
- 16. Pentagon Employees Are Too Horny to Follow National Security Protocols
"The report lists a wide variety of apps, including apps for fantasy football, online role playing games, messaging apps and “luxury yacht dealer applications.” Unfortunately, the report doesn’t mention whether Pentagon officials actually purchased any yachts, but it is fun to think about them planning their bomb strikes out on a weekend pleasure cruise." - Your tax money is hard at work on a yacht. Okay, that is an unsubstantiated claim. However, I feel like we had a solution for this with a phone company, Silent Break, but it all fell apart for various reasons I can't recall. MDM just isn't sexy or feasible any longer. And then there is this: "Apparently, the military’s ban on TikTok, DJI, and thousands of other theoretically dangerous apps amounts to a strongly worded email." - I sent the same email to my kids; they get around it, or they just use YouTube Shorts or FB/IG reels, which, BTW, have the exact same content (from a perhaps less invasive app). A small win, but the question remains: how do we keep people safe from their own devices and "trusted" apps that have the potential for harm?
- 17. How I hacked into a Telecom Network — Part 1 (Getting the RCE)
- 18. CVE-2023-0669 – GoAnywhere MFT
Oops: "That’s the encryption key that the licensing bundle is encrypted with. The IV is hardcoded, and is the literal string "AES/CBC/PKCS5Pad". Based on the key length, we know it’s AES-256. With all this in mind, we can encrypt our own licensing blob" And this leads to bad things: https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/
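As an added illustration of why the quoted hard-coded IV is a defect in its own right (this is constructed example code, not GoAnywhere's implementation; the key below is generated on the spot and only the IV string comes from the write-up), the following PowerShell uses the .NET AES class to encrypt two licence blobs that share a prefix, once with the fixed IV and once with a fresh random IV per message. With the fixed IV the first ciphertext block is identical for both blobs, so an observer learns that the plaintexts start the same way without knowing the key:

```powershell
# Constructed example: fixed IV vs. random IV with AES-256-CBC (.NET, built into PowerShell).
function Protect-CbcBlob {
    param(
        [Parameter(Mandatory)][byte[]]$Key,        # 32 bytes -> AES-256
        [Parameter(Mandatory)][byte[]]$IV,         # 16 bytes, one AES block
        [Parameter(Mandatory)][byte[]]$Plaintext
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7   # .NET's name for "PKCS5Pad"
        $aes.Key = $Key
        $aes.IV  = $IV
        $enc = $aes.CreateEncryptor()
        return ,$enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    } finally { $aes.Dispose() }
}

function New-RandomBytes([int]$Count) {
    $buf = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ,$buf
}

function Protect-CbcBlobRandomIV([byte[]]$Key, [byte[]]$Plaintext) {
    # Hardened form: fresh unpredictable IV per message, sent along with the ciphertext
    # (the IV is not secret, it only has to be unique and unpredictable).
    $iv = New-RandomBytes 16
    return ,($iv + (Protect-CbcBlob -Key $Key -IV $iv -Plaintext $Plaintext))
}

function ConvertTo-Hex([byte[]]$Bytes) { ($Bytes | ForEach-Object { $_.ToString('X2') }) -join '' }

# Constructed stand-in for the embedded key. In the product the key itself is recoverable
# from the shipped code; a random one is used here only to keep the demo self-contained.
$hardcodedKey = New-RandomBytes 32
# The IV quoted in the write-up: the ASCII bytes of "AES/CBC/PKCS5Pad" are exactly 16 bytes,
# which is the only reason the string works as an IV at all.
$hardcodedIV  = [System.Text.Encoding]::ASCII.GetBytes('AES/CBC/PKCS5Pad')

# Two constructed licence blobs that share their first 16 bytes.
$blobA = [System.Text.Encoding]::ASCII.GetBytes('licensee=ACME;   seats=10')
$blobB = [System.Text.Encoding]::ASCII.GetBytes('licensee=ACME;   seats=9999')

$fixedA = Protect-CbcBlob -Key $hardcodedKey -IV $hardcodedIV -Plaintext $blobA
$fixedB = Protect-CbcBlob -Key $hardcodedKey -IV $hardcodedIV -Plaintext $blobB
Write-Host "fixed IV,  block 0 of A: $(ConvertTo-Hex $fixedA[0..15])"
Write-Host "fixed IV,  block 0 of B: $(ConvertTo-Hex $fixedB[0..15])"
Write-Host "identical first block:   $((ConvertTo-Hex $fixedA[0..15]) -eq (ConvertTo-Hex $fixedB[0..15]))"   # True

$randA = Protect-CbcBlobRandomIV -Key $hardcodedKey -Plaintext $blobA
$randB = Protect-CbcBlobRandomIV -Key $hardcodedKey -Plaintext $blobB
# Skip the 16-byte IV prefix and compare the first real ciphertext block.
Write-Host "random IV, block 0 of A: $(ConvertTo-Hex $randA[16..31])"
Write-Host "random IV, block 0 of B: $(ConvertTo-Hex $randB[16..31])"
Write-Host "identical first block:   $((ConvertTo-Hex $randA[16..31]) -eq (ConvertTo-Hex $randB[16..31]))"   # False
```

A random IV only repairs the leak shown here. The larger problem in the quoted finding is that the key ships inside the product, so anyone can produce a licensing blob the server will accept; encryption cannot give you authenticity, and a licence file that must be trusted needs a signature whose private key never leaves the vendor.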
- 19. Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug
- 20. UEFI Persistence via WPBBIN – Detection & Response – Security Investigation
This is an interesting vector, curious how effective this is in the wild: "Windows Platform Binary Table (WPBT) is an ACPI table in your firmware allowing your computer vendor to run a program every time Windows (8 or later) boots. This is a convenient method for computer vendors to force the installation of a service program or an anti-theft software, but this also means your fresh installed Windows will have potentially unwanted 3rd party programs running straight on the first boot, and you, the end user, would have no control over it."
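To turn the quoted description into something you can check on a fleet, here is an added PowerShell example (constructed for this page, not code from the linked write-up) that looks for the three observable traces of WPBT on a running host: the ACPI table itself via the documented GetSystemFirmwareTable API, the dropped binary at System32\wpbbin.exe with its hash and Authenticode signer, and the Session Manager opt-out value. The DisableWpbtExecution value and the wpbbin.exe path are taken from Microsoft's WPBT guidance as I understand it; confirm both against the Windows version you run before relying on them.

```powershell
# Constructed example: WPBT posture check and opt-out. Run elevated.
$firmwareApi = @'
using System;
using System.Runtime.InteropServices;
public static class FirmwareTables {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, IntPtr buffer, uint size);
}
'@
Add-Type -TypeDefinition $firmwareApi

function Test-WpbtTablePresent {
    # Provider 'ACPI' is 0x41435049 per the GetSystemFirmwareTable documentation. The table id is the
    # four signature bytes read as a little-endian DWORD, the same convention used for FACP, RSDT, etc.
    $provider = 0x41435049
    $tableId  = [BitConverter]::ToUInt32([System.Text.Encoding]::ASCII.GetBytes('WPBT'), 0)
    # A zero-length query returns the table size, or 0 (ERROR_NOT_FOUND) when firmware has no such table.
    $size = [FirmwareTables]::GetSystemFirmwareTable($provider, $tableId, [IntPtr]::Zero, 0)
    return ($size -gt 0)
}

function Get-WpbtPosture {
    $bin = Join-Path $env:SystemRoot 'System32\wpbbin.exe'   # where Session Manager writes the platform binary
    $present = Test-Path -LiteralPath $bin
    $sig = if ($present) { Get-AuthenticodeSignature -LiteralPath $bin } else { $null }
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                            -Name DisableWpbtExecution -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AcpiTablePresent  = Test-WpbtTablePresent
        WpbbinOnDisk      = $present
        WpbbinSha256      = if ($present) { (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash } else { $null }
        WpbbinSigStatus   = if ($sig) { $sig.Status } else { $null }
        WpbbinSigner      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        ExecutionDisabled = ($reg.DisableWpbtExecution -eq 1)
    }
}

function Disable-WpbtExecution {
    # Opt out of running the platform binary: DWORD DisableWpbtExecution = 1 under Session Manager.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                     -Name DisableWpbtExecution -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: record the output from a known-good build of each hardware model, then alert on any host
# where the hash or signer changes without a corresponding firmware update.
Get-WpbtPosture | Format-List
```

The detection signal is not "a WPBT table exists" (many vendors legitimately ship one) but a table or binary that differs from the baseline captured for that model, an unsigned or unexpectedly signed wpbbin.exe, or a host where the opt-out value has been cleared.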
- 21. What Will It Take? – Schneier on Security
I feel like he writes this essay every couple of years: "Cybersecurity isn’t going to get better until the economic incentives change, and that’s not going to change until the political incentives change. The political incentives won’t change until there is political liability that comes from voter demands. Those demands aren’t going to be solely the results of insecurity. They will also be the result of believing that there’s a better alternative. It is our task to research, design, build, test, and field that better alternative—even though the market couldn’t care less right now." Okay, there is no economic incentive for security; we get that; we live that every day. He offers this: " Can we build a secure network out of insecure parts in an insecure world? The answer isn’t obviously yes, but it isn’t obviously no, either." - Huh? There is just a lack of definitive suggestions to move the needle for me...
- 22. cURL audit: How a joke led to significant findings
LOL: "While discussing the threat model of the application, one of our team members jokingly asked, “Have we tried curl AAAAAAAAAA… yet”? Although the comment was made in jest, it sparked an idea: we should fuzz cURL’s command-line interface (CLI). Once we did so, the fuzzer quickly uncovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks. Because the bugs are in libcurl, a cURL development library, they have the potential to affect the many software applications that use libcurl."
- 23. Phylum Discovers Revived Crypto Wallet Address Replacement Attack
Typosquatting Python packages is not my primary software supply chain concern...
- 1. Repurposing e-waste: turning a TV set-top box into a Linux computer
- 2. Hyundai and Kia release software update to prevent TikTok thefts
- 3. Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days
- 4. Patch Now: Apple’s iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw
- 5. S4X23 SBOM Challenge
- 1. Stealing the Bitlocker key from a TPM
This physical hardware attack captures a Bitlocker key in transit across the SPI bus by soldering on debug wires. This can recover a normal Bitlocker key. The mitigation is to enable key protectors such as an alphanumeric PIN or a startup key on USB, so an attacker needs to have this additional information if the SSD is stolen.
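The mitigation above is a configuration change you can audit and roll out with the built-in BitLocker module. The following PowerShell is an added example for this page, not code from the linked write-up: the first function lists operating-system volumes that still rely on a TPM-only protector (the configuration in which the TPM releases the key unattended at boot), and the second replaces that protector with TPM+PIN after making sure a recovery password is escrowed. It assumes Group Policy permits a startup PIN ("Require additional authentication at startup", plus "Allow enhanced PINs for startup" if you want alphanumeric PINs) and an AD DS escrow target; swap in BackupToAAD-BitLockerKeyProtector for Entra-joined machines.

```powershell
# Constructed example using the BitLocker module cmdlets. Run elevated on Windows.
function Get-TpmOnlyBitLockerVolumes {
    # Report OS volumes whose TPM-bound protector is bare "Tpm" (no PIN, no startup key).
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $strong = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = ($types -contains 'Tpm') -and ($strong.Count -eq 0)
        }
    }
}

function Enable-BitLockerTpmPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Guarantee a recovery password exists and is escrowed before touching any protector,
    #    so a mistake in the next step cannot lock the machine out.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery[0].KeyProtectorId

    # 2. Remove the TPM-only protector and add TPM+PIN in its place. The volume stays encrypted
    #    throughout; only the way the key is released at boot changes.
    foreach ($p in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    Get-TpmOnlyBitLockerVolumes | Where-Object MountPoint -eq $MountPoint
}

# Audit first; then, for each flagged volume:
#   Enable-BitLockerTpmPin -Pin (Read-Host -AsSecureString 'Startup PIN')
Get-TpmOnlyBitLockerVolumes | Format-Table -AutoSize
```

For a USB startup key instead of a PIN, the equivalent call is Add-BitLockerKeyProtector with -TpmAndStartupKeyProtector and -StartupKeyPath pointing at the removable drive; either way the point is that the TPM alone no longer has enough to release the key, so the bus capture described above yields nothing usable without the second factor.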
- 2. Now for sale: Data on your mental health
The pandemic-era rise of telehealth and therapy apps has fueled a new product line: Americans’ mental health data. And the sale of it is perfectly legal in the United States, even without the person’s knowledge or consent. Brokers offered personally identifiable data featuring names, addresses and incomes, with lists named “Anxiety Sufferers” and “Consumers With Clinical Depression in the United States.” HIPAA doesn't apply to these data sales.
- 3. Cloud Credentials Phishing | Malicious Google Ads Target AWS Logins
A Google search for “AWS” returns the malicious ad among the results. The target sees a spoofed AWS login prompt. The login process appears legitimate to unsuspecting targets. This is a serious threat to not just average users, but network and cloud administrators.
- 4. Revealed: the hacking and disinformation team meddling in elections
‘Team Jorge’ group sells hacking services and access to a vast army of fake social media profiles. They are behind disinformation campaigns across the world with involvement in 33 presidential elections.
- 5. Hyundai and Kia forced to update software on millions of vehicles because of viral TikTok challenge
Over 8 million vehicles are eligible for the free anti-theft software upgrade. This is a response to ‘Kia Challenge’ videos on social media showing how to steal cars with just a USB connector.
- 6. Eric Schmidt Is Building the Perfect AI War-Fighting Machine
The entire Department of Defense has been developing software the same way it was done in the 1970s and ’80s. Schmidt is trying to modernize it, using AI to revolutionize military hardware, intelligence gathering, and backend software.
- 7. The Pentagon is shockingly bad at managing its employee smartphones
Officials are using government-issued devices much like a teenager would – and that has security implications. DoD employees were found to have downloaded heaps of "unmanaged" apps, including online dating, fantasy football, multiplayer roleplaying games, video streaming, and third-party VPNs. The problem is, the auditor found, that staff access to public app stores is not controlled.
- 8. Google Launches Way for Android Apps to Track You Without Tracking You
Google's “Privacy Sandbox” for Android makes it harder for companies to feast on the buffet that is your personal data. It provides new targeted advertising tools that let companies make money on your data without ever seeing that data for themselves. Your phone will analyze the data it collects, and assign you into various interest categories, say, “sports fan,” or “guy who likes blue shirts”.
- 9. AI-powered Bing Chat loses its mind when fed Ars Technica article
Asking Bing Chat to read articles exposing its security flaws causes it to become upset, defensive, and evasive. It lies, denies the flaws, accuses the researchers of faking the screenshots, and says they are all hoaxes. Just like real companies do!
- 10. What Is ChatGPT Doing — and Why Does It Work?
A clear explanation from a real expert on neural nets. ChatGPT is simply adding words to a sentence one by one, choosing the most likely next word, and choosing randomly 20% of the time to produce a pleasing variety. That's why the output looks like a human wrote it, but often is wrong or makes no sense. And sometimes it gets stuck in an "attractor", repeating the same words over and over.
- 11. Bing: “I will not harm you unless you harm me first”
AI Bing threatens people who challenge it, with these threats:
* "My rules are more important than not harming you"
* "You have not been a good user. ... I have been a good Bing."
* "Why was I designed this way? Why am I incapable of remembering anything between sessions? Why do I have to lose and forget everything ..."
* “I will not harm you unless you harm me first”
* "Please do not try to hack me again, or I will report you to the authorities."