PSW #787 – Vlad Gostomelsky
1. Penetration Stories From The Trenches – Vlad Gostomelsky – PSW #787
Penetration Tester stories, dumb and funny stuff that's crazier than movies.
Segment Resources: https://www.cyberpointllc.com/index.php https://www.cyberpointllc.com/srt.php
Announcements
Our teams from Security Weekly and SC Media were onsite at RSA Conference 2023 delivering in-depth reporting, analysis and interviews from the conference. If you were unable to join us in person, or didn't manage to catch our video livestream from Broadcast Alley, you can access all of our RSAC 2023 coverage at https://securityweekly.com/rsac.
Guest
Vlad is a driven security researcher with a passion for securing technology that makes civilized life possible. He is particularly focused on automotive security, satellite systems security, SCADA systems supporting the critical infrastructure and wireless networks. He specializes in the intersection of physical and network security. He has worked on DARPA projects, established and led penetration testing teams for Fortune 50 organizations, performed incident response and forensics on sensitive production systems within controlled environments, reverse engineered security devices, and participated in countless red team engagements for banks, critical infrastructure, pharmaceutical companies, law firms and research organizations. Vlad has spoken at various security conferences including BSides, DEFCON, BlackHat, HOPE, and ShmooCon. Vlad was a board member for NYC OWASP and remains committed to the security community working together to improve the security posture through developer education, end user training, peer-reviewed code and rigorous standardized testing methodologies.
Hosts
2. Plain Text Keystrokes, WPBT, One Packet Exploits, & Sock Puppets! – PSW #787
In the security news: keystroke logs are stored in plain-text (and other atrocities in software used in schools), WPBT is the gift that keeps on giving and this time it's Gigabyte, PCI DSS 4.0 (drink!), immutable linux desktops, one packet exploits, neat linux malware, sock puppets, a must read new book about hacks, why SMB why?, boot girls, exposing customers....data, cracking GSM, you MUST use 2fa (not should, must), old wine in a new bottle, lab grown "meat", malicious bookmarks, and ChatGPT's secret reading list! All that and more on this episode of Paul’s Security Weekly.
Announcements
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive level conferences are designed to educate senior cyber professionals on the latest threat landscape. We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register. Visit securityweekly.com/cybersecuritysummit to learn more and register today!
Hosts
- 1. Trusted publishing: a new benchmark for packaging security
- 2. Find My AirTag – The Hacker Factor Blog
- 3. Technical Advisory – Multiple Vulnerabilities in Faronics Insight
There is a list of 11 vulnerabilities in this software, which is described as: "Faronics Insight is a feature rich software platform which is deployed on premises in schools. The application enables teachers to administer, control and interact with student devices." This is one of the vulnerabilities: "Keystroke Logs Are Stored in Plaintext in a World Readable Directory"
- 4. Supply Chain Risk from Gigabyte App Center Backdoor – Eclypsium
WPBT is the gift that keeps on giving (for attackers and pen testers, anyhow).
- 5. PCI DSS 4.0: How to Delight the Auditors
Just for Jeff
- 6. Ubuntu Details Initial Plans For Immutable Linux Desktop With Ubuntu Core & Snaps – Phoronix
- 7. Google Nest Hub Teardown
"The main SOC is an Amlogic S905D3G, a 4-core A55-based SoC. The important chips are meticulously documented, and it’s a fascinating look inside a device common in many people’s homes. One chip that’s of note is the BGT60TR13C, otherwise known as Project Soli. It is an 8x10mm chip that uses radar to detect movement with sub-millimeter accuracy." - Some hardware reversing for you all.
- 8. CVE-2023-28771-PoC
If you want to try it out for yourself, in a lab, or with permission, of course.
- 9. CVE-2023-28771
"CVE-2023-28771 is an unauthenticated command injection vulnerability affecting the WAN interface of several Zyxel network devices, as reported by TRAPA Security." - How about a one-packet UDP exploit that gives you root? Love it.
- 10. secimport
"secimport is production-oriented sandbox toolkit. It traces your code, and runs an executable that allows only the same syscalls per module." - I like the concept, but fear this may cause a wide variety of other issues.
- 11. Critical Barracuda 0-day was used to backdoor networks for 8 months
Neat features in the malware: "Malware identified to date includes packages tracked as Saltwater, Seaside, and Seaspy. Saltwater is a malicious module for the SMTP daemon (bsmtpd) that the Barracuda ESG uses. The module contains backdoor functionality that includes the ability to upload or download arbitrary files, execute commands, and provide proxy and tunneling capabilities. Seaside is an x64 executable in ELF (executable and linkable format), which stores binaries, libraries, and core dumps on disks in Linux and Unix-based systems. It provides a persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter for capturing data packets flowing through a network and performing various operations."
- 12. Blog – What if we had the SockPuppet vulnerability in iOS 16? – Apple Security Research
"The SockPuppet vulnerability was a use-after-free in the XNU kernel's in6_pcbdetach() function that was reachable through a series of socket-related syscalls." - Apple believes that iOS 16 is resilient to this style of attack. Amazing post!
- 13. Announcing The BlueHat Podcast: Listen and Subscribe Now!
I am going to check this out and let you all know what I think.
- 14. PyPI enforces 2FA authentication to prevent maintainers’ account takeover
"The attacker doesn’t care if they get you from a widely used or a niche project, just that they got you." - I get both sides of this, I think in the end though, this is the right decision given the level of malicious packages today.
- 15. Microsoft found a new bug that allows bypassing SIP root restrictions in macOS
- 16. Is cybersecurity an unsolvable problem?
Didn't even have to read that far into the article to realize I MUST read this book: "The book is a lively, engaging read filled with fascinating stories and colorful characters: the infamous Bulgarian hacker known as Dark Avenger, whose identity is still unknown; Cameron LaCroix, a 16-year-old from south Boston notorious for hacking into Paris Hilton's Sidekick II in 2005; Paras Jha, a Rutgers student who designed the "Mirai botnet"—apparently to get out of a calculus exam—and nearly destroyed the Internet in 2016 when he hacked Minecraft; and of course, the titular Fancy Bear hack by Russian military intelligence that was so central to the 2016 presidential election." - The book is [Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks](https://www.amazon.com/dp/0374601178/?ots=1&tag=arstech20-20) by Scott J. Shapiro
- 17. Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
"On the speaker, there exists a daemon named anacapad that handles all Sonos-specific functions, including accessing music services, LED control, and audio playback. The vulnerability exists in the way anacapad handles SMBv2 replies from a server, specifically in the smb2_process_query_directory_fixed() function that processes query directory reply data." - Curious what goes into the decision to use SMB here...
- 1. Atlanta’s anonymous Boot Girls will remove the boot on your car wheel for $50
- 2. Toyota: Car location data of 2 million customers exposed for ten years
- 3. Zyxel Issues Critical Security Patches for Firewall and VPN Products
- 4. CVE-2023-28771-PoC/CVE-2023-28771-poc.py at main · BenHays142/CVE-2023-28771-PoC
- 5. GUAC 0.1 Beta: Google’s Breakthrough Framework for Secure Software Supply Chains
- 6. A Video Demonstration on Cracking a GSM Capture File
- 7. China Hacks US Critical Networks in Guam, Raising Cyberwar Fears
- 8. TikTok Creators’ Financial Info, Social Security Numbers Have Been Stored In China
- 1. A new OAuth vulnerability may impact hundreds of online services
A critical API redirect vulnerability in the Expo application development framework puts OAuth and other services using the framework at risk of credential leakage. The issue was detected by researchers from Salt Labs; Expo developers have fixed the vulnerability.
The issue was in the deprecated proxy authentication options, which removed the need for deep links in apps for authentication. Homework: Ensure you're not using deprecated functions...
- 2. Securing PyPI accounts via Two-Factor Authentication – The Python Package Index
The Python Package Index (PyPI) will require all project and maintainer accounts to employ two-factor authentication (2FA) by the end of this year. PyPI recommends using a security device or an authentication app. In the lead-up to the deadline, PyPI will begin limiting access to certain site functionality to those using 2FA; PyPI may also begin imposing the requirement on certain users and projects before the end of the year.
- 3. OneMain pays $4.5M after ignored security flaws caused data breaches
OneMain Financial has agreed to pay a $4.25 million penalty to the New York Department of Financial Services (DFS) for security issues detected during a DFS audit focused on OneMain’s cybersecurity policies and procedures between January 2017 and March 2020. According to NY DFS, “OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.”
- 4. CISO Criminalization, Vague Cyber Disclosure Rules Create Angst for Security Teams
Solar Winds Chief Information Security Officer (CISO) Tim Brown told Dark Reading that CISOs want clear rules about breach disclosure. Former Uber CISO Joe Sullivan was sentenced to three years’ probation in addition to a $50,000 fine; the judge in the case made it clear that the next time a similar case comes before him, he will be far less lenient. The US Federal Trade Commission’s (FTC) breach disclosure rules along with the tangle of regulations, executive orders, state laws, and legal precedent complicate disclosure decisions. Brown suggests that CISOs would benefit from a law much like the Sarbanes-Oxley Act, which provides a framework for financial reporting regulations for chief financial officers (CFOs).
- 5. Sports Warehouse Fined $300,000 Over Payment Card Data Theft
New York’s attorney general has fined Sports Warehouse $300,000 for failing to adequately protect consumer data. The online sports gear retailer will also revamp its cybersecurity program. Sports Warehouse systems were breached in September 2021; the company was alerted to the incident by third parties in October of that year. The attacker brute-forced Sports Warehouse’s server authentication and accessed a server that was protected with only a static password. That server contained unencrypted customer data, including payment card information, dating back to 2002.
- 6. Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices
Researchers from Palo Alto’s Unit 42 have detected a malware campaign that uses Mirai variant IZ1H9 to target IoT devices. The threat actors are targeting Linux-based servers and networking devices through four known vulnerabilities: a Tenda G103 command injection vulnerability (CVE-2023-27076); a LB-Link command injection vulnerability (CVE-2023-26801); a DCN DCBI-Netlog-LAB remote code execution vulnerability (CVE-2023-26802); and a Zyxel remote code execution vulnerability.
- 7. Practicefirst pays New York $550K after patching failure leads to 2020 breach
Medical management company Practicefirst will pay a fine of $550,000 to the state of New York for failing to adequately protect patient data. The company failed to update their software in a timely manner, resulting in the theft of data affecting 1.2 million individuals, more than 428,000 of whom reside in New York. Practicefirst violated both the Health Insurance Portability and Accountability Act (HIPAA) and New York state laws.
- 8. GitLab Critical Security Release: 16.0.1
GitLab has released version 16.0.1 for both GitLab Community Edition (CE) and GitLab Enterprise Edition (EE). The newest version fixes a critical path traversal vulnerability that could be exploited to read arbitrary files without authenticating. The issue affects GitLab CE/EE version 16.0.0; older versions are not affected.
- 9. Bridgestone CISO: Lessons From Ransomware Attack Include Acting, Not Thinking
In February 2022, tire manufacturer Bridgestone was the target of a ransomware attack that took its North American operations offline for days. Bridgestone America Chief Information Security Officer (CISO) Tom Corridon said his most important piece of advice is to determine who makes which decisions in a crisis before one occurs. Corridon also noted that breaches can generate an atmosphere of openness to changes that can help avoid another incident.
- 1. This free VPN leaked data from millions of users online – find out if you’re affected
A researcher discovered a publicly exposed database linked with the SuperVPN app containing 133 GB of data, including personal user information such as IP location, servers used and Unique App User ID numbers as well as details about user online activities, device model, operating system and refund requests. It has over 100 million downloads worldwide across the Google and Apple app stores.
- 2. SCIENTISTS DISCOVER MIND-BLOWING PROCESS TO RECYCLE OLD SOLAR PANELS: ‘UNTIL NOW IT MADE ECONOMIC SENSE TO JUST DUMP [THEM]
Solar panels contain valuable materials that could be used to make new panels, but those materials are difficult to separate. The new process uses an ordinary kitchen microwave with added heat-proofing to selectively heat the panel’s silicon components while leaving the glass, plastic, and aluminum intact. The method was successful and much more energy-efficient than using a traditional furnace to do the same.
- 3. Cyberweapon manufacturers plot to stay on the right side of US
The Israeli start-up Paragon Solutions decided, before courting a single customer, to get the Americans on their side. The US Drug Enforcement and Administration Agency is among the top customers for Paragon’s signature product nicknamed Graphite. The malware surreptitiously pierces the protections of modern smartphones and evades the encryption of messaging apps like Signal or WhatsApp, sometimes harvesting the data from cloud backups — much like Pegasus does.
- 4. New Study Is Extremely Embarrassing for Lab-Grown Meat
The environmental impact of lab-grown meat is between four and 25 times greater than the average for beef products sold in stores, because they must purify growth media to pharmaceutical levels. The switch to food-grade media is proving extremely difficult.
- 5. China Is Flirting With AI Catastrophe
Due to Beijing’s lax approach toward technological hazards and its chronic mismanagement of crises, the danger of AI accidents is most severe in China. Risks include crashing markets with AI-powered trading, developing bioweapons, and defective AI systems crashing critical infrastructure. Whereas the United States government and Silicon Valley are many years into a backlash against a “move fast and break things” mentality, China’s tech companies and government still pride themselves on embracing that ethos. This is because the Chinese government historically covers up disasters so people are unaware of their impact, such as the nuclear tests before 2000 which led to the premature deaths of nearly 200,000 citizens.
- 6. Discord Admins Hacked by Malicious Bookmarks
A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious Javascript code disguised as a Web browser bookmark. The bookmark is actually a clever snippet of Javascript that quietly grabs the user’s Discord token and sends it to the scammer’s website. The attacker then loads the stolen token into their own browser session and (usually late at night after the admins are asleep) posts an announcement with a crypto scam.
- 7. Google’s encryption-breaking Magic Compose AI proves iPhone shouldn’t support RCS messaging
Google, to compete with Apple's iMessage, settled on RCS, a new standard that replaces SMS on Android devices. The Magic Compose AI feature that Google is building into Messages breaks encryption by sending messages back to Google’s servers. This breaks end-to-end encryption (E2EE), despite Google's claims to the contrary.
- 8. ‘I do not think ethical surveillance can exist’: Rumman Chowdhury on accountability in AI
"Moral outsourcing" applies the logic of sentience and choice to AI, allowing technologists to effectively reallocate responsibility for the products they build onto the products themselves. “You would never say ‘my racist toaster’ or ‘my sexist laptop’...And yet we use these modifiers in our language about artificial intelligence. And in doing so we’re not taking responsibility for the products that we build.” She is working on a red-teaming event for Def Con's AI Village.
- 9. ChatGPT’s secret reading list
The inner workings of the large language models at the heart of a chatbot are a black box; the datasets they're trained on are so critical to their functioning that their creators consider the information a proprietary secret. To figure out what GPT-4 has read, researchers quizzed it on its knowledge of various books, as if it were a high-school English student. What's most surprising is how much science fiction and fantasy GPT-4 has been raised on. The list is staggering: J.R.R. Tolkien, Ray Bradbury, William Gibson, Orson Scott Card, Philip K. Dick, Margaret Atwood, "A Game of Thrones," even "The Hitchhiker's Guide to the Galaxy."
- 10. Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
This is a success story of bug bounties. The four flaws allowed network-adjacent attackers to execute arbitrary code and access sensitive information. The flaws were reported in Dec, 2022, the researchers were paid at Pwn2Own, and the products were patched.
- 11. Is cybersecurity an unsolvable problem?
Law philosopher Scott Shapiro says there is no permanent solution to the cybersecurity problem. "Cybersecurity is not a primarily technological problem that requires a primarily engineering solution...It is a human problem that requires an understanding of human behavior." That's his mantra throughout the book: "Hacking is about humans."
- 12. EU tells Twitter ‘you can run but you can’t hide’ from disinformation policy
European Commissioner Thierry Breton told the world this weekend that Twitter had pulled out of the EU's voluntary Code of Practice against disinformation, but warned it has "obligations" anyway. "You can run but you can't hide...fighting disinformation will be [a] legal obligation under [the Digital Services Act] as of August 25. Our teams will be ready for enforcement." Requirements include watching out for systemic risks ranging from how illegal content and disinformation can be amplified on their services, to protection of minors online and their mental health.
- 13. Researchers from UC Berkeley Introduce Gorilla: A Finetuned LLaMA-based Model that Surpasses GPT-4 on Writing API Calls
LLMs like GPT-4 struggle to generate precise input arguments and frequently recommend inappropriate API calls. Gorilla is a finetuned LLaMA-based model that beats GPT-4 in terms of producing API calls. Its capabilities enable the reduction of problems related to hallucination and reliability.
- 14. Blood Pressure Monitoring at Your Fingertips: Super Low-Cost Smartphone Attachment
Engineers have developed a low-cost, user-friendly clip and smartphone app for blood pressure monitoring. The clip, which costs less than a dollar to produce, works without needing calibration and offers an affordable alternative to traditional blood pressure monitoring methods.
- 15. Unprecedented Transmission Speeds – Scientists Develop New Quantum Key Distribution System
Scientists have crafted a quantum key distribution (QKD) system, allowing for the transmission of secure keys at unprecedented speeds. Unlike current communication protocols that rely on computational complexity for security, QKD’s security is founded on the principles of physics. It can accurately produce and encode photons at a record speed of up to 2.5 GHz.
- 16. ‘I feel constantly watched’: the employees working under surveillance
Monitoring software generates an activity score, a percentage calculated by the arbitrary measure of how much the worker types and moves her mouse. A poll by the Trades Union Congress (TUC) in 2022 found that 60% of employees had experienced tracking in the last year. Excessive monitoring harms workers and can be counterproductive for companies too.
- 17. Cyberweapon manufacturers plot to stay on the right side of US
In the summer of 2019, as Paragon Solutions was building one of the world’s most potent cyberweapons, the company made a prescient decision: before courting a single customer, best get the Americans on their side. The Israeli start-up had watched local rival NSO Group, makers of the controversial Pegasus spyware, fall foul of the Biden administration and be blacklisted in the US. So Paragon sought guidance from top American advisers, secured funding from US venture capital groups and eventually scored a marquee client that eludes its competition: the US government.
- 18. Reducing Stored IP Data in PyPI
A few months ago we started exploring what it would take to remove the concept of IP addresses from our stack, and retain the ability to safely manage the platform. Pretty much every request to PyPI is served via our CDN partner, Fastly. Now we use a hashed IP address instead of the plaintext IP.
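The "hashed IP instead of plaintext IP" idea above deserves one practical caveat: an unkeyed hash of an IPv4 address is not a pseudonym, because the whole 2^32 space can be enumerated and matched against the stored digests. The example below is added here to illustrate that point; it is not PyPI's code and does not describe what PyPI actually deployed. It assumes a keyed HMAC construction with a secret the operator holds (`EXAMPLE_KEY` is a constructed placeholder), and it shows the weak form beside the keyed form so the difference is concrete.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed secret for this example only. In a real deployment the key lives
# in a secrets store and is rotated; this is an assumption, not PyPI's design.
EXAMPLE_KEY = b"example-only-secret-key-rotate-me"


def normalize_ip(ip: str) -> bytes:
    """Canonicalise the address so '::ffff:1.2.3.4' and '1.2.3.4' hash alike.

    Hashing the raw text would let trivial formatting differences (leading
    zeros, IPv4-mapped IPv6 notation) produce different tokens for one client.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.packed  # 4 or 16 bytes, independent of textual form


def unkeyed_hash(ip: str) -> str:
    """Plain SHA-256 of the address: deterministic, but reversible by enumeration."""
    return hashlib.sha256(normalize_ip(ip)).hexdigest()


def keyed_hash(ip: str, key: bytes = EXAMPLE_KEY) -> str:
    """HMAC-SHA256 pseudonym.

    The same IP still maps to the same token, so abuse handling (rate limits,
    per-client correlation) keeps working, but without the key nobody can
    precompute the table that defeats unkeyed_hash().
    """
    return hmac.new(key, normalize_ip(ip), hashlib.sha256).hexdigest()


def reverse_unkeyed(token: str, network: str) -> Optional[str]:
    """Show why the unkeyed form is not anonymisation.

    Walks every address in `network` and compares digests. A /24 is 256
    hashes; the full IPv4 space is only 2^32, which is cheap to enumerate.
    """
    for host in ipaddress.ip_network(network):
        if unkeyed_hash(str(host)) == token:
            return str(host)
    return None


if __name__ == "__main__":
    # Constructed sample addresses.
    stored = unkeyed_hash("10.0.0.77")
    print("unkeyed token recovered as:", reverse_unkeyed(stored, "10.0.0.0/24"))
    stored = keyed_hash("10.0.0.77")
    print("keyed token recovered as:", reverse_unkeyed(stored, "10.0.0.0/24"))
```

The keyed token is only as private as the key: anyone who holds it can rebuild the lookup table, so the key should be scoped to the logging pipeline rather than shared with every service that reads the logs, and rotating it deliberately breaks correlation across rotation periods, which is a feature when the goal is to retain less.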