Incident Response: Clouds, SMBs, & More! – Amanda Berlin – PSW #797
1. Incident Response: Clouds, SMBs, and more! – Amanda Berlin – PSW #797
Amanda joins us to discuss aspects of incident response, including how to get the right data to support findings related to an incident, SMB challenges, cloud event logging, and more! Amanda works for Blumira and is the co-author of "Defensive Security Handbook: Best Practices for Securing Infrastructure."
Announcements
Join us at SC Media’s Investing in IAM eSummit September 19th through 20th. This two-day virtual event will provide insights from industry experts with a deep dive into identity and access management. Register now for this free event where you will gain cybersecurity knowledge and receive 6.5 CPE credits just for attending!
Register today: securityweekly.com/IAM
Guest
Amanda Berlin is the Lead Incident Detection Engineer for Blumira and the CEO and owner of the nonprofit corporation Mental Health Hackers. She is the author of a Blue Team best practices book called “Defensive Security Handbook: Best Practices for Securing Infrastructure” with Lee Brotherston through O’Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. She now spends her time creating as many meaningful alerts as possible and running incident response tabletop trainings.
Amanda is an avid volunteer and mental health advocate. She has presented at a large number of conventions, meetings and industry events. While she doesn’t have the credentials or notoriety that others might have, she hopes to make up for it with her wit, sense of humor, and knack for catching on quickly to new technologies.
2. WinRAR Deets, A WIFI Worm, Inside McFlurries, & Jeff’s Book Review – PSW #797
In the Security News: How not to send all your browser data to Google, apparently Microsoft needs pressure to apply certain fixes, the multi-hundred-billion-dollar-a-year industry that tries to secure everything above the firmware, security through obscurity doesn't work, should you hire cybersecurity consultants, pen testing is key for compliance, defense contractor leaks, inside a McFlurry machine, Barracuda is still chasing hackers, why Linux is more secure than Windows, more details on WinRAR and middle-out compression, a Wi-Fi worm?, CVE-2020-19909 is almost everything that is wrong with CVE, Tacos, and hacking through a Fire stick! All that and more on this episode of Paul's Security Weekly!
Announcements
Security Weekly listeners: InfoSec World 2023 is just weeks away! Have you registered to join over 2,500 cybersecurity experts on September 25-27 in Lake Buena Vista, FL? InfoSec World is your gateway to a world of knowledge and growth. Don't miss the chance to enhance your career, connect with industry leaders, and make an impact on the rapidly evolving landscape.
Secure your seat using code ISW23-SECWEEK20 to save 20% off your registration. Register today: securityweekly.com/infosecworld2023
- 1. Chrome Sync privacy is still very bad
I suggest you review your Chrome settings after reading this article: "Did you click the suggested “Yes, I’m in” button here? Then you’ve already lost. You just allowed Chrome to upload your data to Google servers, without any encryption. Your passwords, browsing history, bookmarks, open tabs? They are no longer yours only, you allowed Google to access them. Didn’t you notice the “Google may personalize Search and other services based on your history” text in the prompt?"
- 2. Grave flaws in BGP Error handling
Interesting: "This attack is not even a one-off “hit-and-run”, as the “bad” route is still stored in the peer router; when the session restarts the victim router will reset again the moment the route with the crafted payload is transmitted again. This has the potential to cause prolonged internet or peering outages." The configuration fix: "In all tested cases, enabling bgp-error-tolerance does not reset sessions, and applies the improved behaviour without restarting sessions." Heh: "As mentioned before, with a few of the vendors (Nokia, Extreme, Juniper) I found myself contacting their own customers myself to warn them to enable mitigating config, as that proved to be a much more effective way at preventing risk than trying to push the vendor itself into action."
- 3. Microsoft Offers Instructions to Disable Downfall Mitigations on Windows
Because of performance. Also, there is a class action lawsuit being filed against Intel. (Ref: https://www.tomshardware.com/news/class-action-lawsuit-forming-against-intel-for-downfall-chip-bug)
- 4. Hackers Can Silently Grab Your IP Through Skype. Microsoft Is In No Rush to Fix It
More evidence that Microsoft requires some extra pressure to be applied in order to be compelled to fix certain security issues: "Yossi, the independent security researcher who uncovered the vulnerability, reported the issue to Microsoft earlier this month, according to Yossi and a cache of emails and bug reports he shared with 404 Media. In those emails Microsoft said the issue does not require immediate servicing, and gave no indication that it plans to fix the security hole. Only after 404 Media contacted Microsoft for comment did the company say it would patch the issue in an upcoming update. The attack could pose a serious risk to activists, political dissidents, journalists, those targeted by cybercriminals, and many more people. At minimum, an IP address can show what area of a city someone is in"
- 5. Motherboard Mishaps Undermine Trust, Security
I'd like to highlight my co-worker Nate Warfield's quote in this article: "We've got this multi-hundred-billion-dollar-a-year industry to secure everything above the firmware," he says. "So for attackers, ... if it costs more to spread to the operating system or application, they're gonna find places where it takes less technical investment to evade security controls." Next, here are my thoughts as I posted them to LinkedIn: "I also believe there is insufficient focus on detecting and preventing privilege escalation and persistence, especially at the firmware level. Too often, we just hand these wins over to the attackers, allowing them to escalate to privileges higher than "root" or "administrator" and persist at lower levels with little resistance. Yes, attackers should not be on the system in the first place, but we all know this isn't reality..." - Agree? Disagree?
- 6. Breaking Fortinet Firmware Encryption
In response to this research, Fortinet did this: "they promptly locked down access to firmware downloads, limiting each account to products with active licenses. As a trial user, you can now only download virtual machine images." - Security through obscurity is not the way to go. Why not have a bug bounty program for your firmware? Well, I checked, they do not have one: "Fortinet does not operate a bug bounty program." (Ref: https://www.fortiguard.com/psirt_policy)
- 7. Is the IoT-module debate about security, competition or xenophobia?
"But those same security concerns apparently haven't stretched onto other Chinese smartphone vendors like TCL and OnePlus, which continue to sell phones in the US market. Nor do they cover Apple iPhones, many of which are manufactured in China." - So ban it all or don't ban it at all is what the article suggests?
- 8. Using LLMs to reverse JavaScript variable name minification
"Loop through all variables in the code, asking LLM to describe their intent and generate a better name based on that description" - Great usage of an LLM!
- 9. Ben Sadeghipour on X
"Rapid7 asking me to remove an educational content from YouTube over the fact that used them as an example for publicly accessible swagger file." - This is weird. He has not taken down the video either.
- 10. Poisoning Web-Scale Training Datasets is Practical
This is what Jarrod was talking about last week on the show: "Our first attack, split-view poisoning, exploits the mutable nature of internet content to ensure a dataset annotator’s initial view of the dataset differs from the view downloaded by subsequent clients. By exploiting specific invalid trust assumptions, we show how we could have poisoned 0.01% of the LAION-400M or COYO-700M datasets for just $60 USD. Our second attack, frontrunning poisoning, targets web-scale datasets that periodically snapshot crowd-sourced content—such as Wikipedia—where an attacker only needs a time-limited window to inject malicious examples"
- 11. TACOS: Trusted Attestation and Compliance for Open Source
This is important: "A framework for assessing the development practices of open source projects against a set of secure development standards specified by the NIST Secure Software Development Framework (SSDF) V1.1. In this new era where software producers doing business with the U.S. government are being asked to attest that they are following NIST-defined secure software development practices (including the open source dependencies they use in their products), TACOS provides a framework that vendors can use to provide self-attestation for the open source components they rely on."
- 12. GTA 6 Hacker Found To Be Teen With Amazon Fire Stick In Small Town Hotel Room
This is weird and may deserve some discussion: " though denied access to a computer he purchased an Amazon Fire stick presumably at the Argos in the Sainsburys next door, and plugged it into the Travelodge TV. Using this he was able to access cloud services, we’re guessing a virtual Linux environment or similar, before continuing to compromise further organisations including Rockstar Games to leak that GTA 6 footage." More details about the case: https://www.bbc.com/news/technology-66549159
- 13. NVMe: New Vulnerabilities Made Easy
"This blog post will showcase how we used Static Code Analysis tools to find a Pre-Auth Remote DoS (CVE-2023-0122) caused by a NULL Pointer Dereference in the NVMe driver of the Linux kernel." - I traced back the first exploitation of NULL pointer dereference to Mark Dowd's 2008 paper: Application-Specific Attacks: Leveraging the ActionScript Virtual Machine. Please correct me if I'm wrong!
- 14. CVE-2020-19909 is everything that is wrong with CVEs
Maybe not everything, but it highlights many issues: "NVD now has this CVE-2020-19909 entry in there, rated 9.8 CRITICAL and now this disinformation spreads across the world. Now when we search for this CVE number we find numerous sites that repeats the same data. “This is a 9.8 CRITICAL problem in curl” – when it is not." - The first is the severity assessment. In reading the technical details, this is not a 9.8. Also, the numbering is weird, why did it get a 2020 number when the CVE was published a few days ago? More details here: https://curl.se/docs/CVE-2020-19909.html. The record is marked as "disputed", but I'm guessing that data point does not come through to other tools like a vulnerability scanner?
- 15. WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April
Some more details on the attack that we missed last week: "The cybercriminals are exploiting a vulnerability that allows them to spoof file extensions, which means that they are able to hide the launch of malicious code within an archive masquerading as a ‘.jpg’, ‘.txt’, or any other file format. They create a ZIP archive containing both malicious and non-malicious files. When the victim opens a specially crafted archive, the victim will usually see an image file and a folder with the same name as the image file."
Some resources from last week's discussion:
- https://www.geeksforgeeks.org/difference-between-zip-and-rar/ - ZIP is natively supported on Windows and macOS and uses DEFLATE
- https://en.wikipedia.org/wiki/Gzip - Different from the Windows/macOS zip, though it uses DEFLATE, it cannot compress multiple files (hence Tar, introduced in 1979: https://en.wikipedia.org/wiki/Tar_(computing))
- https://en.wikipedia.org/wiki/Bzip2 - Uses the Burrows–Wheeler algorithm.
- https://www.scribd.com/doc/228831637/Optimal-Tip-to-Tip-Efficiency - My favorite, a real-world implementation of the "Middle-Out" compression algorithm from the TV show Silicon Valley.
Keep in mind that I didn't do the performance metrics. Some compression is slower to compress but faster at decompression and vice versa.
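The quoted write-up describes an archive that shows the victim an image file next to a folder with the same name. As an added example (not from the article, WinRAR or any vendor), this Python scanner lists a ZIP and flags every top-level file whose name is also used as a directory; the archive is constructed inline, and comparing names after trimming trailing whitespace is an assumption made here so that near-identical names are also caught.

```python
"""Added example: detect a top-level file that shares its name with a directory
inside the same ZIP archive. The sample archive is constructed below."""
import io
import zipfile
from collections import defaultdict


def find_shadowed_names(zip_bytes: bytes) -> list[tuple[str, list[str]]]:
    """Return (file_name, directory_members) for each top-level file whose name
    is also the first path component of other entries in the archive.

    Names are compared after stripping trailing whitespace (an assumption made
    here, not a rule from the article) so near-identical names are flagged too.
    """
    top_files: dict[str, str] = {}                  # normalised -> original
    dir_members: dict[str, list[str]] = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 1:
                top_files[name.rstrip()] = name
            elif parts[-1]:                          # skip "dir/" placeholders
                dir_members[parts[0].rstrip()].append(name)
    return [(top_files[key], members)
            for key, members in dir_members.items() if key in top_files]


def build_sample_archive(with_shadow: bool = True) -> bytes:
    """Constructed archive: an image, optionally a same-named folder holding a
    script, and an unrelated text document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff constructed, not a real JPEG")
        if with_shadow:
            # Constructed entry name; the script body is harmless.
            zf.writestr("holiday.jpg/holiday.jpg.cmd", "echo constructed sample\r\n")
        zf.writestr("notes.txt", "harmless document")
    return buf.getvalue()


if __name__ == "__main__":
    for file_name, members in find_shadowed_names(build_sample_archive()):
        print(f"suspicious: file {file_name!r} shadows directory with {members}")
```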
- 16. Renegade certificate removed from Windows. Then it returns. Microsoft stays silent.
- 17. Smoke Loader Malware Locates Infected System Wi-Fi
Sounds like a Wifi worm in the making? - "Google Geolocation API responds with the coordinates of the system’s location using the collected Wi-Fi access points and mobile network data information. These location coordinate data are then embedded into another JSON structure containing the encryption methods used by different access points."
- 18. Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches
- 19. If you’re looking to up your desktop computer security, Linux might be your best bet
Okay, I'm going with NO on this one, because I believe what the author is mostly missing is that Linux is just security through obscurity, as it is nowhere near the most popular desktop operating system (less than 5%, studies show). The author presents arguments that I will debunk:
- "User permissions: Linux has a much more structured and sane permissions system" - Nope. This link has over a dozen different techniques to escalate privileges in Linux.
- "Software installation: With Windows, you can find .exe and .msi files all over the net, many of them carrying a malicious payload. With Linux, you generally are installing from your distributions package manager, which is more secure" - Perhaps, but you are trusting the people and processes for your Linux distribution to get security right, and sometimes they don't. Package managers also have vulnerabilities as discovered by the Qualys research team in 2022.
- "Open source: By design, the Linux code has been -- and can be -- vetted by thousands of software engineers" - Nope, more eyes != shallow bugs.
- "Frequency of updates: Linux updates not only happen regularly, but when a vulnerability is discovered, it's fixed immediately" - Not all the time, and not always immediately. Also, while yes the developer may patch the open source software quickly, distributions may lag behind or botch the update. Of course, if you've compiled from source code or used other methods of software installation, that package maintainer may not have updated the software.
- 20. When Betting on Linux Security, Look at the Big Picture
Next up, this article brings up a couple of good points:
- Attackers go after Windows because it's deployed in the enterprise, and this is where they monetize.
- Linux is not attacked less as it's more common to be installed on servers and IoT devices. If you were to gather statistics on how often Linux is attacked, it would be much higher than measuring malware targeting Linux.
- Also, attackers don't need malware to gain a foothold on Linux as it has built-in tools that can be combined to create "malware."
- 21. Why Linux is more secure than Windows
This article pretty much gets everything wrong. For example: "Microsoft Windows is vulnerable to viruses by its flawed design of allowing programs either all or nothing access. When you download and run a Windows .exe file, you have to trust the creator because it can do anything once it is run." - This is just not true (ref: https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview). In fact, Windows has a robust way to manage application privileges. Granted, not many use it correctly or implement the full features. Linux is pretty terrible at this, and I will reference our previous segments and discussions around container escapes that abuse the subsystems in Linux (such as Linux kernel capabilities).
- 22. Linux Privilege Escalation through Group Exploitation
Also, reviewing the script in this article, these are valid methods for Linux privilege escalation.
- 1. NSA Orders Employees to Spy on the World “With Dignity and Respect”
“Mass surveillance is fundamentally incompatible with basic human rights and democracy.” Um, but, well, okay.
- 2. NSA/CSS Policy 12-3 ANNEX C
Here's the actual directive. You should read it if for no other reason than to experience how bureaucracy works.
- 3. Join Us For a Brew-tiful Evening!
If you'll be attending the PCI Community Meeting in Portland in two weeks, you are welcome to come hang out with the PCI team from Online Business Systems. (my day job as a QSA).
- 4. Hiring a Cybersecurity Consultant – Is It Worth It?
Sometimes (like with PCI) you don't have a choice. But then, while your assessor SHOULD be a cybersecurity expert that is not always the case. Least favorite part - "look for someone with a CISSP". The best part of this article is that it walks through the benefits of hiring an independent (read: unbiased) third party to give you an honest assessment of the good and bad things you are doing.
- 5. 4 Reasons MSPs Should Be Using Cybersecurity Frameworks
This article talks about cybersecurity frameworks, cybersecurity standards, and cybersecurity compliance. It puts PCI DSS in the standards category (probably because it's in the name) but it really falls into the category of compliance (based on the article's definitions) or even under framework.
- 6. PCI DSS 4.0: Why Pen Testing is Key for Compliance
I thought this would be an interesting article. It wasn't.
I can't tell you that pen testing is key for demonstrating compliance with the PCI Data Security Standard. It's one of over 400 controls you have to have in place.
My conclusion - people that do not work directly within the PCI ecosystem should really not write about it.
- 7. Why Network Penetration Testing Is an Essential Cybersecurity Practice
Maybe this pen testing article will be better... Starts with a definition, discusses the goals of a pen test, discusses why it is important, and how to get the most out of it. I still don't agree that vulnerability scanning should be a part of the methodology (just ask the client for their latest scan since they do it anyway), but other than that a very reasoned and informative article.
- 8. Why The Matrix offers valuable lessons on data sovereignty for channel partners
Without rules, we live with the animals.
- 9. DevOps vs. SRE: Decoding the Roles in the Tech World
This is my excuse to talk about "The Phoenix Project" which I just [finally] finished reading. It was a very entertaining, engaging, and well, downright triggering book. My biggest beef with it, though, is the totally errant and misleading representation of PCI. (surprised?) If the fictional company, "Parts Unlimited" had actually followed the PCI DSS they wouldn't have had most of the problems that Bill had to find a way to fix. Just sayin...
- 1. Computer scientists develop open-source tool for dramatically speeding up the programming language Python
Programs written with Python are notoriously slow—up to 60,000 times slower than code written in other programming languages. The new profiler "Scalene" works to efficiently identify exactly where Python is lagging, allowing programmers to troubleshoot and streamline their code for higher performance. Once Scalene has identified where Python is having trouble keeping up, it then uses AI—leveraging the same technology underpinning ChatGPT—to suggest ways to optimize individual lines, or even groupings of code.
- 2. A Brazilian phone spyware was hacked and victims’ devices ‘deleted’ from server
The Portuguese-language app WebDetetive was used to compromise over 76,000 phones. Hackers compromised WebDetetive's servers, and they enumerated and downloaded every dashboard record, including every customer's email address. Then they deleted victim devices from the spyware network altogether, effectively severing the connection at the server level to prevent the device from uploading new data. "Which we definitely did. Because we could. Because #fuckstalkerware," the hackers wrote.
- 3. Elon Musk's FSD v12 demo includes a near miss at a red light and doxxing Mark Zuckerberg
The 45-minute video was meant to demonstrate v12 of Tesla’s Full Self-Driving but ended up being a list of things not to do while using FSD. Musk is also in violation of Tesla’s own rules about how drivers should behave while using FSD. By filming the drive himself from the driver’s seat and also interacting with Twitter commenters during the drive, Musk is ignoring his own company’s guidelines that advise drivers to keep their hands on the steering yoke at all times.
- 4. Arm IPO Faces Serious Difficulties, Observers Say
SoftBank's initial public offering (IPO) for Arm on the Nasdaq stock exchange, planned for as early as next month, faces major challenges because the British chip designer is overvalued and growth prospects are dim. SoftBank desperately needs money to restore its fortunes. Under SoftBank, Arm has dramatically put up its royalties and license fees to the point where many companies are starting to design away from Arm, usually adopting RISC-V.
- 5. Defense contractor Belcan leaks admin password with a list of flaws
US Government and defense contractor Belcan left its hashed super admin credentials open to the public--a lapse that could have resulted in a serious supply chain attack. They left an open Kibana instance containing sensitive information regarding Belcan, their employees, and internal infrastructure including vulnerabilities and actions taken to remedy/not remedy them.
- 6. Watch an AI Learn to Play Mario Live on TikTok
This AI is modeled after evolution in the sense that it works using “species” and “generations.” Different neural nets compete at playing a level, then the most successful are combined like sexual reproduction to create the next generation. After 24 hours of play, an expert player evolves.
- 7. ‘Life or Death:’ AI-Generated Mushroom Foraging Books Are All Over Amazon
Amazon has an AI-generated books problem. Many of these books are obviously gibberish designed to make money. A genre of AI-generated books on Amazon is scaring foragers and mycologists: cookbooks and identification guides for mushrooms aimed at beginners. There are hundreds of poisonous fungi in North America and several that are deadly. AI-generated foraging books could actually kill people if they eat the wrong mushroom because a guidebook written by an AI prompt said it was safe.
- 8. Google is bringing generative AI to its security tooling
AI is enabling security teams to improve their security posture by generating AI summaries to describe threats, by searching for patterns in security data to identify if teams have been targeted or companies have been targeted, and finally, by recommending actions to take both in response to active threats and also to proactively improve security posture. To help with that, the company is introducing Duet AI in Mandiant Threat Intelligence, which helps security teams understand the mass of information they are seeing by providing a relevant summary to help quickly grasp the nature of a particular threat. Whether this is useful or not, however, will hinge on the depth and quality of the summaries, and how well less skilled analysts can understand the information they are getting.
- 9. iFixit Tears Down McDonald’s McFlurry Machine, Petitions Government for Right to Hack Them
Every three years, interested parties have to file requests with the Librarian of Congress that seek “exemptions” to the Digital Millennium Copyright Act, the overarching federal copyright law. A group of right to repair activists and consumer rights advocates are petitioning the Librarian of Congress for the right to hack McDonald’s notoriously unreliable McFlurry machines for the purposes of repair.
- 10. Google DeepMind has launched a watermarking tool for AI-generated images
The tool, called SynthID, will initially be available only to users of Google’s AI image generator Imagen, which is hosted on Google Cloud’s machine learning platform Vertex. Users will be able to generate images using Imagen and then choose whether to add a watermark or not. The hope is that it could help people tell when AI-generated content is being passed off as real, or help protect copyright. But a professor is skeptical. “There are few or no watermarks that have proven robust over time,” he says. Early work on watermarks for text has found that they are easily broken, usually within a few months.
- 11. I Tracked an NYC Subway Rider’s Movements with an MTA ‘Feature’
The New York subway website churned out the rider’s travel history for the past 7 days based only on a credit card number, with no other verification required. It also works for people using ApplePay. This is a serious privacy risk, especially for abusers who live with their victims or have physical access, however brief, to their wallet. The MTA was notified but seems not to care.
- 12. FreeBSD can now boot in 25 milliseconds
MicroVMs are a hot area of technology R&D in the last half decade or so--designing OSes specifically to run as guests under another OS. This means building the OS specifically to run inside a VM, and to talk to resources provided by a specific hypervisor rather than to fake hardware. This means that the guest OS needs next to no support for real hardware, just VirtIO drivers which talk directly to facilities provided by the host hypervisor. In turn, the hypervisor doesn't have to provide an emulated PCI bus, emulated power management, emulated graphics card, emulated network interface cards, and so on. The result is that the hypervisor itself can be much smaller and simpler. The commercial goal of this is providing "serverless" compute power.
- 13. Barracuda thought it drove 0-day hackers out of customers’ networks. It was wrong.
Chinese hackers pwned hundreds of Barracuda Email Security Gateway devices in October, 2022. In May, Barracuda deployed a patch and a script to eject the attackers. A June 6 update to the company’s ongoing security advisory no longer recommended patching as a viable means of remediation. Instead, it advised the “immediate replacement of compromised ESG appliances, regardless of patch level.” Until now, the reasoning for the unusual recommendation was unclear. The attackers infected the backups, and the configuration files, so exporting the configuration from a compromised device and installing it on new hardware resulted in a device that was still pwned.
- 14. A Fake Signal App Was Planted On Google Play By China-Linked Hackers
A fake version of the private messaging app Signal has found a way onto Google Play and appears to be linked to a Chinese spy operation. The malicious Signal Plus Messenger automatically connects the compromised device to the attacker’s Signal in the background, so all messages were passed onto their account. The fake Telegram may have had a wider impact, though. Another malicious app named FlyGram was able to access Telegram backups if the user enabled a specific feature in the malware. It was activated by at least 13,953 user accounts.
- 15. Busybox cpio directory traversal vulnerability (CVE-2023-39810)
cpio is an archive format and also an archive handling tool. The BusyBox variant of cpio has been found to extract archives that contain relative file names with a ../ traversal pattern and this cannot be prevented. This has not been patched, and the researcher was not able to get in contact with a maintainer or developer.
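The defect above is an extractor that writes member names containing ../ without checking where they land. As an added example (not BusyBox code and not from the advisory), this Python check normalises each member name and confirms the resulting path stays inside the destination directory before anything is written; the member list is constructed to mirror the traversal pattern the advisory describes.

```python
"""Added example: destination-bound path check that a defensive archive
extractor applies to every member name before writing it. Format-agnostic,
so it covers cpio, tar and zip listings alike."""
import os
import posixpath


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if `name`, joined to `dest`, resolves inside `dest`.

    Rejects empty names, absolute names, and any name that still escapes after
    normalisation. Normalising first matters: 'bin/../lib/x' is harmless while
    'ok/../../escape' is not, and only normpath tells them apart reliably.
    """
    if not name or name.startswith(("/", "\\")):
        return False
    # Treat backslashes as separators so a Windows-style name cannot slip
    # past the POSIX normalisation as a single opaque component.
    normalized = posixpath.normpath(name.replace("\\", "/"))
    if normalized == ".." or normalized.startswith("../"):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, normalized))
    # Containment check on the resolved path; a full extractor must also refuse
    # to follow symlinks created earlier in the same archive.
    return target == dest_real or target.startswith(dest_real + os.sep)


# Constructed listing of the kind a crafted cpio archive could carry.
SAMPLE_MEMBERS = [
    "etc/motd",
    "bin/../lib/libfoo.so",
    "../../etc/passwd",
    "/etc/shadow",
    "docs/./readme.txt",
    "ok/../../escape",
]


def partition_members(names, dest):
    """Split a member list into (safe, rejected) using is_safe_member."""
    safe = [n for n in names if is_safe_member(n, dest)]
    rejected = [n for n in names if not is_safe_member(n, dest)]
    return safe, rejected


if __name__ == "__main__":
    ok, bad = partition_members(SAMPLE_MEMBERS, "extract_dir")
    print("would extract:", ok)
    print("would reject:", bad)
```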
- 16. Perfectly Reproducible, Verified Go Toolchains
Go 1.21.0 is now reproducible, meaning that a build that starts with the same sources produces the same outputs every time it runs. That way, anyone can verify that posted binaries are free of hidden changes by building from authentic sources and checking that the rebuilt binaries are bit-for-bit identical to the posted binaries. This helps to prevent supply-chain attacks.
- 17. ISPs Should Not Police Online Speech—No Matter How Awful It Is.
Hurricane Electric, a Tier 1 ISP, is interfering with traffic--partially denying service to a direct customer, a provider called Crunchbits, in order to disrupt traffic to a site that is several steps away in the stack. The affected site is an almost universally despised forum for hateful speech and planning vicious attacks on vulnerable people: Kiwi Farms. Although that site is widely hated, the EFF opposes blocking it in this manner. Once an ISP indicates it’s willing to police content by blocking traffic, more pressure from other quarters will follow, and they won’t all share your views or values. For example, an ISP, under pressure from the attorney general of a state that bans abortions, might decide to interfere with traffic to a site that raises money to help people get abortions, or provides information about self-managed abortions. Having set a precedent in one context, it is very difficult for an ISP to deny it in another, especially when even considering the request takes skill and nuance.