A Dive into Vulnerabilities and Compliance – PSW #821
We discuss the always controversial Flipper Zero devices, the hidden risks in undersea cables, and the landscape of government oversight, including the CVE, KEV, and NVD systems that are the linchpins of our digital safety. The conversation turns to the practicalities of risk management and the impact individuals have on the industry, such as Daniel from the curl project, and draws a comparison between cybersecurity vulnerabilities and environmental pollution. We tackle the challenges of vulnerability prioritization and the importance of a comprehensive approach to managing the ever-evolving threats that target our digital infrastructure.
- (00:01) Security Practices and Flipper Zero
- (07:01) Technology and Privacy Concerns in Cars
- (17:33) Undersea Cables and NVD Issues
- (27:45) Government Oversight and Funding for Cybersecurity
- (33:33) Improving Vulnerability Prioritization in Cybersecurity
- (45:37) Risk Management and CVE Implementation
- (58:06) Cybersecurity Budget and Risk Management
- (01:10:48) Unique Challenges in Cybersecurity Industry
- (01:16:41) Discussion on Open Source and CNAs
- (01:26:44) Bluetooth Vulnerabilities and Exploits Discussed
- (01:39:46) Email Security and Compromised Accounts
- (01:46:23) Cybersecurity Threats and Vulnerabilities
- (01:52:06) GPU Security Vulnerabilities Explained
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Guest
Joshua Corman is a Founder of I am The Cavalry (dot org), and recently served as Chief Strategist for the CISA COVID Task Force. He previously served as CSO for PTC, Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, and other senior roles. He co-founded RuggedSoftware and IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. His unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as an Adjunct Faculty for Carnegie Mellon’s Heinz College, and was a member of the Congressional Task Force for Healthcare Industry Cybersecurity.
Hosts
- 1. Our Response to the Canadian Government
This article is amazing. I thought it was just going to be all about stupid legislation. While it does address that, it also includes accurate descriptions of how cars are stolen and how cars are not stolen from an RF/technical standpoint, with copious amounts of visual aids. Must read!
- 2. Implementations of UDP-based application protocols are vulnerable to network loops – VU#417980
Protocol vulnerabilities are fun: "Security researchers have identified that certain implementations of the UDP protocol in applications can be triggered to create a network-loop of seemingly never-ending packets. Software implementations of UDP-based application protocols DNS, NTP, TFTP, Echo (RFC862), Chargen (RFC864), and QOTD (RFC865) were specifically found to be vulnerable to such network loops."
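To make the loop concrete, here is a small simulation written for these notes (not code from CERT/CC or the researchers): two hosts run the RFC 862/864/865 services, one spoofed datagram with a service port as its source pairs them up, and two mitigations are shown, refusing to answer datagrams sourced from another loop-prone service port and a per-peer rate limit for ports the list does not know about. The host model, handlers, port list and thresholds are simplifying assumptions.

```python
"""
Simulation of the UDP application-layer loop in VU#417980 and two mitigations.
Added example written for these notes, not code from CERT/CC or the
researchers; the host model, handlers, port list and rate limit are
simplifying assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

ECHO, QOTD, CHARGEN = 7, 17, 19
# Services that answer any datagram with another datagram; a spoofed source
# address pairs two of them up so they talk to each other forever.
LOOP_PRONE_PORTS = {ECHO, QOTD, CHARGEN, 53, 69, 123}  # DNS/TFTP/NTP too


@dataclass(frozen=True)
class Datagram:
    src: tuple   # (host name, port)
    dst: tuple
    payload: bytes


def echo_reply(payload: bytes) -> bytes:
    return payload                          # RFC 862: send the data back


def chargen_reply(payload: bytes) -> bytes:
    return b"!\"#$%&'()*+,-./0123456789:;"  # RFC 864: junk, whatever came in


def qotd_reply(payload: bytes) -> bytes:
    return b"Adrenalin does not scale.\n"   # RFC 865: a quote, whatever came in


class Host:
    """A host running UDP services; `hardened` enables the mitigations."""

    def __init__(self, name, services, hardened=False, rate_limit=20):
        self.name, self.services = name, services
        self.hardened, self.rate_limit = hardened, rate_limit
        self.seen = defaultdict(int)        # datagrams per (peer host, peer port)
        self.dropped = 0

    def handle(self, pkt: Datagram):
        """Return the reply the service emits for pkt, or None if nothing is sent."""
        handler = self.services.get(pkt.dst[1])
        if handler is None:
            return None                     # closed port, or a client socket
        if self.hardened:
            # Mitigation 1: real clients use ephemeral source ports, so never
            # answer a datagram whose source port is another loop-prone service.
            if pkt.src[1] in LOOP_PRONE_PORTS:
                self.dropped += 1
                return None
            # Mitigation 2: per-peer rate limit, for loops through ports the
            # list does not know about.
            self.seen[pkt.src] += 1
            if self.seen[pkt.src] > self.rate_limit:
                self.dropped += 1
                return None
        return Datagram(src=pkt.dst, dst=pkt.src, payload=handler(pkt.payload))


def run_loop(hosts, first: Datagram, max_steps=1000) -> int:
    """Deliver datagrams until a host stays silent; return datagrams delivered."""
    steps, pkt = 0, first
    while pkt is not None and steps < max_steps:
        steps += 1
        pkt = hosts[pkt.dst[0]].handle(pkt)
    return steps


def scenario(harden_b: bool, a_echo_port: int = ECHO):
    """A is a legacy box you cannot fix; B is yours. Returns (loop steps, legit steps)."""
    hosts = {
        "A": Host("A", {a_echo_port: echo_reply}),
        "B": Host("B", {CHARGEN: chargen_reply, QOTD: qotd_reply}, hardened=harden_b),
        "C": Host("C", {}),                 # an ordinary client
    }
    # One spoofed datagram from the attacker: "A's echo port asks B's chargen".
    spoofed = Datagram(src=("A", a_echo_port), dst=("B", CHARGEN), payload=b"x")
    legit = Datagram(src=("C", 40001), dst=("B", QOTD), payload=b"")
    return run_loop(hosts, spoofed), run_loop(hosts, legit)


if __name__ == "__main__":
    print(scenario(False))                   # (1000, 2): loop runs until cut off
    print(scenario(True))                    # (1, 2): B drops the spoofed packet
    print(scenario(True, a_echo_port=7777))  # (41, 2): rate limit ends the loop
```

The second scenario is the one worth noticing: the port-list check only helps when the other end sits on a well-known port, which is why the advisory's mitigations also include rate limiting and, better, not exposing these services to untrusted networks at all.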
- 3. New Attack Shows Risks of Browsers Giving Websites Access to GPU
Neat stuff: "The academic researchers described their work as one of the first GPU cache side-channel attacks from within a browser. They showed how the method can be leveraged for remote attacks, by getting the targeted user to access a website hosting malicious WebGPU code and stay on the site for several minutes while the exploit is being executed." - Could be used to sniff secrets (paraphrasing), and PoC code is available.
- 4. Attesting to the TPM’s Firmware
Pure gold right here: "You can usually tell embedded security people apart from not-embedded security people, because the not-embedded security people will say things like “this is secure because the hardware does it for us” and the embedded security people will adopt this vacant, dead expression in their eyes when the not-embedded security people say things like that."
- 5. JetBrains, Rapid7 clash over vulnerability disclosure policies
From JetBrains: "At this point, we made a decision not to make a coordinated disclosure with Rapid7 as we strongly believe that publishing all technical details at the same time as releasing a fix allows anyone to immediately exploit the issue before all customers have had a chance to patch their servers," - Do you agree? Is silent patching a good thing? Attackers will still figure it out? Security through obscurity?
- 6. BlackVue Dashcams – It’s not a bug, it is a feature
Dashcams are vulnerable, no fix in sight: "I decided that after two years and unfortunately no positive results from BlackVue publishing this post was in the public interest, so, especially with the rise in car crime, while not directly related to BlackVue, I figured it best be brought to peoples' attention."
- 7. LTair: The LTE Air Interface Tool
- 8. the Apple curl security incident 12604
Reason #527 why I don't use Apple: "When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and checks the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise. Therefore, when a user runs the check with a trimmed and dedicated CA cert file, it will not fail if the system CA store contains a cert that can verify the server!" - Also, Apple says this is fine. It's not fine, we're not fine, no one is fine!!!
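A quick way to find out whether the curl on a given machine behaves this way, as an added check written for these notes (not code from the curl project or Apple): mint a throwaway self-signed CA, which cannot have signed any real server certificate, hand it to curl with --cacert, and connect to an HTTPS host. A strict curl must fail with exit status 60 (peer certificate cannot be authenticated); a success means some other trust store was consulted behind your back. It assumes openssl and curl on PATH, and the host name is a placeholder for one you are allowed to connect to.

```python
"""
Check whether the local curl honours --cacert strictly or silently widens
trust to the system CA store (the macOS behaviour described above).
Added example for these notes, not code from the curl project or Apple.
Assumes `openssl` and `curl` are on PATH; `host` is a placeholder.
"""
import os
import subprocess
import tempfile


def interpret_curl_exit(rc: int) -> str:
    """Map curl's documented exit status to a verdict on --cacert handling."""
    if rc == 60:   # CURLE_PEER_FAILED_VERIFICATION: the bundle was authoritative
        return "ok: --cacert is authoritative (verification failed as expected)"
    if rc == 0:    # handshake succeeded against a CA that signed nothing
        return "WARNING: handshake succeeded, curl consulted a trust store other than --cacert"
    return f"inconclusive: curl exited {rc} (network or other error)"


def check_cacert_fallback(host: str = "example.com") -> str:
    with tempfile.TemporaryDirectory() as tmp:
        ca_pem = os.path.join(tmp, "throwaway-ca.pem")
        # A freshly minted self-signed CA cannot have signed any real server
        # certificate, so verification against it alone must fail.
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=throwaway-test-ca",
             "-keyout", os.path.join(tmp, "ca.key"), "-out", ca_pem],
            check=True, capture_output=True,
        )
        rc = subprocess.run(
            ["curl", "--silent", "--output", os.devnull, "--cacert", ca_pem,
             f"https://{host}/"]
        ).returncode
    return interpret_curl_exit(rc)


if __name__ == "__main__":
    print(check_cacert_fallback())
```

Run it on the same host with a stock curl (Homebrew or self-built) and with /usr/bin/curl to see the two behaviours side by side; the same trick applies to any client that claims a --cacert or equivalent pinning option.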
- 9. CVE-2024-28815: Mitel Patches Critical Security Flaw in InAttend and CMG Solutions
Few details here, but these particular products are used in enterprise call centers with high volumes. Mitel also just bought up Unify, making them the 2nd largest unified communications company in the world. The security researcher in me wonders what other gems may lie and what attackers may do with them.
- 10. BlueSpy – Spying on Bluetooth conversations
I can't wait to test this: "BlueSpy is a Python script developed as a proof-of-concept exploit for this vulnerability. It only needs native Bluetooth tools available on Linux operating systems. An Arch Linux distribution has been used with a working installation of BlueZ, the Linux Bluetooth stack, and PipeWire as an audio server to record and playback the captured audio. The BlueSpy tool, with code and documentation, is published in Tarlogic Security’s GitHub repository."
- 11. CVE-2024-28353 & 28354: TRENDnet Router Takeover Flaws Exposed, No Patch Available
I'm seeing more and more consumer routers with vulnerabilities (and exploits) for firmware and hardware that is no longer supported. No patches, no updates, and workarounds are hit or miss. Are we just telling people to replace their routers? Who is telling them? Will they do it? Or will Mirai just continue to grow?
- 12. Introducing VulnCheck NVD++ – Blog – VulnCheck
If you are having trouble accessing NVD, you may want to check this out.
- 13. “Overwhelming evidence” shows Craig Wright did not create bitcoin, judge says
"After all the evidence in this remarkable trial, it is clear beyond doubt that Craig Wright is not Satoshi Nakamoto,” claimed Jonathan Hough, legal counsel for COPA, as he began his closing submissions on Tuesday. “Wright has lied, and lied, and lied." - One hilarious note that I heard on the Hacked podcast is that Craig's sister testified and said that Craig used to dress up like a ninja when he was younger, and when she saw the name "Satoshi Nakamoto", she said it must be Craig! I can't even make this stuff up. I was hoping it was Craig because I know him, and then I could say I know the founder of Bitcoin, selfishly.
- 14. Kubernetes Vulnerability Let Attackers Take Full System Control
Make sure you patch this one and use the commands provided to check your configuration to see if you are vulnerable. Kubernetes was not designed with security in mind and still suffers from these types of configuration errors that can lead to compromise.
- 15. ASCII art elicits harmful responses from 5 major AI chatbots
- 1. If Companies Are So Focused on Cybersecurity, Why Are Data Breaches Still Rising?
Might be a rhetorical question...
- 2. Fujitsu found malware on IT systems, confirms data breach
Japanese tech giant Fujitsu discovered that several of its systems were infected by malware and warns that the hackers stole customer data.
- 3. IMF Emails Hacked
An investigation conducted with external cybersecurity experts revealed that 11 IMF email accounts had been compromised. The hacked accounts were ‘re-secured’ and there is no indication at this point in the ongoing probe that the attacker gained access beyond these email accounts.
"re-secured"... so they changed passwords???
- 4. UHG Identifies Attack Vector Used in Change Healthcare Ransomware Attack
...but they aren't revealing any details yet.
- 5. Navigating the NSA’s New Zero-Trust Guidelines
NSA and PCI in one article!!! (but of course, they got the PCI reference wrong...)
- 6. Advancing Zero Trust Maturity Throughout the Network and Environment Pillar
This is the new zero-trust information sheet from the National Security Agency.
- 1. Infosec teams must be allowed to fail, argues Gartner
In their keynote speech at the Gartner Security & Risk Management Summit in Sydney, Australia, Gartner researchers Chris Mixter and Dennis Xu said that it is not possible to completely prevent cybersecurity incidents; what is important, they said, is to develop robust recovery plans and rehearse them.
There are two points being made here, first that you need to train and plan for an incident, "Adrenalin does not scale." Develop plans based on tolerable impact which would allow responses to be prioritized. Second, that you need to look out for the well-being of your responders.
- 2. Update delays to NIST vulnerability database alarms researchers
The US National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD) is in the midst of making changes to its processes, resulting in thousands of new entries lacking enrichment: vulnerability analyses and descriptions, as well as lists of affected software, CVSS scores, and links to patches and additional information. Some researchers are reporting that more than 2,000 recently-added vulnerabilities lack enrichment data.
NIST is working to bridge the gap - they are also dealing with the first budget cut in over 10 years, as well as a doubling of published CVEs comparing 2017 to 2023.
- 3. Cut submarine cables cause web outages across Africa; 6 countries still affected
Damaged undersea cables along the West African coast have impacted Internet service in more than a dozen African countries. The incident occurred last week, and has affected Internet availability in Burkina Faso, Gambia, Guinea, Liberia, Côte d'Ivoire, Ghana, Benin, Niger, and other countries.
The impacted cables are deep, about 1.86 miles, which rules out human activity (ship anchor, fishing, drilling), leaving seismic activity as a likely source. Undersea cables are responsible for about 99% of intercontinental traffic. As we're all thinking "path diversity" we need to also consider the viability of alternate options, both bandwidth and latency. Remember when we thought we could fail over from a T3 to a T1 - until we did? Same idea with satellite - it may not be viable. Document how you're implementing your redundant connection, including path, bandwidth and latency, and then, in a possibly resume-enhancing move, schedule failovers to verify it's viable, or at least tolerable.
Impacted Submarine Cable Map: https://www.submarinecablemap.com/multiselect/submarine-cable?ids=mainone,africa-coast-to-europe-ace,sat-3wasc,west-africa-cable-system-wacs
- 4. McDonald’s: Global outage was caused by “configuration change”
Starting late last week, many McDonald’s restaurants across the world were forced to close temporarily due to an IT outage. The incident affected point-of-sale systems, which prevented employees from taking orders, processing payments, or opening cash registers. The outage appears to have been caused by a configuration error at a third-party provider.
Configuration error? AT&T comes to mind... 3rd party dependencies are a big thing.
- 5. Cloud-hosted supervisory control and data acquisition (SCADA)
The UK’s National Cyber Security Centre (NCSC) has published guidance to help organizations that use operational technology (OT) decide whether or not to migrate their supervisory control and data acquisition (SCADA) systems to the cloud.
This guide is designed to walk you through considerations and tradeoffs. First, you need to decide if you're doing a full migration, fail-over, or hybrid; second, determine the specific risks, including staff skillsets to manage the cloud (including OT/SCADA components) and to detect changes, particularly to SDN; and lastly, include an assessment of the suitability of the technology for cloud migration. Keep in mind that even private cloud is still a software-defined boundary, and like a submarine, many OT/SCADA components don't respond well to bullets.
- 6. International Monetary Fund email accounts hacked in cyberattack
The International Monetary Fund (IMF) is investigating a cybersecurity incident that was detected in mid-February. An ongoing investigation has determined that 11 IMF email accounts were compromised. The IMF has not disclosed additional information except for confirming that they use Microsoft 365.
Here is a good excuse for making sure you've not got gaps in your email MFA configuration, no special exceptions, and that your session token life is within risk tolerance and documented.
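One way to turn that advice into a repeatable check, as an added example written for these notes (not Microsoft code): export the tenant's Conditional Access policies and audit them for an MFA requirement on Office 365 that is not actually enabled, does not include all users, carries exclusions nobody has documented, or leaves sign-in frequency unset or longer than your tolerance. The input shape is assumed to be the JSON objects returned by the Graph endpoint /identity/conditionalAccess/policies; the sample policies are constructed, and MAX_SESSION_HOURS stands in for your own documented risk tolerance.

```python
"""
Audit Microsoft Entra Conditional Access policies for gaps in the email MFA
configuration. Added example written for these notes, not Microsoft code.
Input is assumed to be the JSON objects returned by the Graph endpoint
/identity/conditionalAccess/policies; SAMPLE_POLICIES is constructed and
MAX_SESSION_HOURS is a placeholder for your documented risk tolerance.
"""
MAX_SESSION_HOURS = 24

SAMPLE_POLICIES = [
    {   # enforced, but with a group exclusion and a week-long session
        "displayName": "Require MFA for Office 365",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "excludeGroups": ["breakglass-admins-group-id"]},
            "applications": {"includeApplications": ["Office365"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 7, "type": "days"}},
    },
    {   # looks right, but report-only mode enforces nothing
        "displayName": "MFA everywhere (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": None,
    },
]


def covers_office365(policy) -> bool:
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    return "All" in apps or "Office365" in apps   # "Office365" is the M365 app group


def requires_mfa(policy) -> bool:
    return "mfa" in (policy.get("grantControls") or {}).get("builtInControls", [])


def session_hours(policy):
    """Configured sign-in frequency in hours, or None when not set."""
    sf = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sf.get("isEnabled"):
        return None
    return sf["value"] * (24 if sf["type"] == "days" else 1)


def audit(policies, max_session_hours=MAX_SESSION_HOURS):
    """Return a list of human-readable findings; empty means no gaps found."""
    findings, enforcing = [], []
    for p in policies:
        name = p["displayName"]
        if not (covers_office365(p) and requires_mfa(p)):
            continue                        # not an email MFA policy
        if p.get("state") != "enabled":
            findings.append(f"{name}: state is {p.get('state')!r}, so it enforces nothing")
            continue
        users = p["conditions"]["users"]
        if "All" not in users.get("includeUsers", []):
            findings.append(f"{name}: does not include all users")
        for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
            for excluded in users.get(key, []):
                findings.append(f"{name}: exclusion {key}={excluded} needs a documented owner and expiry")
        hours = session_hours(p)
        if hours is None:
            findings.append(f"{name}: no sign-in frequency, tenant default (rolling 90-day window) applies")
        elif hours > max_session_hours:
            findings.append(f"{name}: sign-in frequency {hours}h exceeds tolerance of {max_session_hours}h")
        enforcing.append(name)
    if not enforcing:
        findings.append("no enabled policy requires MFA for Office 365")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES):
        print(line)
```

Exclusions are reported rather than failed outright because break-glass accounts are legitimate; the point is that each one has a name, an owner and an expiry next to it, which is what an incident review will ask for.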
- 1. Hackers can read private AI-assistant chats even though they’re encrypted
LLMs send words one by one to the user, exposing information about them in the size of the packets sent over the network. By passing the packet sizes into attacking AI systems, the researchers were able to reconstruct most of the data sent by the LLM.
- 2. Time to delete your Glassdoor account and data
Glassdoor is a website where current and former employees anonymously review companies. But they have begun attaching real names to visible profiles without the permission of users, exposing them to retaliation from employers.
- 3. Satellite Eyes in the Sky Will Be Able to Recognize You Soon
A new generation of satellites in Very Low Earth Orbit (VLEO) will resolve details down to 10 cm. This will make it easy for anyone purchasing the data to follow people, cars, etc. around as they move, invading our privacy.
- 4. Apple to allow iOS app installs from websites, but small devs don’t qualify
Apple will let European app developers distribute iPhone and iPad applications to users directly from a website, instead of through an app store. To qualify, devs need an app installed by 1 million users in EU the prior year. This may increase the risk of malicious apps on European iPhones.
- 5. NIST NVD stopped enriching CVEs a month ago
More than 2,100 CVE entries have been published without crucial metadata information such as the name of software products impacted by the CVE, the vulnerability's CVSS severity scores, CVE and CWE data, a basic description of the bug, and patching status. It is unclear what is happening behind NIST's closed doors, but chaos is spreading across the entire vulnerability management space and the government sector alike.
- 6. Lawmakers see power grid security risks from Chinese storage batteries
Lawmakers and experts fear that the use of Chinese storage batteries could threaten the power grid, but few alternatives are in the offing, at least in the short term. The main risk is that the control units on the batteries would spread malware into the electrical grid.
- 7. Europe’s AI Act demands extensive “logs” – targets biometrics, bias, black boxes
The rules lay out cybersecurity requirements and strict rules on biometric use (with concessions for cybersecurity and authentication providers). Where AI systems are categorised as ‘high-risk’, the technology would need to meet mandatory requirements around issues such as risk management, data quality, transparency, human oversight and accuracy.
- 8. Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware
Many governments, along with the US, recognize the threat posed by the misuse of commercial spyware and the need for strict domestic and international controls on the proliferation and use of such technology. This seems to target spyware like Pegasus.