It’s A Minifilter! – PSW #823
pfSense switches to Linux (April Fools?), Flipper panic in Oz, Tales from the Krypt, Funding to secure the Internet, Abusing SSH on Windows, Blinding EDR, more hotel hacking, Quantum Bleed, and more!
Announcements
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcasts feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
We’d like to invite our listeners to be part of our prestigious 2024 SC Awards! Entries are officially open.
The SC Awards continue to serve as a beacon of excellence, recognizing the industry’s best solutions, organizations, and people that are advancing information security. This year, there are 34 categories, many updated to reflect trends in artificial intelligence, cloud security and continuous threat exposure management. This is your chance to shine among the brightest in the cybersecurity world.
Take advantage of the early bird rate by April 12! Visit securityweekly.com/scawards to submit your entries by May 31st!
Hosts
- 1. Google fixes two Pixel zero-day flaws exploited by forensics firms
I was hoping for a universal carrier unlock, maybe: "Google has fixed two Google Pixel zero-days exploited by forensic firms to unlock phones without a PIN and gain access to the data stored within them."
- 2. A Security Exploit Is in the Air
Your camera is watching, always: "With this knowledge, the electromagnetic signals could be captured from a distance and reconstructed into video frames, all while bypassing any security measures that might be in place."
- 3. SSHishing – Abusing Shortcut Files and the Windows SSH Client for Initial Access
Whaaaaat? " ssh.exe is able to spawn cmd.exe and execute commands even when it has been disabled via GPO" - The demo is crazy, get the user to click a shortcut and shovel a shell and some creds. Bravo I say, Bravo!
- 4. Funding the Organizations That Secure the Internet
"Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding or subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short." and this: "In an effort to combat this dilution of responsibility and dearth of financial support, global policymakers and representatives from nonprofits, philanthropy, and fundraising organizations recently launched Common Good Cyber, an initiative aimed at building sustainable funding models to support those that secure the Internet for everyone." - My question is this: If we had funds available, who should get the funding to secure the Internet and why?
- 5. Qualcomm Security Flaws Let Attackers Takeover The Devices
I haven't seen much published about this one: "Vulnerabilities present on Qualcomm’s popular chipsets and modems are desirable to hackers intending to breach devices ranging from smartphones to IoT devices. By exploiting such vulnerabilities, attackers can evade security protocols via multiple malicious acts, which indicates an immediate response from Qualcomm."
- 6. Declassified NSA Newsletters
"Through a 2010 FOIA request (yes, it took that long), we have copies of the NSA’s KRYPTOS Society Newsletter, “Tales of the Krypt,” from 1994 to 2003."
- 7. IBIS hotel check-in terminal keypad-code leakage
"If the hotel reception is not staffed, guests can register via a check-in terminal. The terminal also supports the lookup of existing bookings. With a booking ID, guests can lookup their room number and keypad code. However, when entering a '------' as booking ID, the check-in terminal lists other people's bookings and keypad codes." - I love that a hacker, now known as Martin '------' Schobert (Pentagrid), was fuzzing a terminal and thought "What would happen if?" and entered 6 dashes into the booking ID field to see what would happen. I want the video of his reaction when this worked for the first time. Bravo Martin!
- 8. Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed!
Interesting take: "It is important to note the difference between quantum RSA decryption and non-quantum RSA cracking. The latter could, technically, have already occurred. National intelligence agencies could have achieved this – but they would keep it secret and for their own use only. Achieving full quantum computing would be too massive to hide. Knowledge would escape"
- 9. pfSense® Software Embraces Change: A Strategic Migration to the Linux Kernel
April fool's joke?
- 10. Pwn2Own Toronto 2023: Part 5 – The Exploit – Compass Security Blog
Extremely detailed account, in a five-part blog post series, on attacking a Synology BC500 camera.
- 11. Flipper Zero Panic Spreads To Oz: Cars Unaffected
The article states: "A feature of coming to adulthood for any young person in the last quarter of the twentieth century would have been the yearly warnings about the danger of adulterated Halloween treats. Stories were breathlessly repeated of apples with razor blades in them, or of chocolate bars laced with rat poison, and though such tales often carried examples of kids who’d died horrible deaths in other far-away places, the whole panic was (as far as we know) a baseless urban legend." - I put this right up there with waiting 30 minutes after you eat before swimming, Rock n' Roll is the devil's music, and consuming caffeine as a child will stunt your growth. Throw in there "the Flipper Zero is a dangerous hacking tool that people use to do things such as steal cars". None of these things, as it turns out, are actually true.
- 12. Abusing MiniFilter Altitude to blind EDR
This is really neat: "If you gain local admin privilege access to a host with an EDR solution, you can potentially evade detection by blinding the kernel callbacks that the EDR relies on. This can be achieved by exploiting a minifilter driver, such as the Sysmon driver. Although a reboot of the host is required, this approach is far easier than finding a new Bring Your Own Vulnerable Driver (BYOVD) or attempting unsigned driver exploitation, which is not always an option."
- 1. AI hallucinates software packages and devs download them – even if potentially poisoned with malware
Generative AI systems hallucinate and recommend that developers install packages with names that look reasonable, but don't actually exist. A researcher made a package with a hallucinated name and it was downloaded that installed thousands of times by developers.
- 2. Rust developers at Google are twice as productive as C++ teams
There's been a shift in awareness across the software development ecosystem about the challenges of using non-memory safe languages. The reason is that the majority of security vulnerabilities in large codebases can be traced to memory security bugs. And since Rust code can largely if not totally avoid such problems when properly implemented, memory safety now looks a lot like a national security issue. Rewriting C++ code in Rust increases efficiency: "In every case we've seen a decrease by more than 2x in the amount of effort required to both build the services in Rust as well as maintain and update those services written in Rust"
- 3. Google agrees to delete Incognito data despite prior claim that’s “impossible”
Google collects browsing data from Chrome in Incognito mode, which led to a lawsuit. Now Google has agreed to delete billions of data records reflecting users' private browsing activities.
- 4. Number of Chinese Devices in US Networks Growing Despite Bans
Despite the US ban on some Chinese equipment, the number of China-made devices in US networks has increased by more than 40% in the past year, from 185,000 in February 2023 to nearly 300,000 in February 2024.
- 5. Microsoft, Quantinuum claim breakthrough in quantum computing
A fundamental limit on quantum computing is noise in the qubits. Now Microsoft applied an error-correction algorithm that it wrote to Quantinuum's physical qubits, yielding about four reliable qubits from 30 physical ones. That is the best ratio of reliable qubits from a quantum chip that has ever been shown.
- 6. New Chrome feature aims to stop hackers from using stolen cookies
Google announced a new Chrome security feature called 'Device Bound Session Credentials' that ties cookies to a specific device, blocking hackers from stealing and using them to hijack users' accounts. DSBC links the authentication process to a specific new public/private key pair generated using your device's Trusted Platform Module (TPM) chip that can't be exfiltrated and is securely stored on your device, so even if an attacker steals your cookies, they won't be able to access your accounts.
- 7. NIST’s backlog of vulnerability analysis blamed on lack of support
Since mid-February, NIST has fallen behind in its role of adding essential enrichment information to new CVE entries--the institute analyzed only 199 of 3370 CVEs it received last month. This appears to be a result of funding cuts and lack of staff. However, they expect to restore operations within two weeks.
- 8. Feds finally decide to do something about years-old SS7 spy holes in phone networks
SS7's problems have been known about for years and years, as far back as at least 2008. It can be abused to track people's phones' locations; redirect calls and text messages so that info can be intercepted; and spy on users. Now the FCC is gathering comments as part of a process to fix these problems.
- 9. Microsoft faulted for ‘cascade’ of failures in Chinese hack
The Cyber Safety Review Board found shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency over what Microsoft knew about the origins of the breach. The 2023 Microsoft intrusions exploited security gaps in the company’s cloud, allowing MSS hackers to forge credentials that enabled them to siphon emails from Cabinet officials.