PSW #763 – Dan DeCloss

LOL: "The DoJ noted that it found Zhong's holdings "in an underground floor safe; and on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet" when it raided his home in November 2021."

I researched this topic, spoke with a former Intel engineer, and traced back some research from Joao Moreira (https://twitter.com/lvwr/status/1587907509897297920); they both are positive on these changes. There are a few factors at play, such as for some protections, you must have an Intel CPU with CET support, and there are further efforts to build in control flow enforcement into the Linux kernel independent of hardware. I believe this is a step in the right direction to make code execution more difficult. (Further reading: https://lwn.net/Articles/889475/ and further viewing: https://www.youtube.com/watch?v=6Y-cNa-NNhk (How has this talk only gotten like 500 views?!?!?)

"When Red Cross staff work in conflict zones, their recognizable red-on-white emblems signal that they and those they are helping should not be targeted. Now, as warfare and attacks increasingly move into cyberspace, the organisation wants to create a digital emblem that would alert would-be attackers that they have entered computer systems of the Red Cross or medical facilities." - I get the concept; however, there is no reason why attackers would follow the rules. "Don't hack me" won't work, even if it's the Red Cross (unfortunately).

"We design our requests to collect the smallest amount of technical information required to validate the presence/version and/or vulnerability of a piece of software. We also design requests to limit the amount of personal data within the response" - No need to panic, we're here from the government to scan your systems, everything will be fine. Japan a few years ago announced they were scanning IoT devices as part of a similar program. There are other volunteer programs as well. I believe this should be done in cooperation between the government, non-profits, and volunteers to keep the balance.

Here's the story: Stanford dropouts create a social network for college students called "Fizz", claiming it's an anonymous way to communicate with fellow students safely (and do heavy moderation to prevent bullying, etc...). You need a .edu email address to join (sound familiar?). Security researchers figure out that the data is not protected in the cloud, and they can basically see all user data and even modify it. They report it to Fizz. Fizz says, "Thanks!" and then sues the researchers. The EFF represents the researchers, the flaws get fixed, but how can you trust Fizz?

This research combined static and dynamic analysis, which is not new; however, they combined and refined multiple methods for finding vulnerabilities and did it at scale. The results are pretty impressive (albeit limited to a specific subset of bug classes that lend themselves to static+dynamic analysis): "We evaluate ARBITER on 76,516 binary programs, which are collected from x86-64 Ubuntu 18.04 software repositories. We also demonstrate its precision by analyzing the 436 CWE131 alerts that ARBITER raises in 366 programs, the 159 CWE252 alerts across 126 programs, the 158 CWE-134 alerts across 119 programs, and the 377 CWE-337 alerts across 370 programs. These results demonstrate that ARBITER scales to real-world scenarios, and can detect bugs, including 0-day vulnerabilities, in real-world software. For example, we found and reported an exploitable vulnerability (CVE-2018-18311) in the Perl runtime and a heap error that affects all 32-bit programs compiled by the OCaml compiler." - Code is open-source and available here: https://github.com/jkrshnmenon/arbiter

Seems we are always trying to fix the shortcomings of SGX, through microcode updates and kernel fixes.

NixOS seems really cool, something I have to try for sure. This article details a complete build of essentially one operating system and two separate user environments, like chroot, but with much better separation.

While this is not new, it's not widely documented or publicized, but according to experts "highly effective".

Good overview, seems CHERI has some good adoption (and has been worked on by some super smart people): "CHERI extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization. The CHERI memory-protection features allow historically memory-unsafe programming languages such as C and C++ to be adapted to provide strong, compatible, and efficient protection against many currently widely exploited vulnerabilities. The CHERI scalable compartmentalization features enable the fine-grained decomposition of operating-system (OS) and application code, to limit the effects of security vulnerabilities in ways that are not supported by current architectures." - https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/

This is really well-written: "Due to their architecture, Java web applications have a significant security advantage: their file system access is inherently more secure than, say, that of a PHP application running on Apache. Since Java applications are usually packaged as servlets, the application treats the application context root as the only file system it can access. In most cases, there is simply no way for an attacker to reach the underlying file system unless this is explicitly done in application code by using absolute paths and suitable access control. However, it is easy to be blindsided by this secure-by-design characteristic of Java. Many developers assume that since you cannot reach files in the underlying operating system, there is no need to sanitize code or use input validation to protect against potential path traversal attacks" - Given that fact, attackers can enumerate all sorts of goodies in Java applications. Check out the tool here: https://github.com/Invicti-Security/web-inf-path-trav. Ultimately this leads to downloading the entire application and de-compiling it.

Intel uses ME as a swiss army knife. Most are familiar with Intel MEs ability to monitor and manage the system remotely. However, remote access aside, ME plays a role in some of the core hardware security protections, such as fusing circuits or applying firmware or microcode updates. In this case, as of this writing, Intel uses ME exclusively to update firmware on their new Arc graphics cards. This means if you are running a non-Intel platform, you don't have ME and, therefore, cannot update the firmware. I don't believe Intel will keep this limitation as they likely want to sell as many graphics cards as possible, and excluding AMD users contradicts that mission. I do worry, for security's sake, that this type of limitation exists...

In case you missed it, I covered a lot of ground, including How to update your Secure Boot dbx (new and better method than before), enumerate Intel ME on your systems, and how to determine if your flash chip is protected (or not).

"[Most agree] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high,” Eldridge told The Daily Swig. “There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used." - Turns out its really hard to use cryptography to allow a computer program to run only once. The idea was introduced as early as 2008, but had significant challenges such as how do you: " only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob. No such tokens were ever made, so the whole idea has lain dormant for more than a decade." The new research suggests using lockboxes, the technology in your phone that can lock after unsuccessful passcodes, however its still challenging: "researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome."

The problem is when automates systems send URLs to urlscan.io to check if they are safe and urlscan.io stores the URL information, which could include tokens, password reset data and more. There is a list of "dorks" on the PT site that allows you to start reviewing urlscan.io for leaked information. The problem is the "fix," or "fixes," have to come from multiple parties. urlscan.io should try to prevent this by not storing sensitive information (even though it's given to them), the sites being submitted should do things such as have short password reset time windows, and the organizations sending the data should be careful not to send sensitive information from URLs being monitored. An attack scenario could include sending password reset emails, knowing those URLs will end up on urlscan.io, and taking over accounts.

This is a great article, perhaps one of the best I've read on supply chain, highlighted by this quote: "Why would an adversary spend weeks building out a cyber kill chain that includes custom malware and a complex social engineering campaign when they could compromise a softer target – a vendor or partner in the supply chain – and have direct, trusted access to the primary target in a much shorter time? They won’t. They will choose the path of least resistance. For this reason, the concept of an organization’s attack surface has grown beyond its protected environment to include assets and entities that it does not own or control." While they do not mention firmware, this speaks to me: "Visibility beyond that first degree of separation begins to get hazy and an organization may not have any knowledge of its supply chain at all beyond the second degree of separation. This leaves security teams with the elusive task of managing a set of risks about which little is known."

What if you actually wanted to persist on a load balancer? Load balancers tend to run this firmware-like OS, based on Linux. Nate found ways to persist on these devices through reboots and device upgrades by hiding in the backup archives an unique and interesting ways.

Interesting research...

https://news.google.com/__i/rss/rd/articles/CBMiT2h0dHBzOi8vc2VjdXJpdHlhZmZhaXJzLmNvL3dvcmRwcmVzcy8xMzgxMDAvc2VjdXJpdHkvdHJlYXQtYWN0b3JzLXplcm8tZGF5Lmh0bWzSAQA?oc=5

https://thehackernews.com/2022/11/hackers-using-rogue-versions-of-keepass.html

The US Federal Bureau of Investigation (FBI) has published a Private Industry Notification warning that hacktivists are launching distributed denial-of-service (DDoS) attacks. The document includes recommendations for mitigating the effect of the attacks. Targets have included financial institutions, emergency services, airports, and healthcare-related facilities.

Boeing subsidiary Jeppesen has “experienced a cyber incident affecting certain flight planning products and services.” The incident affected some flight planning products and services. The incident began on November 2; Jeppesen says that as of November 5, notice to air mission (NOTAM) bulletins were reactivated in their hosting environment.

Researchers from Phylum have found nearly 30 malicious packages in Python Package Index (PyPI) that attempt to infect developers’ systems with the W4SP Stealer Trojan. The packages are clones of popular software packages with names that make them seem legitimate. The malicious packages have been downloaded 5,700 times.

The attackers used various techniques to import their Trojan by modifying the init.py or setup.py script, which are subtle and hard to spot. That import statement creates a temporary file which is executed, downloading obfuscated code from multiple sites which contains a compressed object which is, actually, the W4SP Stealer, which is designed to steal information from users’ systems including browser passwords, crypto wallets and interesting files with financial related information.

Microsoft’s Digital Defense Report 2022 addresses the state of cybercrime, nation state threats, devices and infrastructure, cyber influence operations, and cyber resilience.

Rolling out this week, Android’s November 2022 security updates patch over 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

A Nigerian influencer who attracted millions of followers on Instagram by showing off luxury cars and high-end clothing was sentenced on Monday to 11 years in prison for his role in business email compromise schemes and money laundering.

​Today is Microsoft's November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws. Odds are the updates were already pushed - remember to reboot so any open/busy files are replaced....