Snowden Revelations, Cult of The Dead Cow Saves The Internet, & Stealing Your Pixels – PSW #800

I've seen this crop up a few times lately: "The flaw was assigned CVE-2023-5009 (CVSS v3.1 score: 9.6) and impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4. The issue was discovered by security researcher and bug hunter Johan Carlsson, who GitLab said is a bypass of a medium-severity problem tracked as CVE-2023-3932 that was fixed in August." - Initially, a vulnerability is a low or medium severity, but then folks spend more time analyzing it, and bam it's a high severity issue. One could argue that you should patch everything...

Interesting stuff: "The NSA listed Cavium, an American semiconductor company marketing Central Processing Units (CPUs) – the main processor in a computer which runs the operating system and applications – as a successful example of a “SIGINT-enabled” CPU supplier. Cavium, now owned by Marvell, said it does not implement back doors for any government. The NSA compromised lawful Russian interception infrastructure, SORM. The NSA archive contains slides showing two Russian officers wearing jackets with a slogan written in Cyrillic: “You talk, we listen.” The NSA and/or GCHQ has also compromised Key European LI [lawful interception] systems. Among example targets of its mass surveillance program, PRISM, the NSA listed the Tibetan government in exile." - So only 1% of the "Snowden leaks" have been made public. Applebaum claims to have analyzed the 99% and that is what is summarized above. Who has the 99%? That's up for debate, some say there are copies locked away, and some say it was destroyed. Interesting read none the less. More info here: https://www.computerweekly.com/news/366552520/New-revelations-from-the-Snowden-archive-surface

Fix has been pushed into the kernel, POC released.

Neat: "Godbolt.org, also known as the "Compiler Explorer," is a web-based platform designed to help developers explore and understand the assembly output of various programming languages and compilers. While it's often used by programmers to optimize their code and gain insights into compiler behavior, it's also a goldmine for anyone interested in reverse engineering."

Let this be a warning to you: "eBPF is a powerful tool for Linux observability and monitoring, but it was not designed for security and comes with inherent limitations. Developers need to be aware of pitfalls like probe unreliability, data truncation, instruction limits, concurrency issues, event overload, and page faults. Workarounds exist, but they are imperfect and often add complexity. The bottom line is that while eBPF enables exciting new capabilities, it is not a silver bullet. Software using eBPF for security monitoring must be built to gracefully handle missing data and error conditions. Robustness needs to be a top priority." - It is tempting to use eBPF for security monitoring, but keep in mind not only does it have the limitations explained here, an attacker with control of the kernel can control eBPF.

Get your Github configuration right: "Members of the cybersecurity community have documented pull request target abuse for several years, beginning with an excellent three part write up by GitHub’s Jaroslav Lobacevski on GitHub Actions security and several follow up blog posts by Cycode, and GitGuardian. Despite the extensive documentation on pwn requests, we have seen several large projects that are vulnerable to these attacks only months after introducing the pull request capability. This means that some engineers writing CI/CD workflows are not considering the risks of abuse when writing workflows." - Several examples are included in this post.

"Speculation, including from me, quickly arose that a large number of similarities strongly suggested that the underlying bug for both vulnerabilities was the same. On Thursday, researchers from security firm Rezillion published evidence that they said made it “highly likely” both indeed stemmed from the same bug, specifically in libwebp, the code library that apps, operating systems, and other code libraries incorporate to process WebP images" - More than just speculation, it was libwebp all along, and it affects a large number of software projects (https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/). But now what? Google and Apple have to do a better job moving forward of not just fixing their own products, but including all affected software. This should have been a more coordinated effort.

This was a concern for many parties when I worked for this organization. It should be an example of why you should protect the tools and solutions that are working to protect the security of your organization. Attackers will prey on the systems with the "keys to the kingdom", and software such as vulnerability scanners has access to the "keys". Of course, this depends on the deployment, but none the less make sure you work towards a secure architecture and rotate keys and passwords for really important things.

"Today, informed by the findings from Kaspersky Lab, we became aware of a past security incident from 2020. It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software." - Given the attacks started in Jan 2020 and only infected 1% of the downloads on the site, could this be Ukrainians targeting Russians?

Great work on this set of scripts to help automate tasks that typically begin a penetration test or bug bounty hunt. However, please remember to review these scripts before executing them. The requirements.sh file installs a bunch of packages from several Github repositories. If you do not validate the installation process before you trust it, you may end up pwned. The author did a nice job here and made a great contribution, but be cautious when installing tools.

The curl vulnerability we talked about a couple of weeks ago is part of a larger story, described here by Dan Lorenc: "Someone is clearly scraping old issues and commits to file these in an automated fashion, without ever getting maintainers involved. Stop doing this! CVEs are about communication, and automating it like this is literally going to DOS triage teams, the NVD itself, and open source maintainers stuck dealing with the fallout. Stop doing this!" - Part of the problem is that someone, or some organization, submitted 138 CVEs for issues that were already fixed. I think we can say that CVE is broken in many ways, but how do you fix it?

If you want to, okay you should want to, know how to rotate keys on several major platforms, this is the site for you: "Welcome to How To Rotate, an open-source collection of API Key Rotation tutorials. Each tutorial provides step-by-step instructions on how to remediate a leaked API key security vulnerability by (1) Generating a new API key, (2) Replacing the compromised key, and (3) Revoking the compromised key." - Don't forget to update you applications with the new key, or they will no longer work! Slack is one of the examples, if you regenerate a key and revoke the old one, apps will no longer work (unless they are updated).

Another take on the Webp thing.

Read the paper and such here: https://www.hertzbleed.com/gpu.zip/ - I like to read the "Related Work" section in these papers. I pulled this from that section: "Relative to the above work, this paper is the first to study the security implications of, and build compression ratio attacks underpinned by, software transparent lossless compression in the wild. Software-transparent lossless compression is an insidious new threat that opens new attack scenarios beyond what is available to an attacker exploiting software-visible compression. "

Someone has been pwning some Cisco routers and I want to know more!

The patches Apple released last week for zero-day vulnerabilities were prompted by the discovery that they had been used to introduce Predator spyware onto the mobile phone of an Egyptian politician. The vulnerabilities could be chained to infect targeted devices with spyware by redirecting them to websites using HTTP rather than HTTPS.

The three CVE's behind last week's release of iOS/iPadOS, macOS, watchOS and Safari updates. KEV directs agencies to deploy updates by 10/18. May wish to go faster. CVE-2023-41991 Apple Multiple Products Improper Certificate Validation Vulnerability CVE-2023-41992 Apple Multiple Products Kernel Privilege Escalation Vulnerability CVE-2023-41993 Apple Multiple Products WebKit Code Execution Vulnerability

The latest BIND security updates include patches for two high-severity DoS vulnerabilities that can be exploited remotely. The first vulnerability (CVE-2023-3341) is a stack exhaustion flaw in control channel code. The second (CVE-2023-4236) is “a flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure.”BIND version 9.18.19 and BIND Supported Preview Edition version 9.18.19-S1.

Data Breaches Nearly 900 US schools are impacted by the MOVEit hack at the educational nonprofit National Student Clearinghouse.

Look for MOVEit IOCs, move off MOVEit.

Between 2011 and 2021, more than 9 million Kia and Hyundai vehicles were sold without engine immobilizers installed. The devices prevent cars from being hotwired, but their absence from the Kia and Hyundai vehicles has resulted in a significant spike in the theft of those automobiles. Kia and Hyundai are facing multiple lawsuits. Software updates have hit about half the vehicles, Reports it's not a reliable fix. Add Immobilizer to list of needed features when purchasing a vehicle.

Starting in January 2024, Google will remove Gmail basic HTML view and redirect users to Standard view. When Standard view was introduced in 2013, users had the option of switching to Basic if they had slow connections; Basic lacked some of the features available in Standard view. The “Set Basic HTML as default view” option is no longer available.

After Canadian Prime Minister Justin Trudeau recently claimed that India killed Canadian activist Hardeep Singh Nijjar for campaigning to set up an autonomous state for Sikhs in India, a group of threat actors dubbed "Indian Cyber Force" breached the network of the Ontario-based Bristol Dental Clinic and left behind messages in support of India.

Hundreds of Latin American banking customers have been targeted with a novel variant of a banking trojan called "BBTok," which creates convincing but fake versions of the website interfaces of more than 40 Brazilian and Mexican banks to trick targets into sharing their two-factor authentication (2FA) and/or payment card information.

After the chatbot answers one of your queries, hitting the Google button will “double check” your response. Bard will read the response and evaluate whether there is content across the web to substantiate it. When a statement can be evaluated, you can click the highlighted phrases and learn more about supporting or contradicting information found by Search.

The LLM's response to a prompt automatically generates a series of verification questions that test the factual claims of the baseline responses. The response is improved, incorporating any discovered inconsistencies. With CoVe, Llama 65B outperformed leading models like ChatGPT, InstructGPT, and PerplexityAI in long-form generation tasks.

Compared to older generations, younger generations have reported higher rates of victimization in phishing, identity theft, romance scams, and cyberbullying. The Deloitte survey shows that Gen Z Americans were three times more likely to get caught up in an online scam than boomers were (16 percent and 5 percent, respectively).

Veilid aims to replace the advertising giants that run social media platforms with an alternative suite of open-source, serverless, peer-to-peer and mobile-first applications. By creating an application framework that puts privacy first, Veilid tries to put tools in the hands of developers to let them build applications with a fundamentally different ethos than today’s advertising-driven internet economy. The project is aiming to release its first flagship application, VeilidChat, in the coming months.

Microsoft is looking to hire someone to lead the company’s technical assessment for integrating small modular nuclear reactors and microreactors “to power the datacenters that the Microsoft Cloud and AI reside on”. Much of the hope for the next generation of nuclear reactor technology in the U.S. is pinned on smaller nuclear reactors.

The Biden administration is looking to introduce rules that require public cloud operators to disclose to the authorities when any customer purchases a level of compute resources that come in above a certain as-yet unspecified threshold.

A viral account is using off-the-shelf facial recognition tech to dox random people on the internet for the amusement of millions of viewers. One victim said they “felt a bit violated really.” TikTok has decided to not remove it from the platform. TikTok told me the account does not violate its policies; one social media policy expert I spoke to said TikTok should reevaluate that position.

From CISA: Microsoft, Google, and Mozilla reported that around 70% of the serious vulnerabilities Microsoft assigns a CVE [Common Vulnerability and Exposure] each year are memory safety problems. Recommendations: 1-Implement memory safety mitigations in hardware; 2-Use memory safe programming languages like Rust.

Microsoft is now supporting a Rust-based platform for Windows driver development, following in the footsteps of Linux.

Chinese cyber actors known as BlackTech can modify router firmware without detection and exploit routers’ domain-trust relationships. The authoring agencies have observed PRC-linked cyber actors leveraging this exploitation of routers to pivot from global subsidiary companies to corporate headquarter networks in the U.S. and Japan.

A great summary of open-source LLMs, including CodeGen: Streamlining Software Development from SalesForce and BLOOM: Fostering Scientific Collaboration, trained on 46 natural world languages and 13 programming languages.

This methodology gives organizations a useful tool to evaluate supply chain risks with a consistent and predictable structure for a variety of use cases. There's urgency for this since South Korea found "spy chips" in Chinese weather measuring equipment last month (see next article).

South Korea's National Intelligence Service (NIS) has found malicious code embedded in the chips of weather-measuring instruments made in China. The malicious code can eavesdrop on its surroundings and "steal information through radio frequencies". NIS says that while it dealt with Chinese malware (software-based backdoors) in the past, the incident marks the first time it found a "hardware backdoor" in Chinese-made equipment.

GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. GPU.zip starts with a malicious website that places a link to the webpage it wants to read inside of an iframe. Normally, the same origin policy prevents either site from inspecting the content of the other. But data compression GPUs use to improve performance acts as a side channel that they can abuse to bypass the restriction and steal pixels one by one.