This week in the Security News we talk about: it's still not illegal to look at HTML source code, Nobelium strikes again, npm infections, gas is cheap in Iran, if you can get it, Google Tensor, going beyond the transport layer with HTTPS, buying a power plant, EBCDIC and GDPR, how children can infect parents, signing your rootkit, dates are hard, something smells funny and bird poop in your antenna, & more!
"Take the case of Bell Labs physicists Arno Penzias and Robert Wilson, who set out to map radio signals from the Milky Way and wound up being the first to measure the cosmic background radiation (CMB). Their momentous discovery made it possible to obtain information about cosmic processes that took place about 14 billion years ago, and forever changed the science of cosmology, transforming it from a specialty of a select few astronomers to a "respectable" branch of physics almost overnight." All stemmed from me watching this video, as part of my son's homework! https://www.youtube.com/watch?v=hcds5Ob59Dg - Also interesting is that they started to look into interference for some of the first satellite phones. They cleaned bird poop out of the antenna as a potential source of interference. 1% of the static on your TV with an antenna if you tune in between the channels, comes from residual big bang microwave radiation.
I can't wait: "The Google Tensor security core is a custom designed security subsystem dedicated to the preservation of user privacy. It's distinct from the application processor, not only logically, but physically, and consists of a dedicated CPU, ROM, one-time-programmable (OTP) memory, crypto engine, internal SRAM, and protected DRAM. For Pixel 6 and 6 Pro, the security core's primary use cases include protecting user data keys at runtime, hardening secure boot, and interfacing with Titan M2."
I really think of HTTPS as protecting the transport layer; however, Intel is proposing extending it as: "HTTPS cannot provide security assurances on the request data in compute, so the computing environment remains uncertain risks and vulnerabilities."
We need some further restrictions on what add-ons can do: "The two extensions in question, named Bypass and Bypass XM, interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content."
First, like wow: "According to media reports, the 'cyberattack 64411' message appeared to customers that tried to get subsidized fuel at 5 cents a liter or 20 cents a gallon using government-issued cards." Also, a coordinated attack: "As news spread about the NIOPDC distribution network being under attack, digital billboards in multiple cities in Iran started to show messages reading 'Khamenei! Where's our fuel?' and 'Free fuel in Jamaran station.'" And this, LOL: "Iranian state television confirmed the reports of a cyberattack hitting gas stations and Iran's Supreme Council of Cyberspace believes the incident is state-sponsored, although it is early to say which country is behind it." - Gee, I wonder who?
"Greenidge Generation runs a once-mothballed plant near the shore of Seneca Lake in the Finger Lakes region to produce about 44 megawatts to run 15,300 computer servers, plus additional electricity it sends into the state’s power grid. The megawatts dedicated to Bitcoin might be enough electricity to power more than 35,000 homes."
So, the bank could not spell a customer's name correctly, due to diacritical marks. The customer filed a GDPR complaint under Article 16 ("The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her."). The bank says this is impossible because, get this, the system they use only supports EBCDIC!
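Whether a name survives a trip through an EBCDIC system depends entirely on the code page's character repertoire. The check below is an added example (not the bank's code, and not part of the show notes); it assumes Python's built-in cp037 codec (EBCDIC US/Canada, whose repertoire matches Latin-1) as a stand-in for whatever code page the bank actually runs, and the sample names are constructed:

```python
"""Added example: which characters of a customer's name cannot be stored in a
given EBCDIC code page, and what a lossy 'best effort' conversion does to them.
Assumption: cp037 stands in for the bank's real code page; other EBCDIC code
pages (cp500, cp1047, national variants) have different repertoires."""

EBCDIC_CODEPAGE = "cp037"   # assumption, see above


def unrepresentable(name: str, codepage: str = EBCDIC_CODEPAGE) -> list:
    """Return the characters of `name` that the code page cannot encode."""
    missing = []
    for ch in name:
        try:
            ch.encode(codepage)
        except UnicodeEncodeError:
            missing.append(ch)
    return missing


def round_trips(name: str, codepage: str = EBCDIC_CODEPAGE) -> bool:
    """True only if encode-then-decode returns the identical string.
    This is the test a rectification request under Article 16 really asks:
    can the controller store the name exactly as the data subject spells it?"""
    try:
        return name.encode(codepage).decode(codepage) == name
    except UnicodeEncodeError:
        return False


def lossy_store(name: str, codepage: str = EBCDIC_CODEPAGE) -> str:
    """Simulate a system that silently substitutes '?' for anything it cannot
    encode, then show what the customer would see on their statement."""
    return name.encode(codepage, errors="replace").decode(codepage)


if __name__ == "__main__":
    # Constructed sample names: Latin-1 diacritics fit in cp037, others do not.
    for sample in ("José Müller", "Łukasz Nowak", "Nguyễn Văn An"):
        print(sample, "->", unrepresentable(sample), "stored as:", lossy_store(sample))
```

A system that only speaks a single-byte EBCDIC code page can hold the Latin-1 accents but nothing outside that set, so "José" round-trips while "Łukasz" degrades to "?ukasz"; that silent substitution is the inaccurate personal data the complaint is about.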
This, THIS is why I hate parent processes running as root and child processes running with lower privileges: "A low-privilege process can read and write an array of pointers used by the main process, running as root, through shared memory. An attacker can leverage this problem to change a 32-bit integer from zero to one in the main process's memory, or clear a memory region. By leveraging the primitive multiple times, it is possible to reach another bug, make the main process execute code, and thus escalate privileges."
I really want to know how this works: "For the past few months, Bitdefender researchers have seen a surge in malicious drivers with valid digital signatures issued through the WHQL signing process. This research focuses on FiveSys – a digitally signed rootkit that made its way through the driver certification process." - The whitepaper does not really say, unless I missed it, how the attackers managed this: "The reason for this might be the new Driver Signing requirements from Microsoft, which demand drivers to be digitally signed by Microsoft before acceptance by the operating system. This new requirement ensures that all drivers are validated and signed by the operating system vendor rather than the original developer and, as such, digital signatures offer no indication as to the identity of the real developer. It seems that malware writers managed to work around the new requirements, as Netfilter and new FiveSys demonstrated."
Coding dates and time is hard: https://gitlab.com/gpsd/gpsd/-/issues/144 - Looks like in accounting for leap year they created a time machine: "trigger a 1024 week backward time jump from Saturday October 16, 2021 to Sunday March 3, 2002".
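The 1024-week figure is the tell: the legacy GPS navigation message carries the week number as a 10-bit field, so it wraps every 1024 weeks, and software has to pick the right cycle using a reference ("epoch") date. The following is an added example, not gpsd's code and not a description of its specific bug; it shows, in a generic decoder, how a stale reference cycle turns Sunday 17 October 2021 (the first day of GPS week 2180) into Sunday 3 March 2002, exactly 1024 weeks earlier:

```python
"""Added example: 10-bit GPS week rollover and the 1024-week time jump.
Assumptions (mine): GPS week 0 starts on Sunday 1980-01-06, the transmitted
week number is the full week modulo 1024, and the decoder must choose the
cycle from a reference date. Leap seconds are ignored; only dates matter here."""
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)   # start of GPS week 0 (a Sunday)
WEEK_ROLLOVER = 1024           # the 10-bit week counter wraps here


def gps_week_and_day(d: date):
    """Full (unwrapped) GPS week number and day-of-week (0 = Sunday)."""
    days = (d - GPS_EPOCH).days
    return days // 7, days % 7


def truncated_week(full_week: int) -> int:
    """What the 10-bit field in the navigation message actually carries."""
    return full_week % WEEK_ROLLOVER


def resolve_week_naive(truncated: int, reference: date) -> int:
    """Buggy disambiguation: assume the receiver is in the same 1024-week
    cycle as the reference date. Once the true week crosses a rollover that
    the reference date predates, this lands one whole cycle in the past."""
    ref_week, _ = gps_week_and_day(reference)
    cycle_base = ref_week - (ref_week % WEEK_ROLLOVER)
    return cycle_base + truncated


def resolve_week(truncated: int, reference: date) -> int:
    """Robust disambiguation: choose the smallest full week that is not
    earlier than the reference date. Correct as long as the reference date is
    less than 1024 weeks (about 19.6 years) behind the real date."""
    ref_week, _ = gps_week_and_day(reference)
    candidate = ref_week - (ref_week % WEEK_ROLLOVER) + truncated
    if candidate < ref_week:
        candidate += WEEK_ROLLOVER
    return candidate


def decode_date(truncated: int, dow: int, reference: date, naive: bool = False) -> date:
    """Turn a transmitted (truncated week, day-of-week) pair back into a date."""
    resolver = resolve_week_naive if naive else resolve_week
    return GPS_EPOCH + timedelta(weeks=resolver(truncated, reference), days=dow)


if __name__ == "__main__":
    today = date(2021, 10, 17)
    week, dow = gps_week_and_day(today)          # (2180, 0)
    tx = truncated_week(week)                    # 132 on the wire
    stale_ref = date(2015, 1, 1)                 # reference from the previous cycle
    print("naive :", decode_date(tx, dow, stale_ref, naive=True))   # 2002-03-03
    print("robust:", decode_date(tx, dow, stale_ref))               # 2021-10-17
```

The naive resolver is fine for as long as the reference date and the present sit in the same 1024-week cycle, which is why this class of bug only shows up on a specific calendar date; the robust variant only needs the reference date to be less than one cycle old.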
Sr. InfoSec Consultant – Online Business Systems, Director DEI at Hak4kidz, Tribe of Hackers
The cybersecurity professor who helped uncover the Missouri government's failure to protect teachers' Social Security numbers has demanded that the state cease its investigation into him and stop making "baseless accusations" that he committed a crime.
Khan hired an attorney to defend himself against the state's accusations. On Thursday last week, Khan's attorney sent a litigation hold and demand letter to Parson and several state agencies. The letter says that Parson and other state officials defamed Khan and violated his First Amendment "right to speak freely without the threat of government retaliation." The letter adds the Show Me State's investigation into Khan "would violate the prohibition on malicious prosecution."
"Professor Khan is likely to prevail on the merits of any case brought against him," the letter said. "No statute in Missouri or on the federal level prohibits members of the general public from viewing publicly available websites or viewing the website's unencrypted source code. No reasonable person would think they were unauthorized to view a publicly available website, its unencrypted source code, or any of the unencrypted translations of that source code. There is no probable cause to investigate Professor Khan, and instigation or continuation of any proceeding against him would therefore be prohibited."
Microsoft has issued a warning to organizations that the "Nobelium" hacking group behind the SolarWinds attacks has targeted some 140 technology service providers and resellers as part of a global IT supply chain attack.
Researchers say they have discovered a series of credential phishing campaigns in which hackers are leveraging a phishing kit dubbed "TodayZoo" that uses large portions of code lifted from various other phishing kits in order to steal credentials. According to Microsoft, TodayZoo was first identified in December 2020 and includes portions of code such as comment markers, dead links, and other elements found in other, previous phishing kits.
The Groove ransomware gang is calling on other extortion groups to attack US interests after law enforcement took down REvil's infrastructure last week.
Over the weekend, BleepingComputer reported that the REvil ransomware operation shut down again after an unknown third party hijacked their dark web domains.
A cyberattack crippled gas stations across Iran on Tuesday, leaving angry motorists stranded in long lines.
No group immediately claimed responsibility for the attack, which rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump.
An unknown ransomware gang leverages a critical SQL injection flaw in the BillQuick Web Suite time and billing solution to deploy ransomware.
An unknown ransomware gang is exploiting a critical SQL injection flaw, tracked as CVE-2021-42258, in the popular time and billing software suite BillQuick Web Suite to deploy ransomware.
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element
In this panel discussion, we'll discuss the polarizing case of Joe Sullivan that has rattled the CISO community. Was the Sullivan case a rare anomaly? Were his actions in this scenario typical or unconscionable for the average CISO? Is it okay for Sullivan to take the fall while the rest of Uber and involved parties plead out with little to no puni...
The Security Operations Center is often the first line of engagement for security incidents. It’s essential that SOC teams are planned, practiced, and prepared to act. One of the best ways to do that? Cyber Defense Exercises. Join us as we discuss how these work and the value to the program. This segment is sponsored by Wiz. Visit https://security...
Threat actors use automation and technology to do evil at scale. Yet, even with cutting edge technology available to them, smaller organizations feel overwhelmed. Analysts struggle from the “alt-tab, swivel-chair” problem, and security products just don’t feel… powerful. So how does a SOC maximize its most valuable asset–the humans–in combination w...