Ping of Death, 500 Year Old Ciphers, Pwn The Dev, & Chatbot’s Order 66 – PSW #766
In the Security News: ping of death returns, remembering when the Internet disconnected if your Mom picked up the phone, a 500-year-old cipher is cracked, VLC is always up-to-date, SIM swapper goes to prison, Rust is more secure but your supply chain is not, if you pwn the developer you win, you have too many security tools, Chrome zero days are not news, Log4Shell: what changed?, Hive social again, ChatGPT, there's a vulnerability in your SDK, and it takes 3 exploits to pwn Linux. All that, and more, on this episode of Paul's Security Weekly!
See the original advisory here: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc. From the article: "[t]he ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur." Also, keep in mind I believe this happens on a reply, so someone would have to inject a malicious reply or hope that you ping a malicious server.
If you remember this, it's time to book a colonoscopy: "Online time was precious back then. Since most BBSes only had one phone line, you didn't want to hog the line for too long or the sysop might boot you. And there was extra jeopardy involved. Since we were using our regular house telephone line to connect, the odds that my mom would pick up and try to dial out—thus ruining the transfer process—remained very high." Oh, and this article on how to connect to it has me interested, something I want to try for sure: https://www.howtogeek.com/686600/remember-bbses-heres-how-you-can-visit-one-today/
Interesting story: it turns out they found a letter that had been transcribed and served as the key to unlocking the code. Also, this: "And a few symbols didn't seem to serve any function at all. Simply putting it into a computer and telling the computer to work it out would have literally taken longer than the history of the universe."
This is another area I don't trust: software update processes. Here is a good example. The latest version of VLC fixes a security flaw, but VLC's servers reported that an older version was the latest; therefore, clients would not update. My imagination runs wild; what if this were put there on purpose? And if I did it on purpose, I would tell you there was an update, except I would continue to install the older and vulnerable version of the software. How about that for a supply chain attack? The Synacktiv team has a write-up of the vulnerability here: VLC : Integer overflow in vnc module <= 3.0.18 CVE-2022-41325
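As an added example (not VLC's updater, and not from the Synacktiv write-up), here is the kind of client-side gate that turns a stale or malicious "latest version" claim into a refusal rather than a silent downgrade: the advertised version is compared against both the installed version and a minimum-fixed version compiled into the client, so the server can neither move the client backwards nor convince it that a known fix does not exist. The `version=a.b.c.d` manifest format, the `min_safe` floor, and the three sample server responses are assumptions constructed for the illustration.

```python
"""Added example, not VLC's updater: a client-side gate on the version an
update server advertises. The manifest format ('version=a.b.c.d'), the
min_safe floor baked into the client, and the sample responses are assumptions."""
import re
from typing import Tuple

Version = Tuple[int, ...]

# Constructed server responses. The first mirrors the reported situation
# (server still advertising the older 3.0.17.4 while 3.0.18 carried the fix);
# the second is the deliberate downgrade the paragraph imagines.
STALE_MANIFEST = "version=3.0.17.4"
DOWNGRADE_MANIFEST = "version=2.2.8"
GOOD_MANIFEST = "version=3.0.18"

MANIFEST_RE = re.compile(r"^version=(\d+(?:\.\d+)*)\s*$")


def parse_version(s: str) -> Version:
    """'3.0.18' -> (3, 0, 18). Only digits and dots are accepted."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", s):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in s.split("."))


def parse_manifest(text: str) -> Version:
    """Extract the advertised version from a server response, strictly."""
    m = MANIFEST_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed manifest: {text!r}")
    return parse_version(m.group(1))


def compare(a: Version, b: Version) -> int:
    """-1, 0 or 1; missing trailing components count as 0, so (3, 0) == (3, 0, 0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def decide(installed: str, manifest: str, min_safe: str) -> str:
    """Classify a server response.

    installed: version currently running
    manifest:  raw server response
    min_safe:  lowest version known, when this client was built, to carry the
               security fix; nothing the server sends can lower it
    Returns 'update', 'up-to-date', 'stale-server' or 'downgrade-refused'.
    """
    cur = parse_version(installed)
    adv = parse_manifest(manifest)
    floor = parse_version(min_safe)
    if compare(adv, cur) < 0:
        # Never act on an advertised version older than what we run, whatever
        # the server claims: this is the downgrade-as-supply-chain-attack case.
        return "downgrade-refused"
    if compare(adv, floor) < 0:
        # Server says we are current, but we know a fixed release exists:
        # the server, not our install, is the thing that is wrong.
        return "stale-server"
    if compare(adv, cur) == 0:
        return "up-to-date"
    return "update"


if __name__ == "__main__":
    for m in (STALE_MANIFEST, DOWNGRADE_MANIFEST, GOOD_MANIFEST):
        print(m, "->", decide("3.0.17.4", m, "3.0.18"))
```

The gate only means something if the manifest is also authenticated (signed with a key the client pins); otherwise anyone on the path can advertise whatever they like. What it adds on top of a signature is that even an authentic response from a compromised or misconfigured server cannot move the client backwards or talk it out of a fix it already knows about.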
I remember listening to the "Dirty Coms" Darknet Diaries episode (https://darknetdiaries.com/episode/112/) and really being impressed by how attackers were profiting from these coordinated attacks. Why all the effort? Well, Nicholas Truglia was convicted of stealing $20 million in cryptocurrency. Diving into how cyber criminals make money is really interesting, and reminds me of why law enforcement is famous for just following the money. The Hacked podcast just ran an episode that details how a Microsoft employee figured out how to "print" gift cards. He also got caught. Is it greed? Is it something like a drug, where the more you steal the better the "high"? Then I think about all the ones that got away with it because they are not being greedy and are flying under the radar.
We should use Rust because it's more memory safe. While true, that does not mean there will not be a supply chain attack, in this case against Rust itself, stemming from GitHub Actions: "The “download artifacts” API (and various custom actions encapsulating it) doesn’t differentiate between artifacts that were uploaded by forked repositories and base repositories, which could lead privileged workflows to download artifacts that were created by forked repositories and that are potentially poisoned. To put it simply: in a vulnerable workflow, any GitHub user can create a fork that builds an artifact. Then inject this artifact into the original repository build process and modify its output. This is another form of a software supply chain attack, where the build output is modified by an attacker."
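Added example, not code from the Rust project or from the report quoted above: the provenance check a privileged `workflow_run` job should make before it downloads and executes an artifact from an earlier run. It reads fields GitHub puts in the `workflow_run` event payload (`workflow_run.head_repository.full_name`, `workflow_run.repository.full_name`, `workflow_run.event`, `workflow_run.conclusion`, `workflow_run.id`). The two payloads below are constructed and trimmed to those fields, and the repository, branch and workflow names are placeholders.

```python
"""Added example, not code from the Rust project or GitHub: a provenance gate
for artifacts consumed by a privileged workflow_run job. Event payloads are
constructed and trimmed; repository and workflow names are placeholders."""
import json
from typing import Dict, Tuple

# What a base-repository push run looks like in the workflow_run payload.
BASE_RUN_EVENT: Dict = json.loads("""{
  "repository": {"full_name": "example-org/project"},
  "workflow_run": {
    "id": 1001, "name": "CI", "event": "push", "conclusion": "success",
    "head_branch": "main", "head_sha": "0a1b2c3d",
    "repository": {"full_name": "example-org/project"},
    "head_repository": {"full_name": "example-org/project", "fork": false}
  }
}""")

# A run triggered by a pull request from a fork. workflow_run.repository is
# STILL the base repository (the run executed there), which is why checking
# that field alone lets a poisoned artifact through; head_repository is the tell.
FORK_RUN_EVENT: Dict = json.loads("""{
  "repository": {"full_name": "example-org/project"},
  "workflow_run": {
    "id": 1002, "name": "CI", "event": "pull_request", "conclusion": "success",
    "head_branch": "poisoned", "head_sha": "deadbeef",
    "repository": {"full_name": "example-org/project"},
    "head_repository": {"full_name": "attacker/project", "fork": true}
  }
}""")

# Events that can only be raised by people with write access to the base repo.
# pull_request is deliberately excluded, even from same-repo branches.
TRUSTED_EVENTS = {"push", "schedule", "workflow_dispatch"}


def artifact_is_trusted(event: Dict, allowed_workflows=("CI",),
                        allowed_branches=("main",)) -> Tuple[bool, str]:
    """Decide whether artifacts from event['workflow_run'] may be downloaded
    and executed by this (privileged) job. Returns (ok, reason)."""
    base = event["repository"]["full_name"]
    run = event["workflow_run"]
    head = run.get("head_repository") or {}
    if head.get("full_name") != base or head.get("fork"):
        return False, f"artifact built from {head.get('full_name')}, a fork of {base}"
    if run.get("event") not in TRUSTED_EVENTS:
        return False, f"run triggered by {run.get('event')!r}; only {sorted(TRUSTED_EVENTS)} are trusted"
    if run.get("conclusion") != "success":
        return False, f"run concluded {run.get('conclusion')!r}"
    if run.get("name") not in allowed_workflows:
        return False, f"run came from workflow {run.get('name')!r}, not {list(allowed_workflows)}"
    if run.get("head_branch") not in allowed_branches:
        return False, f"run built branch {run.get('head_branch')!r}, not {list(allowed_branches)}"
    return True, f"run {run['id']} built {run['head_sha']} on {base}"


def artifact_run_id(event: Dict) -> int:
    """The run whose artifacts to fetch. Pin by the run id carried in the event;
    never search for 'the newest artifact named X', which a fork can supply."""
    return event["workflow_run"]["id"]


if __name__ == "__main__":
    for ev in (BASE_RUN_EVENT, FORK_RUN_EVENT):
        ok, why = artifact_is_trusted(ev)
        print("TRUST " if ok else "REJECT", artifact_run_id(ev), why)
```

In a real job this would run first, reading `GITHUB_EVENT_PATH`, and the download step would only be reached when it returns true; the same checks can be expressed as an `if:` condition on the job, but keeping them in one place makes them reviewable and testable.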
Interesting vulnerability: an attacker accesses the Redis server and tells it to replicate from an attacker-controlled server; that server contains a backdoored shared object, the servers replicate, the target server then executes the shared object, and replication is terminated. The malware is interesting too, being described as: "Our investigation revealed new undetected malware written in Golang designed to target Redis servers to allow the attacking server to dominate the compromised machine."
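An added detection example (not Redis code and not from the report quoted above): a parser for Redis MONITOR-style command lines and a per-client state machine that flags the chain the paragraph describes, REPLICAOF toward a master not on an allowlist, followed by MODULE LOAD, followed by REPLICAOF NO ONE. It also flags CONFIG SET of dbfilename or dir, a precursor commonly seen in this attack class that the page itself does not mention. The log lines, client addresses and the known-master allowlist are constructed.

```python
"""Added detection example (not Redis code, not from the quoted report): parse
Redis MONITOR-style lines and flag the rogue-master replication chain. Log
lines, addresses and the known-master allowlist are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed MONITOR output: one normal client, one attacker, one admin doing a
# legitimate REPLICAOF. The attacker's sequence CONFIG SET dbfilename ->
# REPLICAOF <attacker> -> MODULE LOAD -> REPLICAOF NO ONE is the chain above
# (the .so arrives as the "RDB" payload of the replication sync).
SAMPLE_LOG = """\
1670000001.000001 [0 10.0.0.7:40001] "GET" "session:42"
1670000002.000001 [0 198.51.100.23:55012] "CONFIG" "SET" "dbfilename" "exp.so"
1670000003.000001 [0 198.51.100.23:55012] "REPLICAOF" "198.51.100.23" "8888"
1670000009.000001 [0 198.51.100.23:55012] "MODULE" "LOAD" "./exp.so"
1670000010.000001 [0 198.51.100.23:55012] "REPLICAOF" "NO" "ONE"
1670000011.000001 [0 10.0.0.7:40001] "SET" "session:42" "abc"
1670000012.000001 [0 10.0.0.2:41000] "REPLICAOF" "10.0.0.1" "6379"
""".splitlines()

KNOWN_MASTERS = {"10.0.0.1:6379"}  # constructed: the only legitimate primary

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, backslash escapes allowed


def parse_line(line: str) -> Optional[Dict]:
    """One MONITOR line -> {ts, client, cmd, args}; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    if not args:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "cmd": args[0].upper(), "args": args[1:]}


def detect(lines: List[str], known_masters=KNOWN_MASTERS) -> List[Dict]:
    """Per-client stages: 0 nothing seen, 1 replicating from an unknown master,
    2 module loaded while in stage 1. Returns alerts in log order."""
    alerts: List[Dict] = []
    stage: Dict[str, int] = defaultdict(int)

    def alert(ev: Dict, severity: str, msg: str) -> None:
        alerts.append({"ts": ev["ts"], "client": ev["client"],
                       "severity": severity, "msg": msg})

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        c, cmd, raw = ev["client"], ev["cmd"], ev["args"]
        up = [a.upper() for a in raw]
        if cmd in ("REPLICAOF", "SLAVEOF") and len(raw) == 2:
            if up == ["NO", "ONE"]:
                if stage[c] == 2:
                    alert(ev, "critical", "replication abuse chain complete: "
                          "unknown master -> MODULE LOAD -> REPLICAOF NO ONE")
                stage[c] = 0
            else:
                master = f"{raw[0]}:{raw[1]}"
                if master not in known_masters:
                    alert(ev, "high", f"replication pointed at unknown master {master}")
                    stage[c] = 1
        elif cmd == "MODULE" and up[:1] == ["LOAD"]:
            path = raw[1] if len(raw) > 1 else "?"
            if stage[c] == 1:
                stage[c] = 2
                alert(ev, "critical", f"MODULE LOAD {path} while replicating from unknown master")
            else:
                alert(ev, "high", f"MODULE LOAD {path}")
        elif cmd == "CONFIG" and up[:2] in (["SET", "DBFILENAME"], ["SET", "DIR"]):
            alert(ev, "medium", f"CONFIG SET {raw[1]} {' '.join(raw[2:])}".rstrip())
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["client"], a["msg"])
```

MONITOR is far too expensive to leave running in production; the same logic can be fed from a proxy or from command auditing, and the better fix is to not let application credentials issue these commands at all (Redis ACLs denying REPLICAOF, SLAVEOF, CONFIG and MODULE to anything but an admin user, `protected-mode yes`, and no exposure of the port beyond the hosts that need it).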
This was really great work by the Qualys team, they combined some previous research (with multipathd) with this: "snap-confine created the temporary directory /tmp/snap.$SNAP_NAME or reused it if it already existed, even if it did not belong to root; a local attacker could race against snap-confine, retain control over /tmp/snap.$SNAP_NAME, and eventually obtain full root privileges."
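Added example, not snap-confine's code: the "create or reuse" pattern the advisory text describes, next to a version that only reuses a pre-existing directory when it is a real directory (not a symlink) owned by the expected uid and not group/world writable, and which hands back a directory fd so later work happens on the object that was checked rather than on a name that can be swapped out from under it. Path names are illustrative; `demo()` stages the three attacker scenarios in a fresh temporary directory.

```python
"""Added example, not snap-confine's code: 'create or reuse' a fixed-name
directory versus refusing to reuse one we did not create. Names are
illustrative; demo() builds the scenarios in a fresh temporary directory."""
import os
import shutil
import stat
import tempfile
from typing import Dict, Optional


def unsafe_prepare(path: str, mode: int = 0o700) -> str:
    # The pattern the advisory describes: create the directory, or silently
    # reuse whatever already sits at that name, whoever owns it, whatever it is.
    os.makedirs(path, mode=mode, exist_ok=True)
    return path


def safe_prepare(path: str, mode: int = 0o700, owner: Optional[int] = None) -> int:
    """Create path, or accept an existing one only if it is a real directory
    (not a symlink), owned by `owner` (default: our uid) and not group/world
    writable. Returns an open directory fd; callers should keep working through
    it (dir_fd=...) instead of re-resolving the path."""
    owner = os.getuid() if owner is None else owner
    try:
        os.mkdir(path, mode)
    except FileExistsError:
        pass  # somebody created it first; the checks below decide who
    try:
        # O_NOFOLLOW: a planted symlink fails with ELOOP instead of being followed.
        # O_DIRECTORY: a regular file planted there fails with ENOTDIR.
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as e:
        raise PermissionError(f"refusing {path}: {e.strerror}") from e
    st = os.fstat(fd)  # fstat the fd we hold, not the path
    problem = None
    if st.st_uid != owner:
        problem = f"owned by uid {st.st_uid}, expected {owner}"
    elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problem = f"mode {oct(stat.S_IMODE(st.st_mode))} is group/world writable"
    if problem:
        os.close(fd)
        raise PermissionError(f"refusing {path}: {problem}")
    return fd


def _refused(fn, *args, **kwargs) -> bool:
    """True if fn raised PermissionError; closes any fd it returned otherwise."""
    try:
        result = fn(*args, **kwargs)
    except PermissionError:
        return True
    if isinstance(result, int):
        os.close(result)
    return False


def demo() -> Dict[str, bool]:
    """Three things an attacker can stage at a predictable name under /tmp."""
    base = tempfile.mkdtemp(prefix="snapdemo.")
    fresh = os.path.join(base, "snap.fresh")
    planted = os.path.join(base, "snap.planted")
    link = os.path.join(base, "snap.link")
    os.mkdir(planted)
    os.chmod(planted, 0o777)  # attacker-staged, world-writable directory
    os.symlink(base, link)    # attacker-staged symlink at the expected name

    fd = safe_prepare(fresh)
    fresh_ok = stat.S_ISDIR(os.fstat(fd).st_mode)
    os.close(fd)
    results = {
        "fresh_dir_accepted": fresh_ok,
        "unsafe_reuses_world_writable": unsafe_prepare(planted) == planted,
        "safe_refuses_world_writable": _refused(safe_prepare, planted),
        "safe_refuses_symlink": _refused(safe_prepare, link),
        # Demanding uid 0 while not root exercises the owner check.
        "safe_refuses_wrong_owner": os.getuid() == 0 or _refused(safe_prepare, fresh, owner=0),
    }
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The structural fix the checks stand in for is to not use a predictable name in a world-writable directory at all (a per-user or private runtime directory, or `mkdtemp`), so that there is nothing for a local attacker to race against in the first place.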
Wow, the examples: "I know one security team that hired three people to chase down alerts from a CASB about open S3 buckets. Those buckets almost always contained nothing of value and were usually empty. I know another security team that recently showed us their Wiz instance and it had 884 alerts for Log4J issues. Despite the potential for that vulnerability to do serious damage, they just ignored it. They decided that the alerts were more expensive to triage than the potential risk to the" Okay, yeah, I'm sold on this point in the article: "If you want to sell to a security team, then you have to reduce the amount of tools they have (the best option), or replace existing tools by being a better mousetrap (the next best option). If you are adding a new tool, then good luck because you are going to need it."
I could not find the original article or episode where I think we talked about this. Is it the same one we covered a few weeks ago? Certainly sounds like it: "Of course, we were interested and took a look at Hive from a security standpoint. We found a number of critical vulnerabilities, which we confidentially reported to the company. After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to fix them within the next two days. However after those two days, multiple vulnerabilities we reported were not fixed and still existed at the time of writing." The response? They shut down their servers...
I believe we've reached a point where this isn't really news. Chrome is going to have vulnerabilities. Google's team will fix them. People will still continue to find them. Then Google will fix them. If you're not updating Chrome daily, you may get pwned. I do, perhaps, see a day where there are some protections against this, whether that's in the OS (sandboxing), outside the OS sandboxing (sorta like Bromium, but there are others), or just straight up exploit prevention running in the app (like Vicarious and some others).
Look, not much has changed here. People still have not patched. Software supply chain security is still a mess. There continue to be supply chain threats that weaken your overall security. One way to combat this is within the SDLC of the upstream provider and, if you are making your own software, within your own SDLC. Third-party software, software that you use but do not write yourself, is still a huge issue...
Executive Director at RM-ISAO
Product Security Research and Analysis Director at Finite State
The Chengdu-based hacking group known as APT41 stole at least $20 million in U.S. Covid relief benefits. “I’ve never seen them target government money before,” said John Hultquist, the head of intelligence analysis at the cybersecurity firm Mandiant. “That would be an escalation.” 20-40% of pandemic benefits were paid improperly.
Expanded end-to-end encryption would protect a user’s data even if Apple itself were breached.
The company will also soon support the use of physical authentication keys with Apple ID, and is adding contact verification for iMessage in 2023.
The thieves hacked into their Facebook site. Once there, they were able to tap into bank accounts associated with Arnold's Facebook. The thieves bought ads, turning money from bank accounts into Facebook advertising currency to be used in other countries. To ensure Arnold's couldn’t get back into their social media accounts, the hackers posted severely inappropriate material that got Arnold’s account banned for life.
Colorado police used a "Find My" app as evidence to obtain a search warrant, without disclosing its limitations. They then sent a SWAT team to raid a 77-year-old grandmother, looking for a stolen truck which was not there.
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element
In the Security News for this week: defending against cleaning services, catastrophic mutating events and the future, myths and misconceptions, finding vulnerabilities in logs (And not log4j), SSRF leads to RCE with a PoC, SQLi with XSS bypasses WAF FTW, thinkpad as a server, RPC directory traversal for the win, just directory traversal for the win...
In a recent survey on purple teaming, 89 percent of respondents who had used the method deemed purple teaming activities “very important” to their security operations. Purple teaming exercises conducted regularly have the power to improve collaboration across teams, ensure issues are identified and remediated more proactively, and provide a means t...
Join Erik Hart, CISO at Cushman & Wakefield, and Eden Naftali, CTO Operations at Wiz, for a discussion around key trends in the cloud with the rapid pace of innovation and new technologies in IaaS and PaaS. This segment is sponsored by Wiz. Visit https://securityweekly.com/wiz to learn more about them!