Stealing Mastodon Passwords, Update Your Firmware on Linux, & Oops I Leaked Again – PSW #764
In the Security News: Stealing Mastodon passwords, reporting vulnerabilities in open-source privately, labeling does not solve problems, or does it? will it every get patched? geolocating people from photos, no meta-data required, update your firmware on Linux, hacking flow computers, when a driver isn't really a driver, well, its a driver, but not the one you may be thinking of, oops I leaked it again, misconfiguration leads to compromise, harden runner, guard dog and hacking spacecraft via Ethernet!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
- 1. Mastodon users vulnerable to password-stealing attacks
My question is, does this work regardless of how the password is auto-filled? I'm thinking the recommendation should be to turn off autofill in the browser and any password managers. There we go again, sacrificing convenience for security! (Mandy = Interesting other points "after discovering that Mastodon allows users to post HTML, Heyes found out from other users that he was able to spoof a blue ‘official’ tick in his username by inputting :verified:." and "Heyes then realised he could inject form elements, allowing him to spoof a password form which, when combined with Chrome autofill, would allow an attacker access to the credentials. Worse still, the researcher was able to spoof the toolbar below. Where a user clicked on any elements of the spoofed toolbar, it would send their credentials to an attacker's server." Reported the bug directly to Glitch. Contributors have released a patch for the issue, which is available on the Glitch repo.)
- 2. [CVE-2022-40303] Integer overflow in xmlParseNameComplex (#381) · Issues · GNOME / libxml2 · GitLab
Oh, and here you can see Maddie being awesome, huge fan!
- 3. Flaws in public GitHub repos can now be reported privately
"Repositories differ on how researchers can be contacted, with some having few if any instructions. In such cases going public can seem the only alternative, which opens the door to miscreants also finding and exploiting the data." - Interesting, I would have thought most repos had an issue tracker where people would submit bugs, or at least a pull request, but that assumes you know how to fix it and actually proposed a fix in said pull request. All of that is still public. Private reporting is important as we want the vulnerability to be secret for a period of time. Any information, even hints, lead to security researchers and threat actors digging into the code or binaries and looking for a vulnerability. At least one case, that is super impressive, is where Maddie Stone found a bug in Android (I believe) based on the marketing materials from a threat actor group!
- 4. Will a Labeling System Solve IoT Security Challenges?
The first problem with labeling is allow people to understand what the label is saying. How many times have you Googled an ingredient on a nutrition label? Yea, I didn't know what erythritol was either until Google told me. The same goes for IoT devices, does the end user care to understand the kernel version of if the device is using GNUTLS or OpenSSL? Bring it up a level and it may help, such as looking at the number of ingredients and where they come from.
- 5. The FBI Came Close to Deploying Spyware for Domestic Investigations
"The internal FBI documents and legal briefs submitted on behalf of the bureau give the most complete picture to date of the bureau’s interest in deploying Pegasus. While heavily redacted, the internal documents show that, from late 2020 until the summer of 2021, the FBI had demonstrated a growing interest in potentially using Pegasus to hack the phones of FBI targets in criminal investigations."
- 6. All Day DevOps: Third of Log4j downloads still pull vulnerable version despite threat of supply chain attacks
- 7. Starlink User Terminal Modchip
"The talk covers how we managed to execute arbitrary code on the Starlink User Terminal using a custom modchip that performs voltage fault injection. The modchip can be used to bypass signature verification during execution of the System-on-Chip (SoC) ROM bootloader (BL1)"
- 8. NVIDIA Open GPU Kernel Driver Improves Firmware Handling, IBT Support – Phoronix
Interesting IBT has to be supported by the driver: "Additionally, the driver now supports Indirect Branch Tracking (IBT) when enabled by the kernel on supported platforms."
- 9. A Russian Missile Crew Was Geolocated From Just This Photo
I love this stuff, its the hacker mind at work. I often look at images and see what I can find that may reveal things that were not intended to be revealed. This post is great and shows how a Russian missile crew's location was determined by analyzing an image.
- 10. NSA Cybersecurity Information Sheet: Software Memory Safety
Strong statement: "While the use of added protections to nonmemory safe languages and the use of memory safe languages do not provide absolute protection against exploitable memory issues, they do provide considerable protection. Therefore, the overarching software community across the private sector, academia, and the U.S. Government have begun initiatives to drive the culture of software development towards utilizing memory safe languages."
- 11. Fwupd 1.8.7 Released With Linux Firmware Updating Support For More Hardware
Also, bug fixes and new features. I strongly encourage all Linux users to adopt LVFS; the project is well-run and gaining traction. I also encourage distros to include LVFS by default. As a user or administrator, use fwupdmgr to update the database ("fwupdmgr get-updates") and apply them ("fwudpmgr update"). Add this to your regular update processes!
- 12. An Oil and Gas Weak Spot: Flow Computers
"Flow computers calculate oil and gas volume and flow rates; these measurements are critical not only to process safety, but are also used as inputs in other areas, including billing. Team82 is disclosing details on a path-traversal vulnerability in ABB TotalFlow flow computers and controllers. An attacker could exploit a vulnerable system to inject and execute arbitrary code."
- 13. Worok hackers hide new malware in PNGs using steganography
- 14. Uncovering Window Security Events
- 15. The exploit recon ‘msg_msg’ and its mitigation in VED
- 16. Introducing Shufflecake: plausible deniability for multiple hidden filesystems on Linux
- 17. Netgear Nighthawk r7000p aws_json Unauthenticated Double Stack Overflow Vulnerability
This limits the scope of this vulnerability: "By placing a malicious json content in a webserver and redirecting the router to download it (either by DNS redirection or TCP redirection), an attacker can execute arbitrary code." However, there has been a series of vulnerabilities that exploit IoT devices when they attempt to pull data from remote sources. I expect this trend to continue.
- 18. Aiphone Intercom System Vulnerability Allows Hackers to Open Doors
- 19. Thales Denies Getting Hacked as Ransomware Gang Releases Gigabytes of Data
- 20. Prototype pollution project yields another Parse Server RCE
- 21. Lenovo driver goof poses security risk for users of 25 notebook models
Keep in mind you may have read the word "Driver" and thought Windows driver or Linux kernel driver. What is being referenced here are DXE drivers (Driver eXecution Environment) that execute before the OS is loaded and are responsible, along with other processes and stages, for initializing the hardware such that the OS and OS drivers can interface with the hardware.
- 22. Google Pixel screen-lock hack earns researcher $70k
- 23. Gaping Authentication Bypass Holes in VMware Workspace One
- 24. Intel, AMD Address Many Vulnerabilities With Patch Tuesday Advisories
- 25. Patches for 6 0-days under active exploit are now available from Microsoft
- 26. Misconfigurations, Vulnerabilities Found in 95% of Applications
I guess it just depends on what you're selling: "Yet, Synopsys found that, despite those concerns, vulnerabilities in supply-chain security and open-source software components accounted for only about a quarter of issues. The Vulnerable Third-Party Libraries in Use category of security weaknesses was uncovered in 21% of the penetration tests and 27% of the static analysis tests, the report said." - The rest of the article is based on my old quote: "Mis-Configuration leads to compromise". There is a gap, as proven by this research, and frustrating as many solutions exist to help solve this problem.
- 27. Unauthenticated Remote Code Execution in Spotify’s Backstage
"Having more than 19,000 stars on Github, Backstage – a CNCF incubated project by Spotify, is one of the most popular open source platforms for building developer portals. It restores order to your microservices and infrastructure, thus enabling your product teams to ship high-quality code quickly without compromising autonomy. "
- 28. 17 Web Domains Were Seized by the FBI and USPS for Connection to Job Scams
- 29. Finding malicious PyPI packages through static code analysis: Meet GuardDog
"Static analysis tools are typically used to identify vulnerabilities. GuardDog makes use of this same technique to identify malicious packages. Because GuardDog provides heuristics that identify common attacker techniques rather than package signatures, you can use it to identify malicious packages that have never been seen before."
- 30. Harden Runner: Security agent for the GitHub-hosted runner to monitor the build process
"Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to Prevent exfiltration of credentials, Detect tampering of source code during build, Detect compromised dependencies and build tools"
- 31. Exploit for libxml2 xmlParseNameComplex Integer Overflow CVE-2022-29824 CVE-2022-40303
- 32. Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots
Don't take snapshots and make them public. I don't believe, based on the data and my assumptions, this is not a common practice.
- 33. Hyperpom: An Apple Silicon Fuzzer for 64-bit ARM Binaries
- 1. Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps
The CDC and the Army leveraged code from Pushwoosh for their own apps as they believed Pushwoosh was a U.S. company. Pushwoosh's social media profile states they are indeed a U.S. company, but Reuters discovered they are actually a Russian company headquartered in Siberia. Upon discover of the origin of the Pushwoosh code, the Army removed the app, and the CDC removed the software from their public facing applications due to security concerns.
- 2. BATLOADER: The Evasive Downloader Malware
Analysts from VMware’s Carbon Black Managed Detection and Response are tracking a malware campaign involving the BatLoader downloader. The analysts have detected 43 successful infections over the past three months.
BatLoader appears to be drawing from the Conti malware playbook, leveraging some of the same resources and techniques. A common entry point is leveraging SEO to get users to download malicious .MSI installer/updater for products such as LogMeIn, Zoom, TeamViewer and AnyDesk.
- 3. Microsoft identifies issues with Kerberos authentication on certain Windows Servers
Microsoft reported that after installing updates released on the most recent Patch Tuesday on Nov. 8, security teams might have issues with Kerberos authentication on Windows Servers with the Domain Controller role.
The issue may raise a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller, and is most likely tied to where you have set the This account supports Kerberos AES 256 bit encryption' or 'This account supports Kerberos AES 128-bit encryption' Account Options for your AD users.
- 4. How to add your driver’s license to the Apple Wallet app (and why you should)
This feature is slowly rolling out as more states bring support for adding your driver's license or ID card to your iPhone or Apple Watch. Currently works with Arizona, Colorado and Maryland DL/ID cards.
Question: Because we can - should we?
- 5. 8 strange ways employees can (accidently) expose data
Employees are often warned about the data exposure risks associated with the likes of phishing emails, credential theft, and using weak passwords. Here are eight unusual, unexpected, and relatively strange ways employees can accidentally expose data, along with advice for addressing and mitigating the risks associated with them.
- 6. Black Friday online shopping: How to boost your cybersecurity and stay safe from scammers
PSA: Black Friday offers opportunities to bag discount deals - and cyber criminals know online shoppers might let their guard down in the rush.
- 7. NSA Releases Guidance on How to Protect Against Software Memory Safety Issues
The “Software Memory Safety” Cybersecurity Information Sheet highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts.
- 8. FIFA World Cup apps have privacy experts on edge
Visitors to Qatar are required to download two apps to their smartphones: a COVID-tracking app called Ehteraz, and the official World Cup app, Hayya.
The Ehteraz app asks users to allow remote access to pictures and videos, make unprompted calls, and read or modify device data while the Hayya app asks for full network access and unrestricted access to personal data. It also prevents the device from going into sleep mode and views the phone’s network connections.
- 1. Re-Envisioning State Cyber Response Capabilities: The Role of Volunteers in Strengthening our Systems – National Governors Association
Michigan, Wisconsin and Ohio are among the frontrunners in an effort to build teams of volunteers dedicated to conducting cybersecurity assessments and/or incident response activities on systems and networks within their borders. As these models mature, they are revealing the advantages of such a system for public and private sector entities, the volunteers themselves and the states’ residents. Understanding the strengths and weaknesses of these programs can also inform the adoption of similar solutions around the country to better confront the cyber threat.
- 2. How Many Cyber Attacks Happen Per Day in 2022?
In 2022, businesses around the globe face a ransomware attack every 11 seconds.
53% of Canadian companies that experienced ransomware paid the hackers. (Source: Blakes)... is this because Canadians are friendly? But look! 47% aren't
Almost 80% of cyber attackers target government agencies. (Source: Forbes) Shout out to blue team and gov't defenders
- 3. Undersea Cable Wars: Competition for control of networks brings long-term security risks to the surface
- 4. Article
- 5. The U.S. Should Get Serious About Submarine Cable Security
- 1. NASA helped find a security hole in spacecraft networks
The team has discovered that time-triggered Ethernet (TTE), a feature that lets critical systems sit alongside minor ones on the same networking hardware, is vulnerable to a spoofing attack. An intruder can send fake sync messages by conducting electromagnetic interference through copper Ethernet cables into network switches, creating a "gap" in a switch's activity that lets bogus data slide through.
- 2. Zero-initialize objects of automatic storage duration
This is a proposal. Adopting this change would mitigate or extinguish around 10% of exploits against security-relevant codebases.
- 3. Cryptographic signatures for zip distributions
Red Hat's products are distributed through numerous methods, including RPMs, ISOs and zip files. Over the past several months, we have been working across the organization to design and implement a plan to provide signatures for all zip file types so that our customers have greater assurance that Red Hat actually creates the products they receive.
- 4. Open to a fault: On the passive compromise of TLS keys via transient errors
We use passive and active network measurements to analyze organically-occuring faults in billions of digital signatures generated by tens of millions of hosts.We find that a persistent rate of apparent hardware faults in unprotected implementations has resulted in compromised certificate RSA private keys for years. They found more than 100 private keys, including Baidu.com and Cisco VPN products.
- 5. NASA war-games an asteroid impact disaster and it goes badly
The exercise presented a number of sobering conclusions.
First, a few days, a few weeks, or even, likely, a few months would be too late to detect a destructive space rock headed to Earth for a deep impact.
Second, people have become so distrustful of authority, whether it’s from the political class or the media, that an announcement of a killer asteroid on the way would not be believed by a significant number of people.
- 6. Shocker: EV charging infrastructure is seriously insecure
Hardcoded passwords, unsanitized input fields, outdated Linux kernels, superfluous services, etc. Companies are rushing to deliver products and neglecting security. In one case, researchers managed to sniff out and interrupt charging using a software defined radio with less than 1W of power from 47 meters away "on all seven vehicles and 18 EVSEs that they investigated."