Les Bell and Associates Pty Ltd
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Google Issues Chrome Update in Response to 0Day
You should be aware of this by now, but Google has issued an update for the Chrome browser Stable channel in response to a 0day exploit. The new versions are 107.0.5304.87 for Mac and Linux, and 107.0.5304.87/88 for Windows. The update fixes CVE-2022-3723, which is a type confusion vulnerability in V8, Google's high-performance runtime for JavaScript and WebAssembly.
You know what to do. . .
Bommana, Prudhvikumar, Stable Channel Update for Desktop, Google Chrome Releases blog, 27 October 2022. Available online at https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html.
More Trojan Droppers in Google Play Store
The idea of relying on mobile OS app stores to filter out malicious apps before they get to the public is getting less and less sustainable. Now comes a report of five more trojan droppers found on the Google Play Store, with a cumulative installation count of over 130,000 installs.
These apps drop banking trojans such as Sharkbot and Vultur, which can steal online banking credentials and PII, perform keystroke logging and even (in the case of Vultur) run a VNC session that allows the attacker to perform any action on the infected device.
The droppers have been carefully designed to fit in with the security policies of the Play Store, and request as few permissions as possible on the victim's device - only three, and those so common as to not arouse suspicion. While the Sharkbot trojan seems to be interested only in Italian victims, Vultur has a long list of target institutions, including many Australian and European banks.
Uncredited, Malware wars: the attack of the droppers, blog post, 28 October 2022. Available online at https://www.threatfabric.com/blogs/the-attack-of-the-droppers.
How Not to Handle a Privacy Breach
See Tickets, a major event ticketing company, has disclosed a major data breach dating back to June 2019. I'm not sure if that is a record, but it ought to be.
According to See's consumer notification letter, a third party had obtained unauthorized access to event checkout pages on the See website; although they were alerted to the activity in April 2021, a later paragraph reveals that the pages may have been affected as early as 25 June 2019. We can only speculate, but this may have been some kind of supply-chain attack involving a JavaScript framework or subsystem - Ticketmaster suffered this type of breach in 2018 - or some kind of XSS attack. The data exposed includes name, address and credit card numbers, expiry dates and CVV numbers.
The firm engaged forensics consultants, but it took them until 8 January 2022 to fix the exposure and a further nine months before concluding, on 12 September 2022, that "the event may have resulted in unauthorized access to the payment card information of certain of our customers". Finally, in late October, they are notifying customers that their information may have been exposed - although "we are not certain your information was affected".
If that is an "abundance of caution", it's deeply unimpressive. The notification letter provides the obvious advice to affected consumers, but some evidence that See was raising its game would do a lot more to regain consumer trust.
Murphy, James, Re: Notice of Data Breach, letter template, October 2022. Available online at https://dojmt.gov/wp-content/uploads/Consumer-Notification-Letter-638.pdf.
Multiple Juniper JunOS Vulnerabilities
Researchers at Octagon Networks have revealed multiple vulnerabilities in Juniper's JunOS, including one (CVE-2022-22241) with a CVSS score of 8.1. This particular vulnerability allows an unauthenticated attacker to write an arbitrary file, which in turn leads to remote code execution. The exploit would merit a CVSS score of 9.8, were it not for the difficulty of finding a suitable object to make use of in the required deserialization code.
The researchers found five other vulnerabilities. The full list is:
- CVE-2022-22241: Remote pre-authenticated Phar Deserialization to RCE
- CVE-2022-22242: pre-authenticated reflected XSS on the error page
- CVE-2022-22243: XPATH Injection in jsdm/ajax/wizards/setup/setup.php
- CVE-2022-22244: XPATH Injection in send_raw() method
- CVE-2022-22245: Path traversal during file upload leads to RCE
- CVE-2022-22246: PHP file include /jrest.php
All were previously disclosed to Juniper and have been patched, so customers are advised to update to the latest release of the OS, or alternatively disable J-Web or at least, limit access to only trusted hosts.
Uncredited, Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities, blog post, 28 October 2022. Available online at https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
 Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
News Stories
Critical Vulnerability in OpenSSL - Patch Due 1 November
According to a tweet from Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Foundation's VP of Security, the OpenSSL team is preparing for the release of version 3.0.7, which will fix a CRITICAL vulnerability present in versions 3.0.0 through 3.0.6. This is good news for many users, as the most widely-deployed production Linux distributions do not use the 3.0 series - Red Hat Enterprise Linux 8, for example, uses version 1.1.1k.
Admins who are testing more recent versions or have already deployed them will need to proactively patch, though - RHEL 9 runs version 3.0.1.
It's not clear what the underlying vulnerability is, and it will take a little time for threat actors to reverse-engineer the various fixes in 3.0.7 and work out what it is. But it's likely to be serious - by OpenSSL definition, a CRITICAL issue affects common configurations and is also likely to be exploitable.
Vaughan-Nichols, Steven, OpenSSL warns of critical security vulnerability with upcoming patch, ZDnet, 27 October 2022. Available online at https://www.zdnet.com/article/openssl-warns-of-critical-security-vulnerability-with-upcoming-patch/.
British Hacker Arraigned on Charges in US
British hacker Daniel Kaye, a.k.a. "Popopret", "Bestbuy", "TheRealDeal", "Logger", "David Cohen", "Marc Chapon", "UserL0ser", "Spdrman", "Dlinch Kravitz", "Fora Ward", and "Ibrahim Sahil", has been arraigned on charges of access device fraud and money laundering conspiracy in connection with his alleged operation of "The Real Deal", a dark web market for hacking tools and stolen credentials, and his laundering of profits from that market.
'The indictment alleges that Kaye listed for sale on "The Real Deal" login credentials for U.S. government computers belonging to the U.S. Postal Service, the National Oceanic and Atmospheric Administration, the Centers for Disease Control and Prevention, the National Aeronautics and Space Administration, and the U.S. Navy. The indictment further alleges that Kaye, along with an individual (or individuals) known as "thedarkoverlord", trafficked in stolen social security numbers; and that Kaye possessed 15 or more stolen login credentials for Twitter and LinkedIn. Finally, the indictment alleges that Kaye laundered cryptocurrency he obtained from The Real Deal through Bitmixer.io, a website that offered Bitcoin "mixing" services and, through its "mixing" algorithm, sought to keep its users anonymous, private, and immune to Bitcoin blockchain tracing analysis.'
Nonetheless, it seems that the FBI did manage to trace the funds, and Kaye now has been arraigned before US Magistrate Judge Linda T. Walker following his extradition from Cyprus. The FBI was assisted by multiple European police forces.
DoJ US Attorney's Office, Northern District of Georgia, Hacker and Dark Market operator arraigned on federal charges, press release, 26 October 2022. Available online at https://www.justice.gov/usao-ndga/pr/hacker-and-dark-market-operator-arraigned-federal-charges.
Dutch Man Arrested for Healthcare Data Theft
The Dutch police have arrested a 19-year-old man from the town of Krimpen aan den IJssel, near Rotterdam, following a complaint from a healthcare software supplier. It is alleged that the man stole tens of thousands of documents, possibly containing personal and medical data.
The suspect's home was searched and various devices seized for forensic analysis, but until this is completed - a process which could take considerable time - police are unable to determine whether the stolen data was on-sold or distributed. The man was released after questioning but remains a suspect in the case.
Politie Nederland, Softwareleverancier gehackt, verdachte aangehouden [Software supplier hacked, suspect arrested], press release, 25 October 2022. Available online at https://www.politie.nl/nieuws/2022/oktober/25/hack-software-leverancier-verdachte-aangehouden.html.
Australian Privacy Breaches Provide Fodder for Satirists
It being the weekend, let us now turn to lighter topics. Holding to the old adage that if you didn't laugh, you'd cry, Australians have turned to humour as a way of coping with the recent round of data breaches (Optus, Energy Australia, Medibank, Medlab Pathology and others).
The latest offering, by Mark Humphries for ABC TV's 7:30 current affairs program, is presented here for your delight and delectation.
Humphries, Mark, Mark Humphries shares Medibank's apology after hacking scandal | 7.30, video, 28 October 2022. Available online at https://www.youtube.com/watch?embed=no&v=njlvSfuxJi8.
News for CISSP's
Alternative Slate for Upcoming (ISC)2 Election
As those certified by (ISC)2 should know by now, the election for the upcoming vacancies on the Board of the organization will open on 1 November. As previously discussed, the current Board has nominated only five candidates for the five vacancies - a move that renders the election moot - as well as proposing a set of contentious changes to the By-Laws which will further disenfranchise the membership.
Several members who had nominated for Board positions - some of them with previous experience and, more to the point, continued engagement with the members - have asked the voting members to consider them as write-in candidates. With the assistance of Stephen Mencik (one of those stepping forward) I have assembled the following information:
Here are the members asking for your support - and, I would suggest, offering you theirs:
- Wim Remes - Belgium - member number 97080
- Stephen Mencik - US - member number 10288
- Richard Nealon - Republic of Ireland - member number 4205
- Sami O. Koskinen - Finland - member number 54813
- Diana-Lynn Contesti - Canada - member number 5053
For those interested in more information about the five people asking for your write-in votes, here are their information pages:
- For Stephen Mencik - https://sites.google.com/view/smm-petition
The above site was used in an attempt to gain enough petitions to get on the ballot via that route. There are links to his resume and to the skillset questions and answers from the nomination process, and letters of recommendation. Mr. Mencik is ISC2 Member number 10288 and holds CISSP-ISSAP, ISSEP. Mr. Mencik also did most of the work on the counter-proposals for by-laws found at https://jsweb.net/isc2.
- For Diana-Lynn Contesti - https://sites.google.com/site/dlcpetitionboard/home
This site was used by Ms. Contesti in an attempt to gain enough petitions to get on the ballot. It contains a summary of her qualifications. Ms. Contesti is ISC2 member number 5053 and holds CISSP-ISSAP, ISSMP, CSSLP, SSCP.
- For Wim Remes - https://www.be-represented.org/
This site was used by Mr. Remes in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Remes is ISC2 member number 97080 and holds CISSP.
- For Richard Nealon - https://sites.google.com/view/RN-petition-isc2-board
This site was used by Mr. Nealon in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Nealon is ISC2 member number 4205 and holds CISSP-ISSMP, SSCP.
- For Sami O. Koskinen - http://www.linkedin.com/in/sami-koskinen-429624
The link is to Mr. Koskinen's LinkedIn profile, which gives a summary of his qualifications. Mr. Koskinen is ISC2 member number 54813 and holds CISSP-ISSMP.
I would urge all those entitled to vote to visit the pages above and consider carefully before voting.
News Stories
Yet Another Patient Data Breach
The string of highly-publicized breaches of personal health information in Australia has continued, with a pathology lab the latest firm to be hit.
Medlab Pathology has disclosed a breach which compromised the personal information of patients and staff. The breach occurred back in February 2022, and it would be interesting to know whether and at what point the Office of the Australian Information Commissioner was notified as required under the Privacy Amendment (Notifiable Data Breaches) Act 2017.
According to their statement, Medlab engaged external experts, whose investigation "did not reveal any evidence that information stored in our systems had been accessed or downloaded". However, in June Medlab was contacted by the Australian Cyber Security Centre, which had detected the publication of some Medlab data on the dark web, whereupon the firm downloaded the dataset and "spent several months to analyse the data so it could determine what information was included ... and who it belonged to".
The company states, "This process took several months to complete, including locating current contact details for involved individuals ... so that we did not incorrectly notify anyone and cause undue alarm or distress".
That's all well and good, but not disclosing a breach for eight months sounds very much like closing the stable door after the horse has bolted; in particular, the company seems to have tried to avoid making a public disclosure, only to see it forced upon them before they have contacted the affected individuals (which will happen over the coming weeks, according to their statement). There's also an element of wishful thinking; the fact that "external experts" can find no evidence of information exfiltration is emphatically not evidence that no exfiltration occurred.
McGrath, Melinda, Medlab Cyber Incident, public statement, 27 October 2022. Available online at https://medlab.com.au/medlab-cyber-incident.
Medibank Cyber Insurance Comment
While we're on the topic of Australian privacy breaches: media eyes remain focused on Medibank's handling of the other big breach, with more reporting in mainstream media. One comment that caught my eye (no reference for this one, I'm afraid - it was a passing comment in a TV news report): apparently Medibank had not taken out a cyber insurance policy, on the grounds that it was "too expensive".
I'll pass over the fact that an insurance company thinks that cyber insurance does not represent good value. Perhaps it is appropriate for an insurance company to self-insure for this and other risks, provided it has the capital reserves to do this. But it ignores one key benefit provided by many cyber insurance policies: immediate access to incident response, crisis management and crisis communications experts who parachute in to assist or even take charge of incident response.
Fast access to these kinds of resources might well have done a lot to improve Medibank's image over the last few weeks.
GitLab Tightens Supply Chain Security
Source code management company GitLab is taking concerns about supply chain security to heart, announcing several new security and compliance features and enhancements to assist with this. Among the new features are security policy management, compliance management, events auditing and vulnerability management. Also planned is a dependency management feature which will be able to track vulnerabilities in dependencies.
The enhancements will help developers manage risk by providing increased visibility into security findings and user activities, as well as performing proactive vulnerability scans, including static analysis, secret detection, container scanning, dependency scanning, infrastructure-as-code scanning and coverage-guided fuzz testing. The GitLab platform will also add access to actionable and relevant secure coding guidance.
This is a welcome step in the movement to 'shift left' by emphasizing security earlier in the development process. It is increasingly obvious that trying to deal with security in the operations domain is simply too late.
Dark Reading Staff, GitLab Adds Governance, Software Supply Chain Enhancements, Dark Reading, 27 October 2022. Available online at https://www.darkreading.com/dr-tech/gitlab-adds-governance-software-supply-chain-enhancements.
News Stories
LV Ransomware Operator Buys Network Access, Uses ProxyShell
The LV ransomware seems to be based on REvil (a.k.a. Sodinokibi), although the relationship between the groups operating them is uncertain. However, LV breaches are surging, according to researchers at Trend Micro, who have provided an analysis of one particular intrusion.
Back in December 2021, a threat actor claiming to operate LV posted on a cybercrime forum seeking to connect with network access brokers in an attempt to buy access to networks in a range of industries. This seems to have been successful, with multiple breaches around the world. In the reported case, an affiliate of the LV threat actor was able to use the ProxyShell vulnerability to drop a web shell and then execute a chain of PowerShell scripts, culminating in a backdoor.
From there, they were able to use Mimikatz, NetScan and Advanced Port Scanner to harvest credentials and discover servers, including the domain controller. A compromised admin account was then used to access the domain controller, after which the ransomware code was uploaded and a scheduled task used to deploy the ransomware across the domain.
Fahmy, Mohamed, Sherif Magdy and Ahmed Samir, LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company, blog post, 25 October 2022. Available online at https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html.
Education Sector Targeted by Vice Ransomware Operator
One good (!) point in favour of the LV ransomware group is that their post seeking access brokers specifically excluded the healthcare and education sectors. However, other groups are not so choosy, as the LA Unified School District, and many other institutions, can attest. In fact, one group, tracked by Microsoft as DEV-0832 Vice Society, seems to be particularly interested in the education sector, both in the US and globally.
Vice Society seems to favour low-hanging fruit - poorly-secured networks - and uses a wide range of TTPs which are common to ransomware operators. These include PowerShell scripts, initial compromise via unpatched systems, use of LOLbins and other tools including commodity ransomware such as BlackCat, QuantumLocker and Zeppelin, as well as generic backdoors like the SystemBC remote access trojan. This suggests either that they adapt to the victim's defences, or that there are multiple operators working under the Vice Society umbrella. They also deploy tools to Linux systems.
Vice Society makes extensive use of customized PowerShell scripts for credential harvesting and post-exploitation discovery, as well as staging of tools via network shares. Interestingly, they seem to favour data exfiltration over encrypting files, in some cases not bothering to proceed to encryption.
The Microsoft report provides suggested mitigations.
Uncredited, DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector, blog post, 25 October 2022. Available online at https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/.
Medibank Breach Goes from Bad to Worse to Worst
As previously reported, the breach of Australian health insurance company Medibank has continued to become more severe. From an initial report that no data had been exfiltrated, to a report that only one subsidiary and particular accounts were affected, as Medibank's internal and third-party responders have dug deeper, the news has got worse. The latest revelation is that all Medibank, ahm and international student customers' personal data had been accessed.
Now, whether it has actually been exfiltrated remains an open question, for outsiders at least. But one would have to assume that it has, and that the information - including sensitive health-claims data - of 4 million current customers, along with an unknown number of former customers, is now at elevated risk.
We have previously seen, in the case of Finnish mental healthcare provider Vastaamo, that when the breached enterprise refuses to pay a ransom, the attacker will turn to extorting the individual patients. We can only hope this does not eventuate, for the sake of the affected patients and also Medibank itself, which at this stage has only suffered a sharp drop in its share price after the resumption of trading on the ASX and the costs of incident response. Vastaamo did not survive for long after the scandal surrounding its breach broke.
Terzon, Emilia and Samuel Yang, Medibank says all customers' personal data compromised by cyber attack, ABC News, 26 October 2022. Available online at https://www.abc.net.au/news/2022-10-26/medibank-hack-criminals-access-hack-data/101578438.
RCE Vulnerability in Melis Platform CMS Now Patched
Many content management systems and e-commerce platforms are based on the Laminas PHP framework, formerly known as Zend. During routine static analysis of these projects, Sonar researchers found three critical vulnerabilities in Melis Platform, a business-oriented CMS used by many large enterprises.
These lead to a potential insecure deserialization vulnerability, which allows object injection via the PHP $_POST array, populated from user-supplied form content. The question faced by the researchers was whether it is exploitable. To exploit such a flaw, an attacker has to find a chain of calls to methods in available classes - a POP (property-oriented programming) chain - that can be triggered from the vulnerable section of code and will execute a malicious action, such as creating a file or executing a command.
They found the required code in the Laminas cache code, in particular a method which saves to disk "deferred items that have not been committed", and were able to use this to create a .PHP file and get it executed. This is an interesting example of the capabilities of static code analysis tools, although some ingenuity is subsequently required to craft a proof-of-concept exploit.
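To make the mechanism concrete, here is an added example (not code from the Sonar article, and not Melis Platform or Laminas code) showing, in a few dozen lines of PHP, why passing form data to unserialize() is dangerous and how the hardened form differs. The DeferredWriter class, its property names and the sample serialized string are all constructed for this illustration; the class stands in for the kind of "gadget" the researchers found in the Laminas cache code, but records its side effect in an array rather than touching the filesystem. It assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a "gadget" class: any class already loaded by the
// application whose magic methods have side effects. Here the side effect is
// recorded in a static array for demonstration rather than written to disk.
final class DeferredWriter
{
    /** @var string[] record of side effects, for demonstration only */
    public static array $effects = [];

    public string $path = '';
    public string $content = '';

    // PHP calls __destruct when the object is destroyed; this happens for
    // objects produced by unserialize() just as for any other object, with
    // whatever property values the serialized string supplied.
    public function __destruct()
    {
        if ($this->path !== '') {
            self::$effects[] = 'would write ' . strlen($this->content) . " bytes to {$this->path}";
        }
    }
}

// Vulnerable handler: unrestricted unserialize() of form data. A serialized
// DeferredWriter in the request instantiates the gadget, and its destructor
// later runs with attacker-chosen property values. This is the bug class.
function handleFormVulnerable(array $post): mixed
{
    return unserialize($post['state']);
}

// Hardened handler: allowed_classes => false makes unserialize() return a
// __PHP_Incomplete_Class for any object, so no magic method ever executes.
// If specific classes are genuinely needed, pass an explicit allow-list instead.
function handleFormHardened(array $post): mixed
{
    return unserialize($post['state'], ['allowed_classes' => false]);
}

// Better still: carry client state in a format that cannot express objects.
function handleFormJson(array $post): array
{
    $value = json_decode($post['state'], true, 16, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : [];
}

// Runs both handlers on the same constructed input and reports what happened.
function demo(): array
{
    // Constructed sample: the wire form of a DeferredWriter with two
    // attacker-controlled properties (the numbers are PHP's length prefixes).
    $sample = 'O:14:"DeferredWriter":2:{s:4:"path";s:13:"/tmp/demo.txt";s:7:"content";s:8:"injected";}';

    DeferredWriter::$effects = [];
    $obj = handleFormVulnerable(['state' => $sample]);
    unset($obj);                                   // destructor fires here
    $vulnerableEffects = DeferredWriter::$effects; // one entry

    DeferredWriter::$effects = [];
    $safe = handleFormHardened(['state' => $sample]);
    $hardenedIsIncomplete = $safe instanceof __PHP_Incomplete_Class; // true
    unset($safe);
    $hardenedEffects = DeferredWriter::$effects;   // empty

    return [
        'vulnerable_effects'  => $vulnerableEffects,
        'hardened_incomplete' => $hardenedIsIncomplete,
        'hardened_effects'    => $hardenedEffects,
    ];
}

print_r(demo());
```

The point of the demo() function is that the input never changes: the same string is harmless or harmful depending solely on whether the application lets unserialize() instantiate classes. Code review for insecure deserialization therefore starts by finding every unserialize() call reachable from request data ($_POST, $_GET, cookies, uploaded files) and checking whether it restricts allowed classes, which is exactly the kind of source-to-sink question the static analysis described above is designed to answer.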
A patch for Melis Platform is now available, and users are urged to update to version 5.0.1 or above.
El Ouerghemmi, Karim and Thomas Chauchefon, Remote Code Execution in Melis Platform, blog post, 18 October 2022. Available online at https://blog.sonarsource.com/remote-code-execution-in-melis-platform/.
News Stories
RNC Sues Google
The Republican National Committee has sued Google for allegedly directing the emails it sends straight to users' spam folders. According to its filing in the US District Court in California, Google is discriminating against the party by "throttling its email messages because of the RNC's political affiliation and views".
In rejecting the claims, the tech giant retorted, "As we have repeatedly said, we simply don't filter emails based on political affiliation. Gmail's spam filters reflect users' actions".
"We provide training and guidelines to campaigns, we recently launched an FEC (Federal Election Commission)-approved pilot for political senders, and we continue to work to maximize email deliverability while minimizing unwanted spam", said Google spokesperson José Castañeda.
Binoy, Rhea et al., Republican National Committee sues Google over email spam filters, Reuters, 25 October 2022. Available online at https://www.reuters.com/world/us/republican-national-committee-sues-google-over-email-spam-filters-2022-10-22/.
CVSS 9.8 RCE Vulnerability in HyperSQL Database
Researchers at Code Intelligence have discovered a potential remote code execution vulnerability in all versions up to and including 2.7.0 of the HyperSQL database (HSQLDB). This is a critical vulnerability for two reasons: a) a CVSS score of 9.8 and b) the fact that HSQLDB is used in thousands of popular packages and programs, including LibreOffice, JBoss, Log4j, Hibernate, Spring Boot - itself used in thousands of other products - and many others.
The vulnerability, which is recorded as CVE-2022-41853, is in the parsing procedure for binary and text format data processed by the java.sql.Statement and java.sql.PreparedStatement classes, and can be used to call any static method from any Java class in the classpath.
A fix will be available in HSQLDB version 2.7.1 and later; meanwhile, the issue can be remediated by defining the hsqldb.method_class_names property.
Wagner, Roman, Potential Remote Code Execution Vulnerability Discovered in HSQLDB, blog post, 10 October 2022. Available online at https://www.code-intelligence.com/blog/potential-remote-code-execution-in-hsqldb.
Exploits In The Wild for Cisco AnyConnect Secure Mobility Client
Cisco has advised customers to urgently update installations of the Cisco AnyConnect Secure Mobility Client for Windows, following the discovery by their product security incident response team of exploits circulating in the wild. The related vulnerabilities have been known for over two years, so a patch has long been available.
The two vulnerabilities allow the copying of user-supplied files to system directories, and the hijacking of DLLs. Put together, the two allow injection of arbitrary code and its execution with SYSTEM privileges. Although authentication is required, this would allow privilege escalation.
Uncredited, Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability, Security Advisory, 25 October 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj.
Uncredited, Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability, Security Advisory, 25 October 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW.
Event Log Vulnerabilities Can Lead to DoS
Two rather curious exploits discovered by Varonis can allow an attacker to crash the Event Log service of any Windows machine, or even DoS the machine by filling the hard drive space.
Both exploits abuse the OpenEventLogW API, which allows a user to open a handle for an event log on a local or remote machine. By default, non-privileged users cannot get a handle for event logs on remote machines - with one exception, the legacy "Internet Explorer" log, which still exists and has its own security descriptor that overrides the default permissions.
Varonis' researchers came up with two PoC exploits; LogCrusher will crash the Event Log on a remote machine, stopping logging and leaving security controls in the dark, while OverLog repeatedly backs up spurious entries created in the Internet Explorer Event Log to a file, eventually filling the hard drive and preventing the machine from swapping to disk.
Microsoft has responded with a patch that restricts the OpenEventLogW API remote access to the IE Event Log to local administrators only, reducing the likelihood of exploitation. We have often referred to Internet Explorer as a cancer wrapped around the heart and lungs of Windows; its eradication is proving difficult.
Taler, Dolev, The Logging Dead: Two Event Log Vulnerabilities Haunting Windows, blog post, 25 October 2022. Available online at https://www.varonis.com/blog/the-logging-dead-two-windows-event-log-vulnerabilities.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
 Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
News Stories
Australia Increases Penalties for Privacy Breaches
Following much public anger, hand-wringing and outrage on the part of politicians and pundits, Australia's Commonwealth Government has concluded that the answer is tougher penalties. In a media statement Attorney-General Mark Dreyfus stated that 
"existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business. We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour".
"The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:
- $50 million
- three times the value of any benefit obtained through the misuse of information; or
- 30 percent of a company's adjusted turnover in the relevant period."
That might focus the attention of boards and C-suites, and will doubtless meet with the approval of the public. It might even result in CISOs getting a more sympathetic hearing when budget review time comes around, with increased spending in . . . well, some areas of security efforts.
But it's doubtful whether it will do anything to improve things at the coalface. If the popular theory about the Optus breach which triggered all this brow-beating is correct, and the data was exposed via a misconfigured API endpoint, then nothing would be different - no amount of punitive incentivization will improve the Mark I human's proclivity to errors in the form of slips and lapses. And for developers who may well find themselves walking the plank if caught anywhere near a breach, or CISOs who suddenly find their title has changed to DFG (Designated Fall Guy), the size of the fine is irrelevant.
On the other hand, I predict a boom in half-day and one-day courses for directors and senior managers on cybergovernance, with a good lunch as a bonus.
Dreyfus, Mark, Tougher penalties for serious data breaches, media release 22 October 2022. Available online at https://ministers.ag.gov.au/media-centre/tougher-penalties-serious-data-breaches-22-10-2022.
Cybergovernance Principles Launch Hacked
Speaking of which . . . The Australian Institute of Company Directors (AICD) has produced a new set of cybersecurity governance principles, and was set to launch them with an online event yesterday. The event had gained the support of the relevant Federal Minister, Clare O'Neil, as well as CEO of the Cyber Security Cooperative Research Centre, Rachael Falk.
Everything was set for thousands of online attendees to learn how to secure their companies and their systems. But when they tried to log on, the conference did not start on time. As they waited, a fake Eventbrite link, which requested credit card details, was posted to the related LinkedIn chat. When AICD officials asked participants not to follow links in the chat, it was followed by an official-looking AICD link - which also didn't work.
Eventually, the AICD was forced to give up and cancel the event, with MD & CEO, Mark Rigotti, forced to warn anyone who had submitted credit card details to contact their bank, and to apologise for the issues. "We recognise this experience has fallen well below the high standards our members rightly expect of the AICD", he stated.
Apparently, the Magic Wand of Cybergovernance isn't quite as effective as claimed; regular readers are reminded of Putt's Law:
Technology is dominated by two types of people:
Those who understand what they do not manage
Those who manage what they do not understand
Towell, Noel and Kishor Napier-Raman, Hackers hit cybersecurity conference, The Sydney Morning Herald, 24 October 2022. Available online at https://www.smh.com.au/national/hackers-hit-cybersecurity-conference-20221024-p5bsiq.html.
Meanwhile, Another Take on Incentives
In the latest issue of Communications of the ACM, the former Editor-in-Chief of that august journal, Moshe Y. Vardi, also ponders these problems. In 2017, he wrote, "So here we are, 70 years into the computer age and after three ACM Turing Awards in the area of cryptography (but none in cybersecurity), and we still do not seem to know how to build secure information systems." Five years on, the only change he would make is substituting 75 for 70.
Vardi points the finger at the externalities in the system: whatever we do in the digital world involves disclaimers; whether installing new software or signing in to an online service, we accept terms and conditions which allow the vendors to escape liability:
'As the philosopher Helen Nissenbaum pointed out in a 1996 article, while computing vendors are responsible for the reliability and safety of their product, the lack of liability results in lack of accountability. She warned us more than 25 years ago about eroding accountability in computerized societies. The development of the "move-fast-and-break-things" culture in this century shows that her warning was on the mark.'
Vardi suggests that the way to address the cyber-insecurity issue may well be regulation, which would overcome the power imbalance between vendors and their customers, and prevent them from escaping accountability. The question that comes to mind is, what would we - or governments - regulate? Perhaps it is time to shift the pendulum away from playing catch-them-if-you-can in the incident response phase, and back towards engineering security into systems.
Vardi, Moshe Y., Accountability and Liability in Computing, Communications of the ACM, November 2022, Vol. 65 No. 11, Page 5. Available online at https://cacm.acm.org/magazines/2022/11/265836-accountability-and-liability-in-computing/fulltext.
Pentesters Pwned By Malware-Laced PoCs
The dire state of penetration testing is highlighted by a new report from researchers at the Leiden Institute of Advanced Computer Science, who analysed proof-of-concept exploit code posted to GitHub. Using three fairly simple techniques:
- Comparing the committer's IP address to public blacklists, VirusTotal and AbuseIPDB
- Submitting binaries and their hashes to VirusTotal for analysis, and
- Deobfuscation of base64 and hex values before performing the above two checks
the researchers found that 4,893 examples, out of the 47,313 that they downloaded in total, made calls to malicious IP addresses, carried obfuscated malicious code, or included trojanized binaries. In other words: download a PoC from GitHub, and you have a 10.3% chance of catching something nasty. More to the point, if you use the code in an engagement without checking it, your client could catch something nasty.
The current emphasis on pen-testing as a way of improving security posture is fine - if the testing is performed by highly-skilled testers. Unfortunately, there aren't enough really skilled testers out there. At the bottom of the market, many rely upon the basic testing performed by automated scanners, while some go a little further, with the aid of Kali Linux and a library of YouTube videos. The better ones will dig a bit deeper, using the capabilities of tools like Metasploit and Cobalt Strike, especially for red-teaming.
But even those tools run out of steam, and so the temptation is huge to just download any relevant PoCs and see if they work. The results could be devastating. It is incumbent on professional pen-testers to
- Read and understand the code they are about to run on or against their own or their customers' networks
- Use easily-available, free tools like VirusTotal to analyze binaries
- Analyze the code manually, taking the time to deobfuscate where necessary. If this will take too long, then explode it in a sandbox while monitoring it for malicious behaviour and suspicious network traffic
One has to ask: why would code in a proof-of-concept be obfuscated anyway? There are a few sort-of-good reasons, but if it's to stop casual reading and understanding, that's a huge red flag.
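As an added illustration of the three checks described above and of the triage steps just listed (this is not the Leiden researchers' tooling), the following Python script applies them offline to a constructed sample repository; a constructed blocklist and hash set stand in for the AbuseIPDB and VirusTotal lookups:

```python
"""Offline triage of a proof-of-concept repository, applying the three checks
described above: IP reputation, hashes of bundled binaries, and decoding of
base64/hex blobs before repeating the first two checks.

Added example, not the Leiden researchers' tooling.  The blocklist, the
"known bad" hash set and the sample repository are constructed stand-ins for
AbuseIPDB / VirusTotal lookups, so the whole thing runs offline."""
import base64
import binascii
import hashlib
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # runs long enough to matter
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,}\b")


def _try_b64(blob):
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def _try_hex(blob):
    try:
        return bytes.fromhex(blob).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_layers(text, max_depth=4):
    """Peel nested encodings so a string buried two layers down (base64
    wrapping hex wrapping a URL) still surfaces.  Returns every decoded
    string, outermost layer first; decodings that are not text are ignored."""
    decoded, frontier = [], [text]
    for _ in range(max_depth):
        nxt = []
        for chunk in frontier:
            for blob in set(B64_RE.findall(chunk)) | set(HEX_RE.findall(chunk)):
                out = _try_b64(blob) or _try_hex(blob)
                if out:
                    decoded.append(out)
                    nxt.append(out)
        if not nxt:
            break
        frontier = nxt
    return decoded


def triage(repo, bad_ips, bad_hashes):
    """Run all three checks over `repo` ({filename: str for text files,
    bytes for binaries}) and return the findings plus a verdict."""
    report = {"bad_ips": set(), "bad_hashes": set(), "encoded_blobs": 0}
    for name, content in repo.items():
        if isinstance(content, bytes):            # check 2: binary hashes
            digest = hashlib.sha256(content).hexdigest()
            if digest in bad_hashes:
                report["bad_hashes"].add(f"{name}:{digest}")
            continue
        layers = decode_layers(content)           # check 3: deobfuscate first
        report["encoded_blobs"] += len(layers)
        for text in [content] + layers:           # check 1: IP reputation
            for ip in IPV4_RE.findall(text):
                try:
                    ipaddress.IPv4Address(ip)     # drops 999.1.2.3 and the like
                except ValueError:
                    continue
                if ip in bad_ips:
                    report["bad_ips"].add(ip)
    hit = report["bad_ips"] or report["bad_hashes"]
    report["verdict"] = "suspicious" if hit else "clean"
    return report


# --- constructed sample data -------------------------------------------------
KNOWN_BAD_IPS = {"203.0.113.45"}                  # TEST-NET-3 address, constructed
_FAKE_BINARY = b"MZ\x90\x00constructed-fake-binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(_FAKE_BINARY).hexdigest()}  # "flagged" sample
# The PoC hides its C2 URL as base64(hex(url)): the kind of obfuscation the
# text calls a red flag.
_C2_URL = "http://203.0.113.45/stage2"
_BLOB = base64.b64encode(_C2_URL.encode().hex().encode()).decode()
SAMPLE_REPO = {
    "README.md": "PoC tested against a lab host at 10.0.0.5 only.",
    "exploit.py": "import base64, sys\nTARGET = sys.argv[1]\n"
                  f"CFG = base64.b64decode('{_BLOB}')\n",
    "helper.exe": _FAKE_BINARY,
}

if __name__ == "__main__":
    print(triage(SAMPLE_REPO, KNOWN_BAD_IPS, KNOWN_BAD_SHA256))
```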
El Yadmani, Soufian, Robin The and Olga Gadyatskaya, How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub, arXiv pre-print, 15 October 2022. Available online at https://arxiv.org/abs/2210.08374.
News Stories
VMWare Vuln Attracts Ransomware, Cryptominers
Back in April, VMware disclosed CVE-2022-22054, a remote code execution vulnerability in VMware ONE Access with a CVSS score of 9.8, and released a patch for it. It didn't take long for threat actors to reverse-engineer the patch and develop exploits which rapidly spread in the wild.
You would think this wouldn't be a huge problem, since the patch was available - but in August, researchers at Fortinet Labs saw a massive spike in activity, coupled with a change in post-exploitation tactics. Prior to this, threat actors had been using the exploit to find and exfiltrate sensitive information such as credentials, but the August attackers switched to installing the Mirai botnet, or alternatively a combination of the RAR1Ransom ransomware and a cross-platform cryptominer called GuardMiner.
The fact that this campaign is still running, months after a patch became available, shows that many enterprises are not being sufficiently proactive with their patch management programs.
Lin, Cara, Mirai, RAR1Ransom and GuardMiner - Multiple Malware Campaigns Target VMware Vulnerability, blog post, 20 October 2022. Available online at https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability.
Google Project Aims to Improve Supply Chain Security
Google has announced a new open-source project it calls GUAC (pronounced like the dip) to assist with supply chain security. GUAC, or Graph for Understanding Artifact Composition, has been kicked off by the cloud service provider together with Kusari, Citi and Purdue University. It aggregates software security metadata from SBOMs, signed attestations from SLSA and vulnerability databases into a high-fidelity graph database, normalizing entity identities and mapping standard relationships between them.
Querying this database will help to prioritize vulnerability management and remediation workflows, by answering important questions such as which enterprise applications are affected by a newly-disclosed vulnerability (a huge problem for many enterprises following Log4j, for example), or which are the most used critical components in enterprise systems.
At this stage, GUAC exists as a proof-of-concept that can ingest SLSA, SBOM and Scorecard documents and support simple queries. The focus is now turning to scaling the current capabilities and adding new document types for ingestion.
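The two questions mentioned above, worked through as an added example (not GUAC's own code or data model) on constructed SBOMs and a constructed vulnerability record with a placeholder identifier:

```python
"""A miniature artifact-composition graph of the kind the GUAC announcement
describes: ingest per-application SBOMs, normalise component identities so a
library shared by several applications becomes one node, then answer "which
applications contain a vulnerable version?" and "which components are most
widely used?" by walking the graph.

Added example, not GUAC's own code or data model.  The SBOMs, package
identities and the vulnerability record are constructed."""
from collections import Counter, defaultdict, deque

# Constructed package identities (purl-style names without versions; the
# version is attached when the graph node is created).
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core"
SPRING = "pkg:maven/org.springframework.boot/spring-boot"
KAFKA = "pkg:maven/org.apache.kafka/kafka-clients"

# Constructed SBOMs, reduced to the fields the dependency question needs:
# the application, its components with versions, and the dependency edges.
SBOMS = [
    {"application": "billing-portal",
     "components": {SPRING: "2.5.4", LOG4J: "2.14.1"},
     "depends_on": [("billing-portal", SPRING), (SPRING, LOG4J)]},
    {"application": "hr-intranet",
     "components": {SPRING: "2.7.0", LOG4J: "2.17.1"},
     "depends_on": [("hr-intranet", SPRING), (SPRING, LOG4J)]},
    {"application": "data-pipeline",
     "components": {KAFKA: "3.0.0", LOG4J: "2.14.1"},
     "depends_on": [("data-pipeline", KAFKA), (KAFKA, LOG4J)]},
]

# Constructed vulnerability record with a placeholder id (not a real
# advisory): log4j-core from 2.0 up to, but excluding, 2.15.0 is affected.
VULN = {"id": "EXAMPLE-VULN-0001", "package": LOG4J,
        "introduced": "2.0", "fixed": "2.15.0"}


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def is_affected(version, vuln):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"])


def build_graph(sboms):
    """Merge all SBOMs into one graph.  Node identity is 'purl@version', so
    log4j-core@2.14.1 from two different SBOMs is the same node while
    log4j-core@2.17.1 is a different one."""
    apps, edges = set(), defaultdict(set)
    for sbom in sboms:
        apps.add(sbom["application"])
        versions = sbom["components"]

        def node(name):
            return f"{name}@{versions[name]}" if name in versions else name

        for parent, child in sbom["depends_on"]:
            edges[node(parent)].add(node(child))
    return apps, edges


def affected_applications(apps, edges, vuln):
    """Return {application: dependency path} for every application whose
    transitive dependencies include a vulnerable version of vuln['package']."""
    hits = {}
    for app in sorted(apps):
        queue, seen = deque([(app, [app])]), {app}
        while queue:
            node, path = queue.popleft()
            name, _, version = node.rpartition("@")
            if name == vuln["package"] and is_affected(version, vuln):
                hits[app] = path
                break
            for child in edges.get(node, ()):
                if child not in seen:
                    seen.add(child)
                    queue.append((child, path + [child]))
    return hits


def usage_counts(apps, edges):
    """Number of applications that transitively contain each component."""
    counts = Counter()
    for app in apps:
        stack, seen = [app], set()
        while stack:
            for child in edges.get(stack.pop(), ()):
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        counts.update(seen)
    return counts


if __name__ == "__main__":
    apps, edges = build_graph(SBOMS)
    for app, path in affected_applications(apps, edges, VULN).items():
        print(f"{VULN['id']} reaches {app} via {' -> '.join(path)}")
    print(usage_counts(apps, edges).most_common(3))
```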
Lum, Brandon, et. al., Announcing GUAC, a great pairing with SLSA (and SBOM)!, Google Security Blog, 20 October 2022. Available online at https://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html.
Ransomware Group Targets Healthcare Sector
The FBI, US Cybersecurity and Infrastructure Security Agency and Dept. of Health and Human Services have issued a joint cybersecurity advisory outlining the TTPs, IOCs and general background on a group called "Daixin Team" who have predominantly been targeting the US healthcare sector with ransomware and extortion operations. Although this advisory is based on US experience, there's no reason to assume the group has not been active in Australia as well, and the advice is generally applicable.
Daixin Team has been active since at least June 2022, deploying ransomware to encrypt servers containing a variety of health information, but also exfiltrating personally identifiable information and patient health information, then threatening to release it if a ransom is not paid.
The group has used various techniques to gain initial access, including exploiting an unpatched vulnerability in a VPN server, or using previously-compromised credentials. Once access has been gained, they move laterally via SSH and RDP connections, and will attempt privilege escalation via credential dumping and pass-the-hash attacks. The advisory provides a full run-down, and makes for interesting reading.
CISA, #StopRansomware: Daixin Team, Alert AA22-294A, 21 October 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-294a.
News Stories
Office Web Apps Server SSRF/RCE Vulnerability
During a routine penetration test involving Microsoft's Office Online Server, MDSec found a server-side request forgery vulnerability which can be further exploited to achieve remote code execution on the server. The vulnerability is located in the /op/view.aspx API, which is normally used to retrieve Office documents for display in a browser.
The API leaks timing information which can be used to enumerate active hosts within the victim's network, but more interestingly, the connections made by the server's requests were made using the host's machine account. This can be used to exploit LDAP (to add shadow credentials) or Active Directory Certificate Services (to obtain a certificate, and from that a Ticket Granting Ticket for the server). From there, it is relatively simple to obtain a forged service ticket for the server, and thus local admin privileges on the server.
Microsoft responded that this is the way the API is intended to work, and suggested some mitigation steps.
Tanwar, Manish, Microsoft Office Online Server Remote Code Execution, blog post, 19 October 2022. Available online at https://www.mdsec.co.uk/2022/10/microsoft-office-online-server-remote-code-execution/.
Android Malware Spies on Iranian Citizens
Researchers from ESET have identified a new version of the FurBall Android malware being used by APT-C-50 to conduct surveillance operations against Iranian citizens as part of its Domestic Kitten campaign, which has been running since at least 2016.
The interesting thing about this new version of FurBall is that it has no new functionality; instead, its developers slightly obfuscated class and method names, strings, logs and the C2 server URIs, as well as the names of the PHP functions that run on the server. The purpose of this appears to be to change IoCs in order to evade detection.
Another curious feature is the fact that, despite the app having comprehensive spyware functionality, most of it cannot be used because its AndroidManifest.xml file only requests the permission to access contacts. It is possible that it is simply gathering contact information which will be used in a spearphishing campaign against the real targets; alternatively, once trust is established, more permissions could be requested by an update.
Stefanko, Lukas, Domestic Kitten campaign spying on Iranian citizens with new FurBall malware, blog post, 20 October 2022. Available online at https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/.
US Government to Launch Cybersecurity Labeling Program for IoT
The Internet of Things continues to be a headache for users, bedeviled as it is by such basic vulnerabilities as unchangeable default passwords, software written by the lowest bidder, and the lack of firmware update facilities. Now, inspired by the success of the EPA and DOE's Energy Star program, the White House has announced that it will drive improved security standards for Internet-enabled devices and implement a national cybersecurity labeling program which it intends will be globally recognized (think "Energy Star for cyber").
The National Security Council held a meeting between academics, government officials and manufacturers' representatives from AT&T, Cisco, Comcast, Google, Amazon, Sony, Samsung, Intel, LG and others. The FTC and NIST have been tasked with advancing improved security standards and a product labeling scheme.
Watson, Adrienne, Statement by NSC Spokesperson Adrienne Watson on the Biden-Harris Administration's Effort to Secure Household Internet-Enabled Devices, press release, 20 October 2022. Available online at https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/20/statement-by-nsc-spokesperson-adrienne-watson-on-the-biden-harris-administrations-effort-to-secure-household-internet-enabled-devices/.
UK Adopts New Architecture
Staying in the political realm, on Thursday the British Government announced that it would now transition to a Zero Truss Architecture.
I think that's quite enough for this week . . .
News Stories
CyberEspionage Group Deploys New PowerShell Backdoor
Researchers at SafeBreach have discovered what appears to be a 0day exploit which uses a malicious Word document macro to launch PowerShell scripts which infect the system. The Word document superficially looks like a job application form called "Apply Form.docm", but editing it will run a macro which drops a Visual Basic script and creates a scheduled task to run it, masquerading as part of the Windows update process.
It also creates two PowerShell scripts, the first of which connects to the attacker's C2 server, establishing a channel which is encrypted with AES-256-CBC. The second script then decrypts and executes the received commands, uploading the results in a similar way.
Taking advantage of some elementary errors by the attackers (a single AES key for all victims, predictable victim IDs), the SafeBreach researchers were able to find the various commands which were waiting for the 69 or so victims; the vast majority were for exfiltration of data, while the remainder were mostly for user and system enumeration, including network and RDP connections.
Bar, Tomer, SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor, blog post, 18 October 2022. Available online at https://www.safebreach.com/resources/blog/safebreach-labs-researchers-uncover-new-fully-undetectable-powershell-backdoor/.
Microsoft Misconfiguration Exposes Customer Data
Microsoft Security Response Center has disclosed a vulnerability which exposed data - primarily contact details and email contents - relating to customers' relationships with Microsoft and its business partners. The vulnerability was a misconfiguration which allowed unauthenticated access to a Microsoft Azure Blob Storage endpoint. Curiously, they state that the "endpoint is not in use across the Microsoft ecosystem", which sounds like a classic example of improper web API asset management.
MSRC also states that "our investigation found no indication customer accounts or systems were compromised" and the affected customers have been notified.
However, Microsoft also takes issue with the way in which the researchers who discovered the exposure disclosed it, claiming they made the problem worse. SOCRadar had claimed that sensitive customer information, including product orders and offers, project details and IP for over 65,000 entities in 111 countries, going back 5 years, was exposed.
msrc, Investigation Regarding Misconfigured Microsoft Storage Location, blog post, 19 October 2022. Available online at https://msrc-blog.microsoft.com/2022/10/19/investigation-regarding-misconfigured-microsoft-storage-location-2/.
Uncredited, Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket, blog post, 19 October 2022. Available online at https://socradar.io/sensitive-data-of-65000-entities-in-111-countries-leaked-due-to-a-single-misconfigured-data-bucket/.
Ransomware Gang Targets Russian Companies
Generally, ransomware gangs are equal-opportunity operators - they'll accept money from anyone after locking up their files. However, researchers at Singapore-based Group-IB have identified one group, OldGremlin, which they say specializes in attacking Russian firms across a range of industries.
Their motto seems to be "work smarter, not harder" - since their discovery in March 2020, the group has conducted a total of 16 campaigns, and while they only ran five campaigns this year, their ransom demands have been steadily increasing - in 2021, their biggest demand was for $4.2 million, in 2022 it grew to $16.9 million.
In order to gain initial access, the group uses well-crafted phishing emails, which often present as interview requests, commercial proposals and financial documents. They develop their own ransomware, and while they historically targeted the Windows platform, deploying well-known tools such as PowerSploit and Cobalt Strike, their most recent activities have spread to Linux. They are also stealthy; their victims are typically infected for 49 days before their ransomware is deployed.
Group-IB, Gremlins' prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records, press release, 20 October 2022. Available online at https://www.group-ib.com/media-center/press-releases/oldgremlin-2022/.
Further Criticism of (ISC)2
Former board member at (ISC)2, Wim Remes, has leveled further criticism at the certification body, pointing out the organization's poor record on member engagement. He also points out the problems with the new requirements for members to raise a petition, which would effectively make it impossible.
As Remes points out, under the new process for board elections, in which the board will submit a slate of qualified candidates equal to the number of open seats, an election is, in effect, just a coronation.
Wollacott, Emma, Security certification body (ISC)2 defends 'undemocratic' bylaw changes, The Daily Swig, 19 October 2022. Available online at https://portswigger.net/daily-swig/security-certification-body-isc-defends-undemocratic-bylaw-changes.
News Stories
RCE Vulnerability In - Of All Things - Cobalt Strike
IBM X-Force researchers have found a remote code execution vulnerability in the Cobalt Strike post-exploitation C2 framework. Their interest was drawn by a September out-of-band update for Cobalt Strike which was intended to fix an XSS vulnerability (CVE-2022-39197); the release notes for this patch stated that the vulnerability could lead to RCE, and so they set about checking to see whether the patch really did fix the problem.
The researchers started by decompiling the Cobalt Strike Java client application, and took a close look at the XSS mitigation code, identifying two validator functions but realizing that the note input field was not being passed through either XSS validator. Further experimentation on the client, which is written using the Swing UI framework, revealed that it was possible to include HTML in a Swing component, and then include Java components with the HTML by using the HTML <object> tag.
From there, automated code analysis revealed the final component of the vulnerability: a deserialization vulnerability in a library which is used to load SVG (Scalable Vector Graphics) files. Putting the whole chain together, the X-Force researchers created a PoC which injects some JavaScript into the graphical file explorer menu to hook the FileNextFileA function. This allowed them to inject the name of an SVG file into the back end, which in turn loads the SVG; the SVG contains JavaScript code which can then load and run arbitrary Java code, right up to a full-featured back door.
Sherri, Rio, Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1, blog post, 17 October 2022. Available online at https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/.
New Google OS Based on seL4
Attendees at my CISSP review courses will have heard me talk about the seL4 microkernel, which was originally developed at UNSW under the auspices of Data61, and was spun off into its own foundation a few years ago. seL4 is unique in being a formally verified kernel; its logic was expressed in a mathematical notation (Higher Order Logic) and then iteratively proven to be secure using the Isabelle proof assistant, fixing the HOL and the corresponding source code along the way until the security properties (confidentiality, integrity, availability) of the microkernel were proven.
The result is an OS kernel that is ideal for embedded systems with high security and reliability requirements, such as in avionics, medical, automotive and defence applications.
Now Google has picked up on the benefits of building security in from the ground up, rather than trying to add it later, and has created a new operating system which is intended to be a provably secure platform for embedded devices that run machine learning applications. The OS, called KataOS, is implemented almost entirely in Rust - a good move for security, since it eliminates some of the major classes of vulnerabilities such as off-by-one errors and buffer overflows.
The reference implementation of KataOS (important, since formal verification is hardware-dependent) is called Sparrow, and combines KataOS with a silicon root of trust (OpenTitan) on a RISC-V architecture. An interim release will run on 64-bit ARM running in simulation with QEMU.
Call me old-fashioned, but I'm glad to see someone taking security engineering seriously, rather than throwing a system together with COTS and then playing whack-a-mole with pentesters and bad guys.
Sam, Scott and June, Announcing KataOS and Sparrow, Google Open Source blog, 14 October 2022. Available online at https://opensource.googleblog.com/2022/10/announcing-kataos-and-sparrow.html.
seL4 Project, The seL4 Microkernel, project home page, 2022. Available online at https://sel4.systems/.
Medibank Breach Turns Nasty
Earlier this week we reported on a likely breach at healthcare and general insurer Medibank, and in response to the company's claim that, "we have found no evidence that our customer data has been accessed", I could only comment, "Let's hope they're right".
It seems they weren't, with Nine Media mastheads receiving a message from the hackers, who claim to have exfiltrated 200 GB of sensitive information and are now threatening to release it. In broken English, the hackers wrote:
“We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc) Also we’ve found people with very interesting diagnoses. And we’ll email them their information.”
Medibank had also received a threat, which it was taking seriously. In the meantime, trading in Medibank shares on the ASX has been halted - a move which will doubtless refocus the attention of the Medibank board members on cybersecurity.
Bonyhady, Nick and Colin Kruger, Medibank hackers threaten to release stolen health data in ransom demand, The Age, 19 October 2022. Available online at https://www.theage.com.au/technology/medibank-hackers-threaten-to-release-stolen-health-data-in-ransom-demand-20221019-p5br2s.html.
Russia Buys Chips from China, Finds 40% Are Duds
Sanctions against Russia are hitting its electronics manufacturing sector, quite possibly affecting its ability to produce weapons systems. Prior to the imposition of sanctions, Russia was able to buy semiconductor components on the open market, and in those days approximately 2% of parts were faulty. But bear in mind that 2% is quite damaging, since a typical product has multiple components. With 10 components, a completed circuit board has a reliability of just 82% (or a failure rate of 18%).
But with a 40% failure rate, almost nothing is going to work (do the math: for one component, the reliability is 60% or 0.6, but with 10 components it is \(0.6^{10}\) or 0.006 - that is, only 0.6% of completed boards will work, a 99% failure rate).
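The arithmetic above is the series-reliability rule: a board that needs every one of its parts to work has reliability equal to the product of the individual part reliabilities. The following is an added illustration, not code from the article, that carries that rule through for any mix of per-part failure rates and also answers the inverse question a procurement or hardware-assurance reviewer would ask: how many parts of a given quality can a design tolerate before yield drops below a target? The function and parameter names are this example's own.

```python
"""Series reliability of a board built from n components (added example).

A board that needs all of its components to work has reliability
R = prod(1 - p_i) over its components, so a modest per-part failure rate
compounds quickly with part count.
"""
from math import floor, log, prod


def board_reliability(failure_rates):
    """Probability that a board works, given each component's failure
    probability. All components must work (series reliability)."""
    for p in failure_rates:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"failure rate out of range: {p}")
    return prod(1.0 - p for p in failure_rates)


def uniform_board_reliability(per_part_failure_rate, n_parts):
    """The article's case: n identical parts with the same failure rate."""
    return board_reliability([per_part_failure_rate] * n_parts)


def max_parts_for_yield(per_part_failure_rate, target_yield):
    """Largest part count whose board yield still meets target_yield.

    Solves (1 - p)^n >= target for integer n. Returns None when p == 0
    (perfect parts impose no limit) and 0 when p == 1 (nothing works).
    """
    if not 0.0 < target_yield <= 1.0:
        raise ValueError("target_yield must be in (0, 1]")
    p = per_part_failure_rate
    if p <= 0.0:
        return None
    if p >= 1.0:
        return 0
    return floor(log(target_yield) / log(1.0 - p))


if __name__ == "__main__":
    # The two scenarios from the article: 2% duds vs 40% duds, 10 parts each.
    for p in (0.02, 0.40):
        r = uniform_board_reliability(p, 10)
        print(f"per-part failure {p:.0%}: 10-part board yield {r:.1%}, "
              f"failure rate {1 - r:.1%}")
    # How many 2%-failure parts can a design carry and still get half
    # the boards working?
    print("parts for >= 50% yield at 2% duds:", max_parts_for_yield(0.02, 0.5))
```

Run as a script it reproduces the article's 82% and 0.6% yields; `max_parts_for_yield` shows that even at the pre-sanctions 2% dud rate, a design with more than 34 such parts has less than an even chance of working without rework.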
It seems that China is capitalizing on the fact that Russia is caught between a rock and a hard place. This is also a useful reminder that the hardware supply chain has vulnerabilities of its own, not just the software supply chain.
Sharwood, Simon, China dumps dud chips on Russia, Moscow media moans, The Register, 18 October 2022. Available online at https://www.theregister.com/2022/10/18/russia_china_semiconductro_failure_rates/.
Soccer Fans: Qatar Wants You (Or Your Data, More Likely)
According to a report in Norwegian media outlet NRK, two mobile apps which everyone (over 18) visiting Qatar for the soccer World Cup will have to install pose a very severe risk to privacy.
The first app, called Ehteraz, is a COVID-19 tracking app (haven't we moved on from these?). Alarmingly, it asks for a lot of privileges on the phone, including access to read, delete and change all content on the phone, the ability to connect to wi-fi and Bluetooth, to override other apps and to prevent the phone from switching off to sleep mode. It also accesses accurate location services, can make calls and can even disable the screen lock.
The other app, called Hayya, is used to access event tickets as well as the Metro public transit system. It also accesses accurate location services, network connections, and disables sleep mode, but also asks for permission to share the user's personal information with almost no restrictions.
Experts consulted by NRK agree that the apps are very intrusive, with no granularity of control over permissions and no ability to opt out: the apps are mandatory. Anyone attending the World Cup should undoubtedly acquire a burner phone and limit their access to cloud services. Employers should prohibit the use of work devices and applications by employees visiting Qatar.
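For an employer or security team deciding whether an app like those described above belongs on a managed device, the first step is to triage what the app's manifest actually requests. The script below is an added example (not from the article or NRK) that parses an Android manifest and groups the requested permissions into the capability classes the NRK experts flagged: storage read/write, precise location, phone calls, screen-lock and sleep control, wi-fi/Bluetooth, and drawing over other apps. The permission names are real Android ones; the grouping into classes is this example's own choice, and the sample manifest is constructed for illustration, not taken from either app.

```python
"""Triage an Android manifest's requested permissions (added example).

The capability classes mirror what NRK's experts flagged; the mapping from
permission name to class is this example's editorial choice, and the sample
manifest is constructed, not either real app's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names grouped into the capability classes the
# article describes (grouping is an assumption of this example).
CAPABILITY_CLASSES = {
    "read/modify all content on the phone": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
    "precise location": {"android.permission.ACCESS_FINE_LOCATION"},
    "place phone calls": {"android.permission.CALL_PHONE"},
    "disable screen lock": {"android.permission.DISABLE_KEYGUARD"},
    "prevent sleep": {"android.permission.WAKE_LOCK"},
    "wi-fi / bluetooth": {
        "android.permission.ACCESS_WIFI_STATE",
        "android.permission.CHANGE_WIFI_STATE",
        "android.permission.BLUETOOTH",
        "android.permission.BLUETOOTH_CONNECT",
    },
    "draw over other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Constructed sample manifest (NOT taken from Ehteraz or Hayya).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def triage(manifest_xml):
    """Map requested permissions onto the flagged capability classes.

    Returns {class label: sorted matching permissions} for classes that are
    hit; classes with no matching permission are omitted.
    """
    requested = requested_permissions(manifest_xml)
    hits = {}
    for label, perms in CAPABILITY_CLASSES.items():
        matched = sorted(requested & perms)
        if matched:
            hits[label] = matched
    return hits


if __name__ == "__main__":
    for label, perms in triage(SAMPLE_MANIFEST).items():
        print(f"{label}: {', '.join(perms)}")
```

On the constructed manifest the script reports six of the seven classes (everything except wi-fi/Bluetooth), which is the kind of summary that makes a "no work devices in Qatar" policy decision easy to justify to management. On a real app, the manifest comes out of the APK with the usual decoding tools; the triage logic is unchanged.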
Sande, Egil, et al., Everyone going to the World Cup must have this app - experts are now sounding the alarm, NRK, 14 October 2022. Available online at https://www.nrk.no/sport/everyone-going-to-the-world-cup-must-have-this-app---experts-are-now-sounding-the-alarm-1.16139267.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
 Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.