Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Uber & Rockstar GTA Hacker Arrested
The City of London Police has revealed that it has arrested a 17-year-old from Oxfordshire on suspicion of hacking. It is believed that the real-world identity of the hacker, who went by the handles 'teapot' and 'teapotuberhacker', was outed in an online forum, giving the police the information they needed to act.
If this is correct, the teenager also hacked Microsoft, Rockstar Games and Uber and may well be 'White' or 'Breachbase', the ringleader of the Lapsus$ extortion group. This group has mainly employed social engineering attacks on employee accounts for initial access, but then employs increasingly sophisticated technical techniques for lateral movement. They have also attempted to recruit privileged insiders at telcos, tech companies and call centres, bribing them to provide VPN or Citrix credentials.
City of London Police, On the evening of Thursday 22 September ..., tweet, 23 September 2022. Available online at https://twitter.com/CityPolice/status/1573281533665972225.
Flashpoint Team, What We Know About the 'Grand Theft Auto VI' Data Breach, blog article, 23 September 2022. Available online at https://flashpoint.io/blog/grand-theft-auto-6-data-breach/.
Optus Data Breach Resonates
The massive data breach of Australian telco Optus continues to resonate, with ongoing implications for the telco, its customers and regulators. The hacker behind the breach has apparently now demanded a $US 1 million ransom - which, considering the number of records, amounts to just over 10c per record. Local journalist Jeremy Kirk has been in touch with the alleged hacker and confirmed the authenticity of a sample of the data with the affected customers.
The hacker claims that they obtained access via an API endpoint which required no authentication - a classic function-level authorization vulnerability - enumerating a field called 'contactid' to access customer records sequentially.
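As an added illustration, not code from the briefing or from Optus's systems: the unauthenticated lookup pattern described above beside a hardened handler that requires a session and checks record ownership, plus a simple detector for contiguous contactid walks in access logs. The customer records, session tokens and log format are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample records keyed by a sequential 'contactid' (as in the briefing).
CUSTOMERS = {
    1001: {"owner": "alice", "name": "Alice Example", "licence": "DL-PLACEHOLDER-1"},
    1002: {"owner": "bob", "name": "Bob Example", "licence": "DL-PLACEHOLDER-2"},
}
# Constructed session store: bearer token -> authenticated customer account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def vulnerable_lookup(contactid):
    """The pattern the briefing describes: no authentication, so anyone can walk contactid."""
    return CUSTOMERS.get(contactid)


def hardened_lookup(bearer_token, contactid):
    """Authenticate the caller, then enforce that the record belongs to that caller."""
    owner = SESSIONS.get(bearer_token)
    if owner is None:
        return 401, None                      # no valid session: reject before any lookup
    record = CUSTOMERS.get(contactid)
    if record is None or record["owner"] != owner:
        return 404, None                      # same answer for 'absent' and 'not yours'
    return 200, record


def enumeration_alerts(log_lines, threshold=5):
    """Flag clients whose requests cover a contiguous run of contactids.

    Log format is constructed for this example: '<client> <status> <path>'.
    """
    ids_by_client = defaultdict(set)
    for line in log_lines:
        client, _status, path = line.split(" ", 2)
        if path.startswith("/api/customer?contactid="):
            ids_by_client[client].add(int(path.rsplit("=", 1)[1]))
    alerts = []
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        contiguous = ordered[-1] - ordered[0] == len(ordered) - 1
        if len(ordered) >= threshold and contiguous:
            alerts.append(client)
    return sorted(alerts)


# Constructed access log: one client walking the keyspace, one normal customer.
SAMPLE_LOG = [f"203.0.113.9 200 /api/customer?contactid={i}" for i in range(1000, 1008)]
SAMPLE_LOG += ["198.51.100.4 200 /api/customer?contactid=1001",
               "198.51.100.4 200 /api/customer?contactid=1001"]
```

Non-sequential identifiers (for example random UUIDs) make the walk impractical, but the ownership check in `hardened_lookup` is what actually closes the hole; unguessable ids alone are not authorization.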
Because the customer data contains so much information that can be used for identity theft, the Government is considering changes to privacy laws which will speed the disclosure of such information to banks so that the financial institutions can apply additional monitoring and controls on the accounts of the affected customers. Considering that it is the existing privacy laws that prevent this type of disclosure, the government might wish to pause for reflection on the Law of Unintended Consequences before pushing through any half-baked ideas.
Belot, Henry, Australian Federal Police monitoring dark web amid allegations stolen Optus data may be sold online, ABC News, 24 September 2022. Available online at https://www.abc.net.au/news/2022-09-24/afp-monitoring-dark-web-for-stolen-optus-data-sold-online/101471256.
Kirk, Jeremy, UPDATE: I reached the person who claims to have hacked Optus, tweet, 24 September 2022. Available online at https://twitter.com/jeremy_kirk/status/1573652986437726208.
Speers, David and Andrew Greene, Federal government to unveil new security measures following massive Optus data breach, ABC News, 25 September 2022. Available online at https://www.abc.net.au/news/2022-09-25/new-security-measures-to-be-unveiled-following-optus-data-breach/101472364.
XSS, CSRF Vulns in Netlify JavaScript Library
Web sites built with the Netlify development platform are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, due to a cache poisoning vulnerability (CVE-2022-39239), say researchers. The vulnerability allows attackers to use specially crafted headers which cause the cache handler to load and return arbitrary images - which could include scalable vector graphics (SVG) files carrying embedded malicious scripts.
The vulnerability is due to improper URL parsing in the unjs/ufo library which is, in turn, used by the @netlify/ipx library. This is installed by default on many Netlify installations.
Netlify versions prior to 1.2.3 are vulnerable, and customers are - obviously - urged to update and redeploy sites to clear caches.
Curry, Sam, Exploiting Web3's Hidden Attack Surface: Universal XSS on Netlify's Next.js Library, blog post, 21 September 2022. Available online at https://samcurry.net/universal-xss-on-netlifys-next-js-library/.
Course Updates
Course materials updated in the last few days:
Updated Lecture Slides
Updated CISSP CBK wiki pages:
- CBK Wiki/RESTful API
- CBK Wiki/Simple Object Access Protocol
- CBK Wiki/XML-RPC
- CBK Wiki/Broken Object-Level Authorization
- CBK Wiki/JSON Web Token
- CBK Wiki/Federated Identity Management Systems
- CBK Wiki/Software Development for Mobile Devices
- CBK Wiki/Excessive Data Exposure
- CBK Wiki/Sensitive Data Exposure
- CBK Wiki/Broken Function-Level Authorization
- CBK Wiki/Injection Attacks
- CBK Wiki/Lack of Resources and Rate Limiting
- CBK Wiki/Mass Assignment
- CBK Wiki/Improper Web API Asset Management
- CBK Wiki/Insufficient Logging and Monitoring
- CBK Wiki/API Security
- CBK Wiki/API key
- CBK Wiki/Broken User Authentication
- CBK Wiki/Web Application Security
- CBK Wiki/Cross-Site Request Forgery
- CBK Wiki/Polymorphism
- CBK Wiki/Inheritance
- CBK Wiki/Encapsulation
- CBK Wiki/Object-Oriented Concepts and Security
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.