Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

GitHub, PyPi Used to Spread Malicious Python Packages to Naive Users

We have previously reported on attempts to poison the software supply chain via the creation of trojaned Python packages on GitHub and promoted via the PyPi package repository. Generally, this method relies on naive developers making use of the packages in their projects and thereby infecting unsuspecting victims.

However, a new campaign is attracting the victims directly, targeting the victims via a viral TikTok craze. A TikTok filter called "Invisible Body" removes the body of a video's subject, replacing it with a blurred contour image, and a trending craze, "Invisible Challenge", dares people to film themselves naked, then post the resultant "Invisible Body"-processed video.

This is where the cunning attacker comes in: via TikTok videos, he offers some software called "unfilter" which claims to be able to remove the "Invisible Body" filter effect. His videos have attracted over a million views inside just a few days, and over 30,000 people have responded by following the instructions to join a Discord server which, in turn sends an automated message asking the victim to 'star' a GitHub repository (boosting its apparent popularity) and download the malicious Python package. This carries the WASP stealer, which will plunder Discord accounts, passwords, crypto wallets, credit cards and other files from the victim's computer.

Be careful what you ask for; if it seems too good to be true . . .

Nachson, Guy and Tal Folkman, Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package, blog post, 28 November 2022. Available online at https://checkmarx.com/blog/attacker-uses-a-popular-tiktok-challenge-to-lure-users-into-installing-malicious-package/.

Baseboard Management Controllers Bring Vulnerabilities to Internet of Things

Basedboard management controllers are system-on-a-chip devices originally intended for remote monitoring and management of computers; they have long been a feature of mainframes (where they were much larger boards) but over the last decade or so have made their way into server motherboards, where they provide low-level functionality such as network access to a hardware console, BIOS reflashing, power control, etc.

However, these chips are now finding their way into Internet of Things (IoT) and Operational Technology (OT) devices, where they are used to provide network services such as a web-based management dashboard.  Taiwanese manufacturer Lanner Inc., which specialises in embedded applications, sells the IAC-AST2500A, a BMC-based expansion card with firmware based on AMI's MegaRAC SP-X, which is also used in popular servers.

A new report from network security specialist Nozomi Networks details thirteen vulnerabilities in the web interface of this card, not all of them remediated as of this date. They include command injections, stack-based buffer overflows, broken access control, session fixation, username enumeration and others, and several of them can be chained to permit remote code execution.

Uncredited, Vulnerabilities in BMX Firmware Affect OT/IoT Device Security - Part 1, blog post, 22 November 2022. Available online at https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1/.

Meta Cops Large Fine for Facebook Data Scraping Breach

The Irish Data Protection Commission (DPC) has announced the conclusion of its investigation of Meta Platforms Ireland Limited (MPIL) in relation to the release of the personal information of 533 million Facebook users. The DPC has imposed a fine of €265 million, along with a range of specific corrective measures.

The breach, which occurred in early 2020, exposed personal information such as the Facebook ID, name, gender, relationship status, occupation, email addressand phone number of each user, and was accomplished using a data scraper to mine and then correlate data from Facebook Search, the Facebook Messenger Contact Importer and the Instagram Contact Importer between May 2018 and September 2019. The data was then made available via a hacker forum.

The DPC found that MPIL had infringed two clauses of Article 25 of the EU General Data Protection Regulation:

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
   
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. 2That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. 3In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

The Data Protection Commission is a key enforcement agency for the GDPR, since so many multinational tech companies base their European operations in Ireland.

Uncredited, Data Protection Commission announces decision in Facebook "Data Scraping" Inquiry, press release, 28 November 2022. Available online at https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.