Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Brewer-Nash Missing in Action

Scandal has rocked the Australian arm of global consulting firm PwC, with chief executive Tom Seymour resigning after sustained criticism arising from allegations the firm shared confidential government tax policy with other clients. There being only a few large audit and consulting firms left, it is not unusual for them to have multiple clients sometimes with conflicting interests.

In this case, PwC had been retained by the government to consult on tax reforms, particularly rules to prevent multinational corporations avoid tax by using strategies such as transfer pricing to shift profits out of Australia to tax havens. However, PwC's former head of international tax, Peter-John Collins was subsequently deregistered for two years by the tax practitioners board for failing to act with integrity and sharing confidential government briefings with other staff. PwC was ordered to put training and procedures in place to ensure conflicts of interest are adequately managed.

Cybersecurity professionals already know how this is done: the Brewer-Nash security model, better known as the Chinese Wall security policy. This blocks access to documents by populating conflict-of-interest classes for employees like consultants working in firms where it is important that sensitive information about one client not be leaked to another. In essence, this is a form of privacy control, only the subjects are corporations rather than individual persons.

However, technical controls can always be bypassed outside the systems that implement them, and this is particularly the case where management lacks the ethical will to implement them in the first place.

Belot, Henry, Consultancy firms becoming ‘shadow public service’, expert warns, as PwC crisis deepens, The Guardian, 9 May 2023. Available online at https://www.theguardian.com/australia-news/2023/may/09/consultancy-firms-becoming-shadow-public-service-expert-warns-as-pwc-crisis-deepens.

Brewer, D. F. C., & Nash, M. J., The Chinese Wall security policy, Proceedings of the 1989 IEEE Symposium on Security and Privacy, pp 206–214, 1989. Available online at https://doi.org/10.1109/SECPRI.1989.36295.

Job-Seeking By Hacking

In a novel approach to job-hunting, a budding 'security researcher' has advertised his skills and availability by 'hacking' some packages in the PHP language's Packagist distribution repository. In doing so, he has reinforced awareness of problems with the open-source software supply chain, which has previously seen malware introduced to repositories like PyPI for Python.

The Packagist repository does not store project code for distribution; rather it links to the project code on services like GitHub, simplifying maintenance for developers and ensuring that the repository always links to the correct version of the software. However, this opens up a second way in which the respository could be 'poisoned': rather than hacking the original source code or binaries, an attacker could simply change the links in Packagist.

And that's what one enterprising hacker did. Having somehow obtained the passwords to four old, inactive Packagist accounts, they copied 14 GitHub projects associated with this accounts, copied these projects to a new GitHub account and then changed the links in Packagist to point to the new GotHub repositories.

Having done this, they could have modified the PHP source code of the projects to insert backdoors or other malware, but instead confined themselves to editing the description field in each project's composer.json file to insert a short message (in Russian) with their email address and the fact that they were "looking for a job in Application Security, Penetration Tester, Cyber Security Specialist".

Hire them at your peril. . .

Ducklin, Paul, PHP Packagist supply chain poisoned by hacker "looking for a job", Naked Security blog, 5 May 2023. Available online at https://nakedsecurity.sophos.com/2023/05/05/php-packagist-supply-chain-poisoned-by-hacker-looking-for-a-job/.

MSI Breach: UEFI Secure Boot No Longer Secure

Following a breach of its systems in March, motherboard manufacturer MSI refused to pay the $US4,000,000 ransom demanded by the 'Money Message' threat actor. Now the group has started to release the 1.5TB of data they exfiltrated from MSI, including the source code for their motherboard firmware.

On Friday of last week, Alex Matrosov, the CEO of firmware supply chain security firm Binarly, revealed that the leaked source code contained the private keys used to sign the BIOS images for 57 different products and the Intel Boot Guard private keys for 116 products. These keys are unique to MSI, and are not Intel signing keys.

However, the Intel Boot Guard keys will allow an attacker to build malicious firmware updates and deliver them through a normal BIOS update process with MSI update tools, according to Matrosov. This will bypass Intel Boot Guard and allow attackers to load UEFI bootkits, rendering Windows UEFI Secure Boot invalid.

In a later tweet, Matrosov also revealed that "one of the leaked keys (bxt_dbg_priv_key.pem) is associated with Intel Orange or OEM Unlocked. Based on Intel documentation, it appears to be more power in comparison to Boot Guard Keys."

The implication is that this breach now affects not only MSI devices, but the entire Windows UEFI Secure Boot ecosystem.

Matrosov, Alex, Recently, @msiUSA accounced a significant data breach., tweet, 4 May 2023. Available online at https://twitter.com/matrosov/status/1653923749723512832.

Matrosov, Alex, Diving deeper into MSI leak ..., tweet, 9 May 2023. Available online at https://twitter.com/matrosov/status/1655744775063244800.

Ravie Lakshamanan, MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web, The Hacker News, 8 May 2023. Available online at https://thehackernews.com/2023/05/msi-data-breach-private-code-signing.html.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.