Blog entry by Les Bell

by Les Bell - Thursday, 15 September 2022, 6:43 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Mudge Spills Beans on Twitter

Former Twitter CISO Peiter "Mudge" Zatko has appeared before a Congressional committee to testify on failures of governance at the company, which he divided into two categories: the company does not know enough about its own data, and employees have too much access to data. “They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” Zatko said. “It doesn’t matter who has keys if there are no locks.”

The lack of granular access control mechanisms is particularly concerning in light of Mudge's allegations that the company is unable to identify and expel foreign agents in its employ. He claimed that the company knowingly allowed a foreign agent placed by the Indian government to influence negotiations over social media restrictions in the country. Furthermore, a week before Mudge was fired by the company, the FBI had informed Twitter's security team that at least one agent from China's Ministry of State Security was working there.

The problems, claims Mudge, stem from a corporate culture that avoids negativity and selects favourable information to present to the board. "I saw that Twitter was a company that was managed by risk and crises, instead of one that manages risk and crises", he claimed. When he told one executive that he was confident there was a foreign agent within the company, their response was, "Well, since we already have one, what does it matter if we have more?", he claims.

Mudge's testimony comes at an awkward time for Twitter, as it also supports Elon Musk's case for backing out of his planned acquisition on the grounds that the company had failed to disclose that a large proportion of user accounts were, in fact, bots. Twitter, of course, paints his account of events as "a false narrative ... riddled with inconsistencies and inaccuracies".

A related article suggests that various companies are frantically searching for dirt in order to discredit Mudge, but that they will find it difficult.

Paul, Kari, Twitter whistleblower tells Senate of 'egregious' security failings by company, The Guardian, 14 September 2022. Available online at https://www.theguardian.com/technology/2022/sep/13/twitter-whistleblower-testimony-congress-peiter-zatko.

Bond, Shannon and Raquel Maria Dillon, Twitter may have hired a Chinese spy and four other takeaways from the Senate hearing, NPR, 13 September 2022. Available online at https://www.npr.org/2022/09/13/1122671582/twitter-whistleblower-mudge-senate-hearing.

Kaplan, Fred, The People Looking for Dirt to Discredit Twitter Whistleblower "Mudge" Are Not Going to Find It, Slate, 13 September 2022. Available online at https://slate.com/news-and-politics/2022/09/twitter-whistleblower-mudge-hearing-dirt-nope.html.

New Google Tool Minimizes Use-after-free Vulnerabilities

A use-after-free bug arises when a programmer allocates memory from the heap, frees it, and then accidentally continues to use it. If an attacker finds the bug and can figure out how to exploit it, it becomes a vulnerability - and such bugs are surprisingly common, because deciding exactly where a free() call belongs in complex code is tricky.

Work done at Google found that half of the known exploitable bugs in the Chrome browser are use-after-frees, and this has spurred its developers to create a tool which can prevent their exploitation. It defines a new 'smart' pointer type, raw_ptr<T>, which uses reference counting similar to the garbage collector found in some modern OO languages. When the application code calls free() or delete but the reference count is not zero (indicating that a variable somewhere still points to the allocated block), the memory is quarantined rather than being immediately released for reuse. Only after the reference count reaches zero will the memory be reused.
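As an added illustration (not code from the Google post or from Chromium), here is a deliberately simplified C++ model of the mechanism just described: a Tracked pointer type that maintains a per-slot reference count, and an allocator that quarantines a freed slot while that count is non-zero instead of recycling it. The slot layout, the poison value and all function names are assumptions of the model; Chromium's real implementation keeps the count in the allocator's per-slot metadata rather than beside the object's data.

```cpp
// Simplified model of the quarantine behind raw_ptr<T>; not Chromium's code.
#include <cstdint>
#include <vector>
struct Slot {                  // one heap slot plus the allocator's metadata
    std::uint32_t value = 0;   // application data
    int refs = 0;              // live Tracked pointers into this slot
    bool freed = false;        // application has called Free()
    bool quarantined = false;  // freed while refs > 0: held back from reuse
};
static std::vector<Slot*> g_free_list;            // slots eligible for reuse
static void ResetHeap() { g_free_list.clear(); }  // demo only; leaks slots
Slot* Alloc(std::uint32_t v) {
    Slot* s = g_free_list.empty() ? new Slot : g_free_list.back();
    if (!g_free_list.empty()) g_free_list.pop_back();
    s->value = v; s->freed = false; s->quarantined = false;
    return s;
}
// Poison the payload; while a Tracked pointer is alive, quarantine the slot.
void Free(Slot* s) {
    s->freed = true; s->value = 0xDEADBEEF;
    if (s->refs > 0) s->quarantined = true; else g_free_list.push_back(s);
}
class Tracked {  // stand-in for raw_ptr<T>; copy support omitted for brevity
    Slot* s_;
 public:
    explicit Tracked(Slot* s) : s_(s) { if (s_) ++s_->refs; }
    ~Tracked() {  // last pointer gone: a quarantined slot may now be reused
        if (s_ && --s_->refs == 0 && s_->quarantined) { s_->quarantined = false; g_free_list.push_back(s_); }
    }
    Slot* get() const { return s_; }
    bool dangling() const { return s_ && s_->freed; }
};
// Plain pointer: the freed slot is recycled and the stale read sees new data.
std::uint32_t UnprotectedUaf() {
    ResetHeap();
    Slot* a = Alloc(1111);
    Free(a);
    Alloc(2222);      // recycles a's slot
    return a->value;  // 2222: the condition an attacker tries to engineer
}
struct Outcome { bool slot_reused; bool read_poisoned; };
// Tracked pointer: fresh memory for the new object, poison for the stale read.
Outcome ProtectedUaf() {
    ResetHeap();
    Tracked a(Alloc(1111));
    Free(a.get());
    Slot* b = Alloc(2222);
    return {b == a.get(), a.dangling() && a.get()->value == 0xDEADBEEF};
}
```

When the Tracked pointer in ProtectedUaf() goes out of scope its destructor drops the count to zero and only then returns the quarantined slot to the free list, which is the "reused only after the count reaches zero" step.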

Taylor, Adrian, Bartek Nowierski and Kentaro Hara, Use-after-freedom: MiraclePtr, Google Security Blog, 13 September 2022. Available online at https://security.googleblog.com/2022/09/use-after-freedom-miracleptr.html.

WordPress Plugin 0Day Actively Exploited

Wordfence - a firm which specializes in WordPress security - has published details of a new zero-day exploit with a CVSS score of 9.8, which is being actively used in the wild for unauthenticated privilege escalation. The underlying vulnerability is in the WPGateway plugin, which is tied to the WPGateway cloud service, an administration dashboard which simplifies the setup and management of WordPress sites.

A simple IOC is the addition of an administrator account called rangex. Exploitation is also signaled by a request like the following in the web server's access_log:

//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1
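The following is an added C++ example, not Wordfence's code, which scans constructed access_log lines for the request above. It normalises the doubled leading slash and checks the query parameter as a whole, so requests that differ only in slash count or parameter order are still caught; the sample addresses and line contents are constructed.

```cpp
// Added detection example, not Wordfence's code: flag access_log lines that hit
// the WPGateway endpoint with wp_new_credentials=1, normalising the path first.
#include <string>
#include <vector>
static const std::string kEndpoint =
    "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php";
// Collapse runs of '/' so the leading "//" in the IOC does not defeat a match.
static std::string NormalisePath(const std::string& p) {
    std::string out;
    for (char c : p) if (!(c == '/' && !out.empty() && out.back() == '/')) out.push_back(c);
    return out;
}
// True when the target is the endpoint and carries wp_new_credentials=1 as a
// whole parameter (checked parameter by parameter, not as a substring).
bool IsWpGatewayCredentialRequest(const std::string& target) {
    std::string path = target, query;
    size_t q = target.find('?');
    if (q != std::string::npos) { path = target.substr(0, q); query = target.substr(q + 1); }
    path = NormalisePath(path);
    if (path.size() < kEndpoint.size() ||
        path.compare(path.size() - kEndpoint.size(), kEndpoint.size(), kEndpoint) != 0) return false;
    for (size_t pos = 0;;) {
        size_t amp = query.find('&', pos);
        if (query.substr(pos, amp - pos) == "wp_new_credentials=1") return true;
        if (amp == std::string::npos) return false;
        pos = amp + 1;
    }
}
// Parse one combined-log-format line; return the client address on a hit, else "".
std::string CheckAccessLogLine(const std::string& line) {
    size_t sp = line.find(' '), open = line.find('"');
    if (sp == std::string::npos || open == std::string::npos) return "";
    size_t close = line.find('"', open + 1);
    if (close == std::string::npos) return "";
    std::string req = line.substr(open + 1, close - open - 1);  // "GET /x HTTP/1.1"
    size_t s1 = req.find(' '), s2 = req.rfind(' ');
    if (s1 == std::string::npos || s2 <= s1) return "";
    std::string target = req.substr(s1 + 1, s2 - s1 - 1);
    return IsWpGatewayCredentialRequest(target) ? line.substr(0, sp) : "";
}
// Constructed sample lines using documentation-range addresses, not a real log.
const std::vector<std::string> kSampleLog = {
    "203.0.113.5 - - [13/Sep/2022:10:15:32 +0000] \"GET //wp-content/plugins/wpgateway/"
    "wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0\"",
    "203.0.113.9 - - [13/Sep/2022:10:16:01 +0000] \"GET /wp-login.php HTTP/1.1\" 200 3210 \"-\" \"-\"",
    "203.0.113.7 - - [13/Sep/2022:10:17:45 +0000] \"POST /wp-content/plugins/wpgateway/"
    "wpgateway-webservice-new.php?x=1&wp_new_credentials=1 HTTP/1.1\" 200 77 \"-\" \"curl/7.85\"",
};
```

A hit on this request should be paired with a check of the users table for the rangex account, since the log entry alone only shows the attempt.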

Administrators who are using the WPGateway plugin should remove it immediately, until a patched version becomes available.

Gall, Ram, PSA: Zero-Day Vulnerability in WPGateway Actively Exploited in the Wild, Wordfence blog, 13 September 2022. Available online at https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/.

You Knew This Would Happen, Right?

After every major news event, there's inevitably a round of attacks seeking to exploit it in some way. For example, within hours of the 2004 Indian Ocean tsunami, hackers had set up fake Red Cross donation sites and were phishing like crazy.

Inevitably, the death of Queen Elizabeth II has triggered similar activity, and Proofpoint's Threat Insight team has found one such campaign. The victims are lured by emails purporting to be from Microsoft, inviting them to an "artificial technology hub" in her honour. The emails contain links to a credential-harvesting page built on the EvilProxy phishing kit, which runs a MitM attack capable of bypassing multi-factor authentication.

I dare say this won't be the last such campaign.

Threat Insight, Proofpoint identified a credential #phish campaign using lures related to Her Majesty Queen Elizabeth II. Messages purported to be from Microsoft and invited recipients to an “artificial technology hub” in her honor, Twitter thread, 15 September 2022. Available online at https://twitter.com/threatinsight/status/1570092339984584705.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
