Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Companies Profit from Stolen Code

Macintosh malware researcher Patrick Wardle has found his code, released as open source, in a number of commercial products. As exhibit one, he cites a software tool he created back in 2016, called Oversight. The program monitors a Mac's microphone and webcam, to see whether any applications are accessing them without the knowledge of the owner (no surprise: a number were).

Several years later, Wardle was surprised to discover a number of commercial applications that were not only doing the same thing as Oversight, and in a similar way - they also contained the same bugs. When he approached the three companies involved, they all acknowledge that his code had been used without his consent, and they all eventually paid for rights.

Although it is likely that employees used the code without their employers' knowledge, it does bring to light a risk we sometimes overlook, and emphasizes the need to educate developers on free and open source software licensing.

Faife, Corin, This Mac hacker's code is so good, corporations keep stealing it, The Verge, 11 August 2022. Available online at https://www.theverge.com/2022/8/11/23301130/patrick-wardle-mac-code-corporations-stealing-black-hat.

Meta's In-App Browsers Inject Code to Track You Outside Facebook

Security researcher Felix Krause has investigated the behaviour of the Facebook and Instagram app browser component, and discovered that the app could track every interaction with external websites view from within it. The app injects JavaScript code into every website it renders - the code doesn't currently track everything, but it could monitor every button clicked, every link, all text selections and even form inputs, including passwords.

Now, I was pretty sure that I'd set an option in the Facebook app for Android to turn off the in-app browser, and use the Chrome browser instead - but looking for it now, any such setting seems to be quite deeply buried. So I, for one, welcome our new surveillance capitalism overlords.

Krause, Felix, iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser, Felix Krause blog, 10 August 2022. Available online at https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser.

Signed Secure UEFI Boot Loaders Not Trustworthy

The whole point of the Secure Boot process is to preserve a chain of trust that starts with the system's TPM chip and ends with a guaranteed-unmodified operating system. However, it turns out that three hardware vendors were somehow shipping UEFI boot loaders, signed by Microsoft, which were willing to bypass the process and execute arbitrary, unsigned, code. This would be the perfect way to install a rootkit, for example.

Fortunately, Microsoft's Patchday, earlier this week, saw updates shipped which fix the problem.

Lakshamanan, Ravie, Researchers Uncover UEFI Secure Boot Bypass in 3 Microsoft Signed Boot Loaders, The Hacker News, 12 March 2022. Available online at https://thehackernews.com/2022/08/researchers-uncover-uefi-secure-boot.html.

GitHub Proposes Adoption of SigStore for NPM

As more and more software distributors adopted cryptographic signing of the packages they distribute, GitHub has asked developers to comment on a proposal to adopt Sigstore for the Node Package Manager (npm) which distributes pJavaScript packages for node.js and related systems. SigStore is an open-souce project which operates public-key infrastructure to both sign packages and to verify signatures, something that is seen as essential to the integrity of the software supply chain.

Lemos, Robert, Software Supply Chain Chalks Up a Security Win With New Crypto Effort, Dark Reading, 13 August 2022. Available online at https://www.darkreading.com/application-security/software-supply-chain-chalks-up-security-win-with-crypto-effort.

Chinese Threat Actor Targets Linux, Mac IM Application

Chinese group APT 27, variously known as Iron Tiger, Emissary Panda and LuckyMouse), is alleged to have deployed a JavaScript trojan in a popular instant messaging app called "MiMi". The backdoor first identifies the OS platform of the victim system, then downloads a back door called rshell. This then exfiltrates system information to its C2 server and awaits commands to search for and upload files to the server.

Older versions of the trojanized "MiMi" app also targeted Windows systems. The campaign appears to be targeting Chinese expatriates, perhaps to monitor their activities in other countries. The same threat actor has previously conducted cyberespionage campaigns internationally, attacking defence, healthcare, energy and technology enterprises. They were among several groups exploiting the Microsoft Exchange ProxyLogon vulnerability last year.

Gatlan, Sergiu, Chinese hackers backdoor chat app with new Linux, macOS malware, Bleeping Computer, 12 August 2022. Available online at https://www.bleepingcomputer.com/news/security/chinese-hackers-backdoor-chat-app-with-new-linux-macos-malware/.

NSFW Section (It's Saturday)

Excremental Retribution Exposed

A web service which sent a box of animal faeces, along with personalised message, to enemies of their customers (because surely nobody would do this to their friends?) has been exploited by a customer who discovered an SQL injection vulnerability and downloaded the service's entire database.

Unfortunately for ShitExpress (I couldn't avoid saying it in the end), this customer was pompompurin, the owner of the Breached.co forum - exactly the kind of person who would spot a vulnerability - who was planning to use the service to send some dung to a rival security researcher. Instead, he shared the contents of the database on the forum, revealing the motherlode of abusive messages.

The moral of the story: shit doesn't just happen.

Sharma, Ax, Anonymous poop gifting site hacked, customers exposed, Bleeping Computer, 12 August 2022. Available online at https://www.bleepingcomputer.com/news/security/anonymous-poop-gifting-site-hacked-customers-exposed/.

And that's it for this week!

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.