March 2021 - wlug - University of Waikato Mail Lists

IPv4 Parsing Flaw In NPM Netmask Could Affect 270,000 Apps

by Peter Reutemann

'The Security Ledger: Independent security researchers analyzing the widely used open source component netmask have discovered security vulnerabilities that could leave more than a quarter million open source applications vulnerable to attack, according to a report released Monday, The Security Ledger reports. According to a report by the site Sick Codes, the flaws open applications that rely on netmask to a wide range of malicious attacks including Server Side Request Forgeries (SSRF) and Remote- and Local File Includes (RFI, LFI) that could enable attackers to ferry malicious code into a protected network, or siphon sensitive data out of one. Even worse, the flaws appear to stretch far beyond a single open source module, affecting a wide range of open source development languages, researchers say. Netmask is a widely used package that allows developers to evaluate whether a IP address attempting to access an application was inside or outside of a given IPv4 range. Based on an IP address submitted to netmask, the module will return true or false about whether or not the submitted IP address is in the defined "block." According to the researcher using the handle "Sick Codes," the researchers discovered that netmask had a big blind spot. Specifically: it evaluates certain IP addresses incorrectly: improperly validating so-called "octal strings" rendering IPv4 addresses that contain certain octal strings as integers. For example, the IP4 address 0177.0.0.1 should be evaluated by netmask as the private IP address 127.0.0.1, as the octal string "0177" translates to the integer "127." However, netmask evaluates it as a public IPv4 address: 177.0.0.1, simply stripping off the leading zero and reading the remaining parts of the octal string as an integer. The implications for modules that are using the vulnerable version of netmask are serious. According to Sick Codes, remote attackers can use SSRF attacks to upload malicious files from the public Internet without setting off alarms, because applications relying on netmask would treat a properly configured external IP address as an internal address. Similarly, attackers could also disguise remote IP addresses local addresses, enabling remote file inclusion (RFI) attacks that could permit web shells or malicious programs to be placed on target networks. But researchers say much more is to come. The problems identified in netmask are not unique to that module. Researchers have noted previously that textual representation of IPv4 addresses were never standardized, leading to disparities in how different but equivalent versions of IPv4 addresses (for example: octal strings) are rendered and interpreted by different applications and platforms.' -- source: https://it.slashdot.org/story/21/03/31/0046249 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 3 days

1
0
0 0

How to achieve smart home nirvana (or, home automation without subscription)

by Peter Reutemann

'What comes to mind when you think of a smart home? Wi-Fi enabled light bulbs, video doorbells, cloud-connected robot vacuums, or smart fridges perhaps? Brands like Google/Nest or everything enabled with Amazon’s Alexa? While often providing some genuine convenience, these devices are also usually designed to invite and lock users into manufacturers' ecosystems. Create a cool piece of hardware, you’ll make one sale. Create a cool piece of hardware that extracts recurring monthly service fees for cloud storage or to unlock extra functionality, and you’ll have sales for life. Compounding our collective frustration, these ecosystems are often incompatible with each other and require multiple different apps for control. Not only are subscriptions and upselling part of the game, the underlying business models for these products are built around planned obsolescence and mining user data. Luckily, aspirational smart home folks in 2021 have at least one viable alternative: Home Assistant. This piece of open source software is the proverbial ring “that in the darkness binds them.” It is the glue for smart home gear spanning all sorts of manufacturers, from behemoths like Google to minnows like Shelly. It’s a project that has set out to change all of the smart home pitfalls listed above by putting local control, privacy, and interoperability first.' -- source: https://arstechnica.com/information-technology/2021/03/how-to-achieve-smart… Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 3 days

1
0
0 0

Ubiquiti Massively Downplayed a 'Catastrophic' Security Breach To Minimize Impact On Stock Price, Alleges Whistleblower

by Peter Reutemann

'In January, Ubiquiti Networks sent out a notification to its customers informing them of a security breach and asking all users to change their account passwords and turn on two-factor authentication. "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider," Ubiquiti said at the time. Now, according to Krebs on Security, a whistleblower "alleges Ubiquiti massively downplayed a 'catastrophic' incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication." From the report: "It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers," [the source] wrote in a letter to the European Data Protection Supervisor. "The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk." According to [the source], the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged "third party" involved in the breach. Ubiquiti's breach disclosure, he wrote, was "downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack." In reality, [the source] said, the attackers had gained administrative access to Ubiquiti's servers at Amazon's cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there. "They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration," [the source] said. [The source] says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies. Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide. Instead of asking customers to change their passwords when they next log on, [the source] says Ubiquiti should've immediately invalidated all of its customer's credentials and forced a reset on all accounts, mainly because the intruders already had credentials needed to remotely access customer IoT systems.' -- source: https://it.slashdot.org/story/21/03/30/2057237 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 4 days

1
0
0 0

Red Hat withdraws from the Free Software Foundation after Stallman’s return

by Peter Reutemann

'Last week, Richard M. Stallman—father of the GNU Public License that underpins Linux and a significant part of the user-facing software that initially accompanied the Linux kernel—returned to the board of the Free Software Foundation after a two-year hiatus due to his own highly controversial remarks about his perception of Jeffrey Epstein's victims as "entirely willing." As a result of RMS' reinstatement, Red Hat—the Raleigh, North Carolina-based open source software giant that produces Red Hat Enterprise Linux—has publicly withdrawn funding and support from the Free Software Foundation: Red Hat was appalled to learn that [Stallman] had rejoined the FSF board of directors. As a result, we are immediately suspending all Red Hat funding of the FSF and any FSF-hosted events.' -- source: https://arstechnica.com/gadgets/2021/03/red-hat-withdraws-from-the-stallman… Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 5 days

1
0
0 0

PHP's Git Server Hacked To Add Backdoors To PHP Source Code

by Peter Reutemann

'Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src Git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. "The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet," adds BleepingComputer. "In the malicious commits [1, 2] the attackers published a mysterious change upstream, 'fix typo' under the pretense this was a minor typographical correction. However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP." According to Popov, the first commit was detected a couple hours after it was made, and the changes were reverted right away. "Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised git.php.net server, rather than compromise of an individual's Git account," reports BleepingComputer. "As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub."' -- source: https://developers.slashdot.org/story/21/03/29/2111200 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 5 days

1
0
0 0

Fairphone suggests Qualcomm is the biggest barrier to long-term Android support

by Peter Reutemann

'Fairphone—the sustainable, modular smartphone company—is still shipping updates to the 5-year-old Fairphone 2. The company won't win any awards for speed, but the phone—which launched in 2015 with Android 5—is now being updated to Android 9.0. The most interesting part of this news is a video from Fairphone detailing the update process the company went through, which offers more transparency than we normally get from a smartphone manufacturer. To hear Fairphone tell the story of Android updates, the biggest barrier to longer-term support is—surprise!—Qualcomm. Fairphone wants consumers to keep their phones for longer, creating less e-waste and carbon emissions via modular replacement parts that are easily upgradeable and repairable. A big challenge for designing a long-lasting phone like this is software support. Even if Fairphone wanted to support a phone forever, Android software updates do not work that way, and major OS updates normally rely on a relay race of companies that all need to hand-off a build of Android before it reaches your phone.' -- source: https://arstechnica.com/gadgets/2021/03/the-fairphone-2-hits-five-years-of-… Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 6 days

1
0
0 0

UNIX's Founders Created Another OS at Bell Labs: 'Plan 9'

by Peter Reutemann

'The team behind UNIX also built another operating system at Bell Labs, writes the corporate CTO and president of Nokia Bell Labs: Starting in the late 1980s, a group led by Rob Pike and UNIX co-creators Ken Thompson and Dennis Ritchie developed "Plan 9". Their motivation was two-fold: to build an operating system that would fit an increasingly distributed world, and to do so in a clean and elegant manner. The plan was not to build directly on the Unix foundation but to implement a new design from scratch. The result was named Plan 9 from Bell Labs — the name an inside joke inspired by the cult B-movie "Plan 9 from Outer Space." Plan 9 is built around a radically different model from that of conventional operating systems. The OS is structured as a collection of loosely coupled services, which may be hosted on different machines. Another key concept in its design is that of a per-process name space: services can be mapped on to local names fixed by convention, so that programs using those services need not change if the current services are replaced by others providing the same functionality. Despite the groundbreaking innovations in Plan 9, the operating system did not take off — at least not enough to justify Bell Labs continued investment in Plan 9 development. But Plan 9's innovations found their way into many commercial OSes: the concept of making OS services available via the file system is now pervasive in Linux; Plan 9's minimalist windowing system design has been replicated many times; the UTF-8 character encoding used universally today in browsers was invented for, and first implemented in, Plan 9; and the design of Plan 9 anticipated today's microservice architectures by more than a decade...! Starting this week, Plan 9 will have a new home in the space it helped define: cyberspace. We are transferring the copyright in Plan 9 software to the Plan 9 Foundation for all future development, allowing them to carry on the good work that Bell Labs and many other Plan 9 enthusiasts have undertaken over the past couple of decades. Indeed, there is an active community of people who have been working on Plan 9 and who are interested in the future evolution of this groundbreaking operating system. That community is organizing itself bottom-up into the new Plan 9 Foundation, which is making the OS code publicly available under a suitable open-source software license. We at Nokia and Bell Labs are huge advocates for the power of open-source communities for such pioneering systems that have the potential to benefit the global software development community. Who knows, perhaps Plan 9 will become a part of the emerging distributed cloud infrastructure that will underpin the coming industrial revolution?' -- source: https://tech.slashdot.org/story/21/03/28/192227 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 6 days

2
1
0 0

New Android malware with full range of spying capabilities has been found

by Peter Reutemann

'Researchers have discovered a new advanced piece of Android malware that finds sensitive information stored on infected devices and sends it to attacker-controlled servers. The app disguises itself as a system update that must be downloaded from a third-party store, researchers from security firm Zimperium said on Friday. In fact, it’s a remote-access trojan that receives and executes commands from a command-and-control server. It provides a full-featured spying platform that performs a wide range of malicious activities. Zimperium listed the following capabilities: - Stealing instant messenger messages - Stealing instant messenger database files (if root is available) - Inspecting the default browser’s bookmarks and searches - Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser - Searching for files with specific extensions (including .pdf, .doc, .docx, and .xls, .xlsx) - Inspecting the clipboard data - Inspecting the content of the notifications - Recording audio - Recording phone calls - Periodically take pictures (either through the front or back cameras) - Listing of the installed applications - Stealing images and videos - Monitoring the GPS location - Stealing SMS messages - Stealing phone contacts - Stealing call logs - Exfiltrating device information (e.g., installed applications, device name, storage stats) - Concealing its presence by hiding the icon from the device’s drawer/menu' -- source: https://arstechnica.com/gadgets/2021/03/new-android-malware-with-full-range… Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 6 days

1
0
0 0

cURL's 20th Anniversary Celebrated With 3D-Printed 'GitHub Steel' Contribution Graph

by Peter Reutemann

'This week Swedish developer Daniel Stenberg posted a remarkable reflection on the 20th anniversary of his command-line data tool, cURL: curl was adopted in Red Hat Linux in late 1998, became a Debian package in May 1999, shipped in Mac OS X 10.1 in August 2001. Today, it is also shipped by default in Windows 10 and in iOS and Android devices. Not to mention the game consoles, Nintendo Switch, Xbox and Sony PS5. Amusingly, libcurl is used by the two major mobile OSes but not provided as an API by them, so lots of apps, including many extremely large volume apps bundle their own libcurl build: YouTube, Skype, Instagram, Spotify, Google Photos, Netflix etc. Meaning that most smartphone users today have many separate curl installations in their phones. Further, libcurl is used by some of the most played computer games of all times: GTA V, Fortnite, PUBG mobile, Red Dead Redemption 2 etc. libcurl powers media players and set-top boxes such as Roku, Apple TV by maybe half a billion TVs. curl and libcurl ships in virtually every Internet server and is the default transfer engine in PHP, which is found in almost 80% of the world's almost two billion websites. Cars are Internet-connected now. libcurl is used in virtually every modern car these days to transfer data to and from the vehicles. Then add media players, kitchen and medical devices, printers, smart watches and lots of "smart"; IoT things. Practically speaking, just about every Internet-connected device in existence runs curl. I'm convinced I'm not exaggerating when I claim that curl exists in over ten billion installations world-wide... Those 300 lines of code in late 1996 have grown to 172,000 lines in March 2021. Stenberg attributes cURL's success to persistence. "We hold out. We endure and keep polishing. We're here for the long run. It took me two years (counting from the precursors) to reach 300 downloads. It took another ten or so until it was really widely available and used." But he adds that 22 different CPU architectures and 86 different operating systems are now known to have run curl. In a later blog post titled "GitHub Steel," Stenberg also reveals that GitHub gave him a 3D-printed steel version of his 2020 GitHub contribution matrix — accompanied by a friendly note. "Please accept this small gift as a token of appreciation on behalf of all of us here at GitHub, and everyone who benefits from your work."' -- source: https://tech.slashdot.org/story/21/03/28/0143206 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 6 days

1
0
0 0

Attackers Breach 21,000 Microsoft Exchange Servers, Install Malware Implicating Brian Krebs

by Peter Reutemann

'Security researcher Brian Krebs wants you to know... "New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let's just get this out of the way right now: It wasn't me." The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with [a domain that begins with brian . krebsonsecurity... Not a safe domain.] Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and "honeypots" — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how. David Watson, a longtime member and director of the Shadowserver Foundation Europe, says his group has been keeping a close eye on hundreds of unique variants of backdoors (a.k.a. "web shells") that various cybercrime groups worldwide have been using to commandeer any unpatched Exchange servers. These backdoors give an attacker complete, remote control over the Exchange server (including any of the server's emails)... Shadowserver's honeypots saw multiple hosts with the Babydraco backdoor doing the same thing: Running a Microsoft Powershell script that fetches the file "krebsonsecurity.exe"... Oddly, none of the several dozen antivirus tools available to scan the file at Virustotal.com currently detect it as malicious. The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file. Watson said the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute. Shadowserver found more than 21,000 Exchange Server systems that had the Babydraco backdoor installed. But Watson said they don't know how many of those systems also ran the secondary download from the rogue Krebsonsecurity domain. "Despite the abuse, this is potentially a good opportunity to highlight how vulnerable/compromised MS Exchange servers are being exploited in the wild right now, and hopefully help get the message out to victims that they need to sign up our free daily network reports," Watson said.' -- source: https://it.slashdot.org/story/21/03/28/1924206 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 577-5304 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 6 days

1
0
0 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

wlug March 2021