'The Security Ledger:
Independent security researchers analyzing the widely used open source
component netmask have discovered security vulnerabilities that could
leave more than a quarter million open source applications vulnerable
to attack, according to a report released Monday, The Security Ledger
reports. According to a report by the site Sick Codes, the flaws open
applications that rely on netmask to a wide range of malicious attacks
including Server Side Request Forgeries (SSRF) and Remote- and Local
File Includes (RFI, LFI) that could enable attackers to ferry
malicious code into a protected network, or siphon sensitive data out
of one. Even worse, the flaws appear to stretch far beyond a single
open source module, affecting a wide range of open source development
languages, researchers say.
Netmask is a widely used package that allows developers to evaluate
whether an IP address attempting to access an application was inside or
outside of a given IPv4 range. Based on an IP address submitted to
netmask, the module will return true or false about whether or not the
submitted IP address is in the defined "block." According to the
researcher using the handle "Sick Codes," the researchers discovered
that netmask had a big blind spot. Specifically: it evaluates certain
IP addresses incorrectly: improperly validating so-called "octal
strings" rendering IPv4 addresses that contain certain octal strings
as integers. For example, the IPv4 address 0177.0.0.1 should be
evaluated by netmask as the private IP address 127.0.0.1, as the octal
string "0177" translates to the integer "127." However, netmask
evaluates it as a public IPv4 address: 177.0.0.1, simply stripping off
the leading zero and reading the remaining parts of the octal string
as an integer.
The implications for modules that are using the vulnerable version of
netmask are serious. According to Sick Codes, remote attackers can use
SSRF attacks to upload malicious files from the public Internet
without setting off alarms, because applications relying on netmask
would treat a properly configured external IP address as an internal
address. Similarly, attackers could also disguise remote IP addresses
as local addresses, enabling remote file inclusion (RFI) attacks that
could permit web shells or malicious programs to be placed on target
networks. But researchers say much more is to come. The problems
identified in netmask are not unique to that module. Researchers have
noted previously that textual representation of IPv4 addresses were
never standardized, leading to disparities in how different but
equivalent versions of IPv4 addresses (for example: octal strings) are
rendered and interpreted by different applications and platforms.'
-- source: https://it.slashdot.org/story/21/03/31/0046249
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 577-5304
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
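The octal misreading described in the netmask article above is worth seeing side by side with the two interpretations that disagree about it. The following is an added example, written for this digest and not code from the article, from Sick Codes or from the netmask package: a naive dotted-decimal parser that reproduces the "0177" -> 177 reading, an inet_aton-style parser (the convention most C runtimes and browsers follow, where a leading "0" means octal, "0x" means hex, and shorthand forms such as "10.1" are accepted) that reads it as 127, and a strict parser that simply rejects any component with a leading zero. The function and CIDR names are my own; the point is that an access-control check is only as good as the parser it agrees with, and rejecting ambiguous forms up front is the safest choice.

```javascript
// Added example: three ways of reading a textual IPv4 address, and a CIDR
// check run against each, to show why "0177.0.0.1" is dangerous when two
// components of a system parse it differently.

// Naive parse: each dotted part is read as decimal, leading zeros dropped.
// This is the misreading the article attributes to netmask ("0177" -> 177).
function naiveParse(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => parseInt(p, 10));
  if (octets.some((o) => Number.isNaN(o) || o < 0 || o > 255)) return null;
  return octets;
}

// inet_aton-style parse: "0x" prefix is hex, a leading "0" is octal, anything
// else is decimal; 1-, 2- and 3-part shorthand is accepted, with the last part
// filling the remaining bytes (so "10.1" is 10.0.0.1 and "0x7f.1" is 127.0.0.1).
function legacyParse(ip) {
  const parts = ip.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    let m;
    if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(p))) nums.push(parseInt(m[1], 16));
    else if (/^0[0-7]*$/.test(p)) nums.push(parseInt(p, 8));
    else if (/^[1-9][0-9]*$/.test(p)) nums.push(parseInt(p, 10));
    else return null; // e.g. "08" is neither valid octal nor decimal here
  }
  const last = nums.pop();
  const remaining = 4 - nums.length;
  if (last >= 2 ** (8 * remaining)) return null;
  if (nums.some((n) => n > 255)) return null;
  for (let i = remaining - 1; i >= 0; i--) nums.push((last >>> (8 * i)) & 0xff);
  return nums;
}

// Strict parse: exactly four decimal parts, 0-255, no leading zeros. Any form
// that different parsers might disagree about is rejected rather than guessed.
function strictParse(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const fields = m.slice(1);
  if (fields.some((s) => s.length > 1 && s[0] === '0')) return null;
  const octets = fields.map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets;
}

// Pack four octets into an unsigned 32-bit integer.
function toInt(octets) {
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

// True if the parsed address falls inside the given CIDR block ("127.0.0.0/8").
function inCidr(octets, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const baseOctets = strictParse(base);
  if (!baseOctets || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(octets) & mask) >>> 0) === ((toInt(baseOctets) & mask) >>> 0);
}

// Ask a given parser whether an address is loopback; null means "rejected".
function isLoopback(ip, parser) {
  const o = parser(ip);
  return o === null ? null : inCidr(o, '127.0.0.0/8');
}

// Stand-alone demonstration on a constructed input.
const sample = '0177.0.0.1';
console.log(sample, 'naive:', isLoopback(sample, naiveParse),
  'legacy:', isLoopback(sample, legacyParse), 'strict:', isLoopback(sample, strictParse));
```

Run under Node; the naive parser reports the address as public, the inet_aton-style parser reports it as loopback, and the strict parser refuses it. For an allow-list or deny-list check, the safe behaviour is the strict one: canonicalise the input to a single form you control before comparing, and treat anything that does not canonicalise as a failed check rather than as "outside the block".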
'What comes to mind when you think of a smart home? Wi-Fi enabled
light bulbs, video doorbells, cloud-connected robot vacuums, or smart
fridges perhaps? Brands like Google/Nest or everything enabled with
Amazon’s Alexa? While often providing some genuine convenience, these
devices are also usually designed to invite and lock users into
manufacturers' ecosystems. Create a cool piece of hardware, you’ll
make one sale. Create a cool piece of hardware that extracts recurring
monthly service fees for cloud storage or to unlock extra
functionality, and you’ll have sales for life.
Compounding our collective frustration, these ecosystems are often
incompatible with each other and require multiple different apps for
control. Not only are subscriptions and upselling part of the game,
the underlying business models for these products are built around
planned obsolescence and mining user data.
Luckily, aspirational smart home folks in 2021 have at least one
viable alternative: Home Assistant. This piece of open source software
is the proverbial ring “that in the darkness binds them.” It is the
glue for smart home gear spanning all sorts of manufacturers, from
behemoths like Google to minnows like Shelly. It’s a project that has
set out to change all of the smart home pitfalls listed above by
putting local control, privacy, and interoperability first.'
-- source: https://arstechnica.com/information-technology/2021/03/how-to-achieve-smart…
Cheers, Peter
'In January, Ubiquiti Networks sent out a notification to its
customers informing them of a security breach and asking all users to
change their account passwords and turn on two-factor authentication.
"We recently became aware of unauthorized access to certain of our
information technology systems hosted by a third party cloud
provider," Ubiquiti said at the time. Now, according to Krebs on
Security, a whistleblower "alleges Ubiquiti massively downplayed a
'catastrophic' incident to minimize the hit to its stock price, and
that the third-party cloud provider claim was a fabrication." From the
report:
"It was catastrophically worse than reported, and legal silenced and
overruled efforts to decisively protect customers," [the source] wrote
in a letter to the European Data Protection Supervisor. "The breach
was massive, customer data was at risk, access to customers' devices
deployed in corporations and homes around the world was at risk."
According to [the source], the hackers obtained full read/write access
to Ubiquiti databases at Amazon Web Services (AWS), which was the
alleged "third party" involved in the breach. Ubiquiti's breach
disclosure, he wrote, was "downplayed and purposefully written to
imply that a 3rd party cloud vendor was at risk and that Ubiquiti was
merely a casualty of that, instead of the target of the attack." In
reality, [the source] said, the attackers had gained administrative
access to Ubiquiti's servers at Amazon's cloud service, which secures
the underlying server hardware and software but requires the cloud
tenant (client) to secure access to any data stored there. "They were
able to get cryptographic secrets for single sign-on cookies and
remote access, full source code control contents, and signing keys
exfiltration," [the source] said.
[The source] says the attacker(s) had access to privileged credentials
that were previously stored in the LastPass account of a Ubiquiti IT
employee, and gained root administrator access to all Ubiquiti AWS
accounts, including all S3 data buckets, all application logs, all
databases, all user database credentials, and secrets required to
forge single sign-on (SSO) cookies. Such access could have allowed the
intruders to remotely authenticate to countless Ubiquiti cloud-based
devices around the world. According to its website, Ubiquiti has
shipped more than 85 million devices that play a key role in
networking infrastructure in over 200 countries and territories
worldwide.
Instead of asking customers to change their passwords when they next
log on, [the source] says Ubiquiti should've immediately invalidated
all of its customers' credentials and forced a reset on all accounts,
mainly because the intruders already had credentials needed to
remotely access customer IoT systems.'
-- source: https://it.slashdot.org/story/21/03/30/2057237
Cheers, Peter
'Last week, Richard M. Stallman—father of the GNU Public License that
underpins Linux and a significant part of the user-facing software
that initially accompanied the Linux kernel—returned to the board of
the Free Software Foundation after a two-year hiatus due to his own
highly controversial remarks about his perception of Jeffrey Epstein's
victims as "entirely willing."
As a result of RMS' reinstatement, Red Hat—the Raleigh, North
Carolina-based open source software giant that produces Red Hat
Enterprise Linux—has publicly withdrawn funding and support from the
Free Software Foundation:
Red Hat was appalled to learn that [Stallman] had rejoined the FSF
board of directors. As a result, we are immediately suspending all Red
Hat funding of the FSF and any FSF-hosted events.'
-- source: https://arstechnica.com/gadgets/2021/03/red-hat-withdraws-from-the-stallman…
Cheers, Peter
'Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP
committer, released a statement indicating that two malicious commits
had been pushed to the php-src Git repository. These commits were
pushed to create a backdoor that would have effectively allowed
attackers to achieve remote code execution through PHP and an HTTP
header.
"The incident is alarming considering PHP remains the server-side
programming language to power over 79% of the websites on the
Internet," adds BleepingComputer.
"In the malicious commits [1, 2] the attackers published a mysterious
change upstream, 'fix typo' under the pretense this was a minor
typographical correction. However, taking a look at the added line 370
where zend_eval_string function is called, the code actually plants a
backdoor for obtaining easy Remote Code Execution (RCE) on a website
running this hijacked version of PHP."
According to Popov, the first commit was detected a couple hours after
it was made, and the changes were reverted right away. "Although a
complete investigation of the incident is ongoing, according to PHP
maintainers, this malicious activity stemmed from the compromised
git.php.net server, rather than compromise of an individual's Git
account," reports BleepingComputer. "As a precaution following this
incident, PHP maintainers have decided to migrate the official PHP
source code repository to GitHub."'
-- source: https://developers.slashdot.org/story/21/03/29/2111200
Cheers, Peter
'Fairphone—the sustainable, modular smartphone company—is still
shipping updates to the 5-year-old Fairphone 2. The company won't win
any awards for speed, but the phone—which launched in 2015 with
Android 5—is now being updated to Android 9.0. The most interesting
part of this news is a video from Fairphone detailing the update
process the company went through, which offers more transparency than
we normally get from a smartphone manufacturer. To hear Fairphone tell
the story of Android updates, the biggest barrier to longer-term
support is—surprise!—Qualcomm.
Fairphone wants consumers to keep their phones for longer, creating
less e-waste and carbon emissions via modular replacement parts that
are easily upgradeable and repairable. A big challenge for designing a
long-lasting phone like this is software support. Even if Fairphone
wanted to support a phone forever, Android software updates do not
work that way, and major OS updates normally rely on a relay race of
companies that all need to hand off a build of Android before it
reaches your phone.'
-- source: https://arstechnica.com/gadgets/2021/03/the-fairphone-2-hits-five-years-of-…
Cheers, Peter
'The team behind UNIX also built another operating system at Bell
Labs, writes the corporate CTO and president of Nokia Bell Labs:
Starting in the late 1980s, a group led by Rob Pike and UNIX
co-creators Ken Thompson and Dennis Ritchie developed "Plan 9". Their
motivation was two-fold: to build an operating system that would fit
an increasingly distributed world, and to do so in a clean and elegant
manner. The plan was not to build directly on the Unix foundation but
to implement a new design from scratch. The result was named Plan 9
from Bell Labs — the name an inside joke inspired by the cult B-movie
"Plan 9 from Outer Space."
Plan 9 is built around a radically different model from that of
conventional operating systems. The OS is structured as a collection
of loosely coupled services, which may be hosted on different
machines. Another key concept in its design is that of a per-process
name space: services can be mapped on to local names fixed by
convention, so that programs using those services need not change if
the current services are replaced by others providing the same
functionality.
Despite the groundbreaking innovations in Plan 9, the operating system
did not take off — at least not enough to justify Bell Labs continued
investment in Plan 9 development. But Plan 9's innovations found their
way into many commercial OSes: the concept of making OS services
available via the file system is now pervasive in Linux; Plan 9's
minimalist windowing system design has been replicated many times; the
UTF-8 character encoding used universally today in browsers was
invented for, and first implemented in, Plan 9; and the design of Plan
9 anticipated today's microservice architectures by more than a
decade...!
Starting this week, Plan 9 will have a new home in the space it helped
define: cyberspace. We are transferring the copyright in Plan 9
software to the Plan 9 Foundation for all future development, allowing
them to carry on the good work that Bell Labs and many other Plan 9
enthusiasts have undertaken over the past couple of decades. Indeed,
there is an active community of people who have been working on Plan 9
and who are interested in the future evolution of this groundbreaking
operating system. That community is organizing itself bottom-up into
the new Plan 9 Foundation, which is making the OS code publicly
available under a suitable open-source software license.
We at Nokia and Bell Labs are huge advocates for the power of
open-source communities for such pioneering systems that have the
potential to benefit the global software development community. Who
knows, perhaps Plan 9 will become a part of the emerging distributed
cloud infrastructure that will underpin the coming industrial
revolution?'
-- source: https://tech.slashdot.org/story/21/03/28/192227
Cheers, Peter
'Researchers have discovered a new advanced piece of Android malware
that finds sensitive information stored on infected devices and sends
it to attacker-controlled servers.
The app disguises itself as a system update that must be downloaded
from a third-party store, researchers from security firm Zimperium
said on Friday. In fact, it’s a remote-access trojan that receives and
executes commands from a command-and-control server. It provides a
full-featured spying platform that performs a wide range of malicious
activities.
Zimperium listed the following capabilities:
- Stealing instant messenger messages
- Stealing instant messenger database files (if root is available)
- Inspecting the default browser’s bookmarks and searches
- Inspecting the bookmark and search history from Google Chrome,
Mozilla Firefox, and Samsung Internet Browser
- Searching for files with specific extensions (including .pdf, .doc,
.docx, and .xls, .xlsx)
- Inspecting the clipboard data
- Inspecting the content of the notifications
- Recording audio
- Recording phone calls
- Periodically taking pictures (either through the front or back cameras)
- Listing of the installed applications
- Stealing images and videos
- Monitoring the GPS location
- Stealing SMS messages
- Stealing phone contacts
- Stealing call logs
- Exfiltrating device information (e.g., installed applications,
device name, storage stats)
- Concealing its presence by hiding the icon from the device’s drawer/menu'
-- source: https://arstechnica.com/gadgets/2021/03/new-android-malware-with-full-range…
Cheers, Peter
'This week Swedish developer Daniel Stenberg posted a remarkable
reflection on the 20th anniversary of his command-line data tool,
cURL:
curl was adopted in Red Hat Linux in late 1998, became a Debian
package in May 1999, shipped in Mac OS X 10.1 in August 2001. Today,
it is also shipped by default in Windows 10 and in iOS and Android
devices. Not to mention the game consoles, Nintendo Switch, Xbox and
Sony PS5.
Amusingly, libcurl is used by the two major mobile OSes but not
provided as an API by them, so lots of apps, including many extremely
large volume apps bundle their own libcurl build: YouTube, Skype,
Instagram, Spotify, Google Photos, Netflix etc. Meaning that most
smartphone users today have many separate curl installations in their
phones.
Further, libcurl is used by some of the most played computer games of
all times: GTA V, Fortnite, PUBG mobile, Red Dead Redemption 2 etc.
libcurl powers media players and set-top boxes such as Roku, Apple TV
by maybe half a billion TVs.
curl and libcurl ships in virtually every Internet server and is the
default transfer engine in PHP, which is found in almost 80% of the
world's almost two billion websites.
Cars are Internet-connected now. libcurl is used in virtually every
modern car these days to transfer data to and from the vehicles.
Then add media players, kitchen and medical devices, printers, smart
watches and lots of "smart" IoT things. Practically speaking, just
about every Internet-connected device in existence runs curl.
I'm convinced I'm not exaggerating when I claim that curl exists in
over ten billion installations world-wide...
Those 300 lines of code in late 1996 have grown to 172,000 lines in March 2021.
Stenberg attributes cURL's success to persistence. "We hold out. We
endure and keep polishing. We're here for the long run. It took me two
years (counting from the precursors) to reach 300 downloads. It took
another ten or so until it was really widely available and used." But
he adds that 22 different CPU architectures and 86 different operating
systems are now known to have run curl.
In a later blog post titled "GitHub Steel," Stenberg also reveals that
GitHub gave him a 3D-printed steel version of his 2020 GitHub
contribution matrix — accompanied by a friendly note. "Please accept
this small gift as a token of appreciation on behalf of all of us here
at GitHub, and everyone who benefits from your work."'
-- source: https://tech.slashdot.org/story/21/03/28/0143206
Cheers, Peter
'Security researcher Brian Krebs wants you to know... "New data
suggests someone has compromised more than 21,000 Microsoft Exchange
Server email systems worldwide and infected them with malware that
invokes both KrebsOnSecurity and Yours Truly by name. Let's just get
this out of the way right now: It wasn't me."
The Shadowserver Foundation, a nonprofit that helps network owners
identify and fix security threats, says it has found 21,248 different
Exchange servers which appear to be compromised by a backdoor and
communicating with [a domain that begins with brian .
krebsonsecurity... Not a safe domain.] Shadowserver has been tracking
wave after wave of attacks targeting flaws in Exchange that Microsoft
addressed earlier this month in an emergency patch release. The group
looks for attacks on Exchange systems using a combination of active
Internet scans and "honeypots" — systems left vulnerable to attack so
that defenders can study what attackers are doing to the devices and
how.
David Watson, a longtime member and director of the Shadowserver
Foundation Europe, says his group has been keeping a close eye on
hundreds of unique variants of backdoors (a.k.a. "web shells") that
various cybercrime groups worldwide have been using to commandeer any
unpatched Exchange servers. These backdoors give an attacker complete,
remote control over the Exchange server (including any of the server's
emails)... Shadowserver's honeypots saw multiple hosts with the
Babydraco backdoor doing the same thing: Running a Microsoft
Powershell script that fetches the file "krebsonsecurity.exe"...
Oddly, none of the several dozen antivirus tools available to scan the
file at Virustotal.com currently detect it as malicious. The
Krebsonsecurity file also installs a root certificate, modifies the
system registry, and tells Windows Defender not to scan the file.
Watson said the Krebsonsecurity file will attempt to open up an
encrypted connection between the Exchange server and the
above-mentioned IP address, and send a small amount of traffic to it
each minute.
Shadowserver found more than 21,000 Exchange Server systems that had
the Babydraco backdoor installed. But Watson said they don't know how
many of those systems also ran the secondary download from the rogue
Krebsonsecurity domain. "Despite the abuse, this is potentially a good
opportunity to highlight how vulnerable/compromised MS Exchange
servers are being exploited in the wild right now, and hopefully help
get the message out to victims that they need to sign up our free
daily network reports," Watson said.'
-- source: https://it.slashdot.org/story/21/03/28/1924206
Cheers, Peter