Cyber security news July 2024

This posting is here to collect cyber security news in July 2024.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

322 Comments

  1. Tomi Engdahl says:

    CrowdStrike issues go beyond Windows: company’s security software has reportedly been causing Linux kernel panics since at least April
    News
    By Christopher Harper published July 22, 2024
    Identified most recently on enterprise-targeted Red Hat Linux, but has also caused issues with other distros
    https://www.tomshardware.com/software/linux/crowdstrike-issues-go-beyond-windows-companys-security-software-has-reportedly-been-causing-kernel-panics-since-at-least-april

    Reply
  2. Tomi Engdahl says:

    Disruptions caused by arson attacks affect 800,000 passengers in France – Does the method point to the far left?
    https://www.iltalehti.fi/ulkomaat/a/1c510530-812b-4313-af6d-3bc2bd4d8359

    Arson attacks near railway tracks have cut connections to Paris from several directions.

    Reply
  3. Tomi Engdahl says:

    It took them like a week to get 97% of computers back and they’re trying to make that sound like a good thing. It’s ridiculous how slow that is, that means that 3% are still down a week later.

    Reply
  4. Tomi Engdahl says:

    France train attacks: What we know about sabotage before Olympics
    https://www.reuters.com/world/europe/what-do-we-know-about-pre-olympic-attacks-frances-railways-2024-07-26/?fbclid=IwY2xjawERZxtleHRuA2FlbQIxMQABHfhZpNpqdnglMlKNepfbkCj_D9–7SVfSegqIP3UoKrVg_bLmQbc9vjRnQ_aem_B0fphbFYDHc2utTl_ATYcA
    PARIS, July 26 (Reuters) – Unidentified saboteurs struck France’s train network in a series of pre-dawn attacks across the country on Friday, causing travel chaos and exposing security gaps just hours before the opening ceremony of the Paris Olympics.
    What do we know about the attacks?

    THE ATTACKS
    Explosive devices set off fires on signalling infrastructure on three railway lines going into Paris, rail operator SNCF said. The attacks hit the lines from cities such as Lille in the north, Bordeaux in the west and Strasbourg in the east.

    Another attack on the Paris-Marseille line was foiled.
    One attack happened by lines near Courtalain, southwest of Paris, another in Pagny-sur-Moselle in northeast France and the other in Croisilles near the Belgian border.
    Pictures released by SNCF showed engineers repairing charred cables in signal substations.
    THE PERPETRATORS
    Nobody has claimed responsibility for the attacks.

    NATO Secretary-General Jens Stoltenberg said in June that the alliance had seen several examples of “sabotage, of arson attempts” by Russia, but there is no indication that Moscow might have been behind Friday’s attacks in France.

    THE IMPACT
    The attacks marked an inauspicious start to the Olympic Games as France prepares to stage one of the most ambitious Opening Ceremonies ever seen.
    Some 45,000 police, 10,000 soldiers and 2,000 private security agents have been deployed to secure the Games’ opening ceremony.

    SNCF chief Jean-Pierre Farandou said some 800,000 customers had been impacted ahead of a busy weekend for French holidaymakers.
    Eurostar’s high-speed services linking London and Paris were forced onto slower lines while Germany’s Deutsche Bahn warned of disruption to long-distance services.

    Reply
  5. Tomi Engdahl says:

    https://hackaday.com/2024/07/15/linksys-velop-routers-caught-sending-wifi-creds-in-the-clear/

    A troubling report from the Belgian consumer protection group Testaankoop: several models of Velop Pro routers from Linksys were found to be sending WiFi configuration data out to a remote server during the setup process. That would be bad enough, but not only are these routers reporting private information to the mothership, they are doing it in clear text for anyone to listen in on.

    https://www.test-aankoop.be/hightech/wifi-versterkers/nieuws/router-linksys-onveilig

    Reply
  6. Tomi Engdahl says:

    First up this week is the story of EvilVideo, a clever telegram exploit that disguises an APK as a video file. The earliest record we have of this exploit is on June 6th when it was advertised on a hacking forum.

    Researchers at ESET discovered a demo of the exploit, and were able to disclose it to Telegram on June 26th. It was finally patched on July 11. While it was advertised as a “one-click” exploit, that’s being a bit generous, as the ESET demo video shows. But it was a clever exploit. The central trick is that an APK file can be sent in a Telegram chat, and it displays what looks like a video preview.

    https://hackaday.com/2024/07/26/this-week-in-security-evilvideo-crowdstrike-and-insecure-boot/

    https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-sending-malicious-android-apks-as-videos/

    Reply
  7. Tomi Engdahl says:

    LetsKill OCSP

    Let’s Encrypt surprised a few of us by announcing the end of OCSP this week. The Online Certificate Status Protocol is used to query whether a given certificate is still valid. One of the problems with that protocol is that it requests status updates per DNS address, effectively sending a running browsing history over the Internet. There’s a technical issue, in that the attacks that OCSP is designed to defend against also place the attacker in a position to block OCSP requests, and clients will silently ignore OCSP requests that time out.

    The replacement is the Certificate Revocation List (CRL), which is a simple list of revoked certificates. The problem is that those lists can be huge. Mozilla and Google have rolled out a clever solution, that uses data compression and aggressive optimization to handle those CRLs like any other browser update. And hence, OCSP is destined to go away.

    https://hackaday.com/2024/07/26/this-week-in-security-evilvideo-crowdstrike-and-insecure-boot/

    Intent to End OCSP Service
    https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html

    Let’s Encrypt has been providing an OCSP responder since our launch nearly ten years ago. We added support for CRLs in 2022.

    Websites and people who visit them will not be affected by this change, but some non-browser software might be.

    We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor’s particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let’s Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.

    We are also taking this step because keeping our CA infrastructure as simple as possible is critical for the continuity of compliance, reliability, and efficiency at Let’s Encrypt. For every year that we have existed, operating OCSP services has taken up considerable resources that can soon be better spent on other aspects of our operations. Now that we support CRLs, our OCSP service has become unnecessary.

    In August of 2023 the CA/Browser Forum passed a ballot to make providing OCSP services optional for publicly trusted CAs like Let’s Encrypt. With one exception, Microsoft, the root programs themselves no longer require OCSP. As soon as the Microsoft Root Program also makes OCSP optional, which we are optimistic will happen within the next six to twelve months, Let’s Encrypt intends to announce a specific and rapid timeline for shutting down our OCSP services. We hope to serve our last OCSP response between three and six months after that announcement. The best way to stay apprised of updates on these plans is to subscribe to our API Announcements category on Discourse.

    Reply
  8. Tomi Engdahl says:

    Secure Boot is completely broken on 200+ models from 5 big device makers
    Keys were labeled “DO NOT TRUST.” Nearly 500 device models use them anyway.
    https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

    In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.

    The threat of such BIOS-dwelling malware was largely theoretical and fueled in large part by the creation of ICLord Bioskit by a Chinese researcher in 2007. ICLord was a rootkit, a class of malware that gains and maintains stealthy root access by subverting key protections built into the operating system. The proof of concept demonstrated that such BIOS rootkits weren’t only feasible; they were also powerful. In 2011, the threat became a reality with the discovery of Mebromi, the first-known BIOS rootkit to be used in the wild.

    Keenly aware of Mebromi and its potential for a devastating new class of attack, the Secure Boot architects hashed out a complex new way to shore up security in the pre-boot environment. Built into UEFI—the Unified Extensible Firmware Interface that would become the successor to BIOS—Secure Boot used public-key cryptography to block the loading of any code that wasn’t signed with a pre-approved digital signature. To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.

    An unlimited Secure Boot bypass
    On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it’s not clear when it was taken down.

    The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

    “It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”

    Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one.

    The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings “DO NOT SHIP” or “DO NOT TRUST.”

    These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren’t clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.

    Cryptographic key management best practices call for credentials such as production platform keys to be unique for every product line or, at a minimum, to be unique to a given device manufacturer. Best practices also dictate that keys should be rotated periodically. The test keys discovered by Binarly, by contrast, were shared for more than a decade among more than a dozen independent device makers. The result is that the keys can no longer be trusted because the private portion of them is an open industry secret.

    “Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?”

    Matrosov said his team found identical test platform keys on both client and server-related products.

    “If the key will be leaked, it’s impacting the ecosystem,” he explained. “It’s not impacting a single device.”

    Binarly has named its discovery PKfail in recognition of the massive supply-chain snafu resulting from the industry-wide failure to properly manage platform keys.

    The report is available here. Proof-of-concept videos are here and here. Binarly has provided a scanning tool here.

    Owning Secure Boot
    The threat posed by PKfail is that anyone with (1) knowledge of the private portion of an affected platform key and (2) administrative system rights to an affected device can completely bypass Secure Boot protections. The threat is most immediate for devices that use the platform key compromised in the 2022 leak on GitHub.

    Last year, Smolár uncovered BlackLotus, the world’s first-known instance of real-world UEFI-dwelling malware that bypassed Secure Boot. The discovery resulted in the addition of several new entries in the forbidden DBX database. An attacker with knowledge of the private platform key material can “not only make BlackLotus work again but create other malware and enable it on all these devices,” he said.

    PKfail has parallels to at least two recent supply-chain mishaps.

    The PKfail issue highlights multiple security problems related to device supply chain security:

    Poor cryptographic materials management and appearance of the private keys directly in the code repositories with the hardcoded path from the build scripts.
    Usage of the non-production cryptographic keys responsible for the platform security of production firmware and devices.
    No rotation of the platform security cryptographic keys per product line. For example, the same cryptographic keys were confirmed on client and server-related products. Similar behavior was detected with Intel Boot Guard reference code key leakage.
    The same OEM used the same platform security-related cryptographic keys for firmware produced for different device manufacturers. Similar behavior was detected with Intel Boot Guard reference code key leakage.

    None of the companies answered questions asking how their products came to be using test keys clearly marked as untrusted. All of the companies declined to outline the steps they take to ensure platform keys in their products are managed using best practices in the industry.

    Reply
  9. Tomi Engdahl says:

    People who want to know if their Windows device uses one of the test platform keys can run the following PowerShell command:

    > [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match "DO NOT TRUST|DO NOT SHIP"
    True

    Linux users can detect one of the test certificates by displaying the content of the PK variable:

    $ efi-readvar -v PK
    Variable PK, length 862
    PK: List 0, type X509
    Signature 0, size 834, owner 26dc4851-195f-4ae1-9a19-fbf883bbb35e
    Subject:
    CN=DO NOT TRUST – AMI Test PK
    Issuer:
    CN=DO NOT TRUST – AMI Test PK

    There’s little that users of an affected device can do other than install a patch if one becomes available from the manufacturer. In the meantime, it’s worth remembering that Secure Boot has a history of not living up to its promises.

    https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

    Reply
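The same check as a small added Python tool, written for this page rather than taken from the article or from Binarly's scanner: it walks the EFI_SIGNATURE_LIST structure that the PK variable holds, reads each X.509 entry's serial number out of the DER, and flags an entry when the certificate carries the DO NOT TRUST / DO NOT SHIP marker or when its serial is the one the article quotes for the key leaked in 2022. The sample PK data at the bottom is constructed: the stand-in certificates contain only the fields the parser reads (they are not real certificates), the first owner GUID is the one shown in the efi-readvar output above, and the other owner GUIDs and serials are made up.

```python
import re
import struct
import uuid

# GUID marking an X.509 certificate entry in an EFI_SIGNATURE_LIST (EFI_CERT_X509_GUID in the UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Marker strings the article reports inside the AMI test-key certificates.
UNTRUSTED_MARKERS = re.compile(rb"DO NOT TRUST|DO NOT SHIP")
# Serial number of the platform key leaked on GitHub in 2022, as quoted in the article.
LEAKED_PK_SERIAL = "55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4"


def load_efivar(path):
    """Read a variable from efivarfs; the first 4 bytes are the attribute flags, not data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return (type, owner, signature_data) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:          # each entry: SignatureOwner GUID + SignatureData
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def der_tlv(buf, off):
    """Decode one DER tag-length-value at buf[off]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def x509_serial(der):
    """Pull serialNumber out of Certificate -> tbsCertificate (RFC 5280 field order)."""
    tag, pos, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a DER SEQUENCE")
    tag, pos, _ = der_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    tag, _, v_end = der_tlv(der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version comes first
        pos = v_end
    tag, s_start, s_end = der_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return ":".join(f"{b:02x}" for b in der[s_start:s_end])


def audit_pk(data):
    """One finding per X.509 entry in PK: owner, serial, and the reasons (if any) it is untrusted."""
    findings = []
    for sig_type, owner, cert in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        serial, reasons = x509_serial(cert), []
        marker = UNTRUSTED_MARKERS.search(cert)
        if marker:
            reasons.append("certificate contains " + marker.group().decode())
        if serial == LEAKED_PK_SERIAL:
            reasons.append("serial matches the platform key leaked in 2022")
        findings.append({"owner": str(owner), "serial": serial,
                         "untrusted": bool(reasons), "reasons": reasons})
    return findings


# ---- constructed sample (a stand-in for a PK dump, not real firmware data) ----
def _der(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content


def _fake_cert(serial_hex, subject):
    """Only the fields audit_pk reads: [0] version, serialNumber, and a subject string."""
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes.fromhex(serial_hex)) + _der(0x13, subject)
    return _der(0x30, _der(0x30, tbs))


def _siglist(cert, owner):
    sig_size = 16 + len(cert)
    return (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + cert)


SAMPLE_PK = (
    _siglist(_fake_cert("0a0b0c", b"CN=DO NOT TRUST - AMI Test PK"), uuid.UUID("26dc4851-195f-4ae1-9a19-fbf883bbb35e"))
    + _siglist(_fake_cert("55fbef878123008447170bb3cd873af4", b"CN=Example OEM PK"), uuid.UUID("00000000-0000-0000-0000-000000000001"))
    + _siglist(_fake_cert("0102", b"CN=Example Production PK"), uuid.UUID("00000000-0000-0000-0000-000000000002"))
)
```

On a Linux machine, load_efivar('/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c') returns the same bytes efi-readvar decodes, and audit_pk(...) on them prints one finding per certificate. Matching only the marker strings, as the PowerShell one-liner does, misses a production-looking certificate whose private key has leaked, which is why the serial comparison is there as well.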
  10. Tomi Engdahl says:

    https://www.bleepingcomputer.com/news/security/fbcs-data-breach-impact-now-reaches-42-million-people/

    Debt collection agency Financial Business and Consumer Solutions (FBCS) has again increased the number of people impacted by a February data breach, now saying it affects 4.2 million people in the US.

    FBCS is a US debt collection agency that collects unpaid debts from consumer credit, healthcare, commercial, auto loans and leases, student loans, and utilities.

    Reply
  11. Tomi Engdahl says:

    Google Says Sorry After Passwords Vanish For 15 Million Windows Users
    https://www.forbes.com/sites/daveywinder/2024/07/27/google-says-sorry-after-passwords-vanish-for-15-million-windows-users/

    Google has said it is sorry after a bug prevented a significant number of Windows users from finding or saving their passwords. The issue, which Google noted started on July 24 and continued for nearly 18 hours before being fixed on July 25, was due to “a change in product behavior without proper feature guard,” an excuse that may sound familiar to anyone caught up in the CrowdStrike disruption this month.

    The vanishing password problem impacted Chrome web browser users from all over the world, leaving them unable to find any passwords already saved using the Chrome password manager. Newly saved passwords were also rendered invisible to the affected users. Google, which has now fixed the issue, said that the problem was limited to the M127 version of Chrome Browser on the Windows platform.

    The precise number of users to be hit by the Google password manager vanishing act is hard to pin down. However, working on the basis that there are more than 3 billion Chrome web browser users, with Windows users counting for the vast majority of these, it’s possible to come up with an estimated number. Google said that 25% of the user base saw the configuration change rolled out, which, by my calculations, is around 750 million. Of these, around 2%, according to Google’s estimation, were hit by the password manager issue. That means around 15 million users have seen their passwords vanish into thin air.

    Chrome Password Manager Disruption Is Now Fully Fixed
    Google said that an interim workaround was provided at the time, which involved the particularly user-unfriendly process of launching the Chrome browser with a command line flag of "--enable-features=SkipUndecryptablePasswords". Thankfully, the full fix that has now been rolled out just requires users to restart their Chrome browser to take effect.

    Reply
  12. Tomi Engdahl says:

    https://hackaday.com/2024/07/24/hacking-an-iot-camera-reveals-hard-coded-root-password/

    Hacking — at least the kind where you’re breaking into stuff — is very much a learn-by-doing skill. There’s simply no substitute for getting your hands dirty and just trying something. But that doesn’t mean you can’t learn something by watching, with this root password exploit on a cheap IP video camera being a good look at the basics.

    Reply
  13. Tomi Engdahl says:

    There is no “S” in IoT, so does that mean there is no Security?

    Reply
  14. Tomi Engdahl says:

    Internally originating Threat

    Reply
  15. Tomi Engdahl says:

    If we’re talking about remote access to every unit via some publicly accessible API, that’s very very bad. If we’re talking about remote access when on the same network / when the camera isn’t behind a firewall or reasonable network security, well, that’s still pretty bad.

    However, if we’re talking about getting root over a local serial console only, with no (known / obvious) remote entry paths, I’d argue that it’s good — as the saying goes, there’s no assumption of device security when the attacker has physical access anyway, and for people who want to modify or repurpose their own hardware, being able to get root locally is a strong benefit, not a drawback.

    Reply
  16. Tomi Engdahl says:

    if you believe in privacy, all sorts of things can stress you out. but once you accept that privacy is obsolete, bliss descends upon you :)

    Reply
  17. Tomi Engdahl says:

    Goodbye? Attackers Can Bypass ‘Windows Hello’ Strong Authentication
    Accenture researcher undercut WHfB’s default authentication using open source Evilginx adversary-in-the-middle (AitM) reverse-proxy attack framework.
    https://www.darkreading.com/endpoint-security/goodbye-attackers-can-bypass-windows-hello-strong-authentication

    Microsoft’s Windows Hello for Business (WHfB) default phishing-resistant authentication model recently was found susceptible to downgrade attacks, allowing threat actors to crack into even biometrically protected PCs and laptops.

    WHfB authentication, which uses cryptographic keys embedded in a computer’s Trusted Platform Module (TPM) and enabled by biometric or PIN-based verification, can be bypassed by altering the parameters within an authentication request.

    Accenture red-team security researcher Yehuda Smirnov, who made the discovery late last year, reported it to Microsoft, which has made a fix available. Smirnov will demonstrate the attack and how to mitigate that loophole during a session at Black Hat USA 2024 in Las Vegas on Aug. 8.

    Authentication Downgrades With Adversary-in-the-Middle
    WHfB, an option for commercial and enterprise versions of Windows 10, has been available since 2016. It is designed to protect against phishing attacks using Windows Hello’s device-based biometric or PIN authentication, an inherently more secure verification mode than passwords or SMS-based, one-time passwords (OTPs).

    Smirnov is not the first to uncover a vulnerability in WHfB’s secure authentication model.

    In this case, Smirnov found that an attacker can intercept and alter POST requests to Microsoft’s authentication services, defaulting WHfB to less secure passwords or OTP methods.

    Smirnov says his discovery does not indicate that WHfB is insecure. “The insecure part here is not regarding the protocol itself, but rather how the organization forces or does not force strong authentication,” he says. “Because what’s the point of phishing-resistant authentication if you can just downgrade it to something that is not phishing-resistant?”

    When a user initially registers Windows Hello on their device, the WHfB authentication mechanism creates a private key credential stored in the computer’s TPM. The private key is inaccessible to an attacker because it is sandboxed on the TPM, therefore requiring an authentication challenge using a Windows Hello-compatible biometric key or PIN as a sign-in challenge.

    To authenticate with cloud applications using WHfB, Microsoft generates a challenge sent to the client using the WebAuthn API implemented in a browser, which interacts with Windows Hello on the device to request the verification challenge using the private key. WebAuthn, a World Wide Web Consortium (W3C) standard, is the underlying component of FIDO2 or passkeys-based authentication.

    Microsoft’s Remediation: New Conditional Access Policy
    Microsoft’s fix quietly arrived in March with the addition of a new Conditional Access capability called “authentication strength,” which administrators can now activate in the Azure portal. “Basically, they can force the employees to authenticate using only phishing-resistant authentication,” Smirnov says. “It is now possible for them to do that, which was not possible beforehand.”

    According to Microsoft, the authentication strength parameter can require exclusively phishing-resistant authentication to access sensitive information.

    Reply
  18. Tomi Engdahl says:

    Analysis: Two opposite conclusions can be drawn from the worst software bug in history
    The faulty software update that crashed 8.5 million Windows machines last week is at the same time a demonstration of the vulnerability of a centralized system and of its benefits, writes technology journalist Teemu Hallamaa.
    https://yle.fi/a/74-20101209

    In the early 2000s, the software company Microsoft was repeatedly under scrutiny by competition authorities. The company’s Windows operating system had achieved such a dominant market position that regulators around the world saw fit to intervene in how Microsoft competed with other software developers on its own platform.

    And in antivirus protection, security companies had to be offered the same opportunities to detect and block attacks as Microsoft itself had. This meant granting access to the core of the operating system, the so-called kernel.

    Crowdstrike is one of the security companies that has access to the Windows kernel. Last week the company pushed a security update to its software, which runs on millions of computers. The update contained an error that crashed every computer that received it and at the same time caused widespread disruption, especially to air traffic.

    The weekend’s IT chaos was not Microsoft’s fault, but part of the reputational damage landed on the software giant. Images have been shared online of display boards in shopping centres and airports showing, instead of advertisements and timetables, the Windows error message known as the blue screen of death. At the same time, politicians and regulators have held up the incident as an example of the power concentrated in Microsoft.

    So it is no wonder that a Microsoft spokesperson pointed out in an interview with the business publication The Wall Street Journal that Microsoft cannot restrict the access of security companies like Crowdstrike to the Windows kernel. According to the spokesperson, this would violate an agreement the company made with the European Commission in 2009.

    Now security companies fear that Microsoft will take advantage of Crowdstrike’s mistake and start demanding that the Windows kernel be closed to outside parties.

    Matthew Prince, CEO of the network and security service provider Cloudflare, raised this concern on X. According to Prince, the end result must not be closing the kernel, because then power would be concentrated even further and openness would suffer.

    He points out that competition in open markets guarantees the best security. If the kernel is closed, we have to trust that Microsoft is the best and most innovative actor in the security field. That has not always been the case.

    Prince’s view is also supported by the fact that Crowdstrike’s error affected less than one percent of all Windows machines. If Microsoft had made the error, one hundred percent of machines would have crashed. The consequences of that are hard even to imagine.

    On the other hand, no other company in the world cares as much about Windows working as Microsoft does. Crowdstrike made many mistakes that Microsoft would not have made. If Microsoft controlled the core of its operating system, the weekend’s chaos would probably have been avoided.

    Crowdstrike’s error last week may have been the worst software bug in history: over 5,000 flights have been cancelled, and healthcare in Britain is still in trouble
    The update fault affected only one percent of the world’s Windows users, but the mess may take weeks to clean up.
    https://yle.fi/a/74-20100737

    Reply
  19. Tomi Engdahl says:

    RADIUS Protocol Vulnerability Exposes Network Device Authentication
    https://www.infoq.com/news/2024/07/radius-vulnerability/

    A team of security researchers has discovered a significant vulnerability in the widely used RADIUS (Remote Authentication Dial-In User Service) protocol. This vulnerability could potentially allow attackers to gain unauthorised access to network devices. Cloudflare staff detailed the findings in a blog post, highlighting the ongoing challenges of maintaining security in long-standing network protocols.

    RADIUS/UDP vulnerable to improved MD5 collision attack
    https://blog.cloudflare.com/radius-udp-vulnerable-md5-attack

    The MD5 cryptographic hash function was first broken in 2004, when researchers demonstrated the first MD5 collision, namely two different messages X1 and X2 where MD5(X1) = MD5(X2). Over the years, attacks on MD5 have only continued to improve, getting faster and more effective against real protocols. But despite continuous advancements in cryptography, MD5 has lurked in network protocols for years, and is still playing a critical role in some protocols even today.

    One such protocol is RADIUS (Remote Authentication Dial-In User Service). RADIUS was first designed in 1991 – during the era of dial-up Internet – but it remains an important authentication protocol used for remote access to routers, switches, and other networking gear by users and administrators.

    In this post, we present an improved attack against MD5 and use it to exploit all authentication modes of RADIUS/UDP apart from those that use EAP (Extensible Authentication Protocol). The attack allows a Monster-in-the-Middle (MitM) with access to RADIUS traffic to gain unauthorized administrative access to devices using RADIUS for authentication, without needing to brute force or steal passwords or shared secrets. This post discusses the attack and provides an overview of mitigations that network operators can use to improve the security of their RADIUS deployments.

    Reply
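An added Python example for the RADIUS item above (not code from the Cloudflare post or from InfoQ): it builds and verifies RADIUS responses the RFC 2865 way, where the Response Authenticator is a plain MD5 over the packet fields and the shared secret, and it adds and checks the RFC 2869 Message-Authenticator attribute, an HMAC-MD5 keyed with the shared secret. The article does not list the mitigations it mentions; treating a required Message-Authenticator on every response as the mitigation is this example's assumption. The shared secret, Request Authenticator and identifier are constructed demo values, not captured traffic.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80          # RFC 2869: HMAC-MD5 keyed with the shared secret
HEADER = struct.Struct("!BBH16s")        # Code, Identifier, Length, Authenticator


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (length byte covers type and length)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("malformed attribute")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def message_authenticator(code, ident, request_auth, attrs, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed; for a response
    the authenticator field holds the Request Authenticator (RFC 2869 section 5.14)."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    pkt = HEADER.pack(code, ident, HEADER.size + len(body), request_auth) + body
    return hmac.new(secret, pkt, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_message_authenticator=True):
    """Server side. The Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret),
    the construction the MD5-collision attack targets; the HMAC attribute is what the verifier
    can insist on. with_message_authenticator=False models a legacy server that omits it."""
    attrs = list(attrs)
    if with_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))          # placeholder, then filled in
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    resp_auth = hashlib.md5(HEADER.pack(code, ident, length, request_auth) + body + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + body


def verify_response(packet, ident, request_auth, secret, require_message_authenticator=True):
    """Client (NAS) side: True only if every check passes. With require_message_authenticator
    set, a reply that carries no HMAC is rejected instead of being trusted on MD5 alone."""
    if len(packet) < HEADER.size:
        return False
    code, pkt_ident, length, resp_auth = HEADER.unpack_from(packet)
    if length != len(packet) or pkt_ident != ident:
        return False
    body = packet[HEADER.size:]
    expected = hashlib.md5(HEADER.pack(code, ident, length, request_auth) + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require_message_authenticator
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    return hmac.compare_digest(macs[0], message_authenticator(code, ident, request_auth, attrs, secret))


# Constructed demo values (not captured traffic).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))          # a real NAS sends 16 random bytes per request
IDENT = 42


def demo():
    attrs = [(ATTR_REPLY_MESSAGE, b"welcome")]
    good = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH, attrs, SECRET)
    legacy = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH, attrs, SECRET, with_message_authenticator=False)
    tampered = bytearray(good)
    tampered[HEADER.size + 2] ^= 0x20    # flip one bit inside the Reply-Message value
    return {
        "valid": verify_response(good, IDENT, REQUEST_AUTH, SECRET),
        "tampered": verify_response(bytes(tampered), IDENT, REQUEST_AUTH, SECRET),
        "legacy_strict": verify_response(legacy, IDENT, REQUEST_AUTH, SECRET),
        "legacy_lenient": verify_response(legacy, IDENT, REQUEST_AUTH, SECRET, require_message_authenticator=False),
    }
```

demo() returns {'valid': True, 'tampered': False, 'legacy_strict': False, 'legacy_lenient': True}: the MD5 Response Authenticator still catches naive edits and a wrong secret, but it is the same MD5-over-secret construction the attack above undermines, so the strict verifier refuses any reply that carries no Message-Authenticator rather than falling back to it.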
  20. Tomi Engdahl says:

    CrowdStrike says hackers are threatening to leak sensitive information about adversaries
    The company said some of its information had already been released.
    https://www.nbcnews.com/tech/security/crowdstrike-says-hackers-are-threatening-leak-sensitive-information-ad-rcna163675

    Reply
  21. Tomi Engdahl says:

    The cybersecurity company CrowdStrike said Wednesday evening that some of the company’s private information on the hackers it tracks had been posted online, and that the hacker behind the leak has threatened to release information that’s even more sensitive.
    https://www.nbcnews.com/tech/security/crowdstrike-says-hackers-are-threatening-leak-sensitive-information-ad-rcna163675

    Reply
  22. Tomi Engdahl says:

    Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s Threat Actor List
    https://www.crowdstrike.com/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/

    Reply
  23. Tomi Engdahl says:

    Tag-100 Hacker Group Exploiting Citrix NetScaler & F5 BIG-IP Vulnerabilities
    https://cybersecuritynews.com/tag-100-exploits-citrix-vulnerabilities/#google_vignette

    Reply
  24. Tomi Engdahl says:

    CrowdStrike ‘Updates’ Deliver Malware & More as Attacks Snowball
    The fake updates are part of a phishing and fraud surge that is both more voluminous and more targeted than the usual activity around national news stories
    https://www.darkreading.com/threat-intelligence/crowdstrike-updates-malware-attacks-snowball

    Reply
  25. Tomi Engdahl says:

    Which VPN protocols aren’t safe anymore?
    https://www.techradar.com/pro/vpn/which-vpn-protocols-arent-safe-anymore

    All VPN protocols create a secure connection (or try to) but they don’t all do it the same way. It’s the encryption methods, authentication processes, and data transmission techniques that differentiate protocols.

    PPTP, which stands for Point-to-Point Tunneling Protocol, is Microsoft’s in-house VPN protocol developed for Windows.

    It has a lot of issues, though, and way too many to mention here in depth. I’ll go over the main problem, however, which is that the asymmetric key used to negotiate the session isn’t secure.

    PPTP uses Microsoft’s MS-CHAPv2 for key negotiation, which is based on Microsoft’s existing authentication standards.

    PPTP piggybacks on this existing infrastructure to generate a session key. Then, the key is used to create the encryption needed for streaming data using the RC4 encryption scheme between the VPN clients.

    However, there is a fundamental flaw in how MS-CHAPv2 works – it’s easily cracked using brute force.

    While there are slightly safer implementations of PPTP that ditch MS-CHAPv2 in favor of the public-key cryptography I mentioned earlier, there’s no real reason to use PPTP unless you’re trying to support legacy systems.

    The argument against PPTP is pretty solid – but the reasons for my doubts about IPSec and L2TP are harder to nail down.

    It’s uncertain exactly how IPSec/L2TP is unsecure. However, leaks provided by Edward Snowden in 2014 revealed that the NSA and GCHQ have a vested interest in decrypting as much VPN traffic as possible to support their SIGINT programs. As part of this program, it’s suggested that the NSA has to decrypt a significant portion of the world’s internet traffic transported over IPSec/L2TP.

    This could mean that the IPSec suite itself contains a vulnerability, or has been deliberately weakened to make it easier to decrypt.

    Without actual technical implementations to correlate its claims, it’s difficult to say exactly why IPSec is insecure.

    Nevertheless, the leaked documents are enough to make me steer clear of IPSec too – at least as it relates to IKEv1. Thankfully, IKEv2 has replaced IKEv1 in most implementations built around IPSec, and it seems like a far more secure protocol.

    OpenVPN is considered the gold standard of VPN security. It’s open-source, trusted by hundreds of thousands of organizations the world over, and built on top of the OpenSSL library which provides encryption used by basically every website ever.

    If you’re on the hunt for a secure VPN and notice that a potential pick uses OpenVPN – it’s a solid option. When configured properly, it’s virtually bulletproof.

    Then, there’s WireGuard. It’s almost as secure as OpenVPN but, by default, there’s one noticeable issue. WireGuard stores your IP when doing Network Address Translation. So, if a hacker or employee broke into the VPN server, they’d be able to link your traffic to your IP address. Luckily, it can be fixed pretty easily by VPN providers.

    To address this issue, top-tier VPN providers that offer WireGuard use something called a “double-NAT” approach to anonymize your traffic.

    Speaking of, when it comes to provider-specific VPN protocols, it’s hard to gauge them on a case-by-case basis. However, there are a few golden rules to keep in mind.

    One of the most important, for example, is to check that the protocol has been subject to a third-party audit. A VPN provider that has built its own protocol is attempting to replicate the work of potentially hundreds of software, network, and cryptography engineers. In my opinion, any VPN worth its salt will be comfortable letting a third-party firm inspect its products, down to the nitty-gritty, and check for potential vulnerabilities.

    Quantum computing poses a potential threat to a lot of encryption methods – including those used by VPN protocols.

    For example, quantum computers could theoretically break RSA encryption, one of the most common asymmetrical key exchange methods.

    For now, quantum computers are not yet advanced enough to break these encryption methods on a large scale.

    Researchers have already developed several algorithms designed to be secure against quantum attacks in response to the potential threat. Post-quantum algorithms are now baked into most encryption libraries – and top-tier VPN providers like NordVPN and ExpressVPN are already integrating these into their VPN encryption protocols.

    Reply
  26. Tomi Engdahl says:

    The Paris Olympics are a potential target not only for terrorist acts but also for cyberattacks, security companies assess. The American firm Palo Alto Networks has drawn up its own threat report, and Finland’s WithSecure also warns about the cyber security threats to the Paris Olympics in its recent report.
    https://www.uusiteknologia.fi/2024/07/26/pariisin-olympialaiset-ovat-kyberhyokkaysten-kohde-kisat-alkavat-tanaan/?utm_campaign=pariisin-olympialaiset-ovat-kyberhyokkaysten-kohde-kisat-alkavat-tanaan&utm_medium=rss&utm_source=rss&fbclid=IwZXh0bgNhZW0CMTEAAR1f9BPrjGMR8jPH_0nzbrQMkGbZVIhtLhTYpcGL7c995fYs8rFrar2g2xo_aem_NnpUNTC0wmTgvg6qB2dAXg

    Reply
  27. Tomi Engdahl says:

    Mobile phone mast toppled in Janakkala – police are investigating the case as aggravated criminal damage
    According to the Häme police situation centre, the guy wires supporting the mast were cut.
    https://yle.fi/a/74-20101849

    Reply
  28. Tomi Engdahl says:

    Nnamdi Nzekwe
    C-00000291*.sys is a file installed by the 3rd-party software CrowdStrike, and it causes a BSOD blue screen.

    The advice to delete this *.sys file suggests logging into the command recovery shell or booting from any other device (USB boot, connecting the SSD to another PC, etc.).

    If your system drive is encrypted, you won’t be able to access the filesystem.

    Reply
  29. Tomi Engdahl says:

    Fiber optic cables in several regions of France were cut overnight in what appears to be a coordinated act of sabotage, French service providers said Monday.

    French fiber optic cables cut in latest Olympics sabotage
    https://www.axios.com/2024/07/29/france-fiber-optic-olympic-attack?fbclid=IwY2xjawEUiZRleHRuA2FlbQIxMQABHUmUKGhLL4JTPDdoErUhUrn7hsPnMg7lWQFREuzSxgYNRfe4YhhIapE3NQ_aem_cwufN6XBbJ6L3skasH-B-w

    Fiber optic cables in several regions of France were cut overnight in what appears to be a coordinated act of sabotage, French service providers said Monday.

    Why it matters: This is the second attack on French infrastructure in a matter of days, underscoring the security threats around the Paris Olympic Games.

    Driving the news: “A new major sabotage of long distance cables took place last night in France around 2:15 a.m.,” Nicolas Guillaume, CEO of internet service provider Netalis, wrote on X Monday.

    The big picture: The fiber cables incident comes days after coordinated arson attacks disrupted France’s high-speed rail networks ahead of Friday’s opening ceremony of the Olympic Games.

    Interior Minister Gérald Darmanin said Monday that police had identified “profiles” of people who may have been behind the attack and suggested that far-left activists could have been responsible, though he did not provide specific evidence to back up his claim.

    “Coordinated” arson attacks disrupt French rail on Olympics opening day
    https://www.axios.com/2024/07/26/paris-olympics-france-rail-arson-attack

    Reply
  30. Tomi Engdahl says:

    Fiber optic networks ‘sabotaged’ in parts of France
    It was not clear whether there was a link with the coordinated attacks that paralyzed the country’s high-speed train network last Friday, hours before the opening ceremony of the Paris Olympics.
    https://www.lemonde.fr/en/france/article/2024/07/29/fiber-optic-networks-sabotaged-in-parts-of-france_6703674_7.html

    Reply
  31. Tomi Engdahl says:

    LAPD warns residents after spike in burglaries using Wi-Fi jammers that disable security cameras, smart doorbells
    News
    By Mark Tyson published July 20, 2024
    Wilshire-area neighborhoods were told to be particularly vigilant.
    https://www.tomshardware.com/networking/lapd-warn-residents-after-spate-of-wi-fi-jammer-cloaked-burglaries-police-share-a-security-check-list

    The Los Angeles Police Department has warned residents to be wary of thieves using technology to break into homes undetected. High-tech burglars have apparently knocked out their victims’ wireless cameras and alarms in the Los Angeles Wilshire-area neighborhoods before getting away with swag bags full of valuables. An LAPD social media post highlights the Wi-Fi jammer-supported burglaries and provides a helpful checklist of precautions residents can take.

    Criminals can easily find the hardware for Wi-Fi jamming online. It can also be cheap, with prices starting from $40. However, jammers are illegal to use in the U.S.

    We have previously reported on Wi-Fi jammer-assisted burglaries in Edina, Minnesota. Criminals deployed Wi-Fi jammer(s) to ensure homeowners weren’t alerted of intrusions and that incriminating video evidence wasn’t available to investigators.

    “These burglary suspects are known to enter via second-story balconies and seek high-end jewelry, purses, US currency, and other fine valuables.”

    Security checklist
    The LAPD Wilshire force proactively provided a security checklist that could be useful to anyone, not just local residents. Its most obvious suggestion to address Wi-Fi security is for residents to think about hard-wiring their burglary alarm system. It also believes that complementary modern tech, like Apple AirTags and Ring Doorbell app networks, can help provide increased coverage and security. Moreover, it reminds users never to tell their Uber, Lyft, or taxi drivers that they are going away – and a similar “loose lips sink ships” warning applies to those who are habitual social media posters.

    Outside the high-tech world, the LAPD suggests securing electrical circuit boxes, securing your home DVR recorder, installing better property lighting, and cutting back shrubbery or trees. Other tips regarding your home’s physical security include keeping an eye open for suspicious people, vehicles, and activity and coordinating with your friends and neighbors to watch over your home if you are away for any extended period.

    Some surveys suggest that home burglaries are most common in the summer months.

    Reply
  32. Tomi Engdahl says:

    Mika Aaltola (National Coalition Party), former director of the Finnish Institute of International Affairs and Member of the European Parliament, does not rule out the possibility that Russia could be behind the toppling of the mobile phone mast in Janakkala last weekend.

    Aaltola on the strange events in Finland: “Something is going on”
    https://www.is.fi/politiikka/art-2000010594716.html

    Reply
  33. Tomi Engdahl says:

    What is known about Elisa’s toppled mobile phone mast
    https://www.is.fi/kotimaa/art-2000010595009.html

    Reply
  34. Tomi Engdahl says:

    WhatsApp for Windows lets Python, PHP scripts execute with no warning
    https://www.bleepingcomputer.com/news/security/whatsapp-for-windows-lets-python-php-scripts-execute-with-no-warning/

    A security issue in the latest version of WhatsApp for Windows allows sending Python and PHP attachments that are executed without any warning when the recipient opens them.

    For the attack to be successful, Python needs to be installed, a prerequisite that may limit the targets to software developers, researchers, and power users.

    The problem is similar to the one affecting Telegram for Windows in April, which was initially rejected but fixed later, where attackers could bypass security warnings and perform remote code execution when sending a Python .pyzw file through the messaging client.

    WhatsApp blocks multiple file types considered to carry a risk to users but the company tells BleepingComputer that it does not plan to add Python scripts to the list.

    Further testing by BleepingComputer shows that PHP files (.php) are also not included in WhatsApp’s blocklist.

    When sending a potentially dangerous file, such as .EXE, WhatsApp shows it and gives the recipient two options: Open or Save As.

    However, when trying to open the file, WhatsApp for Windows generates an error, leaving users only the option to save the file to disk and launch it from there.

    In BleepingComputer tests, this behavior was consistent with .EXE, .COM, .SCR, .BAT, and Perl file types using the WhatsApp client for Windows. Das found that WhatsApp also blocks the execution of .DLL, .HTA, and VBS.

    For all of them, an error occurred when trying to launch them directly from the app by clicking “Open.” Executing them was possible only after saving to disk first.

    Talking to BleepingComputer, Das said that he found three file types that the WhatsApp client does not block from launching: .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows event Log file).

    BleepingComputer’s tests confirmed that WhatsApp does not block the execution of Python files and discovered that the same happens with PHP scripts.

    Reply
  35. Tomi Engdahl says:

    They went through four separate video interviews and even cleared background checks. https://trib.al/3OCgIUD

    Security Firm Alarmed to Discover Their Remote Employee Is a North Korean Hacker
    https://futurism.com/the-byte/security-firm-remote-employee-north-korean-hacker

    A security and anti-phishing company called KnowBe4 hired a remote worker — who, in an ironic twist, turned out to be a North Korean hacker.

    The company hired the software engineer after they had passed through four separate video interviews and cleared background checks.

    But shortly after the worker was sent a company-issued computer, things immediately went awry.

    “The moment it was received, it immediately started to load malware,” the company’s founder and CEO Stu Sjouwerman wrote in a blog post.

    As it turns out, the engineer was a “fake IT worker from North Korea.”

    “This was a real person using a valid but stolen US-based identity,” Sjouwerman wrote. “The picture was AI ‘enhanced.’”

    While the company claims that “no illegal access was gained” and “no data was lost, compromised, or exfiltrated,” the hacker didn’t waste any time.

    “The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software,” the blog post reads.

    How a North Korean Fake IT Worker Tried to Infiltrate Us
    https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us

    Reply
  36. Tomi Engdahl says:

    Expert: This is the punishment you can get for toppling a phone mast
    The perpetrator and the motive for the act are not yet known.

    Expert: This is the punishment you can get for toppling a phone mast
    https://www.is.fi/kotimaa/art-2000010597509.html

    The Häme police department said in a press release on Tuesday that the offences currently being investigated in the case are aggravated criminal damage and aggravated interference with telecommunications. The perpetrator and the motive for the act are not yet known.

    Matti Tolvanen, professor emeritus of criminal and procedural law at the University of Eastern Finland, says that aggravated criminal damage can carry a prison sentence of four months to four years. A fine alone is not an option.

    Reply
  37. Tomi Engdahl says:

    Microsoft 365 and Azure outage takes down multiple services /again/

    Microsoft 365 and Azure outage takes down multiple services
    https://www.bleepingcomputer.com/news/microsoft/microsoft-365-and-azure-outage-takes-down-multiple-services/?fbclid=IwY2xjawEWFOtleHRuA2FlbQIxMQABHQtNPGFONza2FURFizl4Y-H4bZS5fokvhr0vor5hBxvV-V3mSJ9V0-wqQg_aem_KV6B0BBxE4mKALsbuATftw#webview=1

    Microsoft is investigating an ongoing global outage blocking access to some Microsoft 365 and Azure services.

    “We’re currently investigating access issues and degraded performance with multiple Microsoft 365 services and features. More information can be found under MO842351 in the admin center,” Redmond said.

    However, many users report having issues connecting to the Microsoft 365 admin center and opening the Service Health Status page, which should provide real-time information on issues impacting Microsoft Azure and the Microsoft 365/Power Platform admin centers.

    Reply
