Robert Grupe's AppSecNewsBits 2024-01-13
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Fidelity National now says 1.3M customers had data stolen by cyber-crooks
It's still not calling it ransomware. The biz added it "has been named as a defendant in several lawsuits related to this incident." And it still maintains that, "at this time, we do not believe that the incident will have a material impact on the company."
By that, it may think it can absorb any financial hit from the cyberattack. Another mortgage lender, Mr Cooper, last month said it expects to spend at least $25 million cleaning up its earlier security breach, which saw almost 14.7 million people's data stolen. FNF's 2022 annual profit was over a billion dollars, and has crossed $500 million in its financial year to date; it can probably take the hit.
Apple has known since at least 2019 that AirDrop leaks the real-world identities of users. To this day, however, Apple has never publicly discussed or acknowledged any aspect of the leakage, including whether the company has plans to replace AirDrop’s hash-based PSI with a more secure PSI, such as one devised by the researchers.
There are several ways to carry out this attack, which falls under a general category of hash cracking known as dictionary attacks.
The dictionary attack—which is the opposite of brute-force attacks that hash every possible plain-text string (beginning, say, with “a” and ending with “zzzzzzzzzzzzzzzzzzzzzzzzz”)—is possible because AirDrop can’t use a cryptographic salt, a unique set of characters added to each plain-text string before it’s hashed.
“The attack clearly exploits the underlying issue that we pointed out in our paper and that we reported to Apple—namely the insecure use of hash functions for ‘obfuscating’ contact identifiers in the AirDrop protocol.”
For now, there’s nothing AirDrop users can do to prevent their phone number and email address from being leaked, short of configuring the feature to “receiving off” and never initiating a send.
Students failed to return 77,505 laptops and other electronic devices within a year. Schools marked tech devices "lost" when they were assigned to students or staff and never returned – but there were no consequences.
District-wide, 27 percent of tech assets were marked lost or stolen during the 2022-2023 school year – amounting to more than one of every four.
The district spends about $2.5 million on software that's meant to track and locate devices, but the district just wasn't using that software.
The most critical security issue GitLab patched has the maximum severity score (10 out of 10) and is being tracked as CVE-2023-7028. It is an authentication problem that permits password reset requests to be sent to arbitrary, unverified email addresses, allowing account takeover. If two-factor authentication (2FA) is active, it is possible to reset the password but the second authentication factor is still needed for successful login.
The second critical problem is identified as CVE-2023-5356 and has a severity score of 9.6 out of 10. An attacker could exploit it to abuse Slack/Mattermost integrations to execute slash commands as another user.
[rG: These could have been prevented by SSLC design threat assessment reviews/attack analysis: SAST and DAST vulnerability scanning wouldn't provide any warnings. Organizations should prioritize requiring SSDLC Threat Assessments/Attack Analysis whenever there is new or changed solution account management functionality due to the devastating potential of compromised credentials.]
HACKING
Email security company Cofense warns that these attacks are becoming more frequent and even organizations with sound email security practices are having trouble against them. Cybercriminals take advantage of this topic and are sending targets 401(k) notifications posing as someone from their company's Human Resources department alleging an important plan update or an increase in contributions.
Open enrollment is a specific period, typically occurring towards the end of the calendar year, allowing employees to enroll in health insurance or retirement plans. Recipients take these messages very seriously because failing to enroll before the deadline results in loss of eligibility for some benefits until the next enrollment round. Cybercriminals also appear to be making more frequent use of lures regarding compensation adjustments, especially about bonuses and increases, which are usually decided at the end of the year.
Cofense says that throughout last year it has seen a sharp rise in QR codes embedded in those phishing emails, taking recipients to a fake login page designed to steal credentials.
Finally, Cofense warns about fake employee satisfaction surveys and assessment reports sent to targets from spoofed human resource departments. In one example, the phishing email uses an “employee of the year award” theme to trick recipients into opening their performance reports, allegedly to review and sign them.
Stuxnet, whose existence came to light in 2010, is widely believed to be the work of the United States and Israel, its goal being to sabotage Iran’s nuclear program by compromising industrial control systems (ICS) associated with nuclear centrifuges. The malware, which had worm capabilities, is said to have infected hundreds of thousands of devices and caused physical damage to hundreds of machines.
It’s believed that the Stuxnet malware was planted on a water pump that the Dutch national installed in the nuclear complex in Natanz, which he had infiltrated. It’s unclear if Van Sabben knew exactly what he was doing, but his family said he appeared to have panicked at around the time of the Stuxnet attack. Van Sabben passed away in the United Arab Emirates two weeks after the Stuxnet attack as a result of a motorcycle accident.
The SEC today said its Twitter account was hijacked to wrongly claim it had approved a bunch of hotly anticipated Bitcoin ETFs, causing the cryptocurrency to spike and then slip in price.
The Bosch Rexroth Handheld Nutrunner NXA015S-36V-B cordless device, which wirelessly connects to the local network of organizations that use it, allows assemblers to tighten bolts and other mechanical fastenings to precise torque levels that are critical for safety and reliability.
The device is riddled with 23 vulnerabilities that, in certain cases, can be exploited to install malware. The malware could then be used to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place.
Unauthenticated attackers could hack devices by exploiting the traversal flaw in combination with other vulnerabilities, such as a hardcoded account.
Your washing machine could be sending 3.7 GB of data a day — LG washing machine owner disconnected his device from Wi-Fi after noticing excessive outgoing daily data traffic. The device uploaded 3.57GB and downloaded about 100MB, and the data traffic was almost constant.
One of the more innocent theories regarding the significant data uploads suggested laundry data was being uploaded to LG so it could improve its LLM (Large Laundry Model). It sought to do this to prepare for the launch of its latest “AI washer-dryer combo” at CES, joked Johnie.
A relatively innocent reason for the supposed high volume of uploads could be an error in the Asus router firmware. In a follow-up post a day after his initial Tweet, Johnie noted “inaccuracy in the ASUS router tool.” Other LG smart washing machine users showed device data use from their apps. It turns out that these appliances more typically use less than 1MB per day.
Casualties of the Royal and Akira ransomware gangs were targeted by a third party, believed to be the same individual or group in both scenarios, and extorted by a fake cyber samaritan.
Victims were approached by a "security researcher" who offered post-exploitation services. In one case, the mark was told the ransomware gang's server could be hacked and their stolen data could be deleted.
In return, the hacked customers were asked for a fee of approximately 5 Bitcoin ($225,823 at today's exchange rate).
Re-extortion attempts aren't new to the industry: they've always been conducted by the same ransomware groups, using their own previously used backdoors, rather than a third party.
A proof of concept shows that exploiting insecure misconfigurations in GitHub Actions results in the ability to upload malicious releases to GitHub, upload releases to host, potentially add code to the main repository branch, backdoor dependencies, etc.
GitHub Actions is a CI/CD service that allows GitHub users to automate the building and testing of software code by defining workflows that execute automatically inside containers on either GitHub’s or the user’s own infrastructure.
Actions workflows are defined in .yml files which contain instructions in YAML syntax of what commands to execute and on which runner. These workflows are triggered automatically on different events — for example, pull_request — when someone proposes a code change to a repository branch. This is useful because the workflow will trigger and can run, for example, a series of tests on the code before a human reviewer even looks at it and decides to merge it.
By default, when a self-hosted runner is attached to a repository, any of that repository’s workflows can use that runner. This setting also applies to workflows from fork pull requests [PRs].
Anyone can submit a fork pull request to a public/non-restricted GitHub repository.
This means that if someone ever had a fork PR merged, workflows will automatically execute for all their future fork PRs. This setting can be changed to require approval before executing workflows on all fork PRs whether the owner is a past contributor or not.
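A defender-side check for the exposure described above, as an added example that is not from the original article or from GitHub: it scans workflow text for jobs that a pull request trigger can reach on a runner that is not GitHub-hosted. The label prefixes used to recognise GitHub-hosted runners and both sample workflows are assumptions constructed for illustration.

```python
import re

# Assumption: labels with these prefixes are GitHub-hosted; anything else is self-hosted.
HOSTED_PREFIXES = ("ubuntu-", "windows-", "macos-")
PR_TRIGGERS = {"pull_request", "pull_request_target"}

def _items(value):
    """Turn 'a', '[a, b]' or '' into a list of bare strings."""
    value = value.strip().strip("[]")
    return [v.strip().strip("'\"") for v in value.split(",") if v.strip()]

def parse_workflow(text):
    """Return (triggers, {job: [runner labels]}) from workflow YAML text.
    Line-based, standard library only: covers common layouts, not arbitrary YAML."""
    triggers, jobs = set(), {}
    section = child_indent = job = target = None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()    # drop comments
        if not line:
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        if body.startswith("- "):                          # block-list item
            if target is not None:
                target.append(body[2:].strip().strip("'\""))
            continue
        target = None
        key, _, value = body.partition(":")
        key = key.strip("'\"")
        if indent == 0:                                    # top-level key
            section, child_indent, job = key, None, None
            if key == "on":
                triggers.update(_items(value))
            continue
        child_indent = indent if child_indent is None else child_indent
        if section == "on" and indent == child_indent:
            triggers.add(key)                              # e.g. pull_request:
        elif section == "jobs" and indent == child_indent:
            job = key
            jobs[job] = []
        elif section == "jobs" and job and key == "runs-on":
            jobs[job] = target = _items(value)             # inline or block list
    return triggers, jobs

def runner_kind(labels):
    if not labels:
        return "none"            # e.g. a job that only calls a reusable workflow
    if any("${{" in label for label in labels):
        return "unresolved"      # expression; needs manual review
    if "self-hosted" in labels or not any(l.startswith(HOSTED_PREFIXES) for l in labels):
        return "self-hosted"
    return "github-hosted"

def audit(text):
    """List (job, runner kind, PR triggers) for jobs that a pull request
    can reach on a runner that is not GitHub-hosted."""
    triggers, jobs = parse_workflow(text)
    hit = sorted(triggers & PR_TRIGGERS)
    return [(job, runner_kind(labels), hit) for job, labels in jobs.items()
            if hit and runner_kind(labels) in ("self-hosted", "unresolved")]

# Constructed sample workflows (not taken from any real repository).
EXPOSED = """\
on:
  push:
    branches: [main]
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
  gpu-tests:
    runs-on: [self-hosted, linux, gpu]   # PR code would run on our own host
    steps:
      - run: make test
"""
PUSH_ONLY = ("on: push\njobs:\n  build:\n    runs-on:\n"
             "      - self-hosted\n      - linux\n")

if __name__ == "__main__":
    for name, wf in (("EXPOSED", EXPOSED), ("PUSH_ONLY", PUSH_ONLY)):
        print(name, audit(wf))
```

A finding here means the repository's fork pull request approval setting is the only gate in front of that runner, so that setting is the next thing to review.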
Demonstrating (1) netsh interface portproxy and (2) TCP redirectors using adversary code techniques.
APPSEC, DEVSECOPS
The least surprising headline from 2023 is that ransomware again set new records for a number of incidents and the damage inflicted. We saw new headlines every week, which included a who's-who of big-name organizations. If MGM, Johnson Controls, Clorox, Hanes Brands, Caesars Palace, and so many others cannot stop the attacks, how will anyone else?
Phishing-driven ransomware is the cyber threat that looms larger and more dangerous than all others. CISA and Cisco report that 90% of data breaches are the result of phishing attacks and monetary losses that exceed $10 billion in total. A report from Splunk revealed that 96 percent of companies fell victim to at least one phishing attack in the last 12 months and 83 percent suffered two or more.
With the rise of Generative Artificial Intelligence (GenAI), cybercriminals are able to take phishing to an entirely new level where every attack can become nearly impossible for users to identify, and attackers will now be able to do this with little effort.
Mike Tyson's famous adage, "Everyone has a plan until they get punched in the face," lends itself to our arena - cyber defenses must be battle-tested to stand a chance.
The chasm between perceived and actual security confirms the growing need for security validation through Breach and Attack Simulation (BAS) - a method of confronting these fallacies by rigorously validating defenses before attacks catch organizations off guard.
At its core, BAS is the systematic, controlled simulation of cyberattacks across your production network. Each simulation is designed to mimic the behavior of actual attackers, cultivating preparedness for adversary tactics, techniques, and procedures (TTPs). According to the Red Report 2023, threat actors use an average of 11 different TTPs during an attack.
BAS isn't just a one-off exercise. It's an ongoing process that adapts as the threat landscape evolves.
The attacks, which can have significant impacts on availability, integrity, and privacy, are broadly classified as follows:
Evasion attacks, which aim to generate adversarial output after a model is deployed
Poisoning attacks, which target the training phase of the algorithm by introducing corrupted data
Privacy attacks, which aim to glean sensitive information about the system or the data it was trained on by posing questions that circumvent existing guardrails
Abuse attacks, which aim to compromise legitimate sources of information, such as a web page with incorrect pieces of information, to repurpose the system's intended use
Such attacks, NIST said, can be carried out by threat actors with full knowledge (white-box), minimal knowledge (black-box), or a partial understanding of some of the aspects of the AI system (gray-box), adding another dimension to the taxonomy.
HHS directed defenders to the NIST AI Risk Management Framework as a tool to mitigate these threats. The red-teaming activities required by the executive order will also help to reduce risk across AI tools, making them more reliable for end-users across healthcare and other sectors.
On the privacy front, the Biden Administration noted plans to enforce existing consumer protection laws and implement safeguards against fraud, unintended bias, discrimination, and infringements on privacy, all of which have been lasting concerns surrounding AI use in healthcare.
For AI developers, that means preparing to document the safety and security of their products. Meanwhile, healthcare organizations can expect to see improvements and refinements in AI technologies in the near future.
This infographic presents insights gathered from a comprehensive survey of IT professionals, shedding light on their organizations’ security approaches.
[rG: Not really that useful because it is self-attested opinion, and, doesn't indicate level of controls use (e.g. simply having a vulnerability scanner isn't the same thing as utilization coverage.)]
DEV
CI in CI/CD stands for continuous integration — the practice of continuously merging code into the main branch in source control. The key point is that continuous integration is a human-guided process, no matter which tools you use to support it.
The CD in CI/CD means continuous delivery, a software delivery method based on the principle of writing software in a way that makes sure it is deployable at all times.
Once you have a good software version, you must prevent changes in your artifacts and processes as you progress them through your environments. Applying the same artifacts and processes ensures that both have been tested together multiple times before you deploy the code to production.
Many teams are increasingly treating CI as CD, and it’s giving them headaches. When you attempt to make your build server aware of infrastructure, environments and configuration, things can get painful.
It’s tempting to pick lists of metrics to track from frameworks like DORA (the DevOps Research and Assessment research group) and SPACE (work done at GitHub and Microsoft that extends DORA from the initial, very functional metrics to include satisfaction and well-being; performance; activity; communication and collaboration; and efficiency and flow).
Most of the time the most effective and successful metrics are going to be very specific to a team and their situation.
Goals are actually the most important and those are the things that are much easier to align up and down the org chart, because you can always ask why. For any goal you have, you say: why is that my goal? And if you keep playing that game, like a two-year-old who just keeps saying ‘why why why’, eventually you will get to the company’s mission.
But the framework also encourages everyone to be pragmatic. If people tell you that having the data isn’t actually going to make any difference to their behavior, you know that’s a metric that isn’t worth collecting and an analysis that isn’t worth doing.
DORA research argues that speed and reliability go hand-in-hand, however, they do so based on outcome measures which are entirely based on speed. Moreover, the use of subjective surveys can bias recipients who feel better about their work to answer “yes” to both questions. And whilst companies who are more competent may inevitably be more competent at both factors, this does not create a causal relationship.
These metrics only matter to the extent that they are useful outcomes to measure.
Trust in software engineers and the reliability expectations of the public can vary considerably from industry to industry, meaning a one-size-fits-all approach should be discouraged.
Research of both software engineers and a representative sample of the general public (with the research firm Survation) found that both agree speed is the least important factor. Instead, the public cares most about data security, data accuracy and preventing serious bugs. It is hard to find a hypothesis which would connect the Four Key Metrics to these outcomes which software developers and the public say are most important - especially given that preventing serious bugs is outright a lower priority than fixing bugs quickly or getting work fast. Even for other factors like data security, it’s hard to see how these connect to any of the Four Key Metrics.
Even amongst business decision-makers, it seems that on-time delivery matters above fast delivery.
Just as Dr Keys received funding from the sugar industry in his research, in many investigations it’s important to follow the money to understand where incentives lie. The DORA team originally started doing State of DevOps reports for Puppet, a company focussed on automating IT infrastructure, and now they do this work for Google Cloud. Both have a vested interest in developers being able to deploy work as quickly as possible. This does not mean, however, that it is the solution to all our problems.
VENDORS & PLATFORMS
SecurityScorecard provides letter grades to businesses and organizations based on cyber resilience. The company’s intelligence provides an “outside-in view” of an organization’s cyber preparedness.
The Canadian Centre for Cyber Security plans to use that information to address where there may be vulnerabilities in critical areas of the economy and to “raise the resilience” of Canadian critical infrastructure providers.
Dependency confusion is a supply chain attack where an attacker is able to poison the build by forcing the build system to retrieve his malicious dependency somewhere on the internet instead of the legitimate internal dependency.
Artifactory uses the term “repository” whereas Docker uses the term “registry”. If you don’t use Docker private registries then probably not. If you use Docker mirrors because your organisation has private repositories then read on.
Docker will look for the base image on docker hub remote-docker-hub first, then will fallback to the private registry local-docker-project. This is only exploitable if the project uses internal namespaces because as previously mentioned, failing to provide a namespace would implicitly default to the library namespace, where only official images are uploaded.
The exploitation is simple enough: create an account on Docker Hub, register the namespace (for instance gquere) and upload the malicious image (for instance hello-world). Then wait until the image is run and congrats, you’ve gained a foothold in your target’s internal network!
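An audit for the fallback described above, as an added example rather than code from the original post or from Artifactory: it flags Dockerfile `FROM` references that name an internal namespace without a registry host, and models the lookup order as a plain ordered list. The repository names come from the text; the host `registry.internal.example`, the catalogs and the Dockerfile are constructed, and the local-first order is an assumed alternative for comparison.

```python
import re

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
REMOTE, LOCAL = "remote-docker-hub", "local-docker-project"   # names from the text
PAGE_ORDER = [REMOTE, LOCAL]      # lookup order the text describes
LOCAL_FIRST = [LOCAL, REMOTE]     # assumed alternative order, for comparison

def parse_image(ref):
    """Split an image reference into (registry or None, namespace, name)."""
    ref = ref.split("@", 1)[0]                  # drop a digest
    head, _, last = ref.rpartition("/")
    name = last.split(":", 1)[0]                # drop a tag
    parts = [p for p in head.split("/") if p]
    registry = None
    # Docker treats the first component as a host if it has '.', ':' or is localhost.
    if parts and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    # No namespace at all means the implicit "library" namespace.
    return registry, "/".join(parts) or "library", name

def resolve(image, order, catalogs):
    """Return the first repository in `order` that holds `image`, else None."""
    return next((r for r in order if image in catalogs.get(r, ())), None)

def audit_dockerfile(text, internal_namespaces, order):
    """Return (line number, image) for base images that use an internal
    namespace without a registry host while the remote is consulted first."""
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        is_stage = ref.lower() in stages        # FROM <earlier build stage>
        if alias:
            stages.add(alias.lower())
        if is_stage or ref == "scratch" or "$" in ref:
            continue
        registry, namespace, name = parse_image(ref)
        if (registry is None and namespace in internal_namespaces
                and order.index(REMOTE) < order.index(LOCAL)):
            findings.append((lineno, f"{namespace}/{name}"))
    return findings

# Constructed inputs. The remote entry for gquere/hello-world models the
# internal namespace also existing on the public side.
CATALOGS = {
    REMOTE: {"library/golang", "gquere/hello-world"},
    LOCAL: {"gquere/hello-world", "gquere/tools"},
}
DOCKERFILE = """\
FROM golang:1.21 AS build
FROM gquere/hello-world:1.0 AS base
FROM registry.internal.example/gquere/tools:2
FROM build
"""

if __name__ == "__main__":
    print(audit_dockerfile(DOCKERFILE, {"gquere"}, PAGE_ORDER))
    print(resolve("gquere/hello-world", PAGE_ORDER, CATALOGS))
    print(resolve("gquere/hello-world", LOCAL_FIRST, CATALOGS))
```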
Up until January 10, OpenAI’s “usage policies” page included a ban on “activity that has high risk of physical harm, including,” specifically, “weapons development” and “military and warfare.” That plainly worded prohibition against military applications would seemingly rule out any official, and extremely lucrative, use by the Department of Defense or any other state military. The new policy retains an injunction not to “use our service to harm yourself or others” and gives “develop or use weapons” as an example, but the blanket ban on “military and warfare” use has vanished.
While some within U.S. military leadership have expressed concern about the tendency of LLMs to insert glaring factual errors or other distortions, as well as security risks that might come with using ChatGPT to analyze classified or otherwise sensitive data, the Pentagon remains generally eager to adopt artificial intelligence tools.
LEGAL
eBay agreed to pay a $3 million criminal penalty in connection with the harassment and stalking of a Massachusetts couple who had been subjected to threats and bizarre deliveries, including live spiders, cockroaches, a funeral wreath and a bloody pig mask in August 2019.
The fine comes after several eBay employees ran a harassment and intimidation campaign against the Steiners, who publish a news website focusing on players in the e-commerce industry.
Devin Wenig, eBay's CEO at the time, shared a link to a post Ina Steiner had written about his annual pay. The company's chief communications officer, Steve Wymer, responded: "We are going to crush this lady."
About a month later, Wenig texted: "Take her down." Prosecutors said Wymer later texted eBay security director Jim Baugh. "I want to see ashes. As long as it takes. Whatever it takes," Wymer wrote. Baugh set up a meeting with security staff and dispatched a team to Boston, about 20 miles from where the Steiners live.
Senior executives at eBay were frustrated with the newsletter's tone and content, and with the comments posted beneath the newsletter's articles.
The Steiners started being bombarded with newsletters they'd never signed up for in August 2019: Sin City Fetish Night, the Satanic Temple, the Communist Party and dozens of others. Then harassment started on social media.
Pornography addressed to David Steiner was sent to the Steiners' neighbors. The couple's home was listed on social media as the site of yard sales and sex parties. And then a book about surviving the loss of a spouse, addressed to David Steiner, arrived at their Massachusetts doorstep. "It was a death threat. And to be followed up a few short days later with a funeral wreath, an expensive funeral wreath."
One day, David Steiner noticed he was being followed by a van and later by a car. He snapped a picture of the license plate, which broke open the case.
Local police tracked the license plate and traced the number back to a rental agency where Veronica Zea, an eBay employee, had rented the van.
Food delivery company HelloFresh is nursing a £140,000 ($178k) fine by Britain’s data privacy watchdog after a probe found it had dispatched upwards of a staggering 79 million spam emails and one million texts in just seven months.
The Information Commissioner’s Office says the company claimed messages were based on an opt-in statement, yet this statement did not include any reference to the sending of marketing messages via text. There was a nod to email marketing, however, this was included in an age confirmation statement that was “likely to unfairly incentivize customers to agree”.
As such, the emails and texts did not fit requirements that they be “specific” and “informed”: not mentioning SMS, being “unclear and bundled with other aspects.”
In addition, customers weren’t given ample information that their data would be used for marketing messages for up to two years after they’d cancelled their HelloFresh subscription.
Petty officer Wenheng Zhao admitted to taking as many as 14 payoffs in return for non-public military information. Wenheng Zhao, 26, also known as Thomas Zhao, was sentenced on January 8 to 27 months in prison and ordered to pay a $5,500 fine for one count of conspiring with an intelligence officer and one count of receiving a bribe.
The punishment is significantly less than the maximum possible sentence of 20 years, which includes up to five years for conspiring with a foreign intelligence officer and up to 15 years for accepting bribes.
Ryan Dellone, a healthcare worker in Fresno, Calif., asserts that thieves stole his bitcoin on Dec. 14, 2021, by executing an unauthorized SIM-swap that involved an employee at his mobile phone provider who switched Dellone’s phone number over to a new device the attackers controlled.
Dellone says the crooks then used his phone number to break into his account at Coinbase and siphon roughly $100,000 worth of cryptocurrencies. Coinbase is also named as a defendant in the lawsuit, which alleges the company ignored multiple red flags, and that it should have detected and stopped the theft.
It’s unclear if the bitcoin address that holds his client’s stolen money is being held by the government or by the anonymous hackers. Nevertheless, he is pursuing a novel legal strategy that allows his client to serve notice of the civil suit to that bitcoin address — and potentially win a default judgment to seize his client’s funds within — without knowing the identity of his attackers or anything about the account holder.
Bitcoin transactions are public record, and each transaction can be sent along with an optional short message. The message uses what’s known as an “OP RETURN,” or an instruction of the Bitcoin scripting language that allows users to attach metadata to a transaction — and thus save it on the blockchain.
In the $100 bitcoin transaction Mora sent to the disputed bitcoin address, the OP RETURN message read: “OSERVICE – SUMMONS, COMPLAINT U.S. Dist. E.D. Cal. LINK: t.ly/123cv01408_service,” which is a short link to a copy of the lawsuit hosted on Google Drive.
Bax said Mora’s method could allow more victims to stake legitimate legal claims to their stolen funds. “If you get a default judgment against a bitcoin address, for example, and then down the road that bitcoin gets sent to an exchange that complies with or abides by U.S. court orders, then it’s yours."
And Now For Something Completely Different