Robert Grupe's AppSecNewsBits 2024-01-20

Author

Robert Grupe
January 20, 2024

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Microsoft network breached through password-spraying by Russian-state hackers

Senior execs' emails accessed in network breach that wasn't caught for 2 months. A device inside Microsoft’s network was protected by a weak password with no form of two-factor authentication employed. The Russian adversary group was able to guess it by peppering it with previously compromised or commonly used passwords until they finally landed on the right one.
The attack, which Microsoft attributed to a Kremlin-backed hacking group it tracks as Midnight Blizzard, is at least the second time in as many years that failures to follow basic security hygiene has resulted in a breach that has the potential to harm customers. Furthermore, this “legacy non-production test tenant account” was somehow configured so that Midnight Blizzard could pivot and gain access to some of the company’s most senior and sensitive employee accounts.

 

There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data, We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.
To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each others’ data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn’t be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response.

 

The most recent move in valuation follows an admission by Paul Patterson, director of Fujitsu Services Ltd and Fujitsu European CEO, that the company bore a moral obligation to contribute to compensating the victims of the Post Office Horizon scandal, which saw 736 managers of local Post Office branches wrongfully convicted of fraud when errors in the system were to blame. More victims are expected to come forward.
"We were involved from the very start. We did have bugs and errors in the system. And we did help the Post Office in their prosecutions of the subpostmasters [and for] that we are truly sorry."
[rG: Not a security fail, but of inadequate pre-release testing and custom support incident response.]

 

Mary Callahan Erdoes, JPMorgan Chase's CEO in charge of asset and wealth management, revealed the figure during a discussion of the future of banking yesterday, adding that the number is twice what the institution faced a year prior.
"We have 45 billion – billion – cracks into our system that don't make it through, not on an annual basis, on a daily basis," she told her audience. "There are people trying to hack into JPMorgan Chase 45 billion times a day. That number is what it is."
JPMC, the largest US bank by market cap, also claims to have 62,000 technologists working to protect corporate assets - a figure Erdoes claims tops the engineer count at Google or Amazon.
A spinner for JPMorgan Chase has been in touch to clarify that Erdoes quoted a figure that seemingly included all connection attempts not just potentially malicious ones. Examples of activity can include user logins like employee virtual desktops, and scanning activity, which are often highly automated and not targeted.

 

A security researcher in Germany has been fined €3,000 ($3,300, £2,600) for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records.
A contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made an MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.
In September 2021 police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge.
But it’s exactly as people feared: no matter how flawed the supposed 'protection,' its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users. 

 

HACKING

The content was posted on Discord, a social platform somewhat similar to Slack with millions of different channels communicating in their separate communities, dubbed servers. Thousands of UC Irvine students created their own servers to swap notes, study for tests and even join clubs. However, on Tuesday, they were bombarded with graphic images. The hackers infiltrated 30 channels and demanded a $1,000 ransom.
Kim is one of nearly 3,000 current and former UC Irvine students who witnessed the gore against their will. [The gruesome videos portrayed the desecration of human corpses and mutilation of animals.] "I heard about a lot of people vomiting, a lot of people crying."
Nearly 100 students banded together to create a bot that would automatically block the hackers. They eventually tracked down 400 different accounts associated with the attack and blocked them. Kim and other students have reported the attack to UCI police, who hope to escalate it to the FBI. Kim said the attackers have hit other schools, including Washington State University and USC. Many times, she said, the gore continued to filter through channels for nearly a month. In Irvine's case, the graphic images continued to pop up for about four day.

 

“Triangulation fraud” occurs when a consumer purchases something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, the seller purchases the item from an online retailer using stolen payment card data. In this scam, the unwitting buyer pays the scammer and receives what they ordered, and very often the only party left to dispute the transaction is the owner of the stolen payment card.
Barker said he bought seven “Step2 All Around Playtime Patio with Canopy” sets from a seller on Amazon .ca , using his payment card on file to pay nearly $2,000 for the items. On the morning of April 7, Barker awoke to a series of nasty messages and voice calls on Facebook from an Ontario woman he’d never met. She demanded to know why he’d hacked her Walmart account and used it to buy things that were being shipped to his residence.
On April 12, 2023, before the Amazon purchases had even arrived at his home, Barker received a call from an investigator with the Royal Canadian Mounted Police (RCMP).
Barker believes he and the Ontario woman are both victims of triangulation fraud, and that someone likely hacked the Ontario woman’s Walmart account and added his name and address as a recipient.
But he says he has since lost his job as a result of the arrest, and now he can’t find new employment because he has a criminal record.

 

Publicly exposed PostgreSQL and MySQL databases with weak passwords are being autonomously wiped out by a malicious extortion bot – one that marks who pays up and who is not getting their data back.
Cloud providers don't always make it easy to access your database from your desktop, or even a workload running in a different region or provider. You may have no other option than to open it from anywhere. And so, while bad practice, it's not all that surprising that there are that many open databases.The investigation started after programmer Amos Wenger, tweeted (X-ed?) about his database apparently getting ransomed "immediately" after accidentally exposing their Postgres server. For Docker users, it's important to know that using docker run -p to publish a container's port alters your iptables rules for DNAT-based port forwarding, overriding any default deny settings in your iptables INPUT table.
The bot scans the internet for PostgreSQL and MySQL servers to brute-forced and inspected for databases.
Once inside, the number of tables available is determined and a snapshot of the database is taken before all tables and databases are deleted using 'DROP TABLE' and 'DROP DATABASE' commands.
The bot also terminates all backend processes connected to any database other than its target, which is presumably done to prevent admins from interrupting the attack.
After the damage is done, a ransom note is left behind, instructing victims to pay a fee to regain access to their data.
A glance at the blockchain reveals the bot has indeed managed to trick some victims into paying, netting just over $3,000 from six victims in just one week.

 

Roughly 25 million of the passwords have never been seen before by widely used service. Nearly 71 million unique credentials stolen for logging into websites such as Facebook, Roblox, eBay, and Yahoo have been circulating on the Internet for at least four months,
Toy Hunt wrote,“When a third of the email addresses have never been seen before, that's statistically significant. This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data. When you look at the above forum post the data accompanied, the reason why becomes clear: it's from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.”
Stealer malware runs on a victim’s device and uploads all user names and passwords entered into a login page—the passwords appear in plaintext. Account credentials taken in website breaches are almost always cryptographically hashed. (A sad aside: Most of the exposed credentials are weak and would easily fall to a simple password dictionary attack.)
Data collected by Have I Been Pwned indicates this password weakness runs rampant. Of the 100 million unique passwords amassed, they have appeared 1.3 billion times.

 

The cybercriminals monetize these infections by turning the devices into nodes for illegal media streaming platforms, traffic proxying networks, distributed denial of service (DDoS) swarms, and OTT content provision.

 

UEFI firmware from five of the leading suppliers contains vulnerabilities that allow attackers with a toehold in a user's network to infect connected devices with malware that runs at the firmware level.
The vulnerabilities, which collectively have been dubbed PixieFail by the researchers who discovered them, pose a threat mostly to public and private data centers and possibly other enterprise settings. People with even minimal access to such a network—say a paying customer, a low-level employee, or an attacker who has already gained limited entry—can exploit the vulnerabilities to infect connected devices with a malicious UEFI.
For PixieFail to be exploited, PXE must be turned on. For the overwhelming number of UEFIs in use, PXE isn’t turned on. PXE is generally used only in data centers and cloud environments for rebooting thousands or tens of thousands of servers. Additionally, PXE must be configured to be used in combination with IPv6 routing.

 

The rapper and social media personality Punchmade Dev is perhaps best known for his flashy videos singing the praises of a cybercrime lifestyle. With memorable hits such as “Internet Swiping” and “Million Dollar Criminal” earning millions of views, Punchmade has leveraged his considerable following to peddle tutorials on how to commit financial crimes online.
Even though we’re talking about an individual who regularly appears in videos wearing a half-million dollars worth of custom jewelry draped around his arm and neck (including the functional diamond-encrusted payment card skimming device), there’s never been much evidence that Punchmade was actually involved in committing cybercrimes himself. Even his most vocal critics acknowledged that the whole persona could just be savvy marketing.

 

 

APPSEC, DEVSECOPS, DEV

Ransomware attacks are being linked to a litany of psychological and physical illnesses reported by infosec professionals, and in some cases blamed for hospitalizations.
A cybersecurity worker in the financial services industry, for example, pinned the stress of remediating ransomware on their heart attack, which ultimately required surgery to sort out.
Another, working for a charity, was hospitalized after their self-care went downhill following a ransomware attack. Dehydration caused by the excessive consumption of coffee, coupled with an insufficient intake of water and pre-existing medical conditions, led to health issues that required medical intervention.
These are just two of the plethora of stories revealed as part of a research piece from the Royal United Services Institute (RUSI).

 

Vital to integrate security into an MLOps Lifecycle, in much the same way that security gets woven into DevOps. This requires security touchpoints — including monitoring and testing — throughout the AI/ML lifecycle, from early development to deployment and ongoing use.
Use threat modeling exercises to identify vulnerabilities in AI/ML systems early on so the team can test thoroughly before use. This practice helps identify risks and offers broader and deeper insight into how AI impacts security as well as the overall business.
Continuously test and monitor AI systems to ensure they operate as designed — and as expected. This includes checking for model drift, biases, and operational effectiveness. In a best practice framework, security and machine learning teams work together to build robust guardrails and controls.

 

 

DEV

There have been hundreds of articles that prove time and time again that doing code reviews brings more value than the time spent doing them.
If you're not doing code reviews, or if you're doing them just to tick a box, you're setting yourself up for a world of pain, not now, maybe, but eventually. It's like building a house on a foundation of sand. Sure, it might stand up for a while, but it's only a matter of time before it all comes crashing down. And in the startup world, you might not get a second chance.
[rG: Read full article for excellent guidance for effective code reviews.]

 

Generative Adversarial Networks (GANs) have become hugely popular for their abilities to generate both beautiful and realistic images, and language models (e.g. ChatGPT) that are increasingly rising in their use across every sector.
Discriminative models focus on classifying data into predefined classes for example classing images of dogs and cats into their respective classes.
Generative models aim to understand the underlying structure of the data.
The generator strives to learn to produce synthetic data that the discriminator can not differentiate from the real data. Simultaneously, the discriminator also learning and improving its ability to differentiate the real from the synthetic. This dynamic training process pushes both models to refine their skills. The two models are always competing with one another (hence why it is called Adversarial) and through this competition both models become excellent at their roles.

 

ONC added 13 new data elements

 

VENDORS & PLATFORMS

More than 40% of the Fortune 100 participated in its Copilot early access program.
Copilot Pro — the new consumer plan, priced at $20 per user per month — gives customers access to Copilot GenAI features across Word, Excel (in preview, only in English for now), PowerPoint, Outlook and OneNote on PC, Mac and iPad — if they have a Microsoft 365 Personal or Family plan, that is. Bringing the total cost of the lowest-tier Microsoft 365 subscription to $27 per month ($6.99 per month for Microsoft 365 Personal plus $20 for Copilot Pro).
Copilot is generally available for organizations subscribed to Microsoft 365 Business Premium, Microsoft 365 Business Standard, Microsoft 365 E3 and E5 or Office 365 E3 and Office E5. Previously, Copilot for Microsoft 365 had a 300-user minimum purchase and required a Microsoft 365 license, but both of those requirements have been done away with. Enterprise Copilot customers — not consumers — get a “Copilot” in Teams that provides real-time summaries and action items, handling tasks such as identifying people for follow-ups and creating meeting agendas.

 

The Red Hat Developer Hub, an enterprise-level internal developer platform (IDP) for building developer portals. The platform provides an opinionated framework and set of templates based on the Backstage open source Cloud Native Computing Foundation (CNCF) project and accessible from a Red Hat account.

 

IBM has sponsored an "Invention Achievement Award Plan" to incentivize employee innovation. One point was awarded for publishing. Three points were awarded for filing a patent or four if the filing was deemed high value. For accruing 12 points, program participants would get a payout. Inventors reach an invention plateau for every 12 points they achieve – which must include at least one file decision. For each plateau achieved, IBM would pay its inventors $1,200.
IBM canceled the program at the end of 2023 and replaced it with a new one that uses a different, incompatible point system called BluePoints. IBM's invention review process could take months, meaning that employees just didn't have time between the announcement and the program sunset to pursue the next plateau and cash out. 

 

LEGAL

Haier is a multinational home appliances and consumer electronics corporation selling a wide range of products under the brands General Electric Appliances, Hotpoint, Hoover, Fisher & Paykel, and Candy.
Home Assistant is an open-source home automation platform enabling users to control and automate their smart home devices from a centralized interface. Apart from convenience and cost, Home Assistant offers superior security and privacy options not available on similar commercial apps.
The plugins offered in the GitHub repositories enable users to control Haier, Candy, and Hoover air conditioners, purifiers, dishwashers, induction hobs, ovens, fridges, washing machines, and dryers through Home Assistant.
The plugins themselves are open-source, but it is unclear if they incorporate Haier's intellectual property, such as software code or proprietary protocols, which would give the firm a legal basis for the request.
On the other hand, if the plugins do not infringe on Haier's intellectual property or fall under fair use provisions, the creator could opt to defend his work and keep the plugins available to the community.
Nonetheless, Haier's legal threats have intimidated the developer, who announced that the project will be taken down in the next couple of days. At this time, the Haier home assistant plugins have been forked 228 times, many occurring since the news of the legal threats.

 

Conor Brian Fitzpatrick was sentenced to 20 years of supervised release today in the Eastern District of Virginia for operating the notorious BreachForums hacking forum, known for the sale and leaking of personal data for hundreds of millions of people worldwide.
Fitzpatrick had previously pleaded guilty to 1 count of Conspiracy to Commit Access Device Fraud, two counts of Solicitation for the Purpose of Offering Access, and three counts of Possession of Child Pornography.
In a sentencing memorandum submitted by U.S. prosecutors on January 16th, the U.S. government sought 188 months, approximately 15.7 years, of imprisonment for Fitzpatrick.
However, the courts showed leniency today, sentencing Fitzpatrick to time served and 20 years of supervised release.
Fitzpatrick will serve the first two years of his release in home arrest with a GPS locator and receive mental health treatment. Fitzpatrick is also prevented from using the internet in his first year of release and must allow the probation officer to install monitoring software on his computer.
The courts require Fitzpatrick to pay restitution for victims' losses, with the amount to be determined at a later date.
[rG: Imagine, in today’s digital society, no mobile apps, no Wiki, Netflix, email, online banking, bill paying, medical appointments, delivery services, etc.]

 

And Now For Something Completely Different …

We get our content from a For You Page now— algorithmically selected videos and images made by our favorite creators, produced explicitly for our preferred platform. Which platform doesn’t matter much. So long as it’s one of the big five.
Not long ago, we were good at separating the signal from noise. Granted, there’s a lot more noise these days, but most of it comes from and is encouraged by the silos we dwell in.
Somewhere between the late 2000’s aggregator sites and the contemporary For You Page, we lost our ability to curate the web. Worse still, we’ve outsourced our discovery to corporate algorithms. Most of us did it in exchange for an endless content feed.

 

The United States grew in size by 1 million square kilometers (more than 386,000 square miles) – that’s almost twice the area of Spain. The unexpected growth spurt was not the result of strange geological forces, nor the invasion of a foreign land, but the States attempting to lay claim to its surrounding ocean-floor territory.
It’s not quite the Louisiana Purchase. It’s not quite the purchase of Alaska, but the new area of land and subsurface resources under the land controlled by the United States is two Californias larger.