Robert Grupe's AppSecNewsBits 2024-07-13

Software Development Security What's Weak This Week: AT&T, Car Dealership Network, Signal, Python, undetected attacks, data breaches, secrets in code, expired certificates ...

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Crooks Steal Phone, SMS Records for Nearly All AT&T Customers
AT&T Corp. disclosed a new data breach has exposed phone call and text message records for roughly 110 million people — nearly all of its customers. AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or text message sent. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.
AT&T said it learned of the breach on April 19, but delayed disclosing it at the request of federal investigators. The company’s SEC disclosure says at least one individual has been detained by the authorities in connection with the breach.
The customer data was stolen as a result of a still-unfolding data breach involving more than 160 customers of the cloud data provider Snowflake. Earlier this year, malicious hackers figured out that many major companies have uploaded massive amounts of valuable and sensitive customer data to Snowflake servers, all the while protecting those Snowflake accounts with little more than a username and password. Hackers behind the Snowflake data thefts purchased stolen Snowflake credentials from dark web services that sell access to usernames, passwords and authentication tokens that are siphoned by information-stealing malware. Snowflake says it now requires all new customers to use multi-factor authentication.
It remains unclear why so many major corporations persist in the belief that it is somehow acceptable to store so much sensitive customer data with so few security protections. That may be because, apart from the class-action lawsuits that invariably ensue after these breaches, there is little holding companies accountable for sloppy security practices. AT&T told the SEC it does not believe this incident is likely to materially impact AT&T’s financial condition or results of operations.
[rG Preventative Prioritization: Strong passwords changed monthly, strongly encrypted password and sensitive information storage, strongly encrypted communication channels, session management, activity monitoring alerting & response/throttling. MFA does add a degree of attack complexity, but isn't sufficient on its own (see below Singapore Banks).]

 

Car dealer software slinger CDK Global said to have paid $25M ransom after cyberattack
CDK restored services to car dealerships across the US after a two-week outage. The shutdown of CDK's software platform caused chaos for up to 15,000 car dealerships, including the Asbury, AutoNation, Group 1, Lithia, and Sonic chains, stopping sales going through and registrations being filed in some states.
The ransom was actually paid just two days after the attack, we're told. That would suggest CDK perhaps coughed up, as claimed, straight away to persuade the extortionists to not leak any data stolen during the infection and to just back off, and that it subsequently took several days to rebuild and restore service. CDK may have been able to restore from backups and/or may have needed some information on computers encrypted by the ransomware, adding time to recovery.
The entire situation still may not be resolved. Other affected systems, including the CRM and certain functions of the DMS, remain offline as the company continues to investigate and test such systems. Additionally, some third-party applications typically accessible through the affected systems also remain offline. The timing of restoration of full access to all affected systems remains unclear.

 

Data breach exposes millions of mSpy spyware customers
A data breach at the phone surveillance operation mSpy has exposed millions of its customers who bought access to the phone spyware app over the past decade, as well as the Ukrainian company behind it.
Unknown attackers stole millions of customer support tickets, including personal information, emails to support, and attachments, including personal documents, from mSpy in May 2024.
The hack encompassed customer service records dating back to 2014, which were stolen from the spyware maker’s Zendesk-powered customer support system.
Yet more than a month after the breach, mSpy’s owners, a Ukraine-based company called Brainstack, have not acknowledged or publicly disclosed the breach.
According to the data, one of the email addresses pertains to Kevin Newsom, a serving appellate judge for the U.S. Court of Appeals for the Eleventh Circuit across Alabama, Georgia, and Florida, who used his official government email to request a refund from mSpy.
The dataset also shows interest from U.S. authorities and law enforcement. An email from a staffer at the Office of the Inspector General for the Social Security Administration, a watchdog tasked with oversight of the federal agency, asked an mSpy representative if the watchdog could “utilize [mSpy] with some of our criminal investigations.”
A spokesperson for the Social Security Administration’s inspector general did not comment on why the staffer inquired about mSpy on behalf of the agency.
The Arkansas County sheriff’s department sought free trials of mSpy, ostensibly for providing demos of the software to neighborhood parents.

 

CISA broke into a US federal agency, and no one noticed for a full 5 months
A red team exercise at a certain unnamed federal agency in 2023 revealed a string of security failings that exposed its most critical assets. CISA calls these SILENTSHIELD assessments. The agency's dedicated red team picks a federal civilian executive branch (FCEB) agency to probe and does so without prior notice – all the while trying to simulate the maneuvers of a long term hostile nation-state threat group.
The red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587 - 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise.
After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch. Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response.
About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party.
CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA's known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA's red team was made on January 25, 2023.

 

Python GitHub token leak shows binary files can burn developers too
A personal GitHub access token with administrative privileges to the official repositories for the Python programming language and the Python Package Index (PyPI) was exposed for over a year. Although many secrets are leaked in the same manner, this case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands — one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself.
In early 2023, Ee Durbin, the administrator of PyPI and director of infrastructure for the Python Software Foundation (PSF), was working on cabotage-app, a Docker-based tool developed by the PSF that is used to deploy PyPI and associated services on a Kubernetes cluster. While working on the build portion of the codebase, he kept running into API rate limits that GitHub enforces for anonymous access.
In what he calls “an act of laziness,” Durbin decided to modify the source code locally to include an access token for his own account in order to bypass the default rate limits and finish the job faster. This was a quick fix, an alternative to configuring a localhost GitHub App to do the build instead of using the GitHub API.
While Durbin knew that adding personal access tokens (PATs) to source code is bad security practice, the change was only to his local copy of the codebase and was never intended to be pushed remotely. In fact, the automated build and deployment script was supposed to revert local changes, which should have scrubbed the token.
What Durbin didn’t realize was that the token was also included in .pyc (Python compiled bytecode) files generated as part of the build process, and that those files, stored in the __pycache__ folder, were not configured to be excluded from the final Docker image uploaded to Docker Hub.
Developers should use the new fine-grained GitHub personal access tokens that were introduced two years ago instead of the classic ones. Since 2021, GitHub tokens have had a new format that includes a ghp_ prefix and a checksum, making it easier for automated tools to detect them. Old GitHub tokens, which haven’t been deprecated and are still around, are indistinguishable from SHA1 hashes, which are also common in source code and not a security risk, so could be skipped by scanners. Developers are strongly advised to switch to the new token format.
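The failure mode above (a token surviving in compiled bytecode that ships even after the source is reverted) is easy to reproduce. This is an added example, not code from the PSF, cabotage-app or the article: it compiles a hypothetical build helper into a .pyc-shaped blob, drops it into a __pycache__ directory with no source file beside it, and scans every file as raw bytes for the ghp_-prefixed format. The token is constructed and fake.

```python
import importlib.util
import marshal
import os
import re
import tempfile

# Constructed, fake token in the post-2021 format: "ghp_" + 36 base62 characters.
# Not a real credential; it exists only so the scan has something to find.
FAKE_TOKEN = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"

# Hypothetical build helper with the token pasted in as a "quick local fix".
SOURCE = (
    f'GITHUB_TOKEN = "{FAKE_TOKEN}"\n'
    "def auth_headers():\n"
    '    return {"Authorization": "token " + GITHUB_TOKEN}\n'
)

# Post-2021 tokens: fixed prefix plus 36 base62 chars, matchable even inside binaries.
# Classic tokens are 40 hex chars and look exactly like a git SHA-1, so a scanner keyed
# on that pattern alone drowns in false positives; the prefix is what makes detection cheap.
NEW_TOKEN_RE = re.compile(rb"ghp_[A-Za-z0-9]{36}")


def build_pyc(source: str, filename: str = "build.py") -> bytes:
    """Produce bytes laid out like a CPython .pyc: the 16-byte PEP 552 header followed
    by the marshalled code object. String constants survive compilation verbatim."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + (0).to_bytes(4, "little") * 3
    return header + marshal.dumps(code)


def scan_bytes(blob: bytes) -> list[str]:
    """Return every new-format GitHub token found in an arbitrary byte blob."""
    return [m.decode() for m in NEW_TOKEN_RE.findall(blob)]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory (a Docker build context, an unpacked image layer) and scan
    every file as bytes, so compiled artefacts are covered, not just source files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Recreate the incident shape: the source edit is reverted (no build.py on disk),
    but the compiled copy left in __pycache__ still carries the token and is what ships."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "__pycache__")
        os.makedirs(cache)
        with open(os.path.join(cache, "build.cpython-3xx.pyc"), "wb") as fh:
            fh.write(build_pyc(SOURCE))
        # A source-only scan of this tree reports nothing; a byte-level scan does not.
        return scan_tree(root)


if __name__ == "__main__":
    for path, tokens in demo().items():
        print(path, "->", [t[:8] + "..." for t in tokens])
```

The same byte-level scan applied to an image layer or CI artefact is the check that would have caught this before the push to Docker Hub.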

 

Signal downplays encryption key flaw, fixes it after X drama
When Signal Desktop for Windows or Mac is installed, it creates an encrypted SQLite database to store a user's messages. This database is encrypted using a key generated by the program and without input from the user. In Signal's case, it stores the key as plain text in a local file. However, if Signal can access this key then so can any other user or program running on the computer, making the encrypted database worthless and providing little to no extra security.
One solution is to encrypt the local database with a user-supplied password that is never stored anywhere, as we see with cloud backup software, web browsers, password managers, and cryptocurrency wallets.
In April, an independent developer, Tom Plant, created a request to merge code that uses Electron's SafeStorage API to further secure Signal's data store from offline attacks.
A Signal developer finally replied that they implemented support for Electron's safeStorage, which would be available soon in an upcoming Beta version. Though it's good to see that we have these additional protections coming to Signal, some are disappointed it only happened after the uproar on X.

 

Elexon's Insight into UK electricity felled by expired certificate
Demonstrating that Microsoft is not alone in its inability to keep track of certificates is UK power market biz Elexon.
While getting a certificate warning is an inconvenience on the browser, receiving the same from an API service can render many integrations inoperative since, quite correctly, an invalid certificate means the connection is not secure, and the data transmitted on it could be modified or stolen.
The organization appears to have forgotten to forecast when its TLS certificate will expire. Expiring certificates are the bane of an integrator's life, and it appears that no organization is immune from the chaos that can come from failing to maintain a spreadsheet with a list of dates.

 

HACKING
The Stark Truth Behind the Resurgence of Russia’s Fin7
The Russia-based cybercrime group dubbed “Fin7,” known for phishing and malware attacks that have cost victim organizations an estimated $3 billion in losses since 2013, was declared dead last year by U.S. authorities. In May 2023, the U.S. attorney for Washington state declared “Fin7 is an entity no more,” after prosecutors secured convictions and prison sentences against three men found to be high-level Fin7 hackers or managers. This was a bold declaration against a group that the U.S. Department of Justice described as a criminal enterprise with more than 70 people organized into distinct business units and teams.
The first signs of Fin7’s revival came in April 2024, when an intrusion at a large automotive firm was reported that began with malware served by a typosquatting attack targeting people searching for a popular free network scanning tool. Now, researchers at security firm Silent Push say they have devised a way to map out Fin7’s rapidly regrowing cybercrime infrastructure, which includes more than 4,000 hosts that employ a range of exploits, from typosquatting and booby-trapped ads to malicious browser extensions and spearphishing domains.
In typosquatting attacks, Fin7 registers domains that are similar to those for popular free software tools. Those look-alike domains are then advertised on Google so that sponsored links to them show up prominently in search results, which is usually above the legitimate source of the software in question. According to Silent Push, the software currently being targeted by Fin7 includes 7-zip, PuTTY, ProtectedPDFViewer, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.

 

Selfie-based authentication raises eyebrows among infosec experts
Some banks – and even governments – have begun requiring live images over Zoom or similar in order to participate in the modern economy. Some apps have already been called out for accepting still photos instead of a live image of the individual.
Getting a selfie is not a problem on its own – the problem is that this data is not properly handled and in many cases is never discarded after the verification is complete. That dilemma is compounded when lots of people have access to the files.
US cyber security firm Resecurity flagged similar concerns when it found a spike in leaked identity documents containing selfies of Singaporeans on the dark web. Many of those selfies were provided to fintech and e-commerce providers and later leaked. Resecurity asserted that some were captured by cyber crime groups that run fake telemarketing or customer support scams and gather selfies so they can sell them to other miscreants.

 

Scammers double-scam victims by offering to help recover from scams
Victims of previous scams are easily identified by criminals who commonly keep and sell information about individuals they have exploited. Armed with that info, the scammers contact victims and pretend to be a trusted party such as a government agency, cyber security organization, fund recovery service, lawyer, consumer advocacy group or charity.
Scammers also position themselves as victims who managed to recover lost funds and offer their supposed expertise for a fee. Such offers are propped up with fake references – either to supposed customers or to review sites.

 

FBI, cyber-cops zap ~1K Russian AI disinfo Twitter bots
RT's operation allegedly used software termed Meliorator. Meliorator was designed to be used on social media networks to create 'authentic' appearing personas en masse. Meliorator interfaced with another piece of software, called Taras, which created and automatically operated the fake accounts by using what are termed "souls" and "thoughts," it's claimed. An account would be created with a randomly generated soul, that would define the personality of the bot's output, and then assigned thoughts, which would direct the bots to perform actions and interact with other accounts. This is all supposedly powered by generative AI models. The bot farm implemented various strategies to avoid getting caught, such as having the bots follow big accounts with more than 100,000 followers and following accounts with opinions that matched the corresponding soul, using proxy IP addresses individual to each soul, and bypassing X's bot identification measures. However, the bot farm probably made a big mistake by signing up its 968 X accounts through the two domains it owned.
The Register reached out to RT News on whether the allegations were true, and the Russian broadcaster merely told us: "Farming is a beloved pastime for millions of Russians."

 

BlastRADIUS Attack Exposes Critical Flaw in 30-Year-Old RADIUS Protocol
The vulnerability is being tracked as CVE-2024-3596 and VU#456537. The root cause of the attack is that in the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. An attacker can modify these packets in a way which allows them to control who gets onto the network. Every single RADIUS server world-wide must be upgraded to address this vulnerability. “It is not sufficient to upgrade only RADIUS clients, as doing so will allow the network to remain vulnerable.”
Researchers note that a successful attack will be costly. It can take a significant amount of cloud computing power to succeed in performing the attack. This cost is also per packet being exploited, and cannot be automatically applied to many packets. If an attacker wants to perform 100 attacks, they have to use 100 times the computing power. However, these costs are a “drop in the bucket for nation-states” looking to target specific users.
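The integrity check the text says these packets lack already exists in the protocol as the optional Message-Authenticator attribute (RFC 2869): an HMAC-MD5 over the whole packet, keyed with the shared secret, and requiring it on every Access-Request is the policy that upgraded servers enforce. The following is an added example, not code from the researchers or from any RADIUS implementation: it builds an Access-Request and verifies it the way a server requiring the attribute would, with the secret, identifier and request authenticator constructed.

```python
import hashlib
import hmac

ACCESS_REQUEST = 1                # RADIUS Code for Access-Request
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14: 16-byte HMAC-MD5


def encode_attrs(attrs):
    """Serialise (type, value) pairs as Type(1) Length(1, header included) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_access_request(secret, ident, request_auth, attrs, sign=True):
    """Build an Access-Request. With sign=True a Message-Authenticator attribute is
    appended and set to HMAC-MD5(secret, packet with that attribute zeroed);
    sign=False produces the legacy packet with no integrity protection at all."""
    attrs = list(attrs)
    if sign:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    body = encode_attrs(attrs)
    length = 20 + len(body)       # header: Code(1) ID(1) Length(2) Authenticator(16)
    pkt = bytes([ACCESS_REQUEST, ident]) + length.to_bytes(2, "big") + request_auth + body
    if sign:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac     # the zeroed value is the last 16 bytes of the packet
    return pkt


def verify_message_authenticator(secret, pkt):
    """Server-side check: accept only if a well-formed Message-Authenticator is present
    and matches. A packet carrying none is rejected rather than trusted (the 'require
    Message-Authenticator' policy), so changing any attribute in transit also requires
    forging an HMAC keyed with the shared secret."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST:
        return False
    if int.from_bytes(pkt[2:4], "big") != len(pkt):
        return False
    i = 20
    while i < len(pkt):
        if i + 2 > len(pkt):
            return False
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            return False          # malformed attribute: drop the packet
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            received = pkt[i + 2:i + 18]
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += l
    return False                  # no Message-Authenticator: reject


if __name__ == "__main__":
    secret = b"constructed-shared-secret"     # constructed value for the demo
    req_auth = bytes(range(16))               # constructed Request Authenticator
    pkt = build_access_request(secret, 7, req_auth, [(ATTR_USER_NAME, b"alice")])
    print("signed packet verifies:", verify_message_authenticator(secret, pkt))
    print("tampered packet verifies:",
          verify_message_authenticator(secret, pkt.replace(b"alice", b"bobby")))
```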

 

APPSEC, DEVSECOPS, DEV
A CISO's Guide to Avoiding Jail After a Breach
Uber chief security officer (CSO) Joe Sullivan was appointed to the so-called Commission on Enhancing National Cybersecurity. He spent the first eight years of his career moving up the ladder at the US Department of Justice, and the following half-decade as an assistant US attorney. He'd even prosecuted the first-ever case pertaining to the Digital Millennium Copyright Act (DMCA), United States v. Elcom Ltd., on behalf of the government. Few people on earth understood the laws, the business, and the reality of cybersecurity better than Sullivan did. But for having mishandled a major data breach in November 2016, he's still defending himself in court to this day.
The key to avoiding trouble as a security leader is awareness of three things: how government investigations work, how the government interacts with companies during the process, and the incentives companies have to resolve their cases in one way or another. When push comes to shove, for example, companies will be pressured to name and shame individuals. In his proceedings, Sullivan's legal team painted a picture of a company (Uber) trying to rebrand itself, and holding him up as a lamb to the slaughter.
To avoid being singled out (and because it's good security practice), CISOs should focus on building clear and robust lines of communication that bring other board members into the cybersecurity decision-making process. You need to first of all establish a risk council, in which you would have roles and responsibilities clearly defined.
Communication and collaboration are the safety net that security leaders will fall back on when the worst comes to pass. That's ultimately the through line between all these cases: that communication between the cross-functional groups wasn't there to the extent it needed to be. And the people who took the brunt of that were not the lawyers, were not the execs, were not the board. It was infosec.

 

  • Use built-in library functions that separate commands from their arguments whenever possible instead of constructing raw strings fed into a general-purpose system command.

  • Use input parameterization to keep data separate from commands; validate and sanitize all user-supplied input.

  • Limit the parts of commands constructed by user input to only what is necessary.

Tech leaders should be actively involved in the software development process to ensure that the software uses functions that generate commands safely while preserving the command's intended syntax and arguments.
Additionally, they should review threat models, use modern component libraries, conduct code reviews, and implement rigorous product testing to ensure the quality and security of their code throughout the development lifecycle.
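The three bullets above describe the OS command injection fix in the abstract. As an added example (not from the original guidance), here is the same pattern in Python's subprocess module: the string-built command that hands user input to a shell, beside the argv-list replacement in which the single user-controlled token is validated and can never be parsed as part of the command. The ping command, the hostname rule and the function names are assumptions for illustration.

```python
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
# Deliberately strict: no shell metacharacters, no whitespace, and no leading '-',
# because even in an argv list a value starting with '-' is parsed by the program
# as an option rather than a host (argument injection, the residual risk after
# the shell is taken out of the picture).
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def vulnerable_command(host: str) -> str:
    """The 'before': user input is spliced into one string meant for /bin/sh,
    i.e. subprocess.run(cmd, shell=True). Returned rather than executed here so
    the effect of a crafted value can be inspected; a ';' ends the ping command
    and starts a second one chosen by the caller."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Allow-list check: return the value unchanged or refuse it outright."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def safe_ping_argv(host: str) -> list[str]:
    """The 'after': program and options are fixed literals, and the only
    user-controlled part is validated and placed in its own argv element."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    # shell=False (the default) with a list: the OS receives argv directly and no
    # command-line parser ever sees `host`, whatever characters it contains.
    return subprocess.run(safe_ping_argv(host), check=False).returncode


if __name__ == "__main__":
    print(vulnerable_command("127.0.0.1; id"))      # second command rides along
    print(safe_ping_argv("127.0.0.1"))              # fixed argv, one data slot
    for bad in ("127.0.0.1; id", "-f", "$(whoami)"):
        try:
            safe_ping_argv(bad)
        except ValueError as exc:
            print(exc)
```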

 

Elevating Application Security: A Strategic Approach With DevSecOps
Top 10 DevSecOps Practices
1. Automate security processes.
2. Implement continuous security and compliance.
3. Disconnect logic from specific tools.
4. Use security-as-code.
5. Standardize development environments.
6. Educate developers.
7. Implement the Principle of Least Privilege (PoLP).
8. Perform regular security and compliance audits.
9. Foster a culture of security.
10. Use threat modeling and risk assessments.

 

 

Singapore's banks to ditch texted one-time passwords
The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) announced on Tuesday that "major retail banks in Singapore will progressively phase out the use of One-Time Passwords (OTPs) for bank account login by customers who are digital token users within the next three months."
The banks hope this will "better protect against phishing" – at least against attacks in which scammers trick customers into disclosing their OTP. Instead, MAS and ABS encourage the use of digital tokens – apps running on smartphones that produce OTPs – as the source of second factors for bank account authentication.
The move was "not unexpected given that scammers have figured out how to game the current OTP system notwithstanding that it was two factor."

 

The Anatomy of Slow Code Reviews
In a typical engineering environment, there are no incentives to prioritize code reviews. One exception to this may be if the reviewer is also responsible for the timely launch of a product or feature associated with the code review. In cases where there are no incentives, it makes sense for a developer to prioritize finishing their work over reviewing others’ changes.
Knowing what to improve is more important than learning how to improve. Unlike CI/CD system performance, code review performance depends on people — not machines. Therefore, instead of looking at “code review time” as a whole, breaking it down into distinct areas where you can make improvements — keeping in mind the social and cultural aspects of the process — can help you optimize code review times.

 

VENDORS & PLATFORMS
What The Free Google Dark Web Report Will Soon Reveal About You
Google is making its Dark Web Report available to the hundreds of millions of users with a free Google account—and that means you will soon learn where your personal data has been leaked online.
To find out whether your information has been part of a data leak, you first need to create what Google calls a monitoring profile. By default, this includes your name, date of birth and Gmail address. Google also lets you add other information to your monitoring profile, including your postal address, additional email addresses and phone numbers.
The big one you must pay attention to and act on immediately is passwords.
The Dark Web Report “will become available to all users with a consumer Google Account” from late July. It’s not yet clear where it will appear, but the security section of your My Account page on Google would be a good place to start looking.

 

Google makes it easier for users to switch on advanced account protection
Google’s Advanced Protection Program, introduced in 2017, requires the strongest form of multifactor authentication (MFA). Whereas many forms of MFA rely on one-time passcodes sent through SMS or emails or generated by authenticator apps, accounts enrolled in advanced protection require MFA based on cryptographic keys stored on a secure physical device. Unlike one-time passcodes, security keys stored on physical devices are immune to credential phishing and can’t be copied or sniffed.
Until now, Google required people to have two physical security keys to enroll in APP. Now, the company is allowing people to instead use two passkeys or one passkey and one physical token. Those seeking further security can enroll using as many keys as they want.

 

AWS App Studio promises to generate enterprise apps from a written prompt
Amazon defines enterprise apps as having multiple UI pages with the ability to pull from multiple data sources, perform complex operations like joins and filters, and embed business logic in them.
It is aimed at IT professionals, data engineers and enterprise architects, even product managers who might lack coding skills but have the requisite company knowledge to understand what kinds of internal software applications they might need.

 

New quantum computer smashes 'quantum supremacy' record by a factor of 100 — and it consumes 30,000 times less power
The point where quantum computers overtake classical ones is known as "quantum supremacy," but achieving this milestone in a practical way would need a quantum computer with millions of qubits. The largest machine today has only about 1,000 qubits.
The reason we would need so many qubits for "quantum supremacy" is that they are inherently prone to error, so many would be needed to correct those errors. That's why many researchers are now focusing on building more reliable qubits, rather than simply adding more qubits to machines.
In the new study, scientists achieved an XEB score of approximately 0.35. This means the H2 quantum computer can produce results without producing an error 35% of the time.

 

LEGAL & REGULATORY
Man arrested for T-Mobile hack is suspected in newly-revealed AT&T data breach
An American citizen who was arrested in Turkey earlier this year after affirming his role in a massive security incident involving T-Mobile has been linked to a newly-revealed data breach involving nearly all of AT&T’s customers two years ago, The Desk has learned.
Federal authorities believe John Binns, 24, is one of several individuals who conspired to steal logs pertaining to phone calls and text messages sent and received by AT&T wireless customers in 2022.