Little Pig, Little Pig! Let Me Admin! (Security Thread)

Büge
Posts: 5484
Joined: Mon Jan 20, 2014 6:56 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Büge » Fri Sep 09, 2022 7:47 am



This is pretty bad news.

Mongrel
Posts: 21354
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Fri Sep 09, 2022 3:03 pm

Whhhhaaaaaaat da fuck

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Fri Oct 14, 2022 1:15 pm

How a Microsoft blunder opened millions of PCs to potent malware attacks

For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.

Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.

It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.

Upthorn
Posts: 1031
Joined: Wed Jan 22, 2014 5:41 pm
Location: mastodon.social/@upthorn

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Upthorn » Thu Dec 08, 2022 3:20 pm

So, this is kind of different from the standard security alerts we share, but this still seems like the correct place to put it:

Raspberry Pi recently tooted bragging about hiring a (former?) cop with 15 years' experience placing unobtrusive surveillance devices.

They have quickly become mastodon's first non-musk main character by instantly blocking any account that mentions that it looks like they hired someone to plant surveillance devices in all future Pis...
How fleeting are all human passions compared with the massive continuity of ducks.

Mongrel
Posts: 21354
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Thu Dec 08, 2022 3:29 pm

what in the fuck

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Dec 08, 2022 4:34 pm


Not found
This resource could not be found


Sounds like it's going great!

Upthorn
Posts: 1031
Joined: Wed Jan 22, 2014 5:41 pm
Location: mastodon.social/@upthorn

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Upthorn » Thu Dec 08, 2022 5:15 pm

Looks like the federation protocols are inadvertently DDoSing raspberry pi's instance.

I got it to load and took this screen-cap:
Image

Upon reading this for the 10th time, I finally realized he's saying he was using raspberry pis in the surveillance equipment, so he probably doesn't actually have the skillset necessary to implant surveillance equipment unobtrusively on a raspberry pi (as was feared).

But it's still a little concerning for a hobby electronics company to go "Hey look at this awesome surveillance expert we hired!!!"
How fleeting are all human passions compared with the massive continuity of ducks.

Mongrel
Posts: 21354
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Thu Dec 08, 2022 5:41 pm

Probably to help sell or service their devices for LE customers. Still not great, since it's obviously signalling they're perfectly happy to arm cops with more sophisticated technology.

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Dec 08, 2022 7:51 pm

Image
(via)

Cait
Posts: 166
Joined: Mon Jan 20, 2014 9:16 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Cait » Thu Dec 08, 2022 11:11 pm

If they hadn't doubled down and gone full Streisand mode, it would've probably just blown over with a few people upset and most people not caring all that much.

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Mon Dec 12, 2022 4:59 pm

Upthorn wrote: Looks like the federation protocols are inadvertently DDoSing raspberry pi's instance.

More on that: Raspberry Pi Shows How Not To Mastodon

A post by Aurynn Shaw, who runs cloudisland.nz, an instance hosted in Aotearoa New Zealand, provides a great summary of the discussion that ensued. [...] Shaw writes:

As the common theme from Raspberry Pi was to tell other users to unfollow them, and blocking any criticism, the Fediverse as a whole was very quick to react.

Due to the very different power dynamics of the Fediverse, it took less than two hours from the initial post and initial harmful replies before the official Raspberry Pi instance started being defederated, noted via the #fediblock hashtag. This public hashtag is a way for administrators to co-ordinate with each other in an attempt to reduce harm to their users, and hitting #fediblock is a strong indicator that an instance is being cut off from the Fediverse until they improve their moderation abilities.


“Defederation” is another unique and important feature of Mastodon. It means that various servers running Mastodon block interaction with a particular instance that is deemed to be problematic. It is quite an extreme remedy. Normally, there is some kind of moderator on an instance that would deal with the renegade user who is causing problems elsewhere. In the present case, the problem user and the moderator are effectively the same, so defederation was the only way for other instances to deal with the situation. Shaw notes that reversing defederation and the damage to Raspberry Pi’s brand that it has caused, will be quite hard:

Now that Raspberry Pi has hit the #fediblock, recovery becomes considerably more difficult. Not only does Raspberry Pi need to withdraw their statements and issue unequivocal apologies, they must also apologise directly to the admins who defederated them, and demonstrate an ongoing commitment to change.

This commitment can be demonstrated through administrative and moderator changes, or demonstrated over a significant period of time. Both approaches will take time for trust to be regained.

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Dec 28, 2022 1:55 pm

LastPass Tries To Bury The Full Scope Of Its Disastrous Privacy Breach Behind The Christmas Holiday

I've always been skeptical of LastPass, and they've had enough breaches and vulnerabilities at this point that I really can't see any case for recommending it. Even using Keepass and syncing across your devices with Dropbox or some other file-sync service is safer.

Grath
Posts: 2392
Joined: Mon Jan 20, 2014 7:34 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Grath » Wed Dec 28, 2022 2:22 pm

Long-ass Mastodon post from a former LastPass advocate who is now recommending that anyone still using LastPass should migrate to a different password manager.

tl;dr:
- They claim to have no knowledge of what sites you're using, but that information is stored in plaintext on their servers.
- Their encryption for what few things are encrypted is shit.
- Their secret management is shit, storing important secrets in plaintext on your computer.
- Their software is full of basic, obvious vulnerabilities.
- Their server can just demand that your browser extension does anything.
- They've had 7 major security breaches in the last 10 years, so their servers being compromised is an established risk factor.
- They don't play ball with (most) security researchers, which means they actively ignore opportunities to improve.

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue May 02, 2023 2:49 pm

Those scary warnings of juice jacking in airports and hotels? They’re mostly nonsense

tl;dr it's possible that public USB chargers could be used to transmit malware, but examples of it actually happening are close to nonexistent.

If you're paranoid there are precautions you can take -- use a USB cable that only has charging pins, no data pins (or a USB condom, a dongle that you can stick on the end of a standard USB cable that doesn't have data pins), carry a charging brick, charge that from the public outlet and your device from the brick, etc. -- but basically if you're a likely target for malware transmitted through USB chargers, you're getting security briefings that are a lot more thorough than some public advisory from the FCC or FBI.

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Fri Sep 15, 2023 1:26 pm

How Google Authenticator gave attackers one company’s keys to the kingdom
jfc they sync your MFA codes to your user account

this is some douglas adams shit

BTW there are a shit-ton of MFA apps that are compatible with Google Authenticator but don't do that shit. I use Aegis.

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Sep 27, 2023 11:37 am

Google quietly corrects previously submitted disclosure for critical webp 0-day

Google has quietly resubmitted a disclosure of a critical code-execution vulnerability affecting thousands of individual apps and software frameworks after its previous submission left readers with the mistaken impression that the threat affected only the Chrome browser.

The vulnerability originates in the libwebp code library, which Google created in 2010 for rendering images in webp, a then-new format that resulted in files that were up to 26 percent smaller than PNG images. Libwebp is incorporated into just about every app, operating system, or other code library that renders webp images, most notably the Electron framework used in Chrome and many other apps that run on both desktop and mobile devices.

Two weeks ago, Google issued a security advisory for what it said was a heap buffer overflow in WebP in Chrome. Google’s formal description, tracked as CVE-2023-4863, scoped the affected vendor as “Google” and the software affected as “Chrome,” even though any code that used libwebp was vulnerable. Critics warned that Google’s failure to note that thousands of other pieces of code were also vulnerable would result in unnecessary delays in patching the vulnerability, which allows attackers to execute malicious code when users do nothing more than view a booby-trapped webp image.

On Monday, Google submitted a new disclosure that’s tracked as CVE-2023-5129. The new entry correctly lists libwebp as the affected vendor and affected software. It also bumps up the severity rating of the vulnerability, from 8.8 out of a possible 10 to 10.

The lack of completeness in the first CVE Google assigned goes well beyond being a mere academic failing. More than two weeks after the vulnerability came to light, a host of software remains unpatched. The most glaring example is Microsoft Teams.


Links not included in copy-paste.

Mongrel
Posts: 21354
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Wed Sep 27, 2023 2:29 pm

As if I didn't already hate webps enough as it was.

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Dec 06, 2023 12:03 pm

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack

LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year’s worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware.

The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix (sometimes still called IBVs or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs. The researchers unveiled the attack on Wednesday at the Black Hat Security Conference in London.

[...]

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.


I've always thought adding unnecessary frippery at the lowest level of execution was a bad idea.


Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Feb 22, 2024 4:04 pm

FTC says Avast promised privacy, but pirated consumers’ data for treasure

For consumers concerned about their privacy, Avast’s claims for its anti-virus software and browser extensions were attention-getters. The company promised its products would block “annoying tracking cookies that collect data on your browsing activities.” In a major app store, the company pitched its Avast Mobile Software as way for consumers to “secure your device” by getting “alerted when you install spyware and adware apps that violate your privacy by sending your personal data to their servers.” In describing its desktop software, Avast promised it would “shield your privacy” and “stop anyone and everyone from getting to your computer.” Avast also told people that its software would allow them to “reclaim your browser. Get rid of unwanted extensions and hackers making money off your searches.” The company’s marketing hook for its Avast Secure Browser was its anti-tracking capabilities, promising it would “protect[] your privacy by preventing websites, advertising companies, and other web services from tracking your online activity.”

It’s an irony not lost on the FTC that Avast made those privacy promises while trafficking in consumers’ browser histories.


Apparently AVG did the same thing.

I'd be wary of any of the free-as-in-beer AV suites, at this point. (Aside from Microsoft's, I guess, if only because the company that makes your OS doesn't need to use optional add-on software to spy on you.)
