Little Pig, Little Pig! Let Me Admin! (Security Thread)

Thad
Posts: 13250
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue Sep 29, 2020 11:03 am

I haven't seen anything in the news about it but anecdotally it looks like a botnet was recently taken down.

I get a set of security logs every morning at work, and they used to be rife with failed login attempts (unsophisticated brute-force stuff; repeated attempts to log in with common usernames and Linux logins like root, www, etc.). A couple of hundred of them would be a typical day, but sometimes I'd get these giant 2MB text files with thousands of login attempts.

All that stuff stopped a couple of weeks ago, and now I'm getting nice, clean, normal log files every morning. So it looks like whatever was causing it ain't no more.

Upthorn
Posts: 1032
Joined: Wed Jan 22, 2014 5:41 pm
Location: mastodon.social/@upthorn

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Upthorn » Tue Sep 29, 2020 11:30 am

Or they finally got in.
How fleeting are all human passions compared with the massive continuity of ducks.

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue Sep 29, 2020 11:47 am

This behavior isn't really consistent with the kind of sophistication where a bot would get in, get quiet, and start doctoring logs to hide itself.

Or maybe that's what they want me to think.

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Mon Oct 05, 2020 11:55 am

UEFI exploits found in the wild.

So far they seem to be incredibly rare, but give them time.

Kaspersky Lab still doesn’t know how the bootkits came to be installed on the victim machines. One possibility is that the PCs received a fake UEFI update from a remote source, but there are no signs of that happening in the Kaspersky AV logs.
The article notes that this exploit isn't just dangerous because of how low-level it is, but also because really nobody's been preparing for it. UEFI is still a little-understood piece of the stack and most developers haven't been taking it seriously enough as an attack vector.

The more pressing concern, Lechtik told me, is that the UEFI largely remains a blind spot in computer security. Some companies are slowly coming to realize the risk posed by malicious firmware. Last year, for instance, Google unveiled an open-source root-of-trust chip that will “ensure that a server or a device boots with the correct firmware and hasn't been infected by a low-level malware.”

Password-protecting the UEFI bootup process is also an effective measure to prevent firmware tampering. Using full-disk encryption can also be a help because, should UEFI firmware be hacked, it won’t be able to write to the disk.

But by and large, hardware and firmware providers still aren’t spending enough resources to build defenses needed for products to effectively withstand attacks. Secure boot, because it only protects the boot process during run time, isn’t the answer. And security companies are only now starting to design scanning for mainstream users.

As noted earlier, UEFI firmware is something of a black box that’s also hard to access. That makes it powerful for both good and bad, but it also makes attacks difficult, since they rely on a large amount of skill to write the firmware and somehow deploy it on a target machine. The Hacking Team leak, combined with this new discovery, shows attacks will almost certainly become more common.

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Mon Oct 26, 2020 6:59 pm

Useful article at Ars: Study shows which messengers leak your data, drain your battery, and more

Note that the summary graphic could be a lot clearer. Green checkmark means "good", red X means "bad", regardless of context. So a green checkmark under "crashing apps and draining the battery" means it doesn't do that, and a green checkmark under "end-to-end encrypted" means it does that.

mharr
Posts: 1583
Joined: Tue Sep 27, 2016 11:54 am
Location: UK
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby mharr » Mon Oct 26, 2020 7:15 pm

Oh look, it's Facebook and Son of Facebook. Who could have predicted.
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue Nov 17, 2020 5:35 pm

Apple lets some Big Sur network traffic bypass firewalls
Apple has yet to explain the reason behind the change. Firewall misconfigurations are often the source of software not working properly. One possibility is that Apple implemented the move to reduce the number of support requests it receives and make the Mac experience better for people not schooled in setting up effective firewall rules. It’s not unusual for firewalls to exempt their own traffic. Apple may be applying the same rationale.

But the inability to override the settings violates a core tenet that people ought to be able to selectively restrict traffic flowing from their own computers. In the event that a Mac does become infected, the change also gives hackers a way to bypass what for many is an effective mitigation against such attacks.

“The issue I see is that it opens the door for doing exactly what Patrick demoed... malware authors can use this to sneak data around a firewall,” Thomas Reed, director of Mac and mobile offerings at security firm Malwarebytes, said. “Plus, there’s always the potential that someone may have a legitimate need to block some Apple traffic for some reason, but this takes away that ability without using some kind of hardware network filter outside the Mac.”
This isn't specific to Apple (try blocking Windows 10 telemetry with Windows Firewall and see how that works), but it's always disappointing and frustrating to see it.

If you need an effective firewall, the most effective choice is always going to be a hardware firewall (though that requires a certain amount of expertise to set up correctly). Course, that's not going to help if you're using a laptop on someone else's network. I don't know enough about third-party software firewalls for Mac or Windows to make any recommendations there.

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby mharr » Mon Jan 11, 2021 6:21 am

Okay, this is from some random guy on Reddit, I have no clue how plausible it all is, and there's a big slice of 'want to believe' here, but the claim is that Parler's opsec was such dogshit that hacktivists have been able to create thousands of admin accounts and begin a distributed effort to download the entire back end database, user details, deleted posts and all.

https://old.reddit.com/r/ParlerWatch/co ... we/giu04o6

Amusingly, r/conspiracy are talking up how any such evidence will be inadmissible because apparently they believe in the rule of law now. I think maybe you step outside that game when you declare war on your own home.

Edit: Seems to be a legit thing that's happened, although the archive recovery efforts weren't total and focused specifically on Whiffed Insurrection Day and the lead up. People need to understand that the delete button is a lie.

Well maybe not these specific people.

https://gizmodo.com/every-deleted-parle ... 1846032466

Oh yeah, and the lead activist's screen name is Crash Override. chefkiss.gif

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Upthorn » Tue Jan 26, 2021 2:33 am
The death of Flash killed rail service in Northern China... until they installed a pirated version that wouldn't sunset.

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby mharr » Tue Jan 26, 2021 3:05 am

So the basic approach to systems engineering here is to have a balanced selection of active bugs and viruses that will fight each other into a deadlock?

Mongrel
Posts: 21354
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Tue Jan 26, 2021 5:50 am

Upthorn wrote:

The death of Flash killed rail service in Northern China... until they installed a pirated version that wouldn't sunset.

Pirates, as always...

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue Mar 30, 2021 2:41 pm

I forget, have I talked about the Wireguard thing yet?

Jim Salter's got a pretty fantastic article over at Ars Technica: Buffer overruns, license violations, and bad code: FreeBSD 13’s close call

There's a big chunk of it that's pretty technical and probably not very interesting to non-programmers, but I think the overall story is interesting even if you don't have a technical background. (But if you're not interested in programming specifics, stop when you get to the first subheader and then skip down to "Poor code wasn’t par for the course".)

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Tue Mar 30, 2021 3:02 pm

I like the fact that the guy also turned out to be a complete asshole IRL landlord as well.

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue Mar 30, 2021 5:42 pm

Oof. Word of warning on the Economic Impact Payment Card website: after you're done transferring your money, clear out your browser's form data, because whatever low-bid hack built this website didn't set up the "last 4 digits of SSN", "routing number", and "confirm checking account number" fields correctly and your browser *will* save the inputs you put in them.
Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue Jun 08, 2021 1:23 pm

FBI-made messaging app tricks gangs, leads to hundreds of arrests in global sting

There's a lot to unpack there, but one point I think it raises: you shouldn't assume open-source software is secure, but you *should* assume that proprietary software isn't.

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Jun 24, 2021 6:19 pm

If you've got a WD My Book, you're gonna wanna disconnect it from the Internet.

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sat Jun 26, 2021 5:12 pm

And if you've got a Dell, you're gonna wanna update your firmware.

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Jul 07, 2021 4:49 pm

Update your Windows.

And yes, there's a patch for Windows 7.
