harrysintonen

@harrysintonen@infosec.exchange

Infosec consultant https://mastodon.social/@WithSecure - Coding, Research + various other interests


harrysintonen, to infosec

Russian scriptkiddie group keeps on targeting Finnish websites. Their current targets seem to be websites of various cities and municipalities and other seemingly randomly selected targets they believe to be somehow critical for Finnish society.

This of course is nothing new, and low-skill harassment such as this has been going on for years. The impact of their activity is nuisance at best, and it is not something to get overly worried about.

There naturally are more serious Russian - they are the ones who don't make noise.

harrysintonen, to random

CVE-2023-6246 - syslog() heap-based buffer overflow - https://www.openwall.com/lists/oss-security/2024/01/30/6 - Impact: local privilege escalation to root

harrysintonen, to random

"With 84.8% of votes counted, the Yle forecast puts Alexander Stubb on track to place first with 27.3% of the vote. The forecast puts Pekka Haavisto in second place with 25.8% of the vote. The forecast predicts a second round will be necessary."

source: https://vaalit.yle.fi/pv2024-k1/tulospalvelu/en/ #presidentinvaalit #elections

harrysintonen, to infosec

again trying to target Finnish presidential election, in vain. The targets include tulospalvelu.vaalit.fi - a website that is wholly unrelated to actual voting process. The voting in Finnish elections is pen and paper and no amount of can affect it.

Finland specifically does NOT employ electronic or online voting systems. The reasons include:

  • The existing pen and paper system has been honed to perfection: It's highly effective, secure and well established.
  • Moving the system to online systems would allow potential interference from malicious parties.

target list for today: https://cyberplace.social/@GossiTheDog/111833295726201739

harrysintonen, to infosec

Linux shim has a heap buffer overflow CVE-2023-40547 that allows arbitrary code execution and full system compromise when attacker is able to control the HTTP response.

Fix: https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d

harrysintonen, to infosec

datacenter has been impacted by apparent attack. Various Swedish websites are down, including Systembolaget, several payment systems, several payroll and HR systems. While the initial impact is said to be loss of availability, it remains to be seen if some confidential information has been stolen as well.
https://www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2024/01/ransomware-attack-in-sweden-update/

harrysintonen, to vmware

continues: "VMware has cancelled all existing product activation codes (PACs) issued that have not yet been activated." https://www.reddit.com/r/vmware/comments/194zwng/vmware_oem_partners_and_resellers_received_a/

harrysintonen, to random

The #GitLab #vulnerability allowing trivial account hijacking (CVE-2023-7028) will lead to a ton of problems: It will allow malicious actors to perform #supplychain #attacks - something that will allow an attacker to gain access to 3rd parties who don't themselves run GitLab but just include from projects that do. I would suggest great caution regardless of whether you run GitLab yourself or not.

Naturally anyone using GitLab themselves must update as soon as possible. I would also suggest performing a forensic investigation to find out if you have already been compromised, and taking further action in case a compromise has already occurred. Check the "Were any accounts actually compromised due to this vulnerability?" section in this post for details: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

harrysintonen, to apple

Daily :

A) China has broken

or

B) Chinese officials are exploiting the unfixed in the Apple AirDrop reported by researchers in 2021 (disclosed to Apple in 2019) (*)

(*) https://www.crossing.tu-darmstadt.de/news_events/crossing_details_231552.en.jsp

harrysintonen,

If all data is stored in government owned servers with state controlled encryption (1), and this data includes email address and phone number of the specific account, wouldn't this allow the state to calculate the contact identifiers (2) directly?

Talk about making it easy. No need to do bruteforcing or use rainbow tables.

  1. https://www.engadget.com/apple-chinese-government-control-data-131343119.html
  2. https://www.usenix.org/system/files/sec21fall-heinrich.pdf

harrysintonen, to tetris

has finally been "beaten" to the kill screen - https://www.thegamer.com/tetris-beaten-34-years/

harrysintonen, to random

Media keeps parroting the grossly misleading information about attack (CVE-2023-48795). This vulnerability is only a significant problem with versions of AsyncSSH that have other serious flaws that actually allow meaningful exploitation.

For the rest the only issue is downgrading the SSH Extension Negotiation. While this in theory will allow removing the restrictions set on the used signature algorithms, you'd still also need to have a client and server that both agree to use an algorithm that has a grave security flaw in it. This is not very likely. Removal of the keystroke timing countermeasures has very little practical impact as you'd still need to actually perform the timing attack to exploit this (and this extension was added in OpenSSH 9.5 to begin with; earlier versions don't even attempt to use this extension, so there is nothing to attack against there).

I don't know why it is so difficult for media to get this right. Crying wolf for non-issues keeps diluting the messaging about actually impactful security issues.

Of course the security updates should be installed in a timely manner, especially if AsyncSSH is being used. But the messaging around Terrapin has been overly alarmist, and not very helpful as a whole.

https://thehackernews.com/2024/01/new-terrapin-flaw-could-let-attackers.html

harrysintonen,

@dangoodin

"there's no reason to think other SSH apps don't harbor similar, and possibly higher severity, vulnerabilities that can be ferreted out and exploited by more motivated threat actors."

This is entirely possible. It will be interesting to follow up on the future research around this area. If found, such additional vulnerabilities would still require an active MiTM to exploit, something that limits the impact somewhat, at least. They would also be limited to specific (typically far more marginal) implementations.

In my opinion this does not necessitate immediate security response. Normal upgrade processes can be employed.

"This breaks the entire integrity of the SSH connection."

I beg to differ with this statement. It breaks the integrity of the handshake phase of the SSH session. Combined with the fact that the truncation attack is limited to only removing parts from the handshake significantly limits the practical impact of this vulnerability. It definitely does not break "entire integrity of the SSH connection".

This doesn't reduce the value of the research, of course. It definitely is significant and valuable research. Also, the researchers themselves were clear to point out the limitations of the impact. It just seems that media got too carried away.

harrysintonen,

@dangoodin That is an incomplete statement. It has to include this relevant detail:

"This allows prefix truncation attacks where some encrypted packets at the beginning of the SSH channel can be deleted without the client or server noticing it."

harrysintonen,

@dangoodin Sure, but I would still be very clear what "break" means exactly. There is a great difference in being able to arbitrarily change the channel vs being limited to dropping some packets at the handshake phase.

I believe that not understanding what that means and what the limitations are is one of the reasons why some of the coverage has been so off the mark.

harrysintonen,

@dangoodin I found at least some of the coverage to be misrepresenting the severity of the issue, or at least failing to properly present the mitigating factors.

Maybe this was due to the NVD having the insane CVSS score of 9.5 on the issue initially (which later was toned down to more sensible level).

Or maybe it was due to the pressure of getting on the news bandwagon as soon as possible and maybe skipping actually reading the technical description carefully enough.

There of course is also very good and balanced coverage of the issue as well, such as this excellent article at The Register: https://www.theregister.com/2023/12/20/terrapin_attack_ssh/

harrysintonen, to debian

#Debian stable cpio is currently #vulnerable to path traversal due to reverting a security patch for CVE-2015-1197. This allows malicious cpio archives to overwrite arbitrary files with the permissions of the user extracting the archive (think of crontab files, .authorized_keys, .bash_profile or similar). Note that tools and applications calling cpio indirectly are vulnerable as well. A cpio update fixing this #vulnerability should become available shortly.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163

harrysintonen,

It should be noted that attacks towards this may be able to hide the fact that the attack vector is a cpio archive. Some tools do not depend on the filename extension when determining how to decompress a file, and thus might extract the file with cpio command even if the filename extension is different.

So for now I would recommend caution when extracting archives originating from unknown sources, at least when utilizing "smart" tools for decompression.
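As an added example (not from the posts above or from the Debian bug report), a Python scanner that identifies a cpio newc archive by its header magic rather than its file extension, the defender's counterpart to the "smart" extractors the reply warns about, and lists the entries that would write outside the extraction directory. The archive bytes are constructed inline; flagging symlink entries is my own extra heuristic beyond the path traversal the post describes.

```python
NEWC_MAGIC = b"070701"      # cpio "newc" (SVR4 without CRC) header magic
TRAILER = "TRAILER!!!"      # name of the entry that ends the archive
def _pad4(n):
    return (4 - n % 4) % 4  # newc pads header+name and data to 4 bytes

def build_newc(entries):
    """Build a newc archive from (name, data, mode) tuples (constructed sample input)."""
    out = bytearray()
    for ino, (name, data, mode) in enumerate(entries + [(TRAILER, b"", 0)], 1):
        nb = name.encode() + b"\0"
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nb), 0)
        hdr = NEWC_MAGIC + "".join("%08x" % v for v in fields).encode()
        out += hdr + nb + b"\0" * _pad4(len(hdr) + len(nb))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)

def is_newc(blob):
    return blob[:6] == NEWC_MAGIC  # content check, as extension-agnostic tools do

def iter_newc(blob):
    """Yield (name, mode, data) for each entry; raise on a non-cpio blob."""
    off = 0
    while True:
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("no newc header at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        off += 110 + namesize + _pad4(110 + namesize)
        data = blob[off:off + size]
        off += size + _pad4(size)
        if name == TRAILER:
            return
        yield name, mode, data

def unsafe_entries(blob):
    """Entries writing outside the extraction dir; the symlink flag is an extra heuristic."""
    bad = []
    for name, mode, data in iter_newc(blob):
        if name.startswith("/") or ".." in name.split("/"):
            bad.append((name, "escapes extraction directory"))
        elif (mode & 0o170000) == 0o120000:
            bad.append((name, "symlink -> " + data.decode(errors="replace")))
    return bad

# Constructed sample: one benign file, one traversal entry, one symlink to /etc.
SAMPLE = build_newc([("docs/readme.txt", b"hi", 0o100644),
                     ("../.bash_profile", b"evil", 0o100644),
                     ("etc", b"/etc", 0o120777)])
```

Run `unsafe_entries(SAMPLE)` to see the two flagged entries; feeding the scanner a file regardless of its extension is the point, since a ".gz" or ".zip" name says nothing about what cpio will be handed.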

harrysintonen, to iPhone

My partner’s second #iPhone decided to drop dead on upgrade. Luckily a full backup of the contents was made before it went into a permanent error 4013 loop. There are a number of recovery options for extracting the content from the iTunes backups, most of them payware. Searching for recovery options you’re obviously steered towards these options.

But wait! There are free options, too, and since time is both unlimited and free I did the only sensible thing and spent the next couple of hours sorting out the open source options. I can report that iTunes Backup Explorer worked great!

https://github.com/MaxiHuHe04/iTunes-Backup-Explorer #apple #datarecovery

harrysintonen, to random

Glad to see that is on top of things adding mitigation https://github.com/libssh2/libssh2/pull/1291

harrysintonen, to random

Did you know that for the longest time “scp” was a gaping security hole? When copying from a remote server to your local system, a malicious server could drop arbitrary, unrelated files relative to the target directory. If you copied to your user homedir, a malicious server could just drop a new “.bash_profile” and gain code execution.

The origin of this mess was the remote copy tool (rcp) from the 1980s: The glob(3)bing was left to the remote server to perform and to send back any matching entries. When rcp was adjusted to create the scp tool in 1995, they merely replaced rsh with ssh, without giving much consideration to security otherwise.

9.0 (and later) fixed this issue for good as scp then defaults to using sftp protocol for the transfer.

lcamtuf, (edited ) to random

deleted_by_author

  • harrysintonen,

    @lcamtuf It's likely we'll never see this vehicle in Europe due to it not meeting security standards and such heavy vehicles requiring a special driver's license. The market for idiotic pickup trucks is also way too small to make it viable - even if a version for EU markets would otherwise be made.

    There is no need to invoke Elon.

    GossiTheDog, to random

    NoName057(16) are targeting the UK today, so I shall start monitoring them and naming their targets and attack types.

    Their targeting: https://raw.githubusercontent.com/GossiTheDog/Monitoring/main/NoName/targets_2023_12_07_11am.txt

    Currently:

    #threatintel #noname

    harrysintonen,

    @GossiTheDog The target list is quite random and includes many sites that are not related to any critical infrastructure functions or that would cause any kind of issues even if they were down. The list is something you might come up with if you just googled something without realizing what you're doing.

    This just goes to show that this actor is a bloody joke.
