harrysintonen

harrysintonen, 6 months ago to debian

I wonder why #debian did not pull the kernel deb package 6.1.64-1 with the #ext4 corruption bug from the package repositories. Countless of systems were upgraded to to buggy version as a result. Is there some technical reason why this could not be done? https://www.debian.org/News/2023/2023120902

harrysintonen, 7 months ago to random

Please make sure that you don't use atexit() in a library. Also, while at it, please no exit() or abort(). Thanks! atexit() related issues are insanely troublesome to correct after the use has been introduced. Case point: https://github.com/openssl/openssl/issues/22508 #development #coding #baddesign

harrysintonen, 8 months ago (edited 8 months ago) to random

Interesting #samba smbd #vulnerability CVE-2023-3961 allows samba client to connect to any server side unix domain socket. The access occurs as root user and thus any named unix domain socket is fully accessible. If suitable service exist on the server this will lead to unauthorized access to the service, assuming the socket file access rights are the only means of authorization. The impact depends entirely on the available services on the server, but may lead to #privilegeescalation or similar high severity impacts.

Updated to add: This vulnerability is made more difficult to exploit since the attacker has somewhat limited control on the data being sent to the socket.

https://www.samba.org/samba/security/CVE-2023-3961.html

harrysintonen, 5 months ago to random

Media keeps parroting the grossly misleading information about #Terrapin attack (CVE-2023-48795). This vulnerability is only a significant problem with versions of AsyncSSH that have other serious flaws that actually allow meaningful exploitation.

For the rest the only issue is downgrading the SSH Extension Negotiation. While this is theory will allow removing the restrictions set on the used signature algorithms, you'd still also need to have a client and server that both agree to use an algorithm that has a grave security flaw in it. This is not very likely. Removal of the keystroke timing countermeasures has very little practical impact as you'd still need to actually perform the timing attack to exploit this (and this extension was added for OpenSSH 9.5 to begin with, earlier versions don't even attempt to use this extension so there is nothing to attack against there).

I don't know why it is so difficult for media to get this right. Crying wolf for non-issues keeps diluting the messaging about actually impactful security issues.

Of course the security updates should be installed in a timely manner, especially if AsyncSSH is being used. But the messaging around Terrapin has been overly alarmistic, and not very helpful as a whole.

https://thehackernews.com/2024/01/new-terrapin-flaw-could-let-attackers.html

harrysintonen, 1 year ago to random

A friend had a rather sneaky #bug creep into his #C code:

if (thing == certainvalue) {
/* Comment explaining why we do this thing here 8/
firstthing();
}
else {
/* Comment for the other thing */
otherthing();
}

harrysintonen, 8 months ago to advice

I would seriously consider disabling "Generate Link Previews" feature in any critical communication applications you use. Such feature typically leaks some information about your device (typically at least the IP address). Such features also increase the attack surface for little practical benefit. #advice #privacy #infosec #foreshadowing

harrysintonen, 7 months ago to infosec

Finland has effectively stopped #calleridspoofing from faked Finnish phone numbers - "According to FICORA Regulation 28, the telecommunications operator of the call originating network must ensure that the calling party number it transfers in call origination and, in case of a forwarded (redirected) call, the forwarding number is valid and unambiguous." https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/regulation/EN%20Recommendation%20to%20Telecommunications%20Operators%20on%20Detecting%20and%20Preventing%20Caller%20ID%20Spoofing.pdf #infosec #telcos

harrysintonen, 6 months ago to apple

When running computational benchmarks on #applesilicon and other platforms it is only fair to run as optimal code as possible for all platforms in question. This is evident in the recent reporting where M3 Pro supposedly "beat" #RTX4090. Newsflash: It did not. The original test ran suboptimal code on the RTX4090. With proper code the RTX4090 crushes Apple Silicon - including fastest M3 Max. This is of course totally expected.

Updated results, including the NVIDIA optimized ones: https://owehrens.com/whisper-nvidia-rtx-4090-vs-m1pro-with-mlx/

I wonder if Apple Geared media has enough integrity to correct their reporting.

UPDATE: At least Apple Insider has now updated their story to reflect the facts.

#apple #benchmarking #nvidia

harrysintonen, 4 months ago to random

CVE-2023-6246 - #glibc syslog() heap-based buffer overflow #vulnerability - https://www.openwall.com/lists/oss-security/2024/01/30/6 - Impact: local privilege escalation to root #CVE

harrysintonen, 4 months ago to infosec

#NoName again trying to target Finnish presidential election, in vain. The targets include tulospalvelu.vaalit.fi - a website that is wholly unrelated to actual voting process. The voting in Finnish elections is pen and paper and no amount of #DDoS can affect it.

Finland specifically does NOT employ electronic or online voting systems. The reasons include:

• The existing pen and paper system has been honed to perfection: It's highly effective, secure and well established.
• Moving the system to online systems would allow potential interference from malicious parties.

#NoName target list for today: https://cyberplace.social/@GossiTheDog/111833295726201739 #infosec #elections #presidentinvaalit

harrysintonen, 5 months ago to apple

Daily #occamsrazor:

A) China has broken #Apple #AirDrop #cryptography

or

B) Chinese officials are exploiting the unfixed #vulnerability in the Apple AirDrop reported by #tudarmstadt researches in 2021 (disclosed to Apple in 2019) (*)

(*) https://www.crossing.tu-darmstadt.de/news_events/crossing_details_231552.en.jsp

harrysintonen, 7 months ago (edited 7 months ago) to retrocomputing

Some quality content from @h0ffman on twitch: #Cracking Rob Northen copylock protection live using #Amiga500 and Action Replay III #retrocomputing #amiga #hacking

harrysintonen, 7 months ago to ChatGPT

The news of #chatgpt being successful in diagnosing previously missed medical conditions are misleading. Undoubtedly there are a ton of situations where chatgpt has been totally wrong and following its advice would have lead to bodily harm or even fatalities. Hailing the successes only is a classic case of #confirmationbias. Having said that, it of course doesn't invalidate the possibility of using #AI and #ML for medical purposes, but chatgpt alone certainly isn't suitable as a diagnosis tool, nor should it be followed blindly without consulting health professionals. #thoughtoftheday

harrysintonen, 5 months ago to debian

#Debian stable cpio is currently #vulnerable to path traversal due to reverting a security patch for CVE-2015-1197. This allows malicious cpio archives to overwrite arbitrary files with permission of the user extracting the archive (think of crontab files, .authorized_keys, .bash_profile or similar). Note that tools and applications calling cpio indirectly are vulnerable as well. cpio update fixing this #vulnerability should become available shortly.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163

harrysintonen, 4 months ago to infosec

#TietoEvry datacenter has been impacted by apparent #ransomware attack. Various Swedish websites are down, including Systembolaget, several payment systems, several payroll and HR systems. While the initial impact is said to be loss of availability, it remains to be seen if some confidential information has been stolen as well.
https://www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2024/01/ransomware-attack-in-sweden-update/ #infosec

harrysintonen, 7 months ago (edited 7 months ago) to infosec

Bunch of us old geezers were reminiscing on #IRC (yes, IRC is alive and well, thanks for asking) about the #goodolddays. Thinking back, some of the stuff was quite wild. So gather around younglings:

• At one stage “IRC Wars” was a thing. Initially a bunch of kids would try to convince one of the channel operators to give them operator status, too. If some of the channel OPs was foolish enough to grant the status the attacker would promptly DEOP the original channel OPs and kickban them. This would usually be combined with adding insults to the channel topic and making the channel invite only. Retaliatory attacks were also quite common. At some stage there were multiple IRC channels held by various “factions”, while the actual discussion occurred on backup channels. Some channels were held for years.

• The “IRC Wars” (d)evolved over time. One feature weaponized was the “netsplit” where the loss of network connectivity would effectively split the network in two separate functional sub-networks. The protocol would self-heal when the connectivity returned: This involved reintegrating the channels by merging any divergencies. One result of this merge operation was to merge any operators on channels. Thus, if you found a server that was “in split” for long enough time and had no local users on the victim channel, you could join the channel and would gain operator status as the “first user” on this “new” channel. When the network eventually joined (so called “netjoin”), you would be awarded operator status on the victim channel and could proceed with channel takeover.

• “Nick collision” was one aspect of the netjoin (the network healing after a split): If two users had the same nick name, this conflict would be resolved by disconnecting both users from the network in a so called “kill”. Thus you would just have to obtain the nick name of the target user on one of the servers on the other side of the split and wait for the network to heal. Some highly coveted nicknames were stolen using this method. It would also commonly be used to collide all original operators in a channel takeover.

• Many bots were written as both defensive and offensive weapons in IRC Wars. The defensive bots would attempt to hold OP status away from malicious parties while granting it to the rightful owners of the channel. These bots grew highly sophisticated and attempted to dodge attacks such as nick collisions. Offensive bots would track the nicknames of the legitimate channel operators in an attempt to collide them.

• There were technical disagreements on how nick collisions should be handled. This, along with philosophical disagreement on whether there should be set rules defining what SysOps could or could not do, led to the EFnet network splitting in so called “Great Split” of 1996, resulting in creation of IRCnet.

• Phoenix IRCII script had a gaping security vulnerability in the message save feature that could be used to directly execute shell commands on the victim’s shell account. Needless to say this could be used to not only compromise the user but to also gain foothold on the actual (typically a brand of UNIX or BSD) server running the IRC client.

• At some point many users connected over modems. At the time isolation between control and data channels was poor or completely missing. If you could get the victim host to send special string towards the modem you could control it remotely. ICMP ECHO was particularly effective. ping -p 2D092B2B2B41544830 would send a “+++ATH0” towards the victim, and if the echo was responded, it would send back the same data through the modem. “+++” would enter the Hayes command mode. “AT” was a common prefix for “Hayes command set” commands, while “H0” meant “hang up”. Needless to say if the victim was a modem user and the system responded to ICMP ECHO the user would promptly have their modem hang up and connection would be lost.

• WinNuke (URG pointer mishandling in Windows TCP/IP stack) was used to disconnect IRC users. “Ping of death” (oversized ICMP ECHO with payload larger than 65535 bytes) was also used, as well as various other DoS bugs in network stack implementations, such as LAND attack. Eventually also flooding and primitive DDoS attacks were also used.

• I once found a #mIRC IRC client vulnerability that could be used to boot any mIRC user off the IRC network: The mIRC built-in IdentD had a bug where it would get confused if multiple concurrent connections were made towards it. If these connections would just sit there it would result in the whole mIRC network process to time out, disconnecting the user. I did demonstrate this vulnerability on #mirc channel – in hindsight this is something that I probably should not have done. I did learn a valuable lesson at least.

This all was many moons before my career in #infosec started. #oldschool #internethistory #exploits

harrysintonen, 5 months ago to random

The #GitLab #vulnerability allowing trivial account hijacking (CVE-2023-7028) will lead to ton of problems: It will allow malicious actors to perform #supplychain #attacks - something that will allow attacker to gain access to 3rd party who don't themselves run GitLab but just include from projects that do. I would suggest great caution regardless if you run GitLab yourself or not.

Naturally anyone using GitLab themselves must update as soon as possible. I would also suggest performing forensic investigation to find out if you have already been compromised, and take further action in case compromise has already occurred. Check "Were any accounts actually compromised due to this vulnerability?" section in this post for details: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

harrysintonen, 5 months ago to vmware

#VMware #Broadcom #dumpsterfire continues: "VMware has cancelled all existing product activation codes (PACs) issued that have not yet been activated." https://www.reddit.com/r/vmware/comments/194zwng/vmware_oem_partners_and_resellers_received_a/

harrysintonen, 4 months ago to infosec

Linux shim has a heap buffer overflow #vulnerability CVE-2023-40547 that allows arbitrary code execution and full system compromise when attacker is able to control the HTTP response.

Fix: https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d #cve #infosec

harrysintonen, 4 months ago to random

"With 84.8% of votes counted, the Yle forecast puts Alexander Stubb on track to place first with 27.3% of the vote. The forecast puts Pekka Haavisto in second place with 25.8% of the vote. The forecast predicts a second round will be necessary."

source: https://vaalit.yle.fi/pv2024-k1/tulospalvelu/en/ #presidentinvaalit #elections

harrysintonen, 4 months ago to infosec

Russian scriptkiddie group #Noname keeps on targeting Finnish websites. Their current targets seem to be websites of various cities and municipalities and other seemingly randomly selected targets they believe to be somehow critical for Finnish society.

This of course is nothing new, and low-skill harassment such as this has been going on for years. The impact of their activity is nuisance at best, and it is not something to get overly worried about.

There naturally are more serious Russian #threatactors - they are the ones who don't make noise. #DDoS #infosec #cybersecurity

harrysintonen, 4 months ago to infosec

#t2infosec lineup looks fantastic again - https://t2.fi/schedule/2024/ #infosec #cybersecurity