The Federal TLS Chronicles: A Litany of Failed Certificate Governance
via the always informative Catalin Cimpanu, writing at ZDNet, comes news of the anticipated TLS certificate renewal failures for at least 80 United States federal websites due to the federal government shutdown. Color us a bright shade of completely not surprised.
"In the end, nothing good will come out of this shutdown. May it be a cyber-attack that goes undetected or agencies losing cyber-security personnel leaving for the private sector, the ripple effects of this shutdown will haunt agencies for months or years to come." - via Catalin Cimpanu, writing at ZDNet, comes news of federal website TLS Certificate renewal failures.
No Direction Home: Large Scale Worldwide DNS Attacks
via Muks Hirani, Sarah Jones and Ben Read writing at FireEye's threat research blog, comes notification of world-wide-dns-at-scale hijacks. Pre-election first-pass, stakes-in-the-ground reconnaissance foundation building? Or simple larceny? You be the judge. H/T
"FireEye Intelligence identified access from Iranian IPs to machines used to intercept, record and forward network traffic. While geolocation of an IP address is a weak indicator, these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyber espionage actors." - via Muks Hirani, Sarah Jones and Ben Read writing at FireEye's threat research blog
The Three
Three US Based Mobile Providers Still Selling User Location Data
The bad news was delivered to me on Tuesday afternoon by this outstanding post by Jon Brodkin, reporting for Ars Technica. Read it and weep, my friends, as they will know you by your location... Think it's time to move to a dumb phone from your current leaky smartphone? Think again, Binky, as your location can still be determined and sold (if only from triangulated tower geography when your phone moves from cell to cell and registers with the tower).
"In June 2018, all four major US wireless carriers pledged to stop selling their mobile customers' location information to third-party data brokers. The carriers were pressured into making the change after a security problem leaked the real-time location of US cell phone users. But an investigation by Motherboard found that 'T-Mobile, Sprint, and AT&T are [still] selling access to their customers' location data and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country.'" - via Jon Brodkin, reporting for Ars Technica
C2 Hiding
Carrie Roberts, writing at the superlative Black Hills Information Security blog, presents, for your bits related pleasure, the hiding of C2 encapsulated by SSH. Today's Must Read.
ZeroNights 2018, Eric Sesterhenn's, Luis Merino's, Markus Vervier's 'Zero Fax Given' →
From The Video Description: FAX machines, although being reminiscent of a not-so-far past, are still present in lots of office spaces and can be frequently used for business and legal communications. Most of its technology was developed decades ago and, quite probably, remained mostly unchanged over the years. Legacy boxes, accessible via a phone call through the phone line and, frequently, connected to local networks via Ethernet. It sounds like a good plan for summertime research! - via ZeroNights 2018 Eric Sesterhenn's, Luis Merino's, Markus Vervier's video 'Zero Fax Given'
ZeroNights 2018, Junyu Zhou's, Wenxu Wu's 'Attack Surfaces Against GIT Web Servers Used By Thousands Of Developers' →
From The Video Description: We, Tencent Security Xuanwu Lab, have successfully carried out several remote attacks on the most popular git web servers in 2018. This time we are willing to share our full, in-depth details on this research. In this presentation, we will explain the inner workings of this technique. Multiple 0-days of different git web servers are included in this presentation.
We will also present an in-depth analysis of the attack surfaces in the most popular git web servers, including Gitlab, Github Enterprise, Gogs and Gitea. For instance, we exploited a vulnerability on CI Runner to hack into the intranet of Gitlab; we have also found several remote code execution (RCE) and server-side request forgery (SSRF) vulnerabilities in Gogs and Gitea.
Finally, we will talk about two attack chains to successfully perform remote code execution on Gogs. To the best of our knowledge, this presentation will be the first to demonstrate these new attack surfaces of git web servers. - via ZeroNights 2018 and Junyu Zhou's, Wenxu Wu's 'Attack Surfaces Against GIT Web Servers Used By Thousands Of Developers'
The Forking
To be specific, the forking of the Ethereum blockchain has resulted in the theft of nearly $500,000 USD.
ZeroNights 2018, HC Ma's 'Massive Scale USB Device Driver Fuzz WITHOUT Device' →
From the Video Description: USB is one of the most common interfaces supported on modern computers. Modern OSes offer tons of USB drivers to support frequently used USB device classes. For other 3rd party USB devices, Microsoft provides automatic driver downloading and installation via Windows AutoUpdate Service. In this talk, we consider this as a novel attacking surface exposed by Windows. - via ZeroNights 2018 and HC Ma's 'Massive Scale USB Device Driver Fuzz WITHOUT Device'