Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Plausibly Deniable Hidden Linux Filesystems

One of the nice features of the old TrueCrypt encrypted filesystem (and its replacement, Veracrypt) was its ability to create hidden volumes - a feature of great value to journalists, human rights activists and others who need to transit borders where their computers could come under scrutiny. Now a new tool fom Kudelski Security Research introduces a new open-source tool for Linux which provides further improvements.

Shufflecake allows the creation of multiple hidden volumes on a storage device, with each volume encrypted with a different secret key, scrambled across the empty space of the underlying storage medium and indistinguishable from random noise. Because the software can manage up to 15 volumes per device, with hiddent volumes nested under other hidden volumes, it proves a high level of plausible deniability, whereby a user can, under pressure, surrender a password to decrypt a less sensitive "decoy" volume while the really sensitive volume remains undetectable, even under forensic investigation. (Image © Randall Munroe, licensed under CC BY-NC 2.5.)

Despite the multiple layers of encryption, Shufflecake remains reasonably efficient; the performance penalty is roughly double that of a conventional LUKS encrypted volume and barely noticeable. The space overhead is also less than 1% of the available disk space. The code is based on the M.Sc. thesis of Elias Anzuoni at EPFL.

Gagliardoni, Tommaso, Introducing Shufflecake: Plausible Deniability for Multiple Hidden Filesystems on Linux, blog post, 10 November 2022. Available online at https://research.kudelskisecurity.com/2022/11/10/introducing-shufflecake-plausible-deniability-for-multiple-hidden-filesystems-on-linux/.

Data Breach at Russian Scooter Service

Russian scooter rental service Whoosh has confirmed a data breach which has seen the theft of over 7.2 million customer numbers and 6.9 email addresses. On Monday, chat about the publication of the data set appeared in Telegram channels and the conpany has now revealed that it is carrying out an internal investigation and working with law enforcement to try to stop distribution of the data.

The company claims that no sensitive data, such as transaction information, credit card numbers or travel details, was stolen.

Uncredited, В Whoosh подтвердили утечку данных клиентов, RIA, 14 November 2022. Available online at https://ria.ru/20221114/whoosh-1831302705.html; English translation at https://ria-ru.translate.goog/20221114/whoosh-1831302705.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp.

CSRF Vuln in Plesk Web Hosting Dashboard

Many SME web sites are hosted with retail hosting providers and managed via the Plesk administration dashboard, which accounts for 86.7% of such dashboards and 4.4% of all websites. Overall, Plesk is well secured, but researcher Adrian Tiron at Fortbridge managed to find a cross-site request forgery vulnerability which affects most of the Plesk RESTful API's, which are intended to allow third-party programs to access Plesk services.

The vulnerability flows from a misconfigured CORS (Cross-Origin Resource Sharing) policy. CORS, which is layered on top of HTTP, allows HTTP responses to declare that they can be shared with other origins, and in the case of the Plesk API's, was completely open, having been set to a wildcard '*' and allowing access from any origin.

Tiron was able to abuse several API endpoints, adding a database user that can connect to any database from any remote host, and most importantly, changing the admin password and gaining full control of the site. Other possible exploit techniques include adding an FTP user and adding malicious Plesk extension, which could be a web shell.

Fortbridge responsibly disclosed the vulnerability, and Plesk users should check for a patch.

Tiron, Adrian, Compromising Plesk via its REST API, blog post, 10 November 2022. Available online at https://fortbridge.co.uk/research/compromising-plesk-via-its-rest-api/.

Is Functional Programming the Way of the Future?

We wrote yesterday of the NSA's promotion of memory-safe programming languages such as Java and Rust, with the latter rapidly growing, according to usage statistics. But memory management is only one - admittedly large - class of bugs and hence vulnerabilities; there are many others, including time-of-check/time-of-use, null references and side effects caused by shared state.

An article in IEEE Spectrum suggests that many of these problems are addressed by functional programming languages such as Haskell, Elm and PureScript. Functional programming is characterised by a number of constraints:

• Functions cannot access any variables other than their arguments and local variables, eliminating side effects
• System state can only be affected via composed functions
  
• Variables are immutable (this can be somewhat mind-bending for programmers transitioning from the traditional imperative programming paradigm)
• Null references are not allowed and dealt with via Maybe or Option constructs

The result is claimed to be much more reliable and easily-maintained code, but the first two of these restrictions also provide thread-safety which will allow higher performance on modern multi-core processors. I guess that if you are re-tooling and moving to a language anyway, this may be worth considering.

Scalfani, Charles, Why Functional Programming Should Be the Future of Software Development, IEEE Spectrum, 23 October 2022. Available online at https://spectrum.ieee.org/functional-programming.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.