Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
WatchGuard Fixes Medium and Critical Severity Vulns
Firewall vendor WatchGuard has released patches for several vulnerabilities in its Firebox and XTM appliances. Security engineer Charles Fol investigated the appliances as part of a red team engagement and turned up several exploitable bugs, two of which - a remote code execution vulnerability and a privilege escalation - can be chained to give an attacker remote root access.
This follows the Cyclops Blink campaign, in which the Russian state-sponsored group Sandworm exploited an earlier privilege escalation vulnerability in these appliances to build a botnet. Thanks to all the publicity surrounding that campaign, network administrators have hardened their WatchGuard configurations, and far fewer now expose the management interface to the Internet. That remains the essential mitigation alongside patching: keep the management interface reachable only from trusted networks.
Woollacott, Emma, WatchGuard firewall exploit threatens appliance takeover, The Daily Swig, 1 September 2022. Available online at https://portswigger.net/daily-swig/watchguard-firewall-exploit-threatens-appliance-takeover.
No-touch Activation of Touchscreens
Researchers at Zhejiang University and TU Darmstadt have shown that capacitive touchscreens can be fooled using electromagnetic interference to inject fake touch points without actually touching them. In a presentation at the 31st USENIX Security Symposium, they related how they were able to successfully run their GhostTouch attack against nine different smartphone models, injecting targeted taps continuously with a standard deviation as low as 14.6 x 19.2 pixels from the target area, a delay of less than half a second and at a distance of up to 40mm.
The researchers came up with various adversarial scenarios for this capability, including implanting malware without the owner's knowledge, establishing a malicious connection and answering an eavesdropping phone call.
The required setup is quite complex, involving an arbitrary waveform generator, RF amplifier, an antenna array and a ChipSHOUTER device. However, it is quite within the capabilities of a moderately sophisticated adversary and a dedicated device could probably be made substantially smaller. The lesson: keep your phone close to your chest, and don't lay it down on any untrusted desks or boardroom tables.
Wang, Kai, et al., GhostTouch: Targeted Attacks on Touchscreens without Physical Touch, 31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 1543–1559. Available online at https://www.usenix.org/conference/usenixsecurity22/presentation/wang-kai.
Hackers Create Large Traffic Jam in Moscow
According to Twitter user @runews, somebody hacked Russia's largest taxi service, Yandex Taxi, and booked every available cab for pickup at an address on Kutuzovsky Prospekt. The result was a massive traffic jam which reportedly held up drivers for 40 minutes while police tried to deal with the confusion. News site South Front blamed the hack on the usual suspects: the criminal Kiev (Kyiv) regime and their Yankee neocolonial imperialist puppetmasters.
Russian Market (@runews), Someone hacked #YandexTaxi, tweet, 1 September 2022. Available online at https://twitter.com/runews/status/1565319649683804160.
Doubts Arise Over International Contributors to Open Source
The nature of most open source projects makes it possible for anyone, anywhere, to contribute, provided they establish their competence - open source projects are a meritocracy, and there are usually gatekeepers who review commits (Linus Torvalds is legendary for his scathing critiques of Linux kernel patches). With the growth of supply-chain attacks, you can bet your bottom dollar that foreign governments (for all values of 'foreign') are looking at this as a vector for injecting back doors into popular FLOSS projects.
A study by Dan Geer and his colleagues examined two popular package registries which have recently suffered supply-chain attacks - the Python Package Index (PyPI) and the npm registry - to see where the major contributors are located. Reassuringly, only a small fraction are in China or Russia. Less reassuringly, a growing proportion of developers provide no location information at all - in 2020, 21.7% of the top 100 contributors to PyPI and 9.6% of npm's top 100 had no profile information whatsoever on their GitHub profiles.
Previous research by the same group found no example in which knowing the geographic location of a developer would have prevented a software supply chain compromise. The question is therefore less one of knowing where a developer is than of using other identity-related signals of trustworthiness. Of course, it is in the nature of trust that a 'sleeper' can behave well in order to establish trust, until such time as they are willing to sacrifice it in order to gain an advantage. But then, that is true for every link in the software supply chain.
Geer, Dan, John Speed Meyers, Jacqueline Kazil and Tom Pike, Should Uncle Sam Worry About 'Foreign' Open-Source Software? Geographic Known Unknowns and Open-Source Software Security, Lawfare blog, 25 August 2022. Available online at https://www.lawfareblog.com/should-uncle-sam-worry-about-foreign-open-source-software-geographic-known-unknowns-and-open-source.
Royal Australian Mint Puts Ciphertext on 50c Coin
2022 sees the 75th anniversary of the Australian Signals Directorate (formerly Defence Signals Directorate), the down-under equivalent to the NSA and GCHQ. To celebrate this, the Royal Australian Mint has produced fifty thousand 50c coins.
These are no ordinary coins bearing anodyne statements in Latin. Rather, the coins carry a hidden message which will be revealed once four layers of encryption have been broken. Although some layers appear to be based on classical ciphers which can be broken with paper and pencil (as well as a heaping dollop of persistence), the presence of a long hexadecimal string on one side of the coin suggests a computer will be necessary at some point. There are some curious patterns on the heads side, too.
The coin also functions as a recruitment advertisement - those who think they have cracked the message are invited to fill out a form, answering four (plus bonus) questions. The Royal Australian Mint site says the coins are "unavailable" (sold out already, at $A12.50 a pop?), but the high-res images on the ASD and Mint sites should provide enough for amateur cryptanalysts to work on.
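As an added illustration of the kind of work the paper-and-pencil layers involve (this is example code written for this briefing, not anything published by ASD or the Mint, and the ciphers actually used on the coin are not known here), the following Python peels substitution layers off a ciphertext by scoring every candidate decryption against English letter frequencies with a chi-squared statistic, with a hex-decoding step for the layer that needs a computer. The sample plaintext and ciphertext are constructed for the demonstration; the assumption that each layer is a hex encoding, a Caesar shift or an Atbash mirror is the example's, not the coin's.

```python
"""Peel hex / Caesar / Atbash layers off a ciphertext by frequency analysis.
Added example for this briefing; the ASD coin's actual ciphers are not known
here, and the sample text below is constructed."""
import string

# Relative frequency (%) of letters in English text; used for chi-squared scoring.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}
ALPHABET = string.ascii_uppercase

# Constructed sample plaintext (assumption: long enough for frequency analysis).
SAMPLE_PLAINTEXT = "ATTACK AT DAWN THE SIGNALS DIRECTORATE TURNS SEVENTY FIVE THIS YEAR"


def chi_squared(text: str) -> float:
    """Distance from English letter frequencies; lower is more English-like."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = {c: 0 for c in ALPHABET}
    for c in letters:
        counts[c] += 1
    total = 0.0
    for c in ALPHABET:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift` places (negative to undo); non-letters pass through."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
                   for c in text.upper())


def atbash(text: str) -> str:
    """Mirror the alphabet (A<->Z, B<->Y, ...); the cipher is its own inverse."""
    return "".join(ALPHABET[25 - ALPHABET.index(c)] if c in ALPHABET else c
                   for c in text.upper())


def looks_like_hex(text: str) -> bool:
    """Even-length run of hex digits. Caveat: short English words made only of
    A-F (e.g. 'DEAD BEEF') would also pass this test."""
    s = text.replace(" ", "")
    return s != "" and len(s) % 2 == 0 and all(c in string.hexdigits for c in s)


def hex_layer(text: str) -> str:
    """Decode a hex string to ASCII text (the layer that needs a computer)."""
    return bytes.fromhex(text.replace(" ", "")).decode("ascii")


def break_substitution(ct: str):
    """Try all 26 Caesar shifts plus Atbash; return (method, plaintext, score)
    for the candidate closest to English. 'caesar-0' means the text is left as-is."""
    candidates = [(f"caesar-{k}", caesar(ct, -k)) for k in range(26)]
    candidates.append(("atbash", atbash(ct)))
    scored = [(name, pt, chi_squared(pt)) for name, pt in candidates]
    return min(scored, key=lambda t: t[2])


def peel(ct: str, max_layers: int = 4):
    """Strip up to `max_layers` layers; stop once no substitution improves the
    English score. Returns (recovered_text, list_of_layers_removed)."""
    trail, text = [], ct
    for _ in range(max_layers):
        if looks_like_hex(text):
            text = hex_layer(text)
            trail.append("hex")
            continue
        method, pt, _ = break_substitution(text)
        if method == "caesar-0":
            break  # already the most English-like option: treat as plaintext
        trail.append(method)
        text = pt
    return text, trail


if __name__ == "__main__":
    # Constructed two-layer ciphertext: Caesar shift 7, then hex-encoded.
    ct = caesar(SAMPLE_PLAINTEXT, 7).encode("ascii").hex()
    print("ciphertext:", ct)
    recovered, layers = peel(ct)
    print("layers removed:", layers)
    print("recovered:", recovered)
```

The greedy choice in peel works when each layer, once removed, leaves something that scores measurably better than the alternatives; two substitution layers stacked on one another (an Atbash under a Caesar shift) compose into a single reflection, so the loop would need a transposition or Vigenère stage, with index-of-coincidence key-length estimation, before it could be applied to a real multi-layer puzzle.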
ASD, 75th Anniversary Commemorative Coin, Australian Signals Directorate, 1 September 2022. Available online at https://www.asd.gov.au/75th-anniversary/events/2022-09-01-75th-anniversary-commemorative-coin.
Royal Australian Mint, 75th anniversary of the Australian Signals Directorate - 50c Uncirculated coin 2022, product page, September 2022. Available online at https://eshop.ramint.gov.au/2022-aluminium-bronze-uncirculated-75-anniversary-australian-signals-directorate.
Update
Well, that didn't take long. Just over one hour after the coin was launched, a 14-year-old from Tasmania broke all four levels of encryption.
Smith, Dan, Australian Signals Directorate 50-cent coin code cracked by Tasmanian 14yo in 'just over an hour', ABC News, 2 September 2022. Available online at https://www.abc.net.au/news/2022-09-02/asd-50-cent-code-cracked-by-14yo-tasmanian-boy/101401978.
Epic RickRoll Hack
This goes back to April 2021, but it's still an entertaining and moderately educational read. A group of four students in a Cook County, Illinois school district were able to gradually - over several years - gain access to the school district's internal systems, including a classroom management system, which they used to run scans and exploit computers, and the district's IPTV system, which drove all the projectors and TVs across the district. The final piece of the puzzle was the public address system; the default password did not work, but they found it had been changed to the example password given in the user manual, which was available online. The lesson for administrators is the obvious one: a password that appears in vendor documentation is no better than the default.
Having gained access to the TV system, the group cleverly decided against compromising the servers, and instead stealthily inserted scripts into all the TVs and projectors, which triggered at 10:55 am on 30 April 2021. Just what happened - well, you'll have to read the article, but it was certainly highly noticeable and memorable.
The hack was ultimately quite sophisticated, but the students escaped disciplinary action by the expedient of submitting a 26-page report, including security recommendations, to the school district's IT admins immediately after the incident. In fact, the school district confirms the events and views them as a penetration test, claiming that "the incident highlights the importance of the extensive cybersecurity learning opportunities the District offers to students".
Burgess, Matt, Inside the World's Biggest Hacker Rickroll, Wired, 22 August 2022. Available online at https://www.wired.com/story/biggest-hacker-rickroll-high-school-prank/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.