This Week In Security: GoDaddy, Joomla, And ClamAV

We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.

Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.

That multi-year campaign appears to goes back to at least October 2019, when an SSH file was accessed and altered, leading to 28,000 customer SSH usernames and passwords being exposed. There was also a 2021 breach of the GoDaddy WordPress environment, that has been linked to the same group.

Reading between the lines, there may be an implication here that the attackers had an ongoing presence in GoDaddy’s internal network for that entire multi-year period — note that the quote above refers to a single campaign, and not multiple campaigns from the same actor. That would be decidedly bad.

Joomla’s Force Persuasion

Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases, up to 4.2.8, which contains the fix. The issue is the Rest API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.

There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the data. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even password hash. It’s leaking the SQL database information. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be. Continue reading “This Week In Security: GoDaddy, Joomla, And ClamAV”

Answering Some Pico Balloon Questions

When the US Air Force shot down some suspected Chinese spy balloons a couple of weeks ago, it was widely reported that one of the targets might have been a much more harmless amateur radio craft. The so-called pico balloon K9YO was a helium-inflated Mylar balloon carrying a tiny solar-powered WSPR beacon, and it abruptly disappeared in the same place and time in which the USAF claimed one of their targets. When we coveredĀ  the story it garnered a huge number of comments both for and against the balloonists, so perhaps it’s worth returning with the views of a high-altitude-ballooning expert.

[Dave Akerman] has been sending things aloft for a long time now, we think he may have been one of the first to put a Raspberry Pi aloft back in 2012. In his blog post he attempts to answer the frequently asked questions about pico balloons, their legality, whether they should carry a beacon, and what the difference is between these balloons and the latex “weather balloon” type we’re familiar with. It’s worth a read, because not all of us are part of the high-altitude balloon community and thus it’s good to educate oneself.

Meanwhile, you can read our original report here.

Tiny Machine Learning On As Little As 2 KB Of RAM

All of the machine language stuff coming out lately doesn’t affect you if you are developing with embedded microcontrollers, right? Perhaps not. Microsoft Research India wants you to use their EdgeML tool to do machine learning tasks such as gesture recognition in tiny devices like an Arduino Uno. According to the developers, you might need as little as 2 KB of RAM. There’s no network connection required and the work is using Tensorflow underneath, so it is compatible with much of what you’ll find for bigger computers.

If you add processing power, you can get more capability. For example, one of the demonstrations is a wake-word recognizer on a Raspberry Pi Zero (although the page for that demo seems to be missing at the moment; try the GesturePod, instead).

The system generally uses Python, but there are efficient C++ implementations for selected algorithms. The code lives on GitHub. There are also a number of research papers about each tool that you can find on the GitHub page. There’s also a recent paper on MinUn, an attempt to make things even more efficient for ARM microcontrollers. In particular, MinUn can store approximate numbers to save space, allows for variable precision of tensors, and tries to reduce memory fragmentation, an important feature for CPUs that don’t have memory management units.

If you haven’t studied TensorFlow yet, start here. Why use something like this with a microcontroller? How about smarter robots?