This Week In Security: Snowflake, The CVD Tension, And Kaspersky’s Exit — And Breaking BSOD

In the past week, AT&T has announced an absolutely massive data breach. This is sort of a multi-layered story, but it gives me an opportunity to use my favorite piece of snarky IT commentary: The cloud is a fancy way to talk about someone else’s servers. And when that provider has a security problem, chances are, so do you.

The provider in question is Snowflake, who first made the news in the Ticketmaster breach. As far as anyone can tell, Snowflake has not actually been directly breached, though it seems that researchers at Hudson Rock briefly reported otherwise. That post has not only been taken down, but also scrubbed from the Wayback Machine, apparently in response to a legal threat from Snowflake. Ironically, Snowflake has confirmed that one of their former employees was compromised, but Snowflake is certain that nothing sensitive was available from the compromised account.

At this point, it seems that the twin problems are that big organizations aren’t properly enforcing security policy like Two Factor Authentication, and Snowflake just doesn’t provide the tools to set effective security policy. The Mandiant report indicates that all the breaches were the result of credential stealers and other credential-based techniques like credential stuffing.

Cisco’s Easy Password Reset

Cisco has patched a vulnerability in the Smart Software Manager On-Prem utility, a tool that allows a business to manage their own Cisco licenses. The flaw was a pretty nasty one, where any user could change the password of any other user.

While there are no workarounds, an update with the fix has been released for free. As [Dan Goodin] at Ars speculates, full administrative access to this management console could provide unintended access to all the rest of the Cisco gear in a given organization. This seems like one to get patched right away.

Bye Bye Kaspersky

Kaspersky Labs has officially started winding down their US operations, as a direct result of the US Commerce Department ban. As a parting gift, anyone who wants it gets a free six-month subscription.

Just a reminder, any Kaspersky installs will stop getting updates at that six-month mark, so don’t forget to go on a Kaspersky uninstall spree at that time. There are twin dangers here: an out-of-date antivirus could prevent another solution like Windows Defender from running, and a security product that no longer receives updates is a tempting target for privilege escalation attacks.

Uncoordinated Vulnerability Disclosure

Let’s chat a bit about coordinated vulnerability disclosure. That’s the process where a researcher finds a vulnerability, privately reports it to the vendor, and together they pick a date to make the details public, usually somewhere around 90 or 120 days from the private report. The researcher gets credit for the find, sometimes a bug bounty payout, and the vendor fixes their bug.

Things were not always this way. Certain vendors were once well known for ignoring these reports for multiple months at a time, only to rush out a fix if the bug was exploited in the wild. This slapdash habit led directly to our current 90-day industry standard. And in turn, a strict 90-day policy is usually enough to provoke responsible behaviors from vendors.

Usually, but not always. ZDI discovered the Internet Explorer technique that we discussed last week being used in the wild. Apparently [Haifei Li] at Check Point Research independently discovered the vulnerability, and it’s unclear which group actually reported it first. What is clear is that Microsoft dropped the ball on the patch, surprising both research teams and failing to credit the ZDI researcher at all. And as the ZDI post states, this isn’t an isolated incident:

While these are Microsoft examples, there are multiple occasions from various vendors where “coordination” simply means “You tell us everything you know about this bug, and maybe something will happen.”

Bits and Bytes

Claroty’s Team82 has documented their rather impressive entry in the 2023 Pwn2Own IoT contest. The two-part series starts with a WAN-side attack targeting a router’s dynamic DNS, which we briefly discussed last week. This week brings the juicy details of an unauthenticated buffer overflow leading to RCE on the device. This demonstrates the clever and terrifying trick of attacking a network from the Internet and establishing presence on an internal device.

There are times when you really need to see into an SSL stream, like security research or auditing. Oftentimes that’s as easy as adding a custom SSL certificate to the machine’s root store, so the application sees your forced HTTPS proxy as legitimate. In the case of Go, applications verify certificates on their own rather than through the OS, making this inspection much more difficult. The solution? Just patch the program to turn on the InsecureSkipVerify feature. The folks at CyberArk have dialed in this procedure, and even have a handy Python script for ease of use. Neat!
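To make the trade-off concrete, here is an added Go example (not code from the page, and not CyberArk’s script): a client tls.Config that trusts the inspection proxy’s certificate through RootCAs keeps chain and hostname checks on, while InsecureSkipVerify switches them off for every peer. The proxy certificate and the hostname api.example.test are constructed for the example; everything else is the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// proxyCert builds a throwaway self-signed certificate (constructed here) standing in for the proxy's.
func proxyCert(host string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // Go matches SANs, not the CommonName
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientConfig: trust the proxy certificate via RootCAs (checks stay on) or flip InsecureSkipVerify (no checks).
func clientConfig(trusted *x509.Certificate, skipVerify bool) *tls.Config {
	pool := x509.NewCertPool()
	if trusted != nil {
		pool.AddCert(trusted)
	}
	return &tls.Config{RootCAs: pool, InsecureSkipVerify: skipVerify}
}

// verifyWith applies cfg to a presented certificate the way crypto/tls does for a client connection.
func verifyWith(cfg *tls.Config, presented *x509.Certificate, host string) error {
	if cfg.InsecureSkipVerify { // nothing is checked, whoever presented the certificate
		return nil
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}
```

The hostname mismatch and unknown-issuer cases are exactly what a patched-in InsecureSkipVerify stops reporting, which is why the flag belongs in a lab build and not in a shipped binary.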

Speaking of tools, we were just made aware of EMBA, the EMBedded Analyzer. That’s an open source tool that looks into firmware images and automatically extracts useful data.

Breaking BSOD

Just as we were wrapping this week’s column, a rash of Windows Blue Screens of Death (BSODs) started hitting various businesses around the world. The initial report suggests that it’s a CrowdStrike update gone wrong, and CrowdStrike seems to be investigating. It’s reported that renaming the C:\windows\system32\drivers\crowdstrike folder from within safe mode will get machines booting again, but note that this is not official guidance at this point.

36 thoughts on “This Week In Security: Snowflake, The CVD Tension, And Kaspersky’s Exit — And Breaking BSOD”

      1. Me too. Somewhere back then (2012 I guess) I got a PC for free with windoze ME. It started up with some weird screen with all sorts of blue tiles. Just like the blue screen of death, but with more tiles. Then I plugged in a USB stick I had prepared, installed Linux and never used windoze again.

    1. that is not going to help you if you have crowdstrike installed as it will update itself, and, as far as i understand, it was not even in a software update but a definition file, the bug apparently was already lurking in all those systems, it just needed an invalid definition file to trigger it

  1. As someone who is not a Windows user, I have a question for those who are: is it really impossible to disable auto updates on enterprise Windows systems, or admins of those systems are just lazy fools?
    If it is possible to disable auto updates, why would anyone keep it enabled on production systems? If it is not possible, why would anyone use such a system? Updates should be deployed after they have been tested, that’s why we have test systems, to catch problems like this, and if you notice a problem on test, you do not deploy on production. And when you do deploy, you don’t do it in parallel on all systems, you do one by one…

    1. I don’t think CrowdStrike’s updates go through the standard Microsoft channels. It’s some sort of antivirus/security monitoring tool so it probably updates automatically every few hours or so. Which begs the question, why didn’t they stop advertising the bogus update when the first reports of the problem came up in Australia?

    2. Back when I had to deal with Windows servers on a daily basis, you could set up your own update server. It would pull all the update packages from the Microsoft servers and store them locally. You could then apply the updates to a selected group of PCs and do your testing. Once the testing was done, you could let your clients update from your update server.

      ——

      A quick google search tells me that things are pretty much still as I remember them. An organisation can set up their own update server and schedule updates after testing.

      Why any organisation doesn’t do it that way I can’t say.

      Along with that, it is entirely possible for the tests to pass but for the update to still cause problems on production clients.

    3. With regards to Windows updates… Prior to Win 10, you could disable Windows updates pretty easily. From Win 10 onwards, Microsoft removed this direct ability. However, with some sleuthing, registry value changes, etc., one can permanently disable Windows 10 updates. We had to do this on some specialty Win 10 servers that “had” to be Windows based and could not easily be migrated to Linux. Since Win 10 updates can render a computer inoperable for extended periods during the updates or if a reboot was needed, disabling the updates was very much a necessity. So… yes… it can be done, but takes effort and no doubt much to the chagrin of Microsoft.

  2. > What is clear is that Microsoft dropped the ball on the patch, surprising both research teams and failing to credit the ZDI researcher at all. And as the ZDI post states, this isn’t an isolated incident you got solid evidence who reported what when…

    Should solve some of the mentioned squabble.

    1. Wtf happened to my comment? I put in some “” and 2/3ds get eaten?

      Let’s try again…

      {{What is clear is that Microsoft dropped the ball on the patch, surprising both research teams and failing to credit the ZDI researcher at all. And as the ZDI post states, this isn’t an isolated incident}}

      1. get sha512 of your first full text for the company.
      2. post sha512 to twitter/fediverse.
      3. include 2. into your first mail/contact to company.

      -> everyone got semi-public documentation of who posted what when…

      Should solve some of the mentioned squabble.

      1. ah, okay HaD just eats everything in between a “less-than” and the next “greater-than” sign no matter how much or how many lines are in between.

        5 of the following 10 lines will suffer:
        1
        2
        3
        9
        10

        1. It’s WordPress’s anti cross-site scripting protection. If you can make comments with greater and less than symbols, maybe you could find a way to write HTML tags. So they just nuke anything that looks at all like a tag.

  3. I don’t think it’s a good idea to run Kaspersky, free or otherwise. Their software was used in the past to spy on people’s computers on behalf of Russian state security. In other words, it’s spyware that claims to protect you from spyware.

      1. Microsoft already sends loads of “telemetry” data to a number of their servers, where the IP addresses are not easily traced back to them. On top of this the remote telemetry data is an encrypted data stream and so who really knows what information is being sent. “Trusting” Microsoft or others for what they say they are doing is incredibly naive. Secondly, how does one not know if Microsoft has hidden backdoor mechanisms in place… which could be exploited by them, others, or perhaps some nefarious groups? Overall it is very unsettling.

        1. There is a backdoor on every windows PC worldwide:
          “Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence”

    1. Kaspersky “spyware” was never proven. Meanwhile, Microsoft, Apple and other crapware spying and sending stuff to the motherships is well documented. You can see it yourself with packet analysis.

  4. I never looked into details what’s going on with Kaspersky, but when you can make more money with selling data than with selling software, morals tend to degrade.

    It’s one of the most important reasons I use Open Source software. No security through obscurity. Open Source software also has its dark pages and bugs, even deliberately injected weaknesses, but they tend to get found and fixed. Linux is maybe only 3% of the desktop user market, but I also guess that the percentage of knowledgeable people on Linux is higher than on windoze or the fruit brand.

    1. linux users need to know more to get by. the other oses cater to the bottom of the barrel and so few if any really need to dig into the meat of the system to get anything done. phone oses take this to an extreme obfuscating a lot of the inner workings from the user.

        1. Sometimes the bottom of the barrel is the top of the barrel.

          It is not always normal people. I’ve seen a CEO of a very large company demand that problems be fixed right “NOW”, or heads would roll. After much investigation by many people it eventually turned out that no one had sent the CEO an email in over 120 minutes. That the CEO’s assumption was that the global IT systems were down or not functioning correctly. The CEO reached out to the head of global IT, explaining his problem with no actual technical details, the head of IT reached out to the local IT, saying “fix it and fix it now” and very little else and the further and further it got away from management to the grunts on the ground the less and less information that was provided. Eventually a “grunt” called the CEO and sent a test email to the CEO and was instantly hailed as a hero by all management, because they must have fixed the problem. But after further investigation and checking of many log files it was discovered that for whatever reason it was just that no one internally or externally, or any automated scripts, had sent any email to the CEO. That was the root cause analysis in the high severity incident report.

      1. I’m a retired vacuum tube engineer and I’ve been running Linux for 15 years. My wife knows less about computers in general, but I get fewer complaints after I switched her to Mint. Even after 20 years of Windows I find Linux easier to use. So let’s stop spreading the “Linux is hard” FUD.

  5. “The cloud is a fancy way to talk about someone else’s servers. ”

    And everything in-between is someone else’s networking hardware.

    How quickly people forget most are computers in disguise.

    1. I used to make the same joke, that they are just someone else’s servers.

      Cloud is more than that. It is an ecosystem built for easy software development – so easy that it is impossible to pass.

      The thing they don’t tell you: you are heavily locked in to that ecosystem. And then they start asking for more money each day. Don’t get me started “but you can then just switch the Cloud ecosystem”. Technically yes, but it is so expensive that you cannot get that through in your management.

      It is just easier to throw Microsoft with money.

      Nobody cares, actually.

      1. It’s not a joke, it’s a fact, clouds are just someone else’s servers.
        There was a meme about the cloud:
        Son, looking at the sky: “Dad, what are clouds made of?”
        Dad: “Servers, son, servers…”
