You may have heard about a very large data breach, exposing the Social Security numbers of three billion individuals. Now hang on. Social Security numbers are a particularly American data point, and last time we checked there were quite a few Americans shy of even a half of a billion’s worth. As [Troy Hunt] points out, there are several things about this story that seem just a bit odd.
First up, the claim is that this is data grabbed from National Public Data, and there’s even a vague notice on their website about it. NPD is a legitimate business, grabbing data on as many people as possible, and providing services like background checks and credit checks. It’s not impossible that this company has records on virtually every citizen of the US, UK, and Canada. And while that’s far less than 2.9 billion people, it could feasibly add up to 2.9 billion records as was originally claimed.
The story gets strange as we consider the bits of data that have been released publicly, like a pair of files shared with [Troy] that have names, birthdays, addresses, phone numbers, and social security numbers. Those had a total of 2.69 billion records, with an average of 3 records for each ID number. That math is still just a little weird, since the US has to date only generated 450 million SSNs and change.
So far all we have are partial datasets, and claims on the Internet. The story is that there’s a grand total of 4 TB of data once uncompressed. The rest of the details are unclear, and it’s likely to take some time for the rest of the story to come out.
Windows IPv6 RCE
Microsoft has patched a Remote Code Execution (RCE) in Windows 10, 11, and server systems. By all accounts, it’s a nasty one, but there’s a redeeming wrinkle to the story, that may also be bad news. It’s an IPv6 vulnerability. The actual details are scarce, for obvious reasons. By next week, I anticipate someone will have reverse engineered the patch enough to have some details on the flaw.
What we do know is that Microsoft scores this a 9.8 out of 10 for severity, and considers it a low complexity attack that is likely to be used in the wild. Trend Micro considers it a wormable flaw. The built-in Windows firewall doesn’t block it, because the vulnerability triggers before processing by the firewall. This leads to a theory that it’s another problem related to defragmenting incoming IPv6 packets, or a similar process.
The good news is that it requires actual IPv6 connectivity, which at least in my corner of the world is a rather rare thing. It’s hard to know definitively without more details, but it’s at least likely that a proper stateful firewall would block these unsolicited IPv6 packets from the wider Internet. There’s still a lot of room for trouble inside the network — where you probably have working IPv6 connectivity even without routable IPv6 from your ISP. In conclusion, get this one patched ASAP.
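Microsoft has not published details, so the following is an added illustration (my own code, not Windows' network stack and not the patched bug) of the class of sanity checks a fragment reassembler has to make when the theory above is right: it parses the RFC 8200 fragment header, refuses overlapping fragments (the RFC 5722 rule), bounds the reassembled size, and caps the number of fragments it will track. The fragment count limit and the sample packets are constructed for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# IPv6 fragment extension header (RFC 8200 §4.5):
# next header (1), reserved (1), fragment offset/res/M (2), identification (4)
FRAG_HDR = struct.Struct("!BBHI")
MAX_REASSEMBLED = 65535   # largest payload without jumbograms
MAX_FRAGMENTS = 64        # our own per-datagram cap (assumed, not from an RFC)


def parse_fragment(raw: bytes) -> Tuple[int, int, bool, int, bytes]:
    """Return (next_header, offset_in_bytes, more_flag, identification, data)."""
    if len(raw) < FRAG_HDR.size:
        raise ValueError("truncated fragment header")
    nh, _reserved, off_flags, ident = FRAG_HDR.unpack_from(raw)
    offset = (off_flags >> 3) * 8      # 13-bit offset in 8-octet units
    more = bool(off_flags & 1)         # M flag: more fragments follow
    return nh, offset, more, ident, raw[FRAG_HDR.size:]


def make_fragment(ident: int, offset: int, more: bool, data: bytes, nh: int = 59) -> bytes:
    """Build a fragment for the demo (constructed input, not captured traffic)."""
    assert offset % 8 == 0
    return FRAG_HDR.pack(nh, 0, ((offset // 8) << 3) | int(more), ident) + data


class Reassembler:
    """Per-identification queues with the checks a safe reassembler needs."""

    def __init__(self) -> None:
        self.queues: Dict[int, List[Tuple[int, bytes]]] = {}
        self.total: Dict[int, int] = {}   # known full length once the last fragment arrives

    def _drop(self, ident: int) -> None:
        self.queues.pop(ident, None)
        self.total.pop(ident, None)

    def add(self, raw: bytes) -> Optional[bytes]:
        """Feed one fragment; return the reassembled payload when complete, else None."""
        _nh, offset, more, ident, data = parse_fragment(raw)
        end = offset + len(data)
        # Non-final fragments must be a multiple of 8 octets (RFC 8200).
        if more and len(data) % 8:
            self._drop(ident)
            return None
        # Bound the reassembled size before buffering anything.
        if end > MAX_REASSEMBLED or (ident in self.total and end > self.total[ident]):
            self._drop(ident)
            return None
        q = self.queues.setdefault(ident, [])
        if len(q) >= MAX_FRAGMENTS:
            self._drop(ident)
            return None
        # Any overlap with an already-queued fragment discards the whole datagram.
        for o, d in q:
            if offset < o + len(d) and o < end:
                self._drop(ident)
                return None
        q.append((offset, data))
        if not more:
            # A second "last" fragment, or an earlier fragment past the end, is bogus.
            if ident in self.total or any(o + len(d) > end for o, d in q):
                self._drop(ident)
                return None
            self.total[ident] = end
        total = self.total.get(ident)
        if total is None:
            return None
        # No overlaps, every fragment within [0, total], and the byte count
        # equals total: the fragments are contiguous and complete.
        if sum(len(d) for _, d in q) != total:
            return None
        q.sort()
        payload = b"".join(d for _, d in q)
        self._drop(ident)
        return payload
```

Note that every rejection discards the whole partial datagram rather than just the offending fragment, so an attacker cannot keep a queue alive indefinitely by feeding it bad pieces; the same reasoning is why the reassembler bounds the size before it buffers data rather than after.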
Considering its harm, I will not disclose more details in the short term.
— wei (@XiaoWei___) August 14, 2024
Don’t Roll Your Own Crypto!
There’s a rallying cry, aimed at anyone responsible for building secure systems: “Don’t roll your own crypto!” But why? Surely a secret algorithm that only you understand is more secure, right? No. Particularly not when tools like Ghidra put firmware reverse engineering within the grasp of every security researcher. Case in point, the Vstarcam CB73 security camera that [Brown Fine Security] took a look at.
The first clue that something was wrong was that packets were being repeated, byte-for-byte identically. As [Brown] points out, a good cryptography scheme has some sort of protection against replay attacks. This one had none at all. Another issue with this homebrew crypto scheme is that it only has 256 possible internal states, and once you know the trick the whole thing is trivially decryptable, no key required. This is why you don’t roll your own crypto.
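What replay protection looks like on the receiving side, as an added example (my code, not the camera's firmware or the researcher's write-up): every packet carries a sequence number that is covered by an HMAC, and the receiver keeps a sliding window of sequence numbers it has already accepted, the same idea IPsec uses for anti-replay. The key and messages are constructed for the demo; a real protocol would pair this with an AEAD cipher for confidentiality, which the standard library does not provide and so is left out here.

```python
import hashlib
import hmac
import struct
from typing import Optional

KEY = b"constructed-demo-key-not-for-real-use"   # constructed sample key
SEQ = struct.Struct(">Q")                          # 64-bit sequence number
TAG_LEN = 32                                       # HMAC-SHA256 output


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Packet = seq || payload || HMAC-SHA256(key, seq || payload)."""
    body = SEQ.pack(seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReplayWindow:
    """Receiver state: highest sequence accepted plus a bitmap of the
    previous `size` sequence numbers (bit i set => highest - i was seen)."""

    def __init__(self, key: bytes, size: int = 64) -> None:
        self.key = key
        self.size = size
        self.highest = -1   # nothing accepted yet
        self.bitmap = 0

    def accept(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(packet) < SEQ.size + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # Authenticate before looking at the sequence number, so a forged
        # packet cannot move the window.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        seq = SEQ.unpack_from(body)[0]
        mask = (1 << self.size) - 1
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; a jump past the window empties it.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return body[SEQ.size:]
        offset = self.highest - seq
        if offset >= self.size:
            return None          # older than the window can vouch for: reject
        if (self.bitmap >> offset) & 1:
            return None          # already accepted: this is a replay
        self.bitmap |= 1 << offset
        return body[SEQ.size:]
```

The byte-identical repeats [Brown] noticed would be rejected by the second `accept` call here; the window also lets modestly out-of-order packets through, which is why it is a bitmap rather than a single "last sequence seen" counter.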
Old School CSS Trick
This write-up from Adepts of 0xCC is a trip down memory lane, to a time when browsers let websites get away with way more, like detecting whether links had been visited by detecting the style that the browser used to display them. Browsers eventually locked down those sorts of tricks, but what’s old is new again, with just a bit of cleverness. In this case, generate a captcha, and set the page’s CSS to make the visited links blend in with the background. The user completes the captcha, and based on which characters were typed, you have some basic history information. Clever!
Ring -2
The classic x86 architecture has a four ring system, where userspace applications run in Ring 3 and the kernel runs in Ring 0. But the sneaky truth is that our x86 processors are actually emulating the x86 instruction set, Rings 1 and 2 are never used, and there’s a CPU management engine running all the way down at Ring -3. This suggests to the security minded that it would be particularly bad for something malicious to run at one of those hidden ring levels. And that’s exactly what [jjensn] managed to pull off.
In this case it’s in the motherboard firmware, in the System Management Engine. A bit of vulnerable code in a couple of places allows writing data into protected SMRAM memory, into Ring -2. A bit of clever work corrupts the SMRAM just enough to jump into shellcode without crashing the machine. And suddenly an attacker can own a machine on a level two layers below the OS.
Bits and Bytes
Careful with your artifacts. Apparently quite a few GitHub CI scripts take the easy way out, and just zip up the entire work directory as an artifact. That’s not great, as generally artifacts are accessible to anyone with a GitHub account, and the .git folder very likely has a GitHub token in it.
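A pre-upload check for that mistake, as an added example (my code, not GitHub's tooling or anything from the report above): it opens an artifact zip and flags paths that should never be published, token-shaped strings using GitHub's documented `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefixes, and a `.git/config` carrying a persisted `extraheader` authorization entry (the assumption being that the checkout step stored its credential there, which is the default when credentials are persisted). The sample artifact is constructed in memory.

```python
import io
import re
import zipfile
from typing import List

# Paths that have no business in a published artifact.
SENSITIVE_PATHS = [
    re.compile(r"(^|/)\.git/"),
    re.compile(r"(^|/)\.env$"),
    re.compile(r"(^|/)id_(rsa|ed25519)$"),
]
# GitHub token shapes: documented prefix plus a 36+ character body.
TOKEN_RE = re.compile(rb"gh[pousr]_[A-Za-z0-9]{36,}")
MAX_SCAN_BYTES = 1_000_000   # skip content scanning of big binaries


def scan_artifact(zip_bytes: bytes) -> List[str]:
    """Return human-readable findings for an artifact zip held in memory."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if any(p.search(name) for p in SENSITIVE_PATHS):
                findings.append(f"sensitive path: {name}")
            if info.is_dir() or info.file_size > MAX_SCAN_BYTES:
                continue
            data = zf.read(name)
            if TOKEN_RE.search(data):
                findings.append(f"token-like string in: {name}")
            if name.endswith(".git/config") and b"extraheader" in data.lower():
                findings.append(f"git auth header persisted in: {name}")
    return findings


def build_sample_artifact() -> bytes:
    """Constructed 'zip up the whole workdir' artifact for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("build/app.bin", b"\x7fELF constructed binary")
        zf.writestr(
            ".git/config",
            b'[http "https://github.com/"]\n'
            b"\textraheader = AUTHORIZATION: basic Y29uc3RydWN0ZWQ=\n",
        )
        zf.writestr("notes.txt", b"token=ghp_" + b"A" * 36 + b"\n")
    return buf.getvalue()


def artifact_is_clean(zip_bytes: bytes) -> bool:
    """Gate for a CI step: refuse to upload when anything was flagged."""
    return not scan_artifact(zip_bytes)
```

The simpler fix is to upload only the build output directory in the first place; this scan is the belt to that pair of braces, catching the case where a later step copies something it should not into the artifact tree.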
Speaking of GitHub, another Chrome type confusion vulnerability was written up there in detail. As objects in JavaScript are manipulated, the engine is continually updating the underlying data structures. Cloning objects can be particularly tricky, and changing the properties of an object after a shallow copy can result in memory corruption. Memory corruption, fake objects, and finally code execution outside the JavaScript sandbox.
In Windows, the Mark of the Web is rather important for security, warning users when they’re about to access or execute something from the Internet. It’s also been broken in many interesting ways over the years. Most recently, Web-based Distributed Authoring and Versioning (WEBDAV) shares are used, as they can be accessed by either the browser, or the Windows File Explorer. The most recent fix here adds Mark of the Web to files copied from WEBDAV shares using Explorer. Sneaky.
Think I can offer some insight into those clearly misleading numbers.
You are correct in your assumption that they are extremely high considering the number of active SSN in the USA. However having worked at one of these places and then having used their services for many years afterwards while working as a skip tracer/private investigator.
So the first thing you have to take into consideration is that they are given and purchase identities, SSNs, and any associated information by the barrel-full. Doesn’t matter if they’re old, deceased or incorrect, they buy and integrate it. Because this information is bought from anyone offering it (cell phone companies, marketers, banks, collection agencies are huge sources of updates and most recently the info broker companies that offer updating services en masse).
However, do you think a bank gathering your info for a mortgage has the same information as a blockbuster video would? Obviously not.
So what happens is you can have 5 different records for the same person: one with a SSN attached, the second with only one address and it’s different than all the rest of the files, a third could be for a different person but has the same address, another could be for a matching cell phone, and lastly the fifth is for the right person but it has a typo in the name.
Ideally each person gets a single identity in the system and all is tied to that, however in reality people end up with duplicates with partially different information. So you could end up with 5 differing records for the same person.
The companies actually use this to their advantage by stating they have X gajillion records of people when in reality the number of accurate information is much smaller.
Now all that said, if they’ve been breached it’s so much worse than just your SSN being out there.
These companies build profiles, I remember looking mine up when I started there to see what they had (with their permission of course) and I was blown away.
They had every single address I’ve lived over the last 40 years, who I lived with, almost every employer of mine, for how long. Every payment I’ve made to any debts or credit cards reported by all the differing credit services.
Some people have court records and divorce info integrated; others I’ve seen had the details of the murders they committed and then their subsequent missed payments to the electricity company while they were rotting in jail.
They in effect, for specific people, have your entire history as relevant to an identity thief. How easy would it be to steal an identity and prevent it being taken back by the original owner when I know more about them than they do?
Lastly, I will just say. While credit protection services can help in some regards don’t get complacent. 1) They offer for a fee what all credit unions already offer us all for free. 2) All they do is put a temporary lock on your credit file, so that if anyone attempts to get credit in your name they will call the number on file to verify that you are you.
I can also verify I’m you as I have all your info, so I can have the lock removed or updated to my fraudulent phone number and thus locking you out temporarily.
Sometimes they offer to put a password on your credit file but this is also pointless as you can easily claim to forget it. In which case they default back to the information on file to prove you’re you.
TLDR;
Numbers are definitely lower than stated, in that many of the records will be duplicates. However the information stolen could potentially be even worse than just the SSN.
Source: Industry Worker for 5+ Years, Sold information to these folks for 2+ years, Skip Tracker and Private Investigator for 10+ Years and used their services.
“scripts take the easy wqy out”
i hope the situation isn’t dire enough that you can’t afford a spell checker
“How the CrowdStrike Tech Outage Reignited a Battle Over the Heart of Microsoft Systems”
Microsoft obfuscating c/c++ technologies do not believe in certification of procs/subroutines/modules?
FOIA for
2022 F-35C crash aboard Carl Vinson
software certification information
https://www.prosefights2.org/irp2023/usnavy1.htm