This Week In Security: Snowflake, The CVD Tension, And Kaspersky’s Exit — And Breaking BSOD

In the past week, AT&T has announced an absolutely massive data breach. This is sort of a multi-layered story, but it gives me an opportunity to use my favorite piece of snarky IT commentary: The cloud is a fancy way to talk about someone else’s servers. And when that provider has a security problem, chances are, so do you.

The provider in question is Snowflake, who first made the news in the Ticketmaster breach. As far as anyone can tell, Snowflake has not actually been directly breached, though it seems that researchers at Hudson Rock briefly reported otherwise. That post has not only been taken down, but also scrubbed from the Wayback Machine, apparently in response to a legal threat from Snowflake. Ironically, Snowflake has confirmed that one of their former employees was compromised, but Snowflake is certain that nothing sensitive was available from the compromised account.

At this point, it seems that the twin problems are that big organizations aren’t properly enforcing security policy like Two Factor Authentication, and Snowflake just doesn’t provide the tools to set effective security policy. The Mandiant report indicates that all the breaches were the result of credential stealers and other credential-based techniques like credential stuffing.

FLOSS Weekly Episode 792: Rust Coreutils

This week Jonathan Bennett and Jeff Massie chat with Sylvestre Ledru about the Rust Coreutils! Why would we want to re-implement 50 year old utilities, what’s the benefit of doing them in Rust, and what do the maintainers of the regular coreutils project think about it?

This Week In Security: Blast-RADIUS, Gitlab, And Plormbing

The RADIUS authentication scheme, short for “Remote Authentication Dial-In User Service”, has been widely deployed for user authentication in all sorts of scenarios. It’s a bit odd, in that individual users authenticate to a “RADIUS Client”, sometimes called a Network Access Server (NAS). In response to an authentication request, a NAS packages up the authentication details and sends them to a central RADIUS server for verification. The server then sends back a judgement on the authentication request, and if successful the user is authenticated to the NAS/client.

The scheme was updated to its current form in 1994, back when MD5 was considered a cryptographically good hash. It’s been demonstrated that MD5 has problems, most notably a chosen-prefix collision attack demonstrated in 2007. The basis of this collision attack is that given two arbitrary messages, it is possible to find a pair of values that, when appended to the end of those messages, result in matching MD5 hashes for each combined message. It turns out this is directly applicable to RADIUS.

FLOSS Weekly Episode 791: It’s All About Me!

This week David Ruggles chats with Jonathan Bennett about his origin story! What early core memory does Jonathan pin his lifelong computer hobby on? And how was a tense meeting instrumental to Jonathan’s life outlook? And how did Jonathan manage to score a squashable brain toy from an equipment manufacturer? Watch the whole show to find out!

This Week In Security: Hide Yo SSH, Polyfill, And Packing It Up

The big news this week was that OpenSSH has an unauthorized Remote Code Execution exploit. Or more precisely, it had one that was fixed in 2006, that was unintentionally re-introduced in version 8.5p1 from 2021. The flaw is a signal handler race condition, where async-signal-unsafe code gets called from within the SIGALRM handler. What does that mean?

FLOSS Weekly Episode 790: Better Bash Scripting With Amber

This week Jonathan Bennett and Dan Lynch chat with Paweł Karaś about Amber, a modern scripting language that compiles into a Bash script. Want to write scripts with built-in error handling, or prefer strongly typed languages? Amber may be for you!

This Week In Security: Kaspersky Ban, Project Naptime, And More

The hot news this week is that Kaspersky is banned in the USA. More specifically, Kaspersky products will be banned from sale in the US starting on September 29. This ban will extend to blocking software updates, though it’s unclear how that will actually be accomplished. It’s reasonable to assume that payment processors will block payments to Kaspersky, but will ISPs be required to block traffic that could contain antivirus updates?

WordPress Plugin Backdoor

A Quartet of WordPress plugins have been found to have recently included backdoor code. It’s a collection of five Open Source plugins, seemingly developed by unrelated people. Malicious updates first showed up on June 21st, and it appears that all five plugins are shipping the same malicious code.

Rabbit AI API

The Rabbit R1 was released to less than thunderous applause. The idea is a personal AI device, but the execution has been disappointing, to the point of reviewers suggesting some of the earlier claims were fabricated. Now it seems there’s a serious security issue, in the form of exposed API keys that have *way* too many privileges.

The research seems to have been done by the rabbitude group, who found the keys back in May. Of the things allowed by access to the API keys, the most worrying for user privacy was access to every text-to-speech call. Rabbitude states in their June 25 post that “rabbit inc has known that we have had their elevenlabs (tts) api key for a month, but they have taken no action to rotate the api keys.” On the other hand, rabbit pushed a statement on the 26th, claiming they were just then made aware of the issue, and made the needed key rotations right away.