This Week in Security

238 Articles

This Week In Security: Rackspace Falls Over, Poison Ping, And The WordPress Race

December 9, 2022 by 17 Comments

In what’s being described as a Humpty-Dumpty incident, Rackspace customers have lost access to their hosted Exchange service, and by extension, lots of archived emails. The first official word of trouble came on December 2nd, and it quickly became clear that this was more than the typical intern-tripped-over-the-cable incident. Nearly a week later, Rackspace confirmed what observers were beginning to suspect, it was a ransomware attack. There’s not a lot of other answers yet, and the incident FAQ answers are all variations on a theme.

Our investigation into the incident is ongoing and will take time to complete. To ensure the integrity of the ongoing investigation, we do not have additional details to share at this time.

Knowing the security issues that have plagued Microsoft Exchange over the last couple of months, one has to wonder if Rackspace was breached as a result of the PowerShell problems. What’s staggering is that a week after the incident, Rackspace still has no timeline for service restoration.

Rackspace isn’t the only major ransomware attack this week, as a hospital in Versailles has partially shut down due to another ransomware attack. Operations were canceled, and work has to be done the old fashioned way, without the network to support.

Continue reading “This Week In Security: Rackspace Falls Over, Poison Ping, And The WordPress Race”

This Week In Security: Huawei Gets The Banhammer, Lastpass, And Old Code Breaking

December 2, 2022 by 37 Comments

While many of us were enjoying some time off for Thanksgiving, the US government took drastic action against Huawei and four other Chinese companies. The hardest hit are Huawei and ZTE, as the ban prevents any new products from being approved for the US market. The other three companies are Dahua and Hikvision, which make video surveillance equipment, and Hytera, which makes radio systems. FCC Commissioner Brendan Carr noted the seriousness of the decision.

[As] a result of our order, no new Huawei or ZTE equipment can be approved. And no new Dahua, Hikvision, or Hytera gear can be approved unless they assure the FCC that their gear won’t be used for public safety, security of government facilities, & other national security purposes.

There is even the potential that previously approved equipment could have its authorization pulled. The raw FCC documents are available, if you really wish to wade through them. What’s notable is that two diametrically opposed US administrations have both pushed for this ban. It would surely be interesting to get a look at the classified reports detailing what was actually found. Maybe in another decade or two, we can make a Freedom of Information Act request and finally get the full story.

Continue reading “This Week In Security: Huawei Gets The Banhammer, Lastpass, And Old Code Breaking”

This Week In Security: Mastodon, Fake Software Company, And ShuffleCake

November 18, 2022 by 15 Comments

Due to Twitter’s new policy of testing new features on production, the interest in Mastodon as a potential replacement has skyrocketed. And what’s not to love? You can host it yourself, it’s part of the Fediverse, and you can even run one of the experimental forks for more features. But there’s also the danger of putting a service on the internet, as [Gareth Heyes] illustrates by stealing passwords from, ironically, the infosec.exchange instance.
Continue reading “This Week In Security: Mastodon, Fake Software Company, And ShuffleCake”

This Week In Security: Microsoft Patches, Typosquatting Continues, And Code Signing For All

November 11, 2022 by 3 Comments

The pair of Outlook vulnerabilities we’ve been tracking have finally been patched, along with another handful of fixes this Patch Tuesday, a total of six being 0-day exploits. The third vulnerability was also a 0-day, discovered by the Google Threat Analysis Group. This one resulted in arbitrary code execution when a Windows client connected to a malicious server.

A pair of escalation of privilege flaws were fixed, one being yet another print spooler issue, and the other part of a key handling service. The final zero-day fixed was a mark-of-the-web bypass, that being the tag that gets added to file metadata to indicate it’s a download from the internet. If you deliver malware inside an ISO or marked read-only in a zip file, it doesn’t show the warning when executing.

Will Typosquat For Bitcoin

A trend that doesn’t show signs of slowing down is Typosquatting, the simple malware distribution strategy of uploading tainted packages using misspelled variations of legitimate package names. The latest such scheme, discovered by researchers at Phylum, delivered a crypto-stealer in Python packages. These packages were hosted on PyPi, under names like baeutifulsoup4 and cryptograpyh. The packages install a JavaScript file that runs in the background of the browser, and monitors for a cryptocurrency address on the clipboard. When detected, the intended address is swapped for an attacker-controlled address. Continue reading “This Week In Security: Microsoft Patches, Typosquatting Continues, And Code Signing For All”

This Week In Security: OpenSSL Fizzle, Java XML, And Nothing As It Seems

November 4, 2022 by 3 Comments

The security world held our collective breaths early this week for the big OpenSSL vulnerability announcement. Turns out it’s two separate issues, both related to punycode handling, and they’ve been downgraded to high severity instead of critical. Punycode, by the way, is the system for using non-ASCII Unicode characters in domain names. The first vulnerability, CVE-2022-3602, is a buffer overflow that writes four arbitrary bytes to the stack. Notably, the vulnerable code is only run after a certificate’s chain is verified. A malicious certificate would need to be either properly signed by a Certificate Authority, or manually trusted without a valid signature.

A couple sources have worked out the details of this vulnerability. It’s an off-by-one error in a loop, where the buffer length is checked earlier in the loop than the length variable is incremented. Because of the logic slip, the loop can potentially run one too many times. That loop processes the Unicode characters, encoded at the end of the punycode string, and injects them in the proper place, sliding the rest of the string over a byte in memory as a result. If the total output length is 513 characters, that’s a single character overflow. A Unicode character takes up four bytes, so there’s your four-byte overflow. Continue reading “This Week In Security: OpenSSL Fizzle, Java XML, And Nothing As It Seems”

This Week In Security: IOS, OpenSSL, And SQLite

October 28, 2022 by 13 Comments

Earlier this week, a new release of iOS rolled out, fixing a handful of security issues. One in particular noted it “may have been actively exploited”, and was reported anonymously. This usually means that a vulnerability was discovered in the wild, being used as part of an active campaign. The anonymous credit is interesting, too. An educated guess says that this was a rather targeted attack, and the security company that found it doesn’t want to give away too much information.

Of other interest is the GPU-related fix, credited to [Asahi Lina], the VTuber doing work on porting Linux to the Apple M1/M2 platform, and particularly focusing on GPU drivers. She’s an interesting case, and doing some very impressive work. There does remain the unanswered question of how the Linux Kernel will deal with a pull request coming from a pseudonym. Regardless, get your iOS devices updated.

Continue reading “This Week In Security: IOS, OpenSSL, And SQLite”

This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG

October 14, 2022 by 12 Comments

First up is some clever wizardry from the [Aqua Nautilus] research team, who discovered a timing attack that leaks information about private npm packages. The setup is this, npm hosts both public and private node.js packages. The public ones are available to everyone, but the private packages are “scoped”, meaning they live within a private namespace, “@owner/packagename” and are inaccessible to the general public. Trying to access the package results in an HTTP 404 error — the same error as trying to pull a package that doesn’t exist.


The clever bit is to keep trying, and really pay attention to the responses. Use npm’s API to request info on your target package, five times in a row. If the package name isn’t in use, all five requests will take the expected amount of time. That request lands at the service’s backend, a lookup is performed, and you get the response. On the flipside if your target package does exist, but is privately scoped, the first request returns with the expected delay, and the other four requests return immediately. It appears that npm has front-end that can cache a 404 response for a private package. That response time discrepancy means you can map out the private package names used by a given organization in their private scope.

Now this is all very interesting, but it turns into a plausible attack when combined with typosquatting and dependency confusion issues. Those attacks are two approaches to the same goal, get a node.js deployment to run a malicious package instead of the legitimate one the developer intended. One depends on typos, but dependency confusion just relies on a developer not explicitly defining the scope of a package.

Continue reading “This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG”