šŸŽ“ļø Vulnerable U | #058

Let's talk a lot about the XZ incident, Facebook snooping on encrypted Snapchat traffic, CISA tears apart Microsoft, IntelBroker US Governemnt breach, Chrome feature to stop hackers from using stolen cookies

Read Time: 5 minutes

Howdy friends!

Writing you from SFO, waiting for my flight back to ATX. Came out here to host a meetup @ Reddit HQ we called SnooSec. It went awesome, we had a great turnout, and great talks. The sentiment was, ā€œMan, we missed these kinds of in-person meetups.ā€

Speaking of, Vulnerable U is sponsoring a few meetups at RSA, so keep an eye out. The first one is the Securosis Recovery Breakfast on Thursday morning. We all need to recover after the RSA marathon, so come decompress for a bit.

ICYMI

šŸ–Šļø Something I wrote: Ranted about how security vendors need to integrate into security teamā€™s pipelines/workflows. Gone are the days of analysts interpreting PDFs.

šŸŽ§ļø Something I heard: Rachel Tobac is awesome. Darknet Diaries is awesome. Rachel on Darknet Diaries is very awesome.

šŸŽ¤ Something I said: Was on the Phillip Wylie show this week talking about infosec career paths and mental health in cyber.

šŸ”– Something I read: Rich Mogull makes some great points about the recent scathing report out of CISA about Microsoft. Itā€™s Time for a Microsoft Trustworthy Cloud Initiative

Vulnerable News

Letā€™s be honest. This is basically the XZ special edition. There are a lot of great pieces to make sure we cover on the story as it is one of the bigger stories in our industry in years. Letā€™s start with my high level 90 second description of the incident:

(TikTok or Instagram if youā€™d rather over Twitter)

TL;DR - XZ which is on almost all Linux boxes was being maintained by 1 person. A threat actor gained that maintainers trust by committing helpful code and then eventually used that trust to slip a backdoor in.

Here is the post that started it all. This backdoor was found by Andres from Microsoft who was benchmarking some things and noticed his login time was 500ms slower than heā€™d expected. This had him dig in more and he found the backdoor. (read more)

Magoo is a major role model of mine, but besides that, here he created a great splash page with links, resources, and timeline for the XZ incident. (read more)

Evan has one of the other best writeups iā€™ve seen of things found out in real time detailing even the attackers Git history. (read more)

A great thread into the mental state of the XZ maintainer and how that was crucial in this attack even getting as far as it did. (read more)

A great Wired article that looks back into the Jia Tan persona and itā€™s behavior. A lot of folks jumped to point to China for this. The name and time zone are definitely meant to make you think Asia. But some researchers note that the time zone was not consistent and we even see some possible slip ups where they mightā€™ve forgot to set the right time zone and actually commit from eastern Europe.

There are some clues about them working through Chinese holidays but missing Christmas that point towards the possibility of someone trying to make it look Chinese but not really Chinese. (read more)

What do you think?

Based on the evidence, Where do you think "Jia Tan" is from?

Login or Subscribe to participate in polls.

Rob Mensching's blog post provides a detailed narrative of the issues in open-source project maintenance, particularly highlighted by the xz/liblzma vulnerability incident. He discusses the burnout of the original maintainer, the entry of a malicious actor into the project, and the complex dynamics and pressures within open-source communities. The post reflects on the need for change in how open source projects are managed and maintained, emphasizing the heavy reliance on individual maintainers and the risks it poses. (read more)

There is a court case going on right now that is causing a lot of documents to be public that are teaching us all sorts of things about Facebookā€™s behavior and data privacy abuses. Notably, here, Facebook saw Snapchat as a competitor, realized they didnā€™t have good analytics on how Snapā€™s users were using that platform, and decided to do something about it. Doing something here means - acquiring a VPN company, secretly paying teenagers to use it, and snooping on the encrypted traffic to Snap to collect said data. (read more)

Remember that AT&T breach we talked about in the last few episodes? The one they denied? Well raise your hand if you got a breach notification and a forced password reset this week. Looks like they found evidence the breach was legit and started forcibly resetting passwords as a defense. (read more)

The Pakistan-based cyber crime team, the Manipulators, are the ones behind a phishing/spam tool called HearSender. Domain Tools wrote a good breakdown of their activities including how theyā€™re claiming to operate as a legitimate business. Great writeup here showing the whole scale of their malicious domains and the groups security lapses that allowed this kind of tracking. (read more)

Going to steal Rich Mogullā€™s line from the blog I linked up top. ā€œCISA just released their report on the big Summer 2023 Microsoft Exchange Online Intrusion. You could call it blistering, but I call it more of a third degree plasma burn.ā€

We covered this Microsoft breach a lot in the newsletter, but if youā€™re new here - Microsoft has been a nation-state punching bag a bit over the last few years. The most recent major attack was a rough one in particular because the comms was handled poorly around what the impact actually was. They stated no source code was stolen and then had to fix that. This happens in Incident Response, and Iā€™m glad they kept looking for info after initial comms, but it didnā€™t help the public eye battle they were fighting. This new CISA report certainly adds fuel to that fire. Worth a read, Iā€™ve never seen them come out so pointed at a single private company like this. (read more)

A classic thank you to Troy from haveibeenpwned. If youā€™re not using his service and resetting your userā€™s accounts that pop up here, you should be. Here is a new 4 million user breach of SurveyLama that includes: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses (read more)

File this under a watch item. It's not verified, but it made my spidey senses tingle as it could be a very big deal once we find out more.

404media has been on a tear going after any AI companies that are aiding in non-consensual deepfake porn. I find the space super interesting as it crosses many ethical lines to use peopleā€™s likeness in this way. One of the pieces of tech that was common in these schemes was a face swap app used to put victimsā€™ faces onto adult film stars. After making enough noise about it, it seems Google has taken action to remove the app from the Play Store. I fear this will be cat and mouse for a while, though, as a lot of copycats exist and donā€™t even need the mobile app stores to distribute. (read more)

Google is introducing a new Chrome security feature called 'Device Bound Session Credentials' (DBSC) to enhance account protection. This feature cryptographically ties authentication cookies to the user's device, preventing stolen cookies from being used on different devices. By utilizing the Trusted Platform Module (TPM) chip, DBSC ensures that stolen cookies are useless to attackers, enhancing security for both consumers and enterprise users (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay