Vulnerable U | #058
Let's talk a lot about the XZ incident, Facebook snooping on encrypted Snapchat traffic, CISA tearing apart Microsoft, the IntelBroker US Government breach, and a Chrome feature to stop hackers from using stolen cookies.
Read Time: 5 minutes
Howdy friends!
Writing you from SFO, waiting for my flight back to ATX. Came out here to host a meetup @ Reddit HQ we called SnooSec. It went awesome, we had a great turnout, and great talks. The sentiment was, "Man, we missed these kinds of in-person meetups."
Speaking of, Vulnerable U is sponsoring a few meetups at RSA, so keep an eye out. The first one is the Securosis Recovery Breakfast on Thursday morning. We all need to recover after the RSA marathon, so come decompress for a bit.
ICYMI
Something I wrote: Ranted about how security vendors need to integrate into security team's pipelines/workflows. Gone are the days of analysts interpreting PDFs.
Something I heard: Rachel Tobac is awesome. Darknet Diaries is awesome. Rachel on Darknet Diaries is very awesome.
Something I said: Was on the Phillip Wylie show this week talking about infosec career paths and mental health in cyber.
Something I read: Rich Mogull makes some great points about the recent scathing report out of CISA about Microsoft. It's Time for a Microsoft Trustworthy Cloud Initiative
Vulnerable News
Let's be honest. This is basically the XZ special edition. There are a lot of great pieces to make sure we cover on the story as it is one of the bigger stories in our industry in years. Let's start with my high level 90 second description of the incident:
Did my best to explain the XZ issue to my TikTok and IG audience.
TikTok delisted and demonetized for unspecified community guidelines violations
So here Twitter you get it.
— Matt Johansen (@mattjay)
11:31 PM • Apr 1, 2024
TL;DR - XZ, which is on almost all Linux boxes, was being maintained by one person. A threat actor gained that maintainer's trust by committing helpful code and then eventually used that trust to slip a backdoor in.
Here is the post that started it all. This backdoor was found by Andres from Microsoft, who was benchmarking some things and noticed his login time was 500ms slower than he'd expected. This had him dig in more, and he found the backdoor. (read more)
(Hacker News comments) Backdoor in upstream xz/liblzma leading to SSH server compromise
Magoo is a major role model of mine, but besides that, here he created a great splash page with links, resources, and timeline for the XZ incident. (read more)
Evan has one of the other best writeups I've seen of things found out in real time, detailing even the attacker's Git history. (read more)
The xz backdoor just got even *more* interesting… (h/t @FiloSottile )
— Dino A. Dai Zovi (@dinodaizovi)
7:26 PM • Mar 30, 2024
Here is an osquery query that can help: https://gist.github.com/jamesspi/ee8319f55d49b4f44345c626f80c430f
A great thread into the mental state of the XZ maintainer and how that was crucial in this attack even getting as far as it did. (read more)
The xz backdoor was initially caught by a software engineer at Microsoft. He noticed 500ms lag and thought something was suspicious.
This is the Silverback Gorilla of nerds. The internet final boss.
— vx-underground (@vxunderground)
1:49 PM • Mar 30, 2024
A great Wired article that looks back into the Jia Tan persona and its behavior. A lot of folks jumped to point to China for this. The name and time zone are definitely meant to make you think Asia. But some researchers note that the time zone was not consistent, and we even see some possible slip-ups where they might've forgotten to set the right time zone and actually committed from Eastern Europe.
There are some clues about them working through Chinese holidays but missing Christmas that point towards the possibility of someone trying to make it look Chinese but not really being Chinese. (read more)
What do you think? Based on the evidence, where do you think "Jia Tan" is from?
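The offset check described above is easy to run on your own dependencies' history. This is an added example (mine, not from the newsletter or the Wired piece it links) that tabulates the author UTC offset of each commit, picks the dominant one, flags commits that break the pattern, and builds an hour-of-day profile on the dominant clock. The log lines are constructed sample data in `git log --format="%h %aI"` shape, not real xz history; the function names are my own.

```javascript
// Added example, not code from the newsletter or any linked writeup.
// Input lines are CONSTRUCTED to look like `git log --format="%h %aI"`.
const SAMPLE_LOG = [
  "aaa0001 2023-06-27T17:27:09+08:00",
  "aaa0002 2023-06-28T18:10:44+08:00",
  "aaa0003 2023-07-03T16:05:12+08:00",
  "aaa0004 2023-07-04T19:30:00+08:00",
  "aaa0005 2023-07-10T17:45:31+08:00",
  "aaa0006 2023-07-11T13:12:07+03:00", // the one commit with a different offset
  "aaa0007 2023-07-12T18:00:00+08:00",
];

// Parse "<hash> <ISO-8601 author date>" into the fields the analysis needs.
function parseCommitLine(line) {
  const [sha, iso] = line.trim().split(/\s+/);
  const m = /([+-])(\d{2}):?(\d{2})$/.exec(iso);
  if (!m) throw new Error(`no numeric UTC offset in: ${iso}`);
  const sign = m[1] === "-" ? -1 : 1;
  const offsetMinutes = sign * (Number(m[2]) * 60 + Number(m[3]));
  return { sha, date: new Date(iso), offsetMinutes };
}

// Render minutes east of UTC in git's "+0800" style.
function formatOffset(minutes) {
  const abs = Math.abs(minutes);
  const hh = String(Math.floor(abs / 60)).padStart(2, "0");
  const mm = String(abs % 60).padStart(2, "0");
  return `${minutes < 0 ? "-" : "+"}${hh}${mm}`;
}

// Hour of day of `date` if the wall clock were set to `offsetMinutes`.
function localHourAt(date, offsetMinutes) {
  const utcMinutes = date.getUTCHours() * 60 + date.getUTCMinutes();
  return Math.floor((((utcMinutes + offsetMinutes) % 1440) + 1440) % 1440 / 60);
}

function analyzeOffsets(lines) {
  const commits = lines.map(parseCommitLine);

  // Count commits per declared offset and pick the most common one.
  const counts = new Map();
  for (const c of commits) counts.set(c.offsetMinutes, (counts.get(c.offsetMinutes) || 0) + 1);
  let dominant = null;
  for (const [off, n] of counts) if (dominant === null || n > counts.get(dominant)) dominant = off;

  // Commits whose offset differs deserve a second look: a mis-set clock,
  // a different machine, or a slip by someone keeping up a persona.
  const outliers = commits
    .filter((c) => c.offsetMinutes !== dominant)
    .map((c) => ({ sha: c.sha, offset: formatOffset(c.offsetMinutes) }));

  // Working-hours profile with every commit re-expressed in the dominant
  // offset, so an outlier's instant is compared on the same clock as the rest.
  const hourHistogram = {};
  for (const c of commits) {
    const h = localHourAt(c.date, dominant);
    hourHistogram[h] = (hourHistogram[h] || 0) + 1;
  }

  return {
    dominantOffset: formatOffset(dominant),
    counts: Object.fromEntries([...counts].map(([off, n]) => [formatOffset(off), n])),
    outliers,
    hourHistogram,
  };
}

console.log(JSON.stringify(analyzeOffsets(SAMPLE_LOG), null, 2));
```

An inconsistent offset is a lead, not a verdict: the author date is whatever the committer's machine (or a rewritten history) says it is, so treat the output as one signal to weigh alongside the commit content and review activity.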
Rob Mensching's blog post provides a detailed narrative of the issues in open-source project maintenance, particularly highlighted by the xz/liblzma vulnerability incident. He discusses the burnout of the original maintainer, the entry of a malicious actor into the project, and the complex dynamics and pressures within open-source communities. The post reflects on the need for change in how open source projects are managed and maintained, emphasizing the heavy reliance on individual maintainers and the risks it poses. (read more)
There is a court case going on right now that is causing a lot of documents to become public, and they are teaching us all sorts of things about Facebook's behavior and data privacy abuses. Notably, here, Facebook saw Snapchat as a competitor, realized they didn't have good analytics on how Snap's users were using that platform, and decided to do something about it. Doing something here meant acquiring a VPN company, secretly paying teenagers to use it, and snooping on the encrypted traffic to Snap to collect said data. (read more)
This thing Facebook did — running an MITM on Snapchat and other competitors' TLS connections via their Onavo VPN — is so deeply messed up and evil that it completely changes my perspective on what that company is willing to do to its users.
— Matthew Green (@matthew_d_green)
2:13 PM • Mar 31, 2024
Remember that AT&T breach we talked about in the last few episodes? The one they denied? Well, raise your hand if you got a breach notification and a forced password reset this week. Looks like they found evidence the breach was legit and started forcibly resetting passwords as a defense. (read more)
The Pakistan-based cyber crime team, the Manipulators, are the ones behind a phishing/spam tool called HeartSender. DomainTools wrote a good breakdown of their activities, including how they're claiming to operate as a legitimate business. Great writeup here showing the whole scale of their malicious domains and the group's security lapses that allowed this kind of tracking. (read more)
Going to steal Rich Mogull's line from the blog I linked up top. "CISA just released their report on the big Summer 2023 Microsoft Exchange Online Intrusion. You could call it blistering, but I call it more of a third degree plasma burn."
We covered this Microsoft breach a lot in the newsletter, but if you're new here: Microsoft has been a nation-state punching bag a bit over the last few years. The most recent major attack was a rough one in particular because the comms were handled poorly around what the impact actually was. They stated no source code was stolen and then had to correct that. This happens in Incident Response, and I'm glad they kept looking for info after initial comms, but it didn't help the public eye battle they were fighting. This new CISA report certainly adds fuel to that fire. Worth a read; I've never seen them come out so pointed at a single private company like this. (read more)
A classic thank you to Troy from haveibeenpwned. If you're not using his service and resetting your users' accounts that pop up there, you should be. Here is a new 4 million user breach of SurveyLama that includes: dates of birth, email addresses, IP addresses, names, passwords, phone numbers, physical addresses. (read more)
File this under a watch item. It's not verified, but it made my spidey senses tingle as it could be a very big deal once we find out more.
404media has been on a tear going after any AI companies that are aiding in non-consensual deepfake porn. I find the space super interesting as it crosses many ethical lines to use people's likeness in this way. One of the pieces of tech that was common in these schemes was a face swap app used to put victims' faces onto adult film stars. After making enough noise about it, it seems Google has taken action to remove the app from the Play Store. I fear this will be cat and mouse for a while, though, as a lot of copycats exist and don't even need the mobile app stores to distribute. (read more)
Google is introducing a new Chrome security feature called 'Device Bound Session Credentials' (DBSC) to enhance account protection. This feature cryptographically ties authentication cookies to the user's device, preventing stolen cookies from being used on different devices. By utilizing the Trusted Platform Module (TPM) chip, DBSC ensures that stolen cookies are useless to attackers, enhancing security for both consumers and enterprise users. (read more)
Miscellaneous mattjay
Someone asked me for a copy of a document that doesn't exist because a genAI hallucinated it to them and said I authored it. It feels weird that a robot had a dream about me.
— Scott Piper (@0xdabbad00)
4:11 PM • Apr 2, 2024
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay