
Security Leftovers

Filed under
Security
  • Guest Blog Post: Leaking silhouettes of cross-origin images – Attack & Defense

    This is a writeup of a vulnerability I found in Chromium and Firefox that could allow a malicious page to read some parts of an image located on an origin it is not supposed to be able to access. Although technically interesting, it is quite limited in scope—I am not aware of any major websites it could’ve been used against. As of November 17th, 2020, the vulnerability has been fixed in the most recent versions of both browsers.

    [....]

    I reported this bug to Mozilla on May 29th, 2020 through the Mozilla Security Bug Bounty program and to Google through the Chrome Vulnerability Reward the next day. It took some time to figure out which graphics backend is used in Firefox by default these days. With the help of a Google engineer and some profiling tools, we identified that the same piece of Skia code was responsible for this behavior in both browsers.

    Google updated Skia to remove branching on alpha value in blit_row_s32a_opaque completely on August 29th, 2020 and merged that change into Chromium on the same day. Mozilla merged the change on October 6th, 2020.

    Google has issued CVE-2020-16012 to notify users about this bug.

    Both vendors offered very generous bounties for my reports. It’s been a pleasure working with Mozilla and Google to get this fixed, and I would like to take this opportunity to thank Mike Klein from Google and Lee Salzman from Mozilla for their work on diagnosing and fixing the bug. I would also like to thank Tom Ritter and Lee Salzman from Mozilla for their helpful feedback on drafts of this blog post.

  • Kaspersky: old malware and SolarWinds attack code similar, but don't leap to conclusions

    Russian security firm Kaspersky says it has found some similarities in the methods used by the SUNBURST malware, that was used in a supply chain attack on a number of US firms disclosed in December, and long-time attacker, the Turla Group.

  • Why The Latest Cyberattack Was Different

    What sets the SolarWinds attack apart from previous incidents is its sheer scale. The company has over 300,000 customers worldwide, according to filings made to the U.S. Securities and Exchange Commission. Throughout 2020, SolarWinds sent out software updates to roughly 18,000 of them. To date, at least 250 networks have reportedly been affected by the booby-trapped file. Shortly after being downloaded, the virus executes commands that create a backdoor in the network to transfer files, disable services, and reboot machines. Targeted institutions include the U.S. departments of Defense, Homeland Security, State, Energy, and the Treasury; all five branches of the U.S. military; the National Nuclear Security Administration, and 425 of the Fortune 500 companies, including Cisco, Equifax, MasterCard, and Microsoft. There have been other major cyberattacks in the past, but none has achieved this kind of penetration. By compromising powerful governments and businesses, including some of the most successful technology companies, the SolarWinds exploit shatters the illusion of information security. The [attack] has also spooked the financial services sector.

  • Russia, Reuters and postcards make for a very silly red scare

    The kind of silly claims made by Western news media when it comes to cyber security attacks can be gauged from the latest "exclusive" put out by the British news agency Reuters: a claim that the FBI is investigating a postcard sent to security firm FireEye after it began looking closely at an attack on its own infrastructure.

  • Ransomware Surge Drives 45% Increase in Healthcare Cyber-Attacks [iophk: Windows kills]

    The security vendor’s latest data covers the period from the beginning of November to the end of 2020, and compares it with the previous two months (September-October), a spokesperson confirmed to Infosecurity.

    It revealed a 45% increase in attacks on the healthcare sector, versus less than half this figure (22%) for all other verticals. November was particularly bad, with HCOs suffering 626 weekly attacks on average per organization, compared with 430 in the previous two months.

    Although the attacks span a variety of categories — including ransomware, botnets, remote code execution and DDoS — perhaps unsurprisingly, it is ransomware that displayed the largest increase overall and poses the biggest threat to HCOs, according to Check Point.

    Ryuk and Sodinokibi (REvil) were highlighted as the main culprits.

  • New Year, New Ransomware: Babuk Locker Targets Large Corporations [iophk: Windows TCO]

    The ransomware, which comes in the form of a 32-bit .EXE file, notably lacks obfuscation. It’s also not yet clear how the ransomware is initially spread to victims.

    “So far, we don’t know how the ransomware got into the company, but it’s most likely phishing similar to other ransomware groups’ approaches,” Dong told Threatpost.

  • Ransomware attack forces three-week shutdown of NT Government IT system [iophk: Windows TCO]

    The NT Department of Corporate and Digital Development has told the ABC that an undisclosed perpetrator targeted the unnamed supplier of its web-based corporate software system last year.

  • Staffing firm target of cyber attack [iophk: Windows TCO]

    The [attackers] did not demand a ransom, though Ehrnrooth speculated that such a request would likely have followed if the company had messaged the addresses specified by the [attackers].

    The attack may have put at risk the personal details of tens of thousands of people whose information was on file with the staffing company.

  • Ubiquiti: Change Your Password, Enable 2FA

    Ubiquiti, a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders, security cameras and access control systems, is urging customers to change their passwords and enable multi-factor authentication. The company says an incident at a third-party cloud provider may have exposed customer account information and credentials used to remotely manage Ubiquiti gear.

  • State Department Website Briefly Altered to Say Trump’s Presidency Ends Jan. 11

    On Monday, an update to the U.S. State Department site said President Trump’s time in office was ending on Jan. 11, before the page was removed.

    [...]

    BuzzFeed News reported that a “disgruntled employee” had made the changes. Reps for the State Department did not immediately respond to a request for comment.

  • Microsoft fixes Windows 10 bug forcing restarts

    Microsoft has finally fixed a troublesome bug in Windows 10 that caused forced reboots on some systems running the October 2020 Update.
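The Skia item above says only that the fix removed "branching on alpha value in blit_row_s32a_opaque". The sketch below is an added example, not Skia's code and not the researcher's proof of concept: it reconstructs the shape of such a blitter, with a data-dependent fast path for fully opaque and fully transparent source pixels, beside a branchless replacement that takes the same path for every pixel. The function names blit_row_branchy and blit_row_branchless, the sample pixel rows and the helper names are assumptions for illustration; only the name blit_row_s32a_opaque comes from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 32-bit premultiplied ARGB pixel, alpha in the top byte (the layout Skia's
 * SkPMColor uses). */
typedef uint32_t pmcolor;

static inline uint32_t pm_alpha(pmcolor c) { return c >> 24; }

/* Scale all four channels of a premultiplied colour by scale in [0, 256].
 * Two channels share one multiply, the usual packed-pixel trick. */
static inline pmcolor pm_scale(pmcolor c, uint32_t scale) {
    uint32_t rb = ((c & 0x00FF00FFu) * scale) >> 8;
    uint32_t ag = ((c >> 8) & 0x00FF00FFu) * scale;
    return (rb & 0x00FF00FFu) | (ag & 0xFF00FF00u);
}

/* Source-over for premultiplied pixels: src + dst * (255 - a) / 255, with
 * (255 - a) mapped into [1, 256] so the divide becomes a shift. */
static inline pmcolor src_over(pmcolor src, pmcolor dst) {
    return src + pm_scale(dst, 256 - pm_alpha(src));
}

/* Hypothetical pre-fix shape: which branch runs depends on each source pixel's
 * alpha, so per-pixel time reveals whether the pixel is opaque, transparent
 * or translucent. That data-dependent cost is the side channel. */
void blit_row_branchy(pmcolor *dst, const pmcolor *src, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint32_t a = pm_alpha(src[i]);
        if (a == 0xFF) {
            dst[i] = src[i];                   /* opaque: plain copy, no blend */
        } else if (a != 0) {
            dst[i] = src_over(src[i], dst[i]); /* translucent: full blend */
        }
        /* a == 0: transparent, destination left untouched */
    }
}

/* Hypothetical post-fix shape: every pixel goes through the same blend, so the
 * work done no longer depends on the alpha value. */
void blit_row_branchless(pmcolor *dst, const pmcolor *src, size_t n) {
    for (size_t i = 0; i < n; i++) {
        dst[i] = src_over(src[i], dst[i]);
    }
}

/* Returns 1 if both blitters produce identical output on a constructed row
 * mixing opaque, transparent and translucent source pixels, else 0. This is
 * the functional check the fix has to pass: same pixels, no alpha branch. */
int blitters_agree(void) {
    /* Constructed sample: opaque red, fully transparent, half-alpha grey,
     * opaque blue, all composited onto opaque white. */
    const pmcolor src[] = { 0xFFFF0000u, 0x00000000u, 0x80404040u, 0xFF0000FFu };
    const size_t n = sizeof src / sizeof src[0];
    pmcolor a[4], b[4];
    for (size_t i = 0; i < n; i++) {
        a[i] = 0xFFFFFFFFu;
        b[i] = 0xFFFFFFFFu;
    }
    blit_row_branchy(a, src, n);
    blit_row_branchless(b, src, n);
    return memcmp(a, b, sizeof a) == 0;
}

int main(void) {
    printf("branchy and branchless blitters agree: %s\n",
           blitters_agree() ? "yes" : "no");
    return 0;
}
```

The branchless version does a full blend even for pixels an opaque fast path would have copied, so it costs more per pixel; that is the trade-off accepted to stop the per-pixel cost from tracking a cross-origin image's alpha channel. The blend arithmetic here keeps the two versions pixel-identical on the sample row, which is the property a regression test for such a fix should assert.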

Security Leftovers

  • New coalition aims to combat growing wave of ransomware attacks [iophk: Windows TCO]

    The California-based nonprofit aims to produce recommendations that will help governments and the private sector tackle the scourge of ransomware attacks.

    [Attackers] have increasingly used these types of attacks -- which involve accessing and encrypting the victim’s network and demanding payment to allow access again -- to hit major targets, with city governments in Atlanta, Baltimore and New Orleans severely impaired by ransomware attacks over the past two years.

    More recently, hospitals have become a target during the COVID-19 pandemic, with cyber criminals seeing vulnerable hospitals as easy targets more likely to pay a quick ransom as health care systems struggle to keep up with coronavirus cases. In some instances, the cyberattacks have been blamed for deaths due to delayed care.

  • This tiny shortcut can completely crash your Windows 10 device

    A zero-day exploit has been discovered that can crash your Windows 10 device – and, even more worrying, can be delivered inside a seemingly harmless shortcut file. The vulnerability can corrupt any NTFS-formatted hard drive and even be exploited by standard and low privilege user accounts.

    Security researcher Jonas Lykkegaard referenced the vulnerability on Twitter last week and had previously drawn attention to the issue on two previous occasions last year. Despite this, the NTFS vulnerability remains unpatched.

    There are various ways to trigger the vulnerability that involve trying to access the $i30 NTFS attribute on a folder in a particular way. One such exploit involves the creation of a Windows shortcut file that has its icon location set to C:\:$i30:$bitmap. Bleeping Computer found that this triggered the vulnerability even if users did not attempt to click on the file in question. Windows Explorer’s attempts to access the icon path in the background would be enough to corrupt the NTFS hard drive.

  • This Easily-Exploitable Windows 10 NTFS Bug Can Instantly Corrupt Your Hard Drives

    Jonas says that this Windows 10 bug isn't new and has been around since the release of Windows 10 April 2018 Update, and remains exploitable on the latest versions, as well. BleepingComputer shared that the problematic command includes $i30 string, a Windows NTFS Index Attribute associated with directories.

    [...]

    After running the command, Windows 10 will start displaying prompts to restart the device and repair the corrupted drive. Apparently, the issue also impacts some Windows XP versions and similar NTFS bugs have been known for years but are yet to be addressed by the Windows maker.

  • Nidhi Razdan, Phishing, And Three Hard Lessons

    Nidhi Razdan, a career journalist, became a victim of an elaborate phishing attack that made her quit her 21-year-old job and part with many of her personal details.

  • Windows Finger command abused by phishing to download malware

    Attackers are using the normally harmless Windows Finger command to download and install a malicious backdoor on victims' devices. The 'Finger' command is a utility that originated in Linux/Unix operating systems that allows a local user to retrieve a list of users on a remote machine or information about a particular remote user. In addition to Linux, Windows includes a finger.exe command that performs the same functionality.

Security Auditing Tools For Ubuntu

Malware, where aren’t thou found? Well, even our wonderful Ubuntu can be infected. So what can we do about it? Hope and pray we keep our system safe and, better yet, audit our systems regularly for malware and rootkits. There are 4 system auditors for Ubuntu that we will review - lynis, rkhunter, chkrootkit, and clamav. [...] Oddly enough, there aren’t many tools to scan for malware out there for Linux. Why? I’m not sure. However, these 4 tools are more than enough to detect malware, rootkits, and viruses.