Hallowed Bugtraq infosec list killed then resurrected over the weekend: We heard your feedback, says Accenture

Plus: Watch out for NTFS-corrupting folder, Mimecast hack, and more

In brief Last week ended with news that the venerable infosec mailing list Bugtraq was being shut down at the end of the month.

From its first posts in November 1993, Bugtraq aimed to get details of vulnerabilities, as well as defence and exploitation techniques, onto netizens' radar, and discussed among admins and security researchers. Posts to this once high-volume Symantec-owned list stopped on February 22 last year, and now we know why – a lack of funding and resources.

"Assets of Symantec were acquired by Broadcom in late 2019, and some of those assets were then acquired by Accenture in 2020," an email from the list administrators read.

"At this time, resources for the Bugtraq mailing list have not been prioritized, and this will be the last message to the list. The archive will be shut down January 31st, 2021."

Then on Sunday, Accenture had a change of heart. It's now looking like Bugtraq could last a while longer.

"Bugtraq has been a valuable institution within the Cyber Security community for almost 30 years. Many of our own people entered the industry by subscribing to it and learning from it," the Accenture team said. "So, based on the feedback we've received both from the community-at-large and internally, we've decided to keep the Bugtraq list running. We'll be working in the coming weeks to ensure that it can remain a valuable asset to the community for years to come."

If you're using non-Chromium Edge on Windows, don't. A bug-hunter known as Jonas L found that accessing a specially named folder path on NTFS will corrupt the file-system on Windows 10 1803 and later, requiring a reboot and repair operation. Non-Chromium Edge browsers will try to open the path if it's in a URL in a malicious webpage, triggering the flaw. There are other ways to get people to open the path, such as by hiding the folder in a zip file. It's hoped Microsoft will fix this soon. We're not going to share the folder name until then.

Mimecast cert hack: Enterprise security shop Mimecast revealed last week that one of its security certificates, used to link its products to Microsoft 365 deployments, was compromised, potentially allowing miscreants to, for instance, snoop on organizations' data in transit between the affected Mimecast and Microsoft services. Mimecast wouldn't comment further mid-investigation, though said in a statement:

Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor.

Approximately 10 percent of our customers use this connection. Of those that do, there are indications that a low single digit number of our customers’ M365 tenants were targeted. We have already contacted these customers to remediate the issue.

As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available. Taking this action does not impact inbound or outbound mail flow or associated security scanning.

COVID-19 data leaked: The EU Medicines Agency said some of the coronavirus vaccine approval documents stolen during a network intrusion it disclosed last month have been shared online.

"Some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet," it said in a statement.

"Necessary action is being taken by the law enforcement authorities. The Agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorised access."

The thieves abused a single vulnerable application to extract the info, EMA said in an earlier update.

How zero-days are exploited in the real world: Patch Tuesday is always a busy time as vendors emit scores of product fixes, which made it surprising that Google's Project Zero hotshots used the day to publish a six-part detailed report into a fairly unusual incident involving four zero-day holes being abused in the wild to hijack people's computers and devices.

The exploitation of the programming blunders was picked up early last year, and carried out by "a highly sophisticated" outfit, we're told. The intruders were observed using two different servers, one going after Windows machines and the other Android, in so-called watering-hole attacks – which is where the snoops figure out the websites or services routinely used by their targets, and compromise said platforms to then infect the visitors.

One of the exploited Chrome zero-day holes was a faulty JIT compiler issue, and the intruder chained this with three zero-day flaws in Windows' font handling and CSRSS to gain control of PCs. While the Android attack used exploits for known bugs in older builds of the OS, the Googlers said they think the attacker has zero-day exploits for the mobile operating system, too.

"These exploit chains are designed for efficiency and flexibility through their modularity," Project Zero said.

"They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains."

Install an ad-blocker, says CISA: There were two alerts last week from the US government's Cybersecurity and Infrastructure Security Agency (CISA), one warning of hackers succeeding in busting open several enterprise clouds and another [PDF] suggesting federal agencies use ad blockers.

"CISA is aware of several recent successful cyberattacks against various organizations’ cloud services," the agency said. "The cyber threat actors involved in these attacks used a variety of tactics and techniques - including phishing, brute force login attempts, and possibly a 'pass-the-cookie' attack - to attempt to exploit weaknesses in the victim organizations’ cloud security practices."

The pass-the-cookie attack is noteworthy as it may have allowed one miscreant to bypass multifactor authentication and get into protected areas of a network. Curiously, financial information was targeted in many of the intrusions.

Elsewhere, in a newly released Capacity Enhancement Guide, CISA recommends US federal agencies install ad blockers to avoid malicious ad injections; standardize on a single, secure browser deployment; use DNS to block access to malicious sites and services; and isolate the browser from other software where possible.

NSA issues do's and DoHn'ts: While we're on the topic of American advice, the National Security Agency has issued guidance on the correct way to run DNS-over-HTTPS (DoH) and claimed it isn't all plain sailing.

"DoH is not a panacea," the super-snoops' report states [PDF]. "DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied."

In addition, DoH's encrypted traffic makes life harder for systems that examine traffic for suspicious activity, and it can be a pain to configure correctly, the agency said. It says DoH is suitable for home and mobile workers, and that care should be taken when deploying it on core enterprise systems. ®

Speaking of the NSA... Long-time government advisor Rob Joyce has been appointed director of the NSA's Cybersecurity Directorate.
