Have I Been Pwned goes open source, bags help from FBI
Plus: More Rowhammer research, Feds warn of Fortinet attacks, etc
In brief The creator of the Have I Been Pwned (HIBP) website, which alerts you if it turns out your credentials have been swiped and leaked from an account database, has open sourced the project's internals.
Troy Hunt set up HIBP in 2013, and the dot-com is now said to be getting a billion requests a month. Last year, the man Down Under announced plans to make key portions of the system open source for others to pick up, use, and improve. Now the Pwned Passwords code base is available from GitHub under a BSD three-clause license.
Hunt also said the FBI has offered to feed known compromised passwords into HIBP.
"Their goal here is perfectly aligned with mine and, I dare say, with the goals of most people reading this: to protect people from account takeovers by proactively warning them when their password has been compromised," he said.
In addition to the code, there's also a 3D print schematic of the HIBP logo if that interests you.
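To make the "alerts you if your password has leaked" part concrete, here is an added example, written for this page rather than taken from HIBP or Troy Hunt's repository, of the client side of a Pwned Passwords check using the service's k-anonymity range lookup: the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 characters locally, so the password itself never leaves the machine. The range response embedded below is constructed sample data with made-up counts; the endpoint URL and the `Add-Padding` header in the `online_fetch` helper (defined but not exercised here) are taken from the public Pwned Passwords API, not from this article.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for what the range endpoint returns for the SHA-1
# prefix "5BAA6". Each line is "<35-char suffix>:<count>". The first suffix
# is the real tail of sha1("password"); the counts and the filler suffixes
# (including the count-0 line that mimics API padding) are made up.
CONSTRUCTED_RANGE_DATA: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "00000000000000000000000000000000001:2\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17\r\n"
        "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:0\r\n"
    ),
}


def split_hash(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn a range response body into {suffix: count}.

    Tolerates CRLF and blank lines. Padded entries (count 0) are kept as 0,
    which pwned_count treats the same as 'not found'."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def offline_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTP GET; unknown prefixes yield an empty body."""
    return CONSTRUCTED_RANGE_DATA.get(prefix.upper(), "")


def online_fetch(prefix: str) -> str:
    """Production fetch against the public range API (not exercised here).

    Add-Padding asks the service to pad the response with count-0 entries so
    response size does not leak which prefix was queried."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password appears in the corpus; 0 means not seen."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "a long passphrase that is hopefully unique 7f3k"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, reject" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

A sign-up or password-change handler would call `pwned_count(candidate, online_fetch)` and refuse any non-zero result; only the five-character prefix ever crosses the network, and the suffix comparison happens on the caller's side.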
New DRAM still susceptible to Rowhammer
Google's Project Zero last week detailed Half-Double, a new Rowhammer-like technique for altering memory that application code shouldn't otherwise be able to affect – which can lead to privilege escalation and other bad outcomes.
Rowhammer attacks usually involve repeatedly writing to one memory address to change bits in nearby RAM cells. Half-Double, developed by Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric Shiu and Mattias Nissler, can, simply put, flip bits in rows further away from the hammered one than classic Rowhammer reaches.
"Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly, bit flips were found only in the two adjacent rows," Team Google explained. "However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength."
The Googlers disclosed this info because they believe "it significantly advances the understanding of the Rowhammer phenomenon, and that it will help both researchers and industry partners to work together to develop lasting solutions" to protect systems from malware and rogue users that seek to use Rowhammer effects to hijack computers.
For pity's sake, patch Fortinet
The FBI has sent out an urgent memo pleading with Fortinet customers to patch their Fortigate installations after miscreants were spotted exploiting vulnerabilities in a firewall belonging to a local government in America. Fixes are available for the abused bugs.
"As of at least May 2021, an advanced persistent threat (APT) actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a US municipal government," the Feds warned [PDF]. "The APT actors likely created an account with the username 'elie' to further enable malicious activity on the network."
Horse, meet stable gate
The US Department of Homeland Security has issued a directive regarding the computer network defenses of oil, gas, and hazardous waste pipelines, two weeks after a ransomware attack led to the shutdown of a major American fuel system and panic buying among some citizens.
According to Uncle Sam:
The security directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week. It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland.
“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro Mayorkas.
“The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
Malware has its finger on the Pulse
In April, Chinese snoops were fingered for exploiting Pulse Connect Secure VPN appliances. Now FireEye's Mandiant surveillance squad has reported four families of malware abusing the Pulse vulnerabilities, for which patches are available. Intrusions appear to be automated.
"Mandiant Threat Intelligence assesses that Chinese cyber espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized," it said.
Apply patches as soon as you can. ®