Hallowed Bugtraq infosec list killed then resurrected over the weekend: We heard your feedback, says Accenture

Plus: Watch out for NTFS-corrupting folder, Mimecast hack, and more


In brief Last week ended with news that the venerable infosec mailing list Bugtraq was being shut down at the end of the month.

From its first posts in November 1993, Bugtraq aimed to get details of vulnerabilities, as well as defence and exploitation techniques, onto netizens' radar and discussed among admins and security researchers. Posts to this once high-volume Symantec-owned list stopped on February 22 last year, and now we know why – a lack of funding and resources.

"Assets of Symantec were acquired by Broadcom in late 2019, and some of those assets were then acquired by Accenture in 2020," an email from the list administrators read.

"At this time, resources for the Bugtraq mailing list have not been prioritized, and this will be the last message to the list. The archive will be shut down January 31st, 2021."

Then on Sunday, Accenture had a change of heart. It's now looking like Bugtraq could last a while longer.

"Bugtraq has been a valuable institution within the Cyber Security community for almost 30 years. Many of our own people entered the industry by subscribing to it and learning from it," the Accenture team said. "So, based on the feedback we've received both from the community-at-large and internally, we've decided to keep the Bugtraq list running. We'll be working in the coming weeks to ensure that it can remain a valuable asset to the community for years to come."

If you're using non-Chromium Edge on Windows, don't. A bug-hunter known as Jonas L found that accessing a specially named folder path on NTFS will corrupt the file-system on Windows 10 1803 and later, requiring a reboot and repair operation. Non-Chromium Edge browsers will try to open the path if it's in a URL in a malicious webpage, triggering the flaw. There are other ways to get people to open the path, such as by hiding the folder in a zip file. It's hoped Microsoft will fix this soon. We're not going to share the folder name until then.

Mimecast cert hack: Enterprise security shop Mimecast revealed last week that one of its security certificates, used to link its products to Microsoft 365 deployments, was compromised, potentially allowing miscreants to, for instance, snoop on organizations' data in transit between the affected Mimecast and Microsoft services. Mimecast wouldn't comment further mid-investigation, though said in a statement:

Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor.

Approximately 10 percent of our customers use this connection. Of those that do, there are indications that a low single digit number of our customers’ M365 tenants were targeted. We have already contacted these customers to remediate the issue.

As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available. Taking this action does not impact inbound or outbound mail flow or associated security scanning.

COVID-19 data leaked: The EU Medicines Agency said some of the coronavirus vaccine approval documents stolen during a network intrusion it disclosed last month have been shared online.

"Some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet," it said in a statement.

"Necessary action is being taken by the law enforcement authorities. The Agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorised access."

The thieves abused a single vulnerable application to extract the info, EMA said in an earlier update.

How zero-days are exploited in the real world: Patch Tuesday is always a busy time as vendors emit scores of product fixes, which made it surprising that Google's Project Zero hotshots used the day to publish a six-part detailed report into a fairly unusual incident involving four zero-day holes being abused in the wild to hijack people's computers and devices.

The exploitation of the programming blunders was picked up early last year, and carried out by "a highly sophisticated" outfit, we're told. The intruders were observed using two different servers, one going after Windows machines and the other Android, in so-called watering-hole attacks – which is where the snoops figure out the websites or services routinely used by their targets, and compromise said platforms to then infect the visitors.

One of the exploited Chrome zero-day holes was a faulty JIT compiler issue, and the intruder chained this with three zero-day flaws in Windows' font handling and CSRSS to gain control of PCs. While the Android attack used exploits for known bugs in older builds of the OS, the Googlers said they think the attacker has zero-day exploits for the mobile operating system, too.

"These exploit chains are designed for efficiency and flexibility through their modularity," Project Zero said.

"They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains."

Install an ad-blocker, says CISA: There were two alerts last week from the US government's Cybersecurity and Infrastructure Security Agency (CISA), one warning of hackers succeeding in busting open several enterprise clouds and another [PDF] suggesting federal agencies use ad blockers.

"CISA is aware of several recent successful cyberattacks against various organizations’ cloud services," the agency said. "The cyber threat actors involved in these attacks used a variety of tactics and techniques - including phishing, brute force login attempts, and possibly a 'pass-the-cookie' attack - to attempt to exploit weaknesses in the victim organizations’ cloud security practices."

The pass-the-cookie attack is noteworthy as it may have allowed one miscreant to bypass multifactor authentication and get into protected areas of a network. Curiously, financial information was targeted in many of the intrusions.
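A defender-side illustration of why pass-the-cookie gets around MFA, added here and not taken from the CISA alert or this article: a replayed session cookie is already marked as authenticated, so the useful check is whether it is later presented by a different client than the one that completed MFA. The log layout, field names and events below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs):
# (timestamp, session id, source IP, user agent, event type)
EVENTS = [
    ("2021-01-14T09:00:02Z", "sess-a1", "198.51.100.10", "Chrome/87 Windows", "mfa_success"),
    ("2021-01-14T09:05:40Z", "sess-a1", "198.51.100.10", "Chrome/87 Windows", "request"),
    ("2021-01-14T09:10:00Z", "sess-b2", "203.0.113.5", "Firefox/84 macOS", "mfa_success"),
    ("2021-01-14T09:12:30Z", "sess-b2", "203.0.113.5", "Firefox/84 macOS", "request"),
    ("2021-01-14T09:20:11Z", "sess-b2", "192.0.2.77", "python-requests/2.25", "request"),
    ("2021-01-14T09:31:00Z", "sess-c3", "192.0.2.77", "python-requests/2.25", "request"),
]


def find_cookie_replay(events):
    """Flag requests whose session cookie comes from a client other than
    the one that completed MFA, or from a session with no MFA event at all."""
    origin = {}                    # session id -> (ip, user agent) at MFA time
    findings = defaultdict(list)   # session id -> [(timestamp, ip, reason)]
    # ISO 8601 timestamps in one format sort correctly as plain strings.
    for ts, sid, ip, ua, kind in sorted(events):
        if kind == "mfa_success":
            origin[sid] = (ip, ua)
            continue
        if sid not in origin:
            # Session was never seen passing MFA inside this log window.
            findings[sid].append((ts, ip, "no MFA event seen for this session"))
            continue
        o_ip, o_ua = origin[sid]
        changed = [name for name, now, then in
                   (("ip", ip, o_ip), ("user_agent", ua, o_ua)) if now != then]
        if changed:
            # An IP change alone is common for roaming users; a user-agent
            # change on a live session is the stronger signal.
            findings[sid].append((ts, ip, "changed since MFA: " + ",".join(changed)))
    return dict(findings)


if __name__ == "__main__":
    for sid, hits in find_cookie_replay(EVENTS).items():
        for ts, ip, reason in hits:
            print(f"{ts} {sid} from {ip}: {reason}")
```

Binding the session to the client at MFA time and re-prompting when that binding changes is the server-side counterpart of this log check.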

Elsewhere, in a newly released Capacity Enhancement Guide, CISA recommends US federal agencies install ad blockers to avoid malicious ad injections; standardize on a single, secure browser deployment; use DNS to block access to malicious sites and services; and isolate the browser from other software where possible.

NSA issues do's and DoHn'ts: While we're on the topic of American advice, the National Security Agency has issued guidance on the correct way to run DNS-over-HTTPS (DoH) and claimed it isn't all plain sailing.

"DoH is not a panacea," the super-snoops' report states [PDF]. "DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied."

In addition, DoH's encrypted traffic makes life harder for systems that examine traffic for suspicious activity, and can be a pain to configure correctly, the agency said. It recommends DoH for home and mobile workers, and says care should be taken when deploying it on core enterprise systems. ®

Speaking of the NSA... Long-time government advisor Rob Joyce has been appointed director of the NSA's Cybersecurity Directorate.
