When Microsoft patched the vulnerability in October 2022—at least two years after it came under #attack by the Russian hackers—the company made no mention that it was under active exploitation.
#patch #update #exploit #Russia #security #CyberSecurity #news #os #software #hack #hacker
Source: https://www.theregister.com/2024/04/21/microsoft_national_security_risk/
Microsoft has a shocking level of #control over IT within the US federal #government
#technology #CyberSecurity #economy #politics #software #problem #usa #news
Source: https://arxiv.org/abs/2404.08144
To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the #CVE description. When given the CVE description, GPT-4 is capable of exploiting 87% of these vulnerabilities compared to 0% for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and #Metasploit).
#ai #technology #Software #chatgpt #bug #hack #news #cybersecurity
The XZ attack has taken the world of cybersecurity by storm. This video provides a concise overview. (If you prefer text, there is a link to a text-based FAQ below.)
It begins with a clever "social engineering" attack, where two people play "good cop bad cop" to guilt-trip the maintainer of XZ. First I should probably mention that XZ Utils is a compression system used by Linux, in lots of places including package managers, build (code compilation) systems, and ssh, the "secure shell" system that enables people to log in to remote servers and run commands. (I myself use ssh dozens of times every day -- if you don't work with servers you wouldn't know, but this is how servers are managed all over the internet.) Getting back to the "social engineering" attack, the attackers successfully demoralized the project maintainer, who was an open source developer working in his spare time and not paid. He eventually gave up and made the "good cop" co-maintainer of the project.
The attack itself is pretty interesting, too. The attacker did not touch ssh, or at least not the code for ssh itself. He changed test code. And not in an obvious way -- he changed a "binary blob" that is opaque to people examining changes to the code to decide whether to accept the changes on their systems or not. The binary blog would get decompressed at build time, and it turned out inside it was a bash script (bash is another one of those Linux shells), and the bash script would get executed. The bash script would modify the ssh system in such a way that a certain public key would be replaced by a different one. The purpose of the original public key was to make sure only trusted people with the corresponding private key could update a running ssh system. With the attacker's key in place, the attacker can now change running ssh systems. Not only that, but because an ssh installation on a server runs with root privileges, because it has to because it has to be able to authenticate any user and then launch a command-line shell for that user with that user's privileges, the attacker becomes able to log in as root on any Linux server infected with the attack -- which could have eventually become more or less all of them had the attack not been discovered.
To me, this attack is interesting on so many levels:
1) It comes through the "supply chain" -- attacking open source at the point where contributors (often unpaid) submit their contributions.
2) It involves a "social engineering" attack on the supply chain, something it had never occurred to me was even possible before.
3) There was a long delay between the social engineering attack and the technical attack -- about 2 years. The attackers spent 2 years building trust to exploit later.
4) It attacks one piece of software (ssh) by attacking a completely different and apparently unrelated piece of software (XZ Utils).
5) It attacks the software not by attacking the code to the software directly, but to its test code.
6) It carries out the attack by running malicious code at build time instead of runtime. (The build of XZ Utils is part of the build of ssh.)
7) It attacks a cryptosystem by replacing a legitimate key with the attacker's key and getting the attacker's key "officially" distributed.
8) Had it been successful, the implications would have been huge -- it would have given the attacker access to practically every Linux server everywhere. (Well, every Linux server, pretty much, uses ssh but the attack initially targeted RedHat & Debian, so maybe it wouldn't have spread to everywhere.)
9) The attack was discovered accidentally, because it modified its target's performance, not any other aspect of its behavior.
I hadn't mentioned that last one yet, but yeah, the attack was discovered by a person who was doing performance benchmarks on a completely unrelated project (to do with the Postgres database), which just happened to include automated ssh logins as part of the testing system, and the ssh logins suddenly slowed down for no apparent reason. In trying to figure out what had gone wrong, he discovered the attack.
This has huge implications for the future for open source software and trust in all the projects and maintainers and regular software updates that are done on a daily basis all over the world. Some are predicting wholesale abandonment of the package distribution systems used currently throughout the Linux world. At the very least, everyone contributing to projects that become standard parts of Linux distributions is going to come under much greater scrutiny.
And in case you're wondering, no, nobody knows who the attackers were, at least as far as I know. And no, no one knows how many other attacks might exist "out there" in the Linux software supply chain.
#Microsoft employees exposed internal passwords in #security lapse
source: https://techcrunch.com/2024/04/09/microsoft-employees-exposed-internal-passwords-security-lapse/
Security researchers Can Yoleri, Murat Özfidan and Egemen Koçhisarlı with #SOCRadar, a #cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft’s #Azure #cloud service that was storing internal information relating to Microsoft’s #Bing search engine.
source: https://krebsonsecurity.com/2024/04/twitters-clumsy-pivot-to-x-com-is-a-gift-to-phishers/
Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”
#internet #fail #security #phishing #cybersecurity #twitter #news
https://youtu.be/cmeDwZgw_6Y?si=uHRgAVXaBo3ci2MP
#cybersecurity #opensource #linux
Configuring a Qubes workstation was a new challenge for the team as we abandoned years of experience writing Infrastructure as Code for the cloud and started learning how to write #Salt #configuration. Salt (also know as SaltStack) is a management engine available by default in Qubes.
#cybersecurity #news #journalism #linux #technology #software #securedrop
The embarrassing #security lapse is linked to a book he published on #Amazon, which left a digital trail to a private Google account created in his name, along with his unique ID and links to the #account’s maps and calendar profiles.
#Israel #internet #Anonymity #privacy #spy #military #CyberSecurity #news #online #leak #identity
#PriateBin #communication #turorial #password #security
♲ Digital Angel - 2024-04-04 23:03:12 GMT
How to communicate securely over an insecure network with #PriateBin.https://0.0g.gg/?d08350fc097ceab0#9acFE89JXzDDKP9podRjnFEQCbchtJYA2dnvnjugJKaj
#communication #internet #privacy #security #cybersecurity #surveillance #spy #passwort #howto #instructions #tutorial #help
#hack #security #news #problem
♲ Digital Angel - 2024-04-04 23:15:13 GMT
#IBIS hotel check-in terminal keypad-code leakagesource: https://www.pentagrid.ch/en/blog/ibis-hotel-check-in-terminal-keypad-code-leakage/
However, when entering a '------' as booking ID, the check-in terminal lists other people's bookings and keypad codes.
I'm not talking about your nerd friends, who can be counted on one hand and who know a thing or two about the subject. I'm talking about your normal friends, business partners and colleagues with whom you communicate both professionally and privately.
I was recently called by my support via Microsoft Teams because I had to enter some passwords. The support team proudly said that they were contacting me via Teams because it was more secure than the normal phone. He was then very surprised when I told him that Teams is unencrypted and can be intercepted much more easily.
#messenger #email #question #security #cybersecurity #internet #spy #surveillance #privacy #nsa #snowden #5eyes
the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
The infamous Nemesis Market, a leading figure in the darknet marketplace ecosystem, has been successfully seized.
This operation dismantles a major hub of illegal online trade, ranging from narcotics to stolen data, affecting thousands of users worldwide.
Nemesis Market emerged as a dominant player in the darknet space, filling the void left by previous marketplaces that were taken down by law enforcement.
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :
The problem of vulnerability fatigue today
Difference between CVSS-specific vulnerability vs risk-based vulnerability
Evaluating vulnerabilities based on the business impact/risk
Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, that helps you to quantify risk accurately:
It quickly gained notoriety for its sophisticated security measures, a wide array of illicit goods, and its ability to evade the authorities.
The platform was known for trading in drugs, weapons, stolen identity data, and other illegal goods and services.
The seizure of Nemesis Market was the culmination of Operation Dark Hunt, a coordinated effort by law enforcement agencies in several countries.
The operation involved months of meticulous planning, surveillance, and collaboration between various international cybersecurity units.
Details of the operation remain classified, but sources indicate that combining cutting-edge digital forensics and traditional detective work was vital to infiltrating the market’s defenses.
The breakthrough came when investigators traced transactions to the market’s administrators, leading to their identification and arrest.
According to a recent tweet by Dark Web Informer, the Nemesis Market, one of the top five online marketplaces on the dark web, has been taken down.
🚨BREAKING🚨Nemesis Market, a top 5 darknet market, has been seized.
[
](https://twitter.com/hashtag/Nemesis?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/DarkWebInformer?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/DarkWeb?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Cybersecurity?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Cyberattack?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Cybercrime?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Infosec?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/CTI?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Darknet?src=hash&ref_src=twsrc%5Etfw)
[
pic.twitter.com/P22VDSo79v
— Dark Web Informer (@DarkWebInformer)
[
March 21, 2024
](https://twitter.com/DarkWebInformer/status/1770787868975210700?ref_src=twsrc%5Etfw)
The takedown of Nemesis Market sends a powerful message to the darknet community: no entity is beyond the reach of the law.
This operation has significantly disrupted the supply chains of various illegal goods and services, temporarily decreasing their availability on the dark web.
However, experts warn that the void left by Nemesis Market is likely to be filled by other emerging platforms.
The dynamic nature of the darknet means that as one market falls, others rise to take its place.
Law enforcement agencies know this cycle and continuously develop new strategies to combat illegal online trade.
The successful seizure of Nemesis Market highlights the growing sophistication and international cooperation of cyber law enforcement.
Agencies are increasingly relying on advanced technology and cross-border collaborations to tackle the challenges posed by the darknet.
As the digital landscape evolves, so do the strategies of those operating within it.
The battle against illegal online marketplaces is ongoing, with both sides continuously adapting to the ever-changing environment.
The seizure of Nemesis Market is a significant milestone in the fight against darknet marketplaces.
It demonstrates the effectiveness of international law enforcement cooperation and the importance of staying ahead in the technological arms race against cybercriminals.
While challenges remain, the takedown of Nemesis Market is a testament to the global commitment to combating cybercrime and protecting citizens from the dangers of the dark web.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The post Nemesis Market: Leading Darknet Market Seized appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder
The infamous Nemesis Market, a leading figure in the darknet marketplace ecosystem, has been successfully seized.
This operation dismantles a major hub of illegal online trade, ranging from narcotics to stolen data, affecting thousands of users worldwide.
Nemesis Market emerged as a dominant player in the darknet space, filling the void left by previous marketplaces that were taken down by law enforcement.
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :
The problem of vulnerability fatigue today
Difference between CVSS-specific vulnerability vs risk-based vulnerability
Evaluating vulnerabilities based on the business impact/risk
Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, that helps you to quantify risk accurately:
It quickly gained notoriety for its sophisticated security measures, a wide array of illicit goods, and its ability to evade the authorities.
The platform was known for trading in drugs, weapons, stolen identity data, and other illegal goods and services.
The seizure of Nemesis Market was the culmination of Operation Dark Hunt, a coordinated effort by law enforcement agencies in several countries.
The operation involved months of meticulous planning, surveillance, and collaboration between various international cybersecurity units.
Details of the operation remain classified, but sources indicate that combining cutting-edge digital forensics and traditional detective work was vital to infiltrating the market’s defenses.
The breakthrough came when investigators traced transactions to the market’s administrators, leading to their identification and arrest.
According to a recent tweet by Dark Web Informer, the Nemesis Market, one of the top five online marketplaces on the dark web, has been taken down.
🚨BREAKING🚨Nemesis Market, a top 5 darknet market, has been seized.
[
](https://twitter.com/hashtag/Nemesis?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/DarkWebInformer?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/DarkWeb?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Cybersecurity?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Cyberattack?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Cybercrime?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Infosec?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/CTI?src=hash&ref_src=twsrc%5Etfw)
[
](https://twitter.com/hashtag/Darknet?src=hash&ref_src=twsrc%5Etfw)
[
pic.twitter.com/P22VDSo79v
— Dark Web Informer (@DarkWebInformer)
[
March 21, 2024
](https://twitter.com/DarkWebInformer/status/1770787868975210700?ref_src=twsrc%5Etfw)
The takedown of Nemesis Market sends a powerful message to the darknet community: no entity is beyond the reach of the law.
This operation has significantly disrupted the supply chains of various illegal goods and services, temporarily decreasing their availability on the dark web.
However, experts warn that the void left by Nemesis Market is likely to be filled by other emerging platforms.
The dynamic nature of the darknet means that as one market falls, others rise to take its place.
Law enforcement agencies know this cycle and continuously develop new strategies to combat illegal online trade.
The successful seizure of Nemesis Market highlights the growing sophistication and international cooperation of cyber law enforcement.
Agencies are increasingly relying on advanced technology and cross-border collaborations to tackle the challenges posed by the darknet.
As the digital landscape evolves, so do the strategies of those operating within it.
The battle against illegal online marketplaces is ongoing, with both sides continuously adapting to the ever-changing environment.
The seizure of Nemesis Market is a significant milestone in the fight against darknet marketplaces.
It demonstrates the effectiveness of international law enforcement cooperation and the importance of staying ahead in the technological arms race against cybercriminals.
While challenges remain, the takedown of Nemesis Market is a testament to the global commitment to combating cybercrime and protecting citizens from the dangers of the dark web.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The post Nemesis Market: Leading Darknet Market Seized appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder
"Race conditions arise when multiple threads attempt to access a shared resource without proper synchronization, often leading to vulnerabilities such as concurrent use-after-free. To mitigate their occurrence, operating systems rely on synchronization primitives such as mutexes, spinlocks, etc."
"Our key finding is that all the common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths using a branch misprediction attack, turning all architecturally race-free critical regions into Speculative Race Conditions, allowing attackers to leak information from the target."
Um. What? That's crazy!
"Mutex" here means "mutual exclusion". It is a lock that allows only one concurrent threat to enter a section. "Spinlock" refers to a more primitive technique, where a threat asks "are you unlocked yet?" over and over in a loop until the lock is released and it can acquire it. In modern systems, the hardware and the operating system work together to enable threads to go to sleep and get woken up when their locks are released instead of doing the spinlock thing.
Digging into this further, the researchers say:
"Since 2018, after the discovery of Spectre and Meltdown, transient execution attacks have become an intensively studied area of research."
You know, I remember hearing about Spectre but didn't look into the details of it.
"Whenever a modern CPU implements speculative optimizations (e.g., branch prediction), it speculatively executes a sequence of instructions. The two possible outcome for these instructions are that either they are committed and made visible to the architectural level or they are squashed due to mispeculation (e.g., misprediction) -- leading to transient execution. When the instructions are squashed, the CPU rollbacks the state. Despite the rollback, some microarchitectural side effects are left and can be observed through one of the many side channels available (e.g., data cache, branch target buffer, port contention, etc.) to leak sensitive information."
"Spectre-PHT, also known as Spectre-v1, is the first known attack of this kind, targeting the pattern history table and exploiting a code pattern. The code checks for x to be in-bound before performing a double array access. For exploitation purposes, the attacker can ensure x is out-of-bound and array1_ size is not present in the cache. In this scenario, instead of waiting for array1_size to be loaded from main memory to perform the comparison, the CPU speculates and starts to transiently execute the instructions beyond the comparison. If the comparison has been executed several times before with x in-bound, the CPU is prone to speculate that x is once again in-bound, hence transiently performing the out-of-bound access of array1. When the not cached array2 is accessed using the byte retrieved from the out-of-bound access of array1, the specific accessed location is loaded into the cache. The attacker can complete the 1 byte leak by testing which location of array2 can be accessed faster than the others. Its position within the buffer reveals the secret byte value. Notably, Spectre-PHT remains unmitigated in hardware. Software developers remain responsible to harden potentially vulnerable branches with mitigations (e.g., fencing to prevent speculation), but the extent to which all the 'right' branches have been adequately hardened in large high-value codebases such as the Linux kernel remains an open question."
"Concurrency bugs are a category of bugs which affect multithreaded programs and occur due to the absence or the incorrect use of synchronization primitives. Due to their nondeterministic behavior, concurrency bugs are one of the most elusive and difficult to triage classes of bugs. Under certain conditions, concurrency bugs can also lead to memory error vulnerabilities. In modern operating systems such as the Linux kernel, one of the most common memory error vulnerability caused by concurrency bugs is use-after-free."
"In a use-after-free attack, the first step is generally to free a memory object. This operation invalidates all the pointers to that object, which become dangling. The second step generally involves forcing the allocator to reuse the memory slot of the free object for the allocation of a new object. This step reinitialize the previously freed memory slot. The final step of the attack is generally to force the victim to use one of the dangling pointers, which now points to the newly allocated object. A read from or write to such pointer to controlled data can be used to exploit the bug in a variety of ways."
"When this attack is performed in concurrency settings, and the free step and the use step are executed by distinct threads sharing the underlying object. Such concurrent use-after-free vulnerability is harder to exploit than the single-threaded use-after-free case, since exploitation depends on thread interleaving and the availability of a sufficient race window. While the community has invested significant effort in investigating traditional concurrency bugs and concurrent use-after-free -- e.g., studies demonstrating that more than 40% of the use-after-free vulnerabilities patched in Linux kernel drivers are concurrent use-after-free -- their microarchitectural properties have largely been neglected. In this paper, we study such properties and their security implications for the first time, uncovering a new class of speculative execution vulnerabilities in the process."
They go on to explain their new exploitation technique to precisely interrupt any (kernel) thread and create an architecturally unbounded use-after-free exploitation window. This works by first identifying use-after-free exploitation windows as tiny as eight instructions. Then they employ high-precision hardware timers to interrupt the victim thread at just the right time and amplify the original UAF window. After that, they rely on user interfaces to trigger an interrupt storm to interrupt the victim thread in the amplified window, which has the effect of stretching the UAF window indefinitely. Probably should menton that by "user interfaces", here they mean things like the host controller interface layer of the near field communication (NFC) driver.
Then they go on to exploit speculative race conditions, their new term for speculative execution vulnerabilities "affecting all common synchronization primitives", by which they mean mutexes, spinlocks, etc. "We can consistently trick speculative execution into acquiring a mutex and entering the guarded critical region. Since this is the case regardless of the current (architectural) state of the mutex, we can speculatively acquire a mutex already held by another thread. In other words, the mutex becomes a no-op on the speculative path, leading to a speculative race condition and opening the door to arbitrary concurrency vulnerabilities at the microarchitectural level."
The end result of all this is that they can leak memory from the Linux kernel at a rate of 12 KB/s.
I have to say, I'm amazed people exist who can pull stuff like this off.
GhostRace: Exploiting and mitigating speculative race conditions - Syssec@IBM Research
source: https://www.theinformation.com/articles/microsoft-security-breaches-rile-u-s-government-customers
Microsoft became the world’s biggest seller of cybersecurity software by bundling it with Office and Teams apps. But after a series of hacks exploited that software in the past year, several of Microsoft’s biggest customers are considering whether their reliance on Microsoft’s #software bundle puts their security at risk.
The clearest sign that Microsoft may face real consequences for its security lapses can be seen in #Washington. After the company disclosed last summer that Chinese hackers had broken into customers’ systems, including the U.S. State Department’s, the agency began to move its stored data into servers of other cloud providers such as #Amazon Web Services and #Google #Cloud, according to a technical adviser to the agency and an executive at one of the rival companies. And the agency has been discussing possible bigger cloud deals with those rivals, these people said.
