Notices by Dan Goodin (dangoodin@infosec.exchange), page 2

Historian begs Americans not to downplay Trump's threats to use the military against them

If Donald Trump becomes the 47th president, Presidential historian Michael Beschloss said he believes there is going to be a severe danger of instituting the Insurrection Act and putting soldiers on missions to police American soil.

During a rally in Iowa, the 2024 Republican frontrunner described the metropolises of New York City and Chicago as “crime dens” and vowed to move fast to bring in the country's military might.

“The next time, I’m not waiting," he said. "One of the things I did was let them run it and we’re going to show how bad a job they do,” he said. “Well, we did that. We don’t have to wait any longer.”

Beschloss says we should be taking Trump at his word.

https://www.rawstory.com/trump-insurrection-act-2666371202/

@vidister

Wait, are you serious? If so what do 30-40 meter cables do that a 10 meter one doesn't? And what is special about the 3.5 mm TRS plug?

If you were making a joke, sorry. I have a very compromised sense of humor and also know very little about sound equipment. 🤷

@tillshadeisgone @are0h

What do you mean by "as a treat"?

@are0h

Can we at least agree that a statistically significant proportion of women and people of color think abortion should be illegal in all/most cases, according to Pew Research? I'm guessing these folks, also vote for sexist public officials who hate women?

Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.

“The exploit's sophistication and the feature's obscurity suggest the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email. “Our analysis hasn't revealed how they became aware of this feature, but we're exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering.”

Other questions remain unanswered, wrote Larin, even after about 12 months of intensive investigation. Besides how the attackers learned of the hardware feature, the researchers still don’t know what, precisely, its purpose is. Also unknown is if the feature is a native part of the iPhone or enabled by a third-party hardware component such as ARM’s CoreSight

The mass backdooring campaign, which according to Russian officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action.

With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn’t survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after devices were restarted.

A fresh infusion of details disclosed Wednesday said that “Triangulation”—the name Kaspersky gave to both the malware and the campaign that installed it—exploited four critical zero-day vulnerabilities, meaning serious programming flaws that were known to the attackers before they were known to Apple. The company has since patched all four of the vulnerabilities.

https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/

@lyda

How so?

It's hard to overstate the importance of SSH in securing home networks, massive cloud centers and everything in between. Now, researchers have devised a novel cryptographic attack that breaks integrity of this widely used protocol. Dubbed Terrapin, it's the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. Terrapin exploits weaknesses in the specification of SSH when paired with widespread algorithms (ChaCha20-Poly1305 and CBC-EtM) to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

As an added bonus, @trueskrillor, the lead author of the Terrapin paper (who still isn't active on Mastodon 🙁 ) is holding court in the comments forum. Now would be a good time to mosey on over and ask questions.

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/?comments=1&comments-page=1

Did you or someone you know work with SSH back in the late 90s and early 2000s? I'd love to get some perspective on something. Please DM me by Signal.

@matrosov

Lots of people asking what the CVEs are and where announcements from various parties can be found. This is a massive, massive (un)coordinated disclosure. Lots of broken or non-existent links at the moment. I'm expecting things will straighten out in an hour or two. Please be patient.

A CERT coordination center has published an advisory on LogoFail, but unfortunately, it doesn't tell us much. It confirms that AMI, Insyde, Intel and Phoenix are affected and that Microsoft and Toshiba are not. But the remaining 20 companies are fall in the "unknown" category. One of the unknowns is Lenovo, which has already confirmed that it is affected.

Also, no CVEs.

¯_(ツ)_/¯

https://kb.cert.org/vuls/id/811862

@matrosov

It's 2023, and not only can malicious images still remotely execute malicious code on your devices, but they can do it at the UEFI level, during bootup, enabling invisible firmware bootkits. This new post-exploit attack, known as LogoFAIL, is mind-blowing. Amazing that an entire ecosystem comprising dozens of wealthy companies couldn't be bothered to fuzz the UEFIs they provide to billions of people. With a small amount of effort, this attack could have been closed off a decade ago.

https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/

If you use a Windows or Linux device, it's vulnerable to a new post-exploit attack that can remotely install an undetectable backdoor at the UEFI level. Updates from just about every vendor available today. Impressive work from @matrosov and the rest of Binarly.

https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/

@mmasnick has done the world a solid for devoting considerable time and effort transcribing Elmo's rambling comments that were indecipherable except for the repeated exhortations that people exercising their rights to free speech and association fuck themselves.

My favorite section:

ARS: I understand that, but there’s a reality too, right? I mean Linda Yaccarino’s right here and she’s gotta sell advertising.

Elon: Yes, no, no, right. Yes. No. Absolutely so. No, no, totally. So, no, no, so. Actually what this advertising boycott is going to do, it’s going to kill the company.

ARS: [realizing that Elon seems to be encouraging a boycott that will, as he just said, kill the company] And you think that the…

Elon: But, the whole world will know that the advertisers killed the company. And we will document it in great detail.

ARS: But those advertisers are going to say “we didn’t kill the company…”

Elon: Oh yeah? Tell that to Earth!

https://www.techdirt.com/2023/11/30/elon-after-personally-driving-away-advertisers-tells-them-to-go-fuck-themselves-repeatedly-and-says-earth-will-judge-them-for-killing-extwitter/

Now seems like as good a time as any to goad the remaining Twitter advertisers that their dollars support a platform that not only tolerates hate and far-right content but in many cases actively promotes it. If you interact with any of these businesses, please remind them that said platform rightfully deserves to be treated like the pariah it is and it's time for them to act accordingly.

https://www.mygalaxyroses.com
https://www.netwrix.com/
https://nocode.mba
https://linktr.ee/blaze_ai

In the stretch of a few days, two municipal water facilities that serve more than 2 million residents in parts of Pennsylvania and Texas have reported network security breaches that have hamstrung parts of their business or operational processes.

In response to one of the attacks, the Municipal Water Authority of Aliquippa in western Pennsylvania temporarily shut down a pump providing drinking water from the facility’s treatment plant to the townships of Raccoon and Potter, according to reporting by the Beaver Countian. A photo the Water Authority provided to news outlets showed the front panel of a programmable logic controller—a toaster-sized box often abbreviated as PLC that’s used to automate physical processes inside of industrial settings—that displayed an anti-Israeli message. The PLC bore the logo of the manufacturer Unitronics. A sign above it read “Primary PLC.”

A second hack hitting the North Texas Municipal Water District came to light on Monday after a ransomware group tracked as DAIXIN added the district, abbreviated as NTMWD, to its leak site. The post said the group has stolen sensitive data contained in 33,844 files. A text file that accompanied the post showed what appeared to be an extensive file directory tree of the network belonging to the NTMWD.

It’s tempting to think that the hacks of two different water facilities coming to light within a few days signals an escalation. It’s easier to bear in mind that water facilities are notoriously underfunded and employ IT staff who receive little training and resources and are underpaid. Either way, the attacks should serve as a wake up call to political leaders at every level of government that critical infrastructure is vulnerable to hacking and will remain that way until they make the necessary investments.

https://arstechnica.com/security/2023/11/2-municipal-water-facilities-report-falling-to-hackers-in-separate-breaches/

Security researchers are tracking what they say is the “mass exploitation” of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open-source filesharing server app.

The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing “mass exploitation” in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.

“We're seeing hits to the specific endpoint that exposes sensitive information, which would be considered exploitation,” Glenn Thorpe, senior director of security research & detection engineering at Greynoise, said in an interview on Mastodon. “At the moment, we've seen 13 IPs that are hitting our unadvertised sensors, which indicates that they are pretty much spraying it across the internet to see what hits.”

https://arstechnica.com/security/2023/11/owncloud-vulnerability-with-a-maximum-10-severity-rating-comes-under-mass-exploitation/

@filippo

For those of us following along at home, can you provide a little more context? I am also curious to know if you agree that 128 bits is enough. I always thought 256 was the greed upon number of bits.

@ryanc @sophieschmieg @filippo

My very foggy and distant recollection is that quantum computing effectively cuts the number of bits in symmetric encryption by half. Am I just dreaming that, or is that right? If so, seems like cutting 128 in half wouldn't be enough entropy. Sorry if I'm completely wrong on all accounts here.

It should be clear now that it was and remains a catastrophic mistake for people to view privately owned social media platforms as any kind of public resource. People didn't know better a decade ago. They have no excuse now.