News
This is issue 300. That sort of snuck up on me. I only noticed when I clicked the button :D
Awesome though, right? I'm grateful that you're (still?) here to read it. All ~6,000 of you, plus a few thousand more through RSS from what I can see. I still can't quite fathom that.
I'm also kinda proud of myself for having stuck with something this long, albeit with some breaks.
Don't expect anything special though, it's just the same old cybersecurity news wrap-up ;-)
Enjoy!
Issue 300
Well ok, after I wrote the intro above I decided to actually change it up a bit.
I'm going to write this one as a continuous piece of markdown/html, and wrap it in the existing newsletter.
It's a first step in the plan to move to a more "elemental" (;-)) approach: plain text or html, no tracking, self-hosted (and secured) mailing list, website and RSS feed. But step by step.
It's also a day late because, well, because I felt like it. To those who told me to do this in a way that feels comfortable to me, instead of pressuring myself for no reason: look, I'm listening! (and thank you ;-) )
(Also because I lost way too much time playing around with a new markdown-based flow. I got tired ¯\_(ツ)_/¯)
You can tell though that I enjoyed myself since it's a longer issue than usual. I hope the read is also enjoyable :-) Cheers folks!
News
PyPI now blocks domain resurrection attacks used for hijacking accounts: link.
(bleepingcomputer.com)
Domain resurrection attacks are when someone has an email address tied to a certain domain (like securitynewsletter.co), but that someone lets that domain expire. An attacker can re-register that domain, take ownership of that email address and request a password reset.
From the article:
PyPI now checks whether the domains of verified email addresses on the platform have expired or are entering expiration phases, and marks those addresses as unverified.
Once the email addresses enter that state, they cannot be used for password resets or other account recovery actions, thus closing the opportunity window for exploitation even if an attacker registers the domain.
Very nice and sensible mitigation if you ask me. Good stuff.
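As an added illustration (not from the article or PyPI's own code), a small Python model of that mitigation: accounts whose email domain has expired, is about to expire, or sits in a post-expiry registry phase lose their verified status, and a password reset refuses to go to an unverified address. The EPP status codes used as the signal, the 30-day grace window and the WHOIS-style records are assumptions of the example, not details from the article.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# EPP domain status codes meaning the registrant no longer firmly holds the
# name. Assumed signal: the article does not say which data PyPI consults.
RISKY_STATUSES = {"redemptionPeriod", "pendingDelete", "clientHold", "serverHold"}
GRACE = timedelta(days=30)  # constructed "entering expiration" window

@dataclass
class DomainRecord:
    """Constructed stand-in for a WHOIS/RDAP lookup result."""
    expires: date
    statuses: set = field(default_factory=set)

@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = True

def domain_at_risk(rec: DomainRecord, today: date) -> bool:
    """Already expired, inside the pre-expiry window, or in a post-expiry phase."""
    return rec.expires <= today + GRACE or bool(rec.statuses & RISKY_STATUSES)

def reconcile(accounts, lookups, today):
    """Drop verification on addresses whose domain is at risk; return who was downgraded."""
    downgraded = []
    for acct in accounts:
        domain = acct.email.rsplit("@", 1)[1].lower()
        rec = lookups.get(domain)
        if acct.email_verified and rec is not None and domain_at_risk(rec, today):
            acct.email_verified = False
            downgraded.append(acct.username)
    return downgraded

def can_reset_password(acct: Account, target_email: str) -> bool:
    """A reset mail only goes to an address that is still verified."""
    return acct.email_verified and acct.email.lower() == target_email.lower()

def demo():
    """Constructed scenario: one healthy domain, one already in pendingDelete."""
    today = date(2025, 8, 25)
    alice = Account("alice", "alice@stable.example")
    bob = Account("bob", "bob@lapsed.example")
    lookups = {"stable.example": DomainRecord(date(2027, 1, 1)),
               "lapsed.example": DomainRecord(date(2025, 6, 1), {"pendingDelete"})}
    downgraded = reconcile([alice, bob], lookups, today)
    return (downgraded, can_reset_password(alice, "alice@stable.example"),
            can_reset_password(bob, "bob@lapsed.example"))
```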
Critical Docker Desktop flaw allows container to compromise the host: link.
(bleepingcomputer.com)
That's less good stuff. Although to be fair, you're taking a risk whenever you pull in a third-party Docker container, so don't pull containers you don't trust. But it's a serious vulnerability.
On Windows, it allows the attacker to mount, read and modify the entire C drive. It's less easy on macOS because of the extra safeguards when it comes to disk access, but it's still possible. Linux isn't affected. Docker released a fix right away.
Major password managers can leak logins in clickjacking attacks: link.
(bleepingcomputer.com)
It comes down to playing around with pop-ups, opacity settings and such to trigger an unwanted click.
From the article:
The main attack mechanic is to run a script on a malicious or compromised website that uses opacity settings, overlays, or pointer-event tricks to hide the autofill dropdown menu of a browser-based password manager.
The attacker then overlays fake intrusive elements (e.g. cookie banners, popups, or CAPTCHA) so that the user’s clicks fall on the hidden password manager controls, resulting in completing the forms with sensitive information.
I'm not entirely clear though on how they leak the actual login information. You can trick a user into clicking somewhere, sure, but surely the extension only fills the credentials if the domain matches? Responses from vendors seem to be mixed, with some saying they fixed it, and others accepting clickjacking as essentially a risk they (have to) accept.
Considering what I read and the fact that this didn't blow up the infosec world, I lean towards the latter too.
Okta open-sources catalog of Auth0 rules for threat detection: link.
(bleepingcomputer.com)
Kudos, Okta, that's pretty sweet. It's a set of sigma queries to plow through your Auth0 logs to detect suspicious behaviour, published open-source as a "Customer Detection Catalog". More of this, please.
You can find the repo here. And you can learn more about sigma signatures on Wikipedia. The pdf linked to at "Further reading" looks pretty good.
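To make the Sigma idea concrete, an added example that is not a rule from Okta's catalog: the detection section of a Sigma rule hand-translated into a Python dict, a matcher implementing Sigma's selection semantics, and a small correlation step run over constructed Auth0-style log lines. The log field names are a subset of Auth0's, and the window and threshold are arbitrary choices for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Auth0-style log events (a subset of fields). The `type` codes are
# Auth0's log event type codes: "f"/"fp"/"fu" = failed login, "s" = success.
EVENTS = [
    {"date": "2025-08-25T10:00:01Z", "type": "fp", "ip": "203.0.113.7", "user_name": "a@x.test"},
    {"date": "2025-08-25T10:00:03Z", "type": "fu", "ip": "203.0.113.7", "user_name": "b@x.test"},
    {"date": "2025-08-25T10:00:05Z", "type": "f", "ip": "203.0.113.7", "user_name": "c@x.test"},
    {"date": "2025-08-25T10:00:09Z", "type": "s", "ip": "203.0.113.7", "user_name": "c@x.test"},
    {"date": "2025-08-25T10:00:11Z", "type": "fp", "ip": "198.51.100.2", "user_name": "d@x.test"},
    {"date": "2025-08-25T10:05:00Z", "type": "s", "ip": "198.51.100.2", "user_name": "d@x.test"},
]

# Detection section of a Sigma rule translated from YAML into a dict, plus a
# simple per-IP correlation. Constructed here; not a rule from Okta's catalog.
RULE = {
    "title": "Several failed Auth0 logins from one IP followed by a success",
    "detection": {"failed": {"type": ["f", "fp", "fu"]}, "success": {"type": "s"}},
    "window": timedelta(minutes=5),
    "threshold": 3,
}

def match(selection: dict, event: dict) -> bool:
    """Sigma selection semantics: all fields must match; a list of values is OR."""
    for field, want in selection.items():
        got = event.get(field)
        if isinstance(want, list):
            if got not in want:
                return False
        elif got != want:
            return False
    return True

def detect(events, rule):
    """(ip, user) pairs where >= threshold failures from an IP preceded a success
    from the same IP within the window. Events must be in time order."""
    sel = rule["detection"]
    fails = defaultdict(list)  # ip -> timestamps of failed logins
    hits = []
    for ev in events:
        ts = datetime.strptime(ev["date"], "%Y-%m-%dT%H:%M:%SZ")
        if match(sel["failed"], ev):
            fails[ev["ip"]].append(ts)
        elif match(sel["success"], ev):
            recent = [t for t in fails[ev["ip"]] if ts - t <= rule["window"]]
            if len(recent) >= rule["threshold"]:
                hits.append((ev["ip"], ev["user_name"]))
    return hits
```

Running `detect(EVENTS, RULE)` flags only the first IP, which logged three failures within seconds before the successful login; the second IP's single failure stays below the threshold.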
Developer gets 4 years for activating network “kill switch” to avenge his firing: link.
(arstechnica.com)
Oh boy. From the article:
That "kill switch" was designed to "lock out all users if his credentials in the company’s active directory were disabled," the DOJ said Thursday. And it worked flawlessly, automatically activating when Lu "was placed on leave and asked to surrender his laptop" in 2019. It locked out "thousands of company users globally," and no one had a clue what was going on.
Don't do it folks. We often have a lot of power as engineers, use it responsibly.
CISA updates SBOM recommendations: link.
(cybersecuritydive.com)
CISA has released a new version of their SBOM guidelines.
SBOM stands for Software Bill Of Materials. It's a standardised format that lists all dependencies an application has, with data fields for things like licenses and cryptographic hashes. It's definitely something that is gaining importance, which is fantastic.
It's open for public (US-based?) comments till October 3rd. You can find the document itself here, but don't expect it to be a riveting read by itself.
Quick links
- Orange Belgium discloses data breach impacting 850,000 customers (shout-out to my home country \o/): link.
- FCC removes 1,200 voice providers from telephone networks in major robocall crackdown: link.
- Elastic rejects claims of a zero-day RCE flaw in Defend EDR: link.
- US Senator blasts cybersecurity of federal court, citing 'incompetence' and 'cover-ups of previous incidents': link.
- Oregon man arrested for the "Rapper Bot" DDoS botnet: link.
- Apple fixes new zero-day flaw exploited in targeted attacks: link.
- Massive anti-cybercrime operation leads to over 1,200 arrests in Africa: link.
That's it! As always, shout-out to 1Password for being both a kickass password manager, and supporting this newsletter. It wouldn't exist without them.
Till next week!
Dieter
P.S.: Did you notice how I didn't include anything about Microsoft for once? Pretty good of me, right? Nothing they did felt individually more important than the news above. Even though they did have their updates break Windows recovery, cause severe streaming issues, cause SSD failures, all while having problems with Teams, Outlook and office.com and Copilot. In the last week. I'm sure it's fine, don't worry about it.