In this first lecture of Security Engineering (https://www.cl.cam.ac.uk/~rja14/book.html), Ross looks at the various kinds of attacker and their capabilities: the crooks, state actors, corporate competitors, and "the swamp". Sam then looks at the various tools they all use, and how real-world vulnerabilities are patched and/or exploited.
I've written a third edition of Security Engineering. The e-book version is available now for $44 from Wiley and Amazon; paper copies are available from Amazon here for delivery in the USA and here for the UK.
Here are the chapters, with links to the seven sample chapters as I last put them online for review: //
Here are fifteen teaching videos we made based on the book for a security engineering class at Edinburgh, taught to masters students and fourth-year undergrads: //
The Second Edition (2008)
Download for free here:
Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.
At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.
Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-Fi access point uses, known as a Basic Service Set Identifier or BSSID.
Ebury backdoors SSH servers in hosting providers, giving the malware extraordinary reach. //
Infrastructure used to maintain and distribute the Linux operating system kernel was infected for two years, starting in 2009, by sophisticated malware that managed to get a hold of one of the developers’ most closely guarded resources: the /etc/shadow files that stored encrypted password data for more than 550 system users, researchers said Tuesday. //
A 47-page report summarizing Ebury's 15-year history said that the infection hitting the kernel.org network began in 2009, two years earlier than the domain was previously thought to have been compromised. The report said that since 2009, the OpenSSH-dwelling malware has infected more than 400,000 servers, all running Linux except for about 400 FreeBSD servers, a dozen OpenBSD and SunOS servers, and at least one Mac. //
There is no indication that either infection resulted in tampering with the Linux kernel source code.
The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. //
We use DHCP option 121 to set a route on the VPN user’s routing table. The route we set is arbitrary and we can also set multiple routes if needed. By pushing routes that are more specific than a /0 CIDR range that most VPNs use, we can make routing rules that have a higher priority than the routes for the virtual interface the VPN creates. We can set multiple /1 routes to recreate the 0.0.0.0/0 all traffic rule set by most VPNs. //
Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. //
The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn’t in bridged mode or to connect the VPN to the Internet through the Wi-Fi network of a cellular device.
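To make the routing trick concrete from the defender's side, here is an added Python example (not code from the article or from the TunnelVision researchers) that decodes a DHCP option 121 payload in its RFC 3442 classless-static-route encoding and reports how much of the IPv4 space the pushed routes would pull off a VPN's tunnel routes. The payload bytes, the router 192.0.2.1 and the assumed VPN tunnel routes (the 0.0.0.0/1 and 128.0.0.0/1 pair) are constructed for the example.

```python
# Added example, not from the article or the researchers: audit a DHCP option 121
# payload the way a VPN client or administrator might check a received lease.
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def decode_option121(data: bytes) -> List[Route]:
    """RFC 3442 encoding: per route, one byte of prefix length, then only the
    significant destination octets (ceil(prefix/8) of them), then a 4-byte router."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i - 1}")
        nbytes = (plen + 7) // 8
        if i + nbytes + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + nbytes]) + b"\x00" * (4 - nbytes)
        i += nbytes
        router = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def fraction_of_ipv4_covered(routes: List[Route]) -> float:
    """Share of the whole IPv4 space the pushed routes cover once overlaps are merged."""
    merged = ipaddress.collapse_addresses([net for net, _ in routes])
    return sum(net.num_addresses for net in merged) / 2 ** 32


def shadowing_routes(routes: List[Route],
                     vpn_nets: List[ipaddress.IPv4Network]) -> List[Route]:
    """Pushed routes that beat a VPN tunnel route on longest-prefix match (more
    specific) or tie with it (equal length, where only the metric decides)."""
    return [(net, router) for net, router in routes
            if any(net.overlaps(v) and net.prefixlen >= v.prefixlen for v in vpn_nets)]


# Constructed payload: the 0.0.0.0/1 + 128.0.0.0/1 pair via 192.0.2.1 that the
# article describes, plus an ordinary-looking 10.0.0.0/8 route via the same router.
SAMPLE_OPTION_121 = bytes([
    1, 0x00, 192, 0, 2, 1,   # 0.0.0.0/1   -> 192.0.2.1
    1, 0x80, 192, 0, 2, 1,   # 128.0.0.0/1 -> 192.0.2.1
    8, 10, 192, 0, 2, 1,     # 10.0.0.0/8  -> 192.0.2.1
])

# Assumed tunnel routes of a typical VPN client (some install a single 0.0.0.0/0).
VPN_TUNNEL_NETS = [ipaddress.IPv4Network("0.0.0.0/1"),
                   ipaddress.IPv4Network("128.0.0.0/1")]


def audit(data: bytes) -> dict:
    routes = decode_option121(data)
    return {
        "routes": routes,
        "covered": fraction_of_ipv4_covered(routes),
        "shadowing": shadowing_routes(routes, VPN_TUNNEL_NETS),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_OPTION_121)
    for net, router in report["routes"]:
        print(f"{str(net):>16} via {router}")
    print(f"fraction of IPv4 diverted off the tunnel: {report['covered']:.2f}")
    print(f"routes that beat or tie the tunnel routes: {len(report['shadowing'])}")
```

A lease whose option 121 routes cover most of the address space, or whose router is the DHCP server itself rather than the usual gateway, is the signal to look for.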
A little-discussed detail in the Lavender AI article is that Israel is killing people based on being in the same WhatsApp group [1] as a suspected militant [2]. Where are they getting this data? Is WhatsApp sharing it?
Attacks coming from nearly 4,000 IP addresses take aim at VPNs, SSH and web apps. //
Talos said Tuesday that services targeted in the campaign include, but aren’t limited to:
Cisco Secure Firewall VPN
Checkpoint VPN
Fortinet VPN
SonicWall VPN
RD Web Services
Mikrotik
Draytek
Ubiquiti.
...
Additionally, remote access VPNs should use certificate-based authentication.
Hackers already received a $22 million payment. Now a second group demands money. //
Callow says the incident reinforces that cybercriminals can’t be trusted to delete data, even when they are paid. //
“Sometimes they use the undeleted data to extort victims for a second time, and the risk of re-extortion will only increase as law enforcement up their disruption efforts and throw the ransomware ecosystem into chaos,” Callow says. “What were always unpredictable outcomes will now be even more unpredictable.”
Similarly, DiMaggio says victims of ransomware attacks need to learn they can’t trust cybercriminals. “Victims need to understand that paying a criminal who promises to delete their data permanently is a myth,” DiMaggio says. “They are paying to have their data taken off the public side of the ransomware attackers' data leak site. They should assume it is never actually deleted.” //
quackmeister Smack-Fu Master, in training 7y 55
Makes perfect business sense that ransomware vendors are embracing the subscriber model. //
deviant_cocktail Wise, Aged Ars Veteran 4y 150 Subscriptor
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say:—
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that plays it is lost!"
(From the poem Dane-geld by Rudyard Kipling) //
Shavano Ars Legatus Legionis 11y 57,985 Subscriptor
Although Change Healthcare and their parent United Health rightly deserve to be pilloried and their stock to take a giant nose dive for this, and to lose all their doctor affiliations and patients, punishing them alone won't fix the problem. Everybody's data remains at risk as long as it's legal to pay ransomware companies.
Make it a felony for any US business or government entity to pay cyber-related ransom. Then the payments will stop, which will make the ransom attempts stop. //
freaq Ars Scholae Palatinae 6y 1,099
Stop… paying…
They will never stop if you keep paying…
It's time that it becomes illegal to pay off ransomware, so that fewer people do.
Crime only stops when it stops paying…
No patch yet for unauthenticated code-execution bug in Palo Alto Networks firewall. //
beheadedstraw Ars Centurion 8y 373
cyberfunk said:
I find this article quite difficult to comprehend, we go from rooting firewalls to somehow magically obtaining Microsoft active directory secrets? There's no logical flow to how attackers are jumping around the network here and it just feels like bits and pieces of the security reports are copy and pasted here into the article without explanation. I think a better job needs to be done explaining the logical flow of events here
The vast majority of firewalls have service accounts with full read access to AD for authentication, usually for VPNs. Microsoft still uses NTLM/NTLMv2 to encrypt their passwords, which is highly susceptible to simple brute force attacks because they don't use salts.
Regardless this is basically the worst of the worst case scenarios for a shitload of Fortune 500 companies, which is what Palo Alto caters to. //
fsck! Ars Centurion 12y 242
Having gone through the Ivanti ordeal as well, I can say AD integration isn't to be taken lightly. From a recovery standpoint, you are now not only looking at VPN remediation but also your entire AD... //
Focher Ars Scholae Palatinae 17y 1,054
KingKrayola said:
We're neither using a PAN firewall nor a blue-chip company. Does using RADIUS for VPN auth provide a level of protection vs direct AD Access, or is it just a case of choosing one's poison?
That depends. RADIUS has a fully configurable authentication mechanism, but if you’re using a flavor of Active Directory then you’re subject to much of the same. Why certificates aren’t a required layer in environments continues to surprise me. I’m not suggesting other laypersons should have it but even I use it on my own network so it’s definitely manageable. //
pnellesen Ars Scholae Palatinae 12y 1,035 Subscriptor++
This kind of news never comes out on a Monday morning, does it? //
Last week, the internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it.
The cybersecurity world got really lucky last week. An intentionally placed backdoor in xz Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer—weeks before it would have been incorporated into both Debian and Red Hat Linux. //
It was an incredibly complex backdoor. Installing it was a multi-year process that seems to have involved social engineering the lone unpaid engineer in charge of the utility. //
The sophistication of both the exploit and the process to get it into the software project scream nation-state operation. It’s reminiscent of SolarWinds, although (1) it would have been much, much worse, and (2) we got really, really lucky.
I simply don’t believe this was the only attempt to slip a backdoor into a critical piece of Internet software, either closed source or open source. Given how lucky we were to detect this one, I believe this kind of operation has been successful in the past. We simply have to stop building our critical national infrastructure on top of random software libraries managed by lone, unpaid, distracted, or worse individuals.
Clive Robinson • April 4, 2024 2:24 PM
@ Gert-Jan, ALL,
Re : Some things can not be done.
“The question is, how can we guarantee a particular level of quality and security?”
We can not is the short but honest answer.
...
“Security is a quality process”
And like all quality processes,
“It needs management buy in at the highest level, and should be in place before the project is thought of let alone be the pre-specification wish-list thought up.”
Even then, basic information theory tells us it can not be shown to be secure…
Because to “process” information it has to be “communicated”.
Claude Shannon proved for information to be transmitted then there has to be “redundancy” in the resultant communications channel.
Gus Simmons proved that where there was a channel with redundancy then another channel could be created within it. Importantly this “side channel” could be made not just covert but impossible for an observer to show existed.
From that alone you can see it can not be secure.
I could go on and bring in work from Gödel from nearly a hundred years ago that pre-dates the work of Church and Turing that in effect gives further evidence, but there’s not enough space to go through it[1]. If you want to try you first have to get your head around the implications of the “Axiom of choice”(AoC) and Cantor’s Diagonal Argument both fundamental to set theory and both Gödel and Turing proofs.
But from a simpler perspective take a “black Box view” but with a slight difference…
There are two sets of inputs and two sets of outputs.
You as the observer can only see one set of outputs, and as a tester can only see and manipulate one set of inputs. Your task is to show that the set of outputs you observe are only generated by the set of inputs you control and some internal function that has both state and feedback, and not in any way affected by the other inputs you can neither control nor observe.
[1] I’ve four hard back books on Gödel’s work and two on Turing’s in my dead tree cave, they are all hard work to read let alone get your head around…
cybershow • April 3, 2024 5:23 PM
@ Nick Alcock
Hey Nick, I do appreciate the compliment, but you are too kind, I am not sure it is possible to ever be too paranoid in this business 🙂 In my tradition we call it radical scepticism.
...
Regardless then the perhaps ridiculous accusation of whether and how Microsoft caused this issue, the question of how could Microsoft benefit from it is a separate, good and worthy one I am pleased you ask.
The story of the backdoor so far is two-fold. It’s a technically great hack one has to admire, with undetectable RCE in the auth phase of the most used critical protocol. Hats-off!
But it’s also a story of sinister social engineering. A dark night. A lonely and isolated maintainer. Some well meaning visitors drop by “to help”…
What we’re left talking about is the very nature of open source development, of supply chains and trust models. Perhaps a long-overdue conversation, no?
But who have positioned themselves “to help”?
Who have replaced the entire pre-2010 ecosystem of individual and autonomous development with a single GitHub?
Who might we expect to soon come riding in on a white stallion with “solutions” to the vulnerability of FOSS supply chains? To protect the lonesome, unpaid, overworked and socially unskilled FOSS maintainer?
most respectfully. //
Winter • April 4, 2024 5:08 AM
@cybershow
Regardless then the perhaps ridiculous accusation of whether and how Microsoft caused this issue, the question of how could Microsoft benefit from it is a separate, good and worthy one I am pleased you ask.
Microsoft ships Linux as part of WSL. The targeted Linux distributions are the main deployments on Azure. Azure generated $45B of revenue (23%)[1]. That is more than Office or Windows. Azure is the biggest growth market for MS. AFAIK, MS have nothing to replace Linux available.
This means that anything that damages Linux will damage Azure and hence, MS’ bottom line. I find your “attribution” rather unrealistic.
[1] 2022 https://www.kamilfranek.com/microsoft-revenue-breakdown/
Hales • April 2, 2024 6:25 PM
I like Ariadne Space’s take on this:
There is no “supply chain” in reality, but there is an effort by corporations which consume software from the commons to pretend there is one in order to shift the obligations related to ingesting third-party code away from themselves and to the original authors and maintainers of the code they are using.
That doesn’t completely cover all situations here — a distro like Debian or Arch isn’t a corporate paid product — but I think it still highlights an interesting point. Expecting the developer of a small project to up their game is ineffective (they don’t have the resources) and counterproductive (they’ll probably think twice about publishing anything ever again).
mustached-dog Seniorius Lurkius 22y 30 Subscriptor
Interestingly enough, "Jia Tan" is very close to 加蛋 in Mandarin, meaning "to add an egg". Unlikely to be a real name or a coincidence. //
choco bo Ars Praetorian 11y 402 Subscriptor++
Performance hit is quite substantial, actually. I have no doubt that this thing would have been detected, eventually. However, it might have happened months from now. Then it would have been everywhere already.
But this is a good thing. A very good thing, actually.
There have been discussions about supply chain attacks, for years. Decades, actually. We used to call it "poisoning the well" many years ago. But no matter how much we talk about it, it was all theoretical. I mean, people even assumed that compilers have been backdoored many years ago. But no one was going to spend this much effort just to show that it was possible and to make people accept the possibility. So not much was really done about it.
Until now.
Now we are already seeing changes being made to OpenSSH that would have not been possible a few months ago. Native systemd notification integration is already being developed (since 30th of March), so no need for libsystemd linking anymore. It will take some time to get integrated but it will happen. We are seeing people understanding that there is absolutely no need to have binary blobs in source repositories (except rare cases, of course, but those are going to be audited even more now). Checking source repositories against tarballs has been done before, many times. But obviously it wasn't good enough or often enough. That will change as well. People being dicks to maintainers are going to get greeted with "go fuck yourself" now, without a second thought. It will be extreme but it will be safer. For eternity I was terrified of compiling software myself because every time I invoked "./configure ..." I would think "fuck knows what is going on there right now". I did occasionally check scripts, I would grep for unexpected things but I was aware I'd never detect a very skilled attacker, like this one. Now there is going to be much more checking of autoconf/make/CMake/etc files in source repos. It won't be easy to detect things, but it will be easier. More eyes will be put on sources. For example, I am going to pick a random smaller project and just read the commit history, look for oddities, etc. Not because I expect to find something but I want to see what else should be looked at, etc. Eventually, I might end up with a toolset that might help speed this process up. So there will be at least one more set of eyes looking at sources. I imagine that companies/organizations with more resources are going to put tons of effort into automating all this. So yeah, the xz backdoor is actually a good thing, in a very bizarre way.
Also, I can't hunt all the references at the moment but I believe it was certificate (not the SSH key) that is used as a vector of attack, because certs are checked early and no configuration options will disable that check, while it wouldn't be the case with keys. A change to OpenSSH has already been suggested so OpenSSH will only get more secure because of this and one less vector of attack is now available.
The amount of skill and time/effort invested in this is mind blowing. I don't think people outside security really comprehend the skill/time involved here, this was an insanely well executed attack. My first thought was "This had to be TURLA" because it was insanely smart and whoever did this had lots of patience. This does not (and will not) happen often.
So yeah, we were incredibly lucky that a Postgres developer caught it early.
However, it is mind blowing how many times security incidents have been detected by looking at CPU/RAM usage on systems, it is really no surprise that this is how xz backdoor got detected.
Malicious code planted in xz Utils has been circulating for more than a month. //
GolbatsEverywhere
This might have been the worst Linux backdoor in history except that it was caught so soon. An SSH authentication backdoor is surely worse than the Debian weak keys incident and also worse than Heartbleed, the two most notorious Linux security incidents that I can think of. Probably this would have been abused to hack most if not all of the Fortune 500, except Mr. Freund decided to investigate some small performance issue that anybody else would have dismissed as unimportant. We are spared only due to sheer dumb luck. This guy has probably just averted at least billions of dollars worth of damages. Cannot emphasize enough how grateful we should be to him right now. //
dwrd Ars Tribunus Militum 6y 2,020 Subscriptor++
Big oof, after reading the commit messages, I'm going to have to assume they owed some bad people a lot of money, or they had an involuntary sleepover at an undisclosed location with several ill-tempered fellows from the state secret police agency. //
This could have made it into a lot more places had they not been doing benchmarking at just the right time.
Milliseconds. About 500 milliseconds. That's what started him down the rabbit hole. He was bothered by a half-second hiccup in an ssh connection refusal. //
crepuscularbrolly Ars Scholae Palatinae 17y 802 Subscriptor++
Andres Freund's post on OpenWall indicates the backdoor is only injected if:
targeting only x86-64 Linux
Building with gcc and the GNU linker
Running as part of a Debian or RPM package build
But, better safe than sorry.
Clive Robinson • March 28, 2024 6:04 AM
@ OldGuy, ALL,
Re : Chain of history
How we get from your,
“Then boss forgot his password, didn’t want to pay to get it unlocked, and turned me loose on it. Turned out their security consisted of XOR’ing every byte written to disk with the same hardcoded 8-bit value.”
To,
https://www.cnet.com/news/privacy/judge-orders-halt-to-defcon-speech-on-subway-card-hacking/
And how history is being rewritten by AI agents etc.
Your comment brings back a memory from nearly a quarter of a century ago. With ElcomSoft’s Dmitry Sklyarov being arrested and as it later turned out illegally detained and coerced by the FBI on behalf of Adobe Systems and their P155 P00r security in their e-book reader that used what sounds like exactly the same encryption system,
“Dmitry Sklyarov the 27 year old Russian programmer at the center of this case was released from U. S. custody and allowed to return to his home in Russia on December 13 2001”
https://www.eff.org/cases/us-v-elcomsoft-sklyarov
Interestingly, searching around shows that slowly bit by bit write ups on,
1, What Dmitry had presented at Defcon-9 about the truly bad state of e-book software.
2, The fact he was arrested on behest of Adobe for embarrassing them publicly about the very poor security in their e-book system
3, The fact it was even Adobe Systems or their product
4, The unlawful behaviour of US authorities
5, The names of FBI and DoJ people involved
6, The fact Dmitry was a PhD researcher.
7, A jury found both Dmitry and Elcomsoft entirely innocent on all charges brought against them.
Is getting “deleted from history” or made difficult to find, via the likes of DuckDuckGo and Microsoft AI based Search engines…
The case was quite famous at the time as it showed the FBI was not just “over reaching” but actively trying to crush legitimate academic research. With even the usually non political and non feather ruffling “Nature” making comment,
https://www.nature.com/articles/35086729
And how speaking “truth unto power” can have consequences,
https://www.linux.com/news/sklyarovs-defcon-presentation-online-supporters-reputation-bonfire/
Much of which is what got repeated by the Massachusetts Government against the three students and the RfID “Charlie Card”.
Clive Robinson • March 28, 2024 6:41 AM
@ OldGuy, ALL,
I forgot to add the all important,
https://en.citizendium.org/wiki/Snake_oil_(cryptography)
Which tells you,
‘One company advertised “the only software in the universe that makes your information virtually 100% burglarproof!”; their actual encryption, according to Sklyarov, was “XOR-ing each byte with every byte of the string “encrypted”, which is the same as XOR with constant byte”. Another used Rot 13 encryption, another used the same fixed key for all documents, and another stored everything needed to calculate the key in the document header.’
You can see why your comment triggered my ancient memory 😉
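The equivalence quoted above is worth seeing in code: because XOR is associative and commutative, XOR-ing a byte with every byte of "encrypted" in turn is the same as XOR-ing it once with the XOR-sum of those nine bytes, and one known plaintext byte (a file magic, a header field) then hands the reader that constant. The following Python is an added example, not code from the comment or from any product or write-up it cites; the sample document is constructed.

```python
# Added example: why "XOR every byte with every byte of a password" collapses to a
# single constant byte, and why that constant is read off one known plaintext byte.
from functools import reduce


def collapse_key(password: bytes) -> int:
    """XOR-sum of the password bytes: the one constant the whole scheme reduces to."""
    return reduce(lambda acc, k: acc ^ k, password, 0)


def snake_oil_encrypt(plaintext: bytes, password: bytes) -> bytes:
    """The scheme as described: XOR each plaintext byte with every password byte."""
    out = bytearray()
    for p in plaintext:
        for k in password:
            p ^= k
        out.append(p)
    return bytes(out)


def constant_xor(data: bytes, key: int) -> bytes:
    """XOR with a single byte; applied twice it is the identity, so it also decrypts."""
    return bytes(b ^ key for b in data)


def recover_key(ciphertext: bytes, known_plaintext_byte: int, offset: int = 0) -> int:
    """One byte whose plaintext is known (e.g. a format's magic number) gives the
    constant directly, with no brute force at all."""
    return ciphertext[offset] ^ known_plaintext_byte


# Constructed sample: a document whose first byte is a well-known magic character.
SAMPLE_DOCUMENT = b"%PDF-1.4 constructed sample document body"
PASSWORD = b"encrypted"


def demo() -> dict:
    key = collapse_key(PASSWORD)
    ct = snake_oil_encrypt(SAMPLE_DOCUMENT, PASSWORD)
    return {
        "constant": key,
        "same_as_constant_xor": ct == constant_xor(SAMPLE_DOCUMENT, key),
        "recovered": recover_key(ct, ord("%")),
        "round_trip": constant_xor(ct, recover_key(ct, ord("%"))) == SAMPLE_DOCUMENT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```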
The device that makes it possible is required in all American big rigs, and has poor security //
Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University.
The Russian propaganda outlet RT.com released a transcript Friday of senior German military officers discussing the deployment of the German Taurus stealth cruise missile to Ukraine.
Luftwaffe commander Ingo Gerhartz led the 38-minute call, which took place on February 19. Other participants were the German Air Force Head of the Operations and Training Section, Frank Graefe, a Luftwaffe Space Command Air Operations Center staff member, Stefan Fenske, and another staff member from the center identified only by the surname Frostedte. The call was intercepted because General Graefe, who was attending the biennial Singapore Airshow (sounds a lot like "hiking the Appalachian Trail"), participated in the discussion using an unsecured hotel telephone line. //
Divulging sensitive operational details in a call recorded by the SVR has caused a lot of problems for Scholz and Germany.
Germany's lack of seriousness in manning its armed forces and now in the way that it handles highly classified details is showing more and more EU nations that it can't look to Germany for competent leadership. The call, which apparently revealed Scholz's thinking on the subject of the Taurus missile that he hadn't shared with allies, foreign or domestic, has given his already flaccid credibility a body blow. This has caused France's Emmanuel Macron to make a stab at wresting the leadership of the EU and European NATO from Germany. The tenor of the leaked conversation was one of lukewarm enthusiasm for assisting Ukraine with a strong shot of defeatism.
The long-term impact of the leaked conversation remains unclear. While it's unlikely to lead to an immediate shift in German policy, it has undoubtedly raised the stakes in the ongoing debate about military aid to Ukraine. The damage to diplomatic trust is very real, and the increased pressure from allies creates a complex situation for Scholz. Scholz's approval rate is roughly half that of Joe Biden (17%), and his coalition allies see self-preservation in jumping ship. However, Germany's constitution virtually guarantees that Scholz's government will continue to move zombie-like for the next two years when Germany's power and influence are sorely needed.
What is crystal clear is that this intelligence coup by the SVR has had a significant impact in dividing the pro-Ukraine coalition.
jhollinger said:
Sounds like this may explain the large number of password reset requests I'm suddenly getting...
My sister's Instagram account was taken over before, interesting strategy they use.
Basically they start chit chatting with you about your posts to look friendly, then they message you saying that someone is trying to hack their account and send you pics of the reset text that instagram sends out and ask if you received anything similar.
In the background they try to reset your account and then you receive the text from Instagram to recover it, then you obviously tell them yes I'm receiving the same texts, they ask for a screenshot of it to compare with their own which has a link to recover the account. Then they simply type in the link, make a new password and have access to the account.
My sister didn't have 2FA on because she used some other app to see who follows/unfollows her and it didn't work with 2FA, she eventually got her account back and learned her lesson... I hope lol