Last week, the internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it.

The cybersecurity world got really lucky last week. An intentionally placed backdoor in xz Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer—weeks before it would have been incorporated into both Debian and Red Hat Linux. //

It was an incredibly complex backdoor. Installing it was a multi-year process that seems to have involved social engineering the lone unpaid engineer in charge of the utility. //

The sophistication of both the exploit and the process to get it into the software project scream nation-state operation. It’s reminiscent of Solar Winds, although (1) it would have been much, much worse, and (2) we got really, really lucky.

I simply don’t believe this was the only attempt to slip a backdoor into a critical piece of Internet software, either closed source or open source. Given how lucky we were to detect this one, I believe this kind of operation has been successful in the past. We simply have to stop building our critical national infrastructure on top of random software libraries managed by lone, unpaid, distracted, or worse individuals.

Clive Robinson • April 4, 2024 2:24 PM

@ Gert-Jan, ALL,

Re : Something’s can not be done.

“The question is, how can we guarantee a particular level of quality and security?”

We can not is the short but honest answer.
...
“Security is a quality process”

And like all quality processes,

“It needs management buy in at the highest level, and should be in place before the project is thought of let alone be the pre-specification wish-list thought up.”

Even then, basic information theory tells us it can not be shown to be secure…

Because to “process” information it has to be “communicated”.

Claude Shannon proved for information to be transmitted then there has to be “redundancy” in the resultant communications channel.

Gus Simmons proved that where there was a channel with redundancy then another channel could be created within it. Importantly this “side channel” could be made not just covert but impossible for an observer to show existed.

From that alone you can see it can not be secure.

I could go on and bring in work from Gödel from nearly a hundred years ago that pre-dates the work of Church and Turing that in effect gives further evidence, but there’s not enough space to go through it[1]. If you want to try you first have to get your head around the implications of the “Axiom of choice”(AoC) and Cantor’s Diagonal Argument both fundamental to set theory and both Gödel and Turing proofs.

But from a simpler perspective take a “black Box view” but with a slight difference…

There are two sets of inputs and two sets of outputs.

You as the observer can only see one set of outputs, and as a tester can only see and manipulate one set of inputs. Your task is to show that the set of outputs you observe are only generated by the set of inputs you control and some internal function that has both state and feedback and not in anyway effected by the other inputs you can neither control or observe.

[1] I’ve four hard back books on Gödel’s work and two on Turing’s in my dead tree cave, they are all hard work to read let alone get your head around…

cybershow • April 3, 2024 5:23 PM

@ Nick Alcock

Hey Nick, I do appreciate the compliment, but you are too kind, I am not sure it is possible to ever be too paranoid in this
business 🙂 In my tradition we call it radical scepticism.
...
Regardless then the perhaps ridiculous accusation of whether and how Microsoft caused this issue, the question of how could Microsoft benefit from it is a separate, good and worthy one I am pleased you ask.

The story of the backdoor so far is two-fold. It’s a technically great hack one has to admire, with undetectable RCE in the auth phase of the most used critical protocol. Hats-off!

But it’s also a story of sinister social engineering. A dark night. A lonely and isolated maintainer. Some well meaning visitors drop by “to help”…

What we’re left talking about is the very nature of open source development, of supply chains and trust models. Perhaps a long-overdue conversation, no?

But who have positioned themselves “to help”?

Who have replaced the entire pre-2010 ecosystem of individual and autonomous development with a single GitHub?

Who might we expect to soon come riding in on a white stallion with “solutions” to the vulnerability of FOSS supply chains? To protect the lonesome, unpaid, overworked and socially unskilled FOSS maintainer?

most respectfully. //

Winter • April 4, 2024 5:08 AM

@cybershow

Regardless then the perhaps ridiculous accusation of whether and how Microsoft caused this issue, the question of how could Microsoft benefit from it is a separate, good and worthy one I am pleased you ask.

Microsoft ships Linux as part of WSL. The targeted Linux distributions are the main deployments on Azure. Azure generated $45B of revenue (23%)[1]. That is more than Office or Windows. Azure is the biggest growth market for MS. AFAIK, MS have nothing to replace Linux available.

This means that anything that damages Linux will damage Azure and hence, MS’ bottom line. I find your “attribution” rather unrealistic.

[1] 2022 ‘https://www.kamilfranek.com/microsoft-revenue-breakdown/

Hales • April 2, 2024 6:25 PM

I like Ariadne Space’s take on this:

There is no “supply chain” in reality, but there is an effort by corporations which consume software from the commons to pretend there is one in order to shift the obligations related to ingesting third-party code away from themselves and to the original authors and maintainers of the code they are using.

That doesn’t completely cover all situations here — a distro like Debian or Arch isn’t a corporate paid product — but I think it still highlights an interesting point. Expecting the developer of a small project to up their game is ineffective (they don’t have the resources) and counterproductive (they’ll probably think twice about publishing anything ever again).

mustached-dog Seniorius Lurkius
22y
30
Subscriptor
Interestingly enough, "Jia Tan" is very close to 加蛋 in Mandarin, meaning "to add an egg". Unlikely to be a real name or a coincidence. //

choco bo Ars Praetorian
11y
402
Subscriptor++
Performance hit is quite substantial, actually. I have no doubt that this thing would have been detected, eventually. However, it might have happened months from now. Then it would have been everywhere already.

But this is a good thing. A very good thing, actually.

There have been discussions about supply chain attacks, for years. Decades, actually. We used to call it "poisoning the well" many years ago. But no matter how much we talk about it, it was all theoretical. I mean, people even assumed that compilers have been backdoored many years ago. But noone was going to spend this much effort just to show that it was possible and to make people accept the possibility. So not much was really done about it.

Until now.

Now we are already seeing changes being made to OpenSSH that would have not been possible few months ago. Native systemd notification integration is already been developed (since 30th of March), so no need for libsystemd linking anymore. It will take some time to get integrated but it will happen. We are seeing people understanding that there is absolutely no need to have binary blobs in source repositories (except rare cases, of course, but those are going to be audited even more now). Checking source repositories against tarballs have been done before, many times. But obviously it wasn't good enough or often enough. That will change as well. People being dicks to maintainers are going to get greeted with "go fuck yourself" now, without a second thought. It will be extreme but it will be safer. For eternity I was terrified of compiling software myself because every time I invoked "./configure ..." I would think "fuck knows what is going on there right now". I did occasionally check scripts, I would grep for unexpected things but I was aware I'd never detect a very skilled attacker, like this one. Now there is going to be much more checking of autoconf/make/CMake/etc files in source repos. It won't be easy to detect things, but it will be easier. More eyes will be put on sources. For example, I am going to pick a random smaller project and just read the commit history, look for oddities, etc. Not because I expect to find something but I want to see what else should be looked at, etc. Eventually, I might end up with toolset that might help speed this process up. So there will be at least one more set of eyes looking at sources. I imagine that companies/organizations with more resources are going to put tons of effort into automating all this. So yeah, xz backdoor is actually a good thing, in a very bizarre way.

Also, I can't hunt all the references at the moment but I believe it was certificate (not the SSH key) that is used as a vector of attack, because certs are checked early and no configuration options will disable that check, while it wouldn't be the case with keys. A change to OpenSSH has already been suggested so OpenSSH will only get more secure because of this and one less vector of attack is now available.

Amount of skill and time/effort invested in this is mind blowing. I don't think people outside security really comprehend the skill/time involved here, this was insanely well executed attack. My first thought was "This had to be TURLA" because it was insanely smart and whoever did this had lots of patience. This does not (and will not) happen often.

So yeah, we were incredibly lucky that a Postgres developer caught it early.

However, it is mind blowing how many times security incidents have been detected by looking at CPU/RAM usage on systems, it is really no surprise that this is how xz backdoor got detected.

Malicious code planted in xz Utils has been circulating for more than a month. //

GolbatsEverywhere
This might have been the worst Linux backdoor in history except that it was caught so soon. An SSH authentication backdoor is surely worse than the Debian weak keys incident and also worse than Heartbleed, the two most notorious Linux security incidents that I can think of. Probably this would have been abused to hack most if not all of the Fortune 500, except Mr. Freund decided to investigate some small performance issue that anybody else would have dismissed as unimportant. We are spared only due to sheer dumb luck. This guy has probably just averted at least billions of dollars worth of damages. Cannot emphasize enough how grateful we should be to him right now. //

dwrd Ars Tribunus Militum
6y
2,020
Subscriptor++
Big oof, after reading the commit messages, I'm going to have to assume they owed some bad people a lot of money, or they had an involuntary sleepover at an undisclosed location with several ill-tempered fellows from the state secret police agency. //

This could have made it into a lot more places had they not been doing benchmarking at just the right time.
Milliseconds. About 500 milliseconds. That's what started him down the rabbit hole. He was bothered by a half-second hiccup in an ssh connection refusal. //

crepuscularbrolly Ars Scholae Palatinae
17y
802
Subscriptor++
Andres Freund's post on OpenWall indicates the backdoor is only injected if:
targeting only x86-64 linux
Building with gcc and the gnu linker
Running as part of a debian or RPM package build
But, better safe than sorry.

Clive Robinson • March 28, 2024 6:04 AM

@ OldGuy, ALL,

Re : Chain of history

How we get from your,

“Then boss forgot his password, didn’t want to pay to get it unlocked, and turned me loose on it. Turned out their security consisted of XOR’ing every byte written to disk with the same hardcoded 8-bit value.”

To,

https://www.cnet.com/news/privacy/judge-orders-halt-to-defcon-speech-on-subway-card-hacking/

And how history is being rewritten by AI agents etc.

Your comment brings back a memory from nearly a quarter of a century ago. With ElcomSoft’s Dmitry Sklyarov being arrested and as it later turned out illegally detained and coerced by the FBI on behalf of Adobe Systems and their P155 P00r security in their e-book reader that used what sounds like exactly the same encryption system,

“Dmitry Sklyarov the 27 year old Russian programmer at the center of this case was released from U. S. custody and allowed to return to his home in Russia on December 13 2001”

https://www.eff.org/cases/us-v-elcomsoft-sklyarov

Interestingly, searching around shows that slowly bit by bit write ups on,

1, What Dmitry had presented at Defcon-9 about the truly bad state of e-book software.
2, The fact he was arrested on behest of Adobe for embarrassing them publicly about the very poor security in their e-book system
3, The fact it was even Adobe Systems or their product
4, The unlawful behaviour of US authorities
5, The names of FBI and DoJ people involved
6, The fact Dmitry was a PhD researcher.
7, A jury found both Dmitry and Elcomsoft entirely innocent on all charges brought against them.

Is getting “deleted from history” or made difficult to find, via the likes of DuckDuckGo and Microsoft AI based Search engines…

The case was quite famous at the time as it showed the FBI was not just “over reaching” but actively trying to crush legitimate academic research. With even the usually non political and non feather ruffling “Nature” making comment,

https://www.nature.com/articles/35086729

And how speaking “truth unto power” can have consequences,

‘https://www.linux.com/news/sklyarovs-defcon-presentation-online-supporters-reputation-bonfire/

Much of which is what got repeated by the Massachusetts Government against the three students and the RfID “Charlie Card”.

Clive Robinson • March 28, 2024 6:41 AM

@ OldGuy, ALL,

I forgot to add the all important,

https://en.citizendium.org/wiki/Snake_oil_(cryptography)

Which tells you,

‘One company advertised “the only software in the universe that makes your information virtually 100% burglarproof!”; their actual encryption, according to Sklyarov, was “XOR-ing each byte with every byte of the string “encrypted”, which is the same as XOR with constant byte”. Another used Rot 13 encryption, another used the same fixed key for all documents, and another stored everything needed to calculate the key in the document header.
‘

You can see why your comment triggered my memory ancient memory 😉

The device that makes it possible is required in all American big rigs, and has poor security //

Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University.

The Russian propaganda outlet RT.com released a transcript Friday of senior German military officers discussing the deployment of the German Taurus stealth cruise missile to Ukraine.

Luftwaffe commander Ingo Gerhartz led the 38-minute call that took place on February 19 involved. Other participants were the German Air Force Head of the Operations and Training Section, Frank Graefe, a Luftwaffe Space Command Air Operations Center staff member, Stefan Fenske, and another staff from the center identified only by the surname Frostedte. The call was intercepted because General Gaefe, who was attending the biennial Singapore Airshow (sounds a lot like "hiking the Appalachian Trail"), participated in the discussion using an unsecured hotel telephone line. //

Divulging sensitive operational details in a call recorded by the SVR has caused a lot of problems for Scholz and Germany.

Germany's lack of seriousness in manning its armed forces and now in the way that it handles highly classified details is showing more and more EU nations that it can't look to Germany for competent leadership. The call, which apparently revealed Scholz's thinking on the subject of the Taurus missile that he hadn't shared with allies, foreign or domestic, has given his already flaccid credibility a body blow. This has caused France's Emanuel Macron to make a stab at wresting the leadership of the EU and European NATO from Germany. The tenor of the leaked conversation was one of lukewarm enthusiasm for assisting Ukraine with a strong shot of defeatism.

The long-term impact of the leaked conversation remains unclear. While it's unlikely to lead to an immediate shift in German policy, it has undoubtedly raised the stakes in the ongoing debate about military aid to Ukraine. The damage to diplomatic trust is very real, and the increased pressure from allies creates a complex situation for Scholz. Scholz's approval rate is roughly half that of Joe Biden (17%), and his coalition allies see self-preservation in jumping ship. However, Germany's constitution virtually guarantees that Scholz's government will continue to move zombie-like for the next two years when Germany's power and influence are sorely needed.

What is crystal clear is that this intelligence coup by the SVR has had a significant impact in dividing the pro-Ukraine coalition.

jhollinger said:
Sounds like this may explain the large number of password reset requests I'm suddenly getting...

My sisters instagram account was taken over before, interesting strategy they use.
Basically they start chit chatting with you about your posts to look friendly, then they message you saying that someone is trying to hack their account and send you pics of the reset text that instagram sends out and ask if you received anything similar.
In the background they try to reset your account and then you receive the text from instagram to recover it, then you obviously tell them yes i'm receiving the same texts, they ask for a screenshot of it to compare with their own which has a link to recover the account. Then they simply type in the link, make a new password and have access to the account.
My sister didn't have 2fa on because she used some other app to see who follows/unfollows her and it didn't work with 2fa, she eventually got her account back and learned her lesson... i hope lol

Buffer overflow in bootloader shim allows attackers to run code each time devices boot up. //

The risk of successful exploitation is mostly limited to extreme scenarios, as noted earlier. The one scenario where exploitation is most viable—when devices receive boot images over an unencrypted HTTP server—is one that should never happen in 2024 or the past decade, for that matter.

That said, the harm from successful exploitation is serious and is the reason for the severity rating of 9.8 out of a possible 10. People should install patches promptly once they become available.

A California man who lost $100,000 in a 2021 SIM-swapping attack is suing the unknown holder of a cryptocurrency wallet that harbors his stolen funds. The case is thought to be the first in which a federal court has recognized the use of information included in a bitcoin transaction — such as a link to a civil claim filed in federal court — as reasonably likely to provide notice of the lawsuit to the defendant. Experts say the development could make it easier for victims of crypto heists to recover stolen funds through the courts without having to wait years for law enforcement to take notice or help. //

On Dec. 14, 2023, a federal judge in the Eastern District of California granted Dellone permission to serve notice of his lawsuit directly to the suspected hackers’ bitcoin address — using a short message that was attached to roughly $100 worth of bitcoin Mora sent to the address.

Bitcoin transactions are public record, and each transaction can be sent along with an optional short message. The message uses what’s known as an “OP RETURN,” or an instruction of the Bitcoin scripting language that allows users to attach metadata to a transaction — and thus save it on the blockchain.

In the $100 bitcoin transaction Mora sent to the disputed bitcoin address, the OP RETURN message read: “OSERVICE – SUMMONS, COMPLAINT U.S. Dist. E.D. Cal. LINK: t.ly/123cv01408_service,” which is a short link to a copy of the lawsuit hosted on Google Drive. //

Let’s think about this for a second. We now can be served via an email that: inspires urgent action, cites consequences, is from an unknown/untrusted sender and, apparently, can use shortened links. Isn’t that EXACTLY the sort of thing we’ve all been telling our parents to be skeptical of?

Pay me or I'll tell everyone you were foolish enough to buy an internet connected broom.

Callias Ars Praetorian
10y
508
Subscriptor++
After 40 years, I still do not understand the reluctance to have one non-internet connected network for things like machinery, et al AND then the network for file shares, email, etc. that is connected to the Internet.

Now. I do understand that support vendors want remote access to the machinery, etc., but I have found remarkable success in saying (something to the effect of) “Hey no problem…it’s just…well, if the machinery or our network is hacked through your interface/accounts, you incur liability and agree to pay damages. OR, Option B, you get yourself onsite and fix it. No need to worry about liability and damages because you’d never let security lapses occur, would you?”

It has worked so, so, so many times over the decades that it just boggles the mind that such a negotiation stance is not a standard operating procedure. Of course, often I worked in high security industries where to play ball, a vendor had to have at least some semblance of their sh*t together.

If you suspect your account may have been compromised, or as a general precaution, sign out of all browser profiles to invalidate the current session tokens. Following this, reset your password and sign back in to generate new tokens. Resetting your password effectively disrupts unauthorized access by invalidating the old tokens which the infostealers rely on, thus providing a crucial barrier to the continuation of their exploit.”

Terrapin isn't likely to be mass-exploited, but there's little reason not to patch.

Passkeys are an asymmetric key pair

Each passkey is a pair of two related asymmetric cryptographic keys, which are very long, random strings of characters. While they differ from each other, they do have a special relationship - one can decrypt messages that have been encrypted by the other. This feature can be used to verify a user and authenticate them.

The key pair is made up of a private key that’s kept securely on your device, inside a password manager supporting passkeys (also called a passkey provider), and a public key that’s stored on the website you are logging into. Your private key is secure and never leaves your device, and the password manager keeps it locked by biometrics, PIN, or a password. The public key, on the other hand, could be shared with the world, such as in the case of a website data breach, and your security wouldn't be compromised so long as the private key stays safe.

Think of it as the modern form of,

“Give me six lines…”

[1] Contrary to what people think, guard labour [police] has little or no interest in either justice or correctly solving crime. As I’ve noted before their process is,

1, Build a list of suspects.
2, Prune the list down.
3, Look not for evidence but what a prosecutor can use to confound a jury thus get them to believe in nonsense to obtain a conviction.
4, Get any kind of conviction to keep politicians / funds holders happy.

That is once you are on the guard labours short list they immediately fail to carry out one of their primary requirments which is that of “impartiality”. That is they don’t look for, ignore, or hide information that might show you are innocent, so they can get the case closed quickly and most importantly as cheaply as possible.

Novel Terrapin attack uses prefix truncation to downgrade the security of SSH channels.