35 Companies Including Apple Hacked in Supply Chain Attack

· Andrew Orr · Link


Security researcher Alex Birsan was able to breach over 35 companies’ internal systems, including Apple, Microsoft, PayPal, Spotify, Netflix, and others. He did this through bug bounty programs and pre-approved penetration testing arrangements (aka, he’s one of the good guys). He earned over US$100,000 in bounties.

The attack involved uploading malicious packages to open source repositories including PyPI, npm, and RubyGems, which were then pulled downstream automatically into the companies’ internal applications.

Unlike traditional typosquatting attacks that rely on social engineering tactics or the victim misspelling a package name, this particular supply chain attack is more sophisticated as it needed no action by the victim, who automatically received the malicious packages.
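An added illustration (not code from the article or from Birsan’s research) of why no victim action was needed: a resolver that merges a private package index with a public one and simply takes the highest version can be steered to the public copy of an internal-only name. The index contents, package names and the `internal_names` allow-list are constructed for the example; the mitigation shown is the standard one of never letting internal names resolve from the public index.

```python
# Added example: simulates the merged-index resolution behind this attack and
# the mitigation of pinning internal package names to the internal index.
from collections import namedtuple

Candidate = namedtuple("Candidate", "name version index")

# Constructed sample indexes. "acme-billing" exists only internally, but an
# attacker has published a same-named package with a higher version publicly.
INTERNAL_INDEX = {"acme-billing": (1, 4, 0), "acme-auth": (2, 0, 1)}
PUBLIC_INDEX = {"acme-billing": (99, 0, 0), "requests": (2, 25, 1)}


def collect(name):
    """Gather every candidate for `name` across both indexes."""
    cands = []
    if name in INTERNAL_INDEX:
        cands.append(Candidate(name, INTERNAL_INDEX[name], "internal"))
    if name in PUBLIC_INDEX:
        cands.append(Candidate(name, PUBLIC_INDEX[name], "public"))
    return cands


def resolve_naive(name):
    """Merged-index behaviour: the highest version wins regardless of origin."""
    cands = collect(name)
    return max(cands, key=lambda c: c.version) if cands else None


def resolve_pinned(name, internal_names):
    """Hardened: names reserved for the internal namespace are only ever taken
    from the internal index; everything else is taken from the public one."""
    allowed = "internal" if name in internal_names else "public"
    cands = [c for c in collect(name) if c.index == allowed]
    return max(cands, key=lambda c: c.version) if cands else None


def audit(requirements, internal_names):
    """Return the internal names that naive resolution would fetch publicly."""
    shadowed = []
    for name in requirements:
        chosen = resolve_naive(name)
        if chosen and name in internal_names and chosen.index != "internal":
            shadowed.append(name)
    return shadowed


if __name__ == "__main__":
    reqs = ["acme-billing", "acme-auth", "requests"]
    print("shadowed:", audit(reqs, {"acme-billing", "acme-auth"}))
```

The same precedence rule applies to pip when an extra index is configured, so an audit like this should run against the real private index listing rather than a hand-typed allow-list.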

Hackers Tried to Poison Florida Town’s Water Supply

· Andrew Orr · Link


Most security news I’ve shared involves purely digital hacking. This story from Reuters is a case of hacking used to affect the physical world, in this instance an attempt to poison a town’s water supply.

The hackers then increased the amount of sodium hydroxide, also known as lye, being distributed into the water supply. The chemical is typically used in small amounts to control the acidity of water, but at higher levels is dangerous to consume.

Oldsmar Mayor Eric Seidel said in a press conference on Monday that the affected water treatment facility also had other controls in place that would have prevented a dangerous amount of lye from entering the water supply unnoticed.

Browser Favicons Can be Used to Track You Online

· Andrew Orr · Link


Software designer Jonas Strehle discovered that browser favicons can be used to give you a unique ID that can be used to track you across the web. It works even if you use privacy tools like a VPN, incognito browsing, deleting cookies/browser cache, and others.

To be clear, this is a proof of concept and not something that Strehle has found in the wild. Strehle’s supercookie program (which uses a Cookie Monster favicon) is a proof of the concept described by the university researchers.

Washington State Suffers Data Breach due to Contractor ‘Accellion’

· Andrew Orr · Link


Washington’s state government reported a data breach on Monday that could affect over 1.6 million people. The breach is connected to Accellion, a contractor involved with the state auditor’s office.

During the week of January 25, 2021, Accellion confirmed that an unauthorized person gained access to SAO files by exploiting a vulnerability in Accellion’s file transfer service. Some of the SAO data files contained personal information of Washington state residents who filed unemployment insurance claims in 2020 […] may also include the personal information of other Washington residents who have not yet been identified but whose information was in state agency or local government files under review by the SAO.

How Apple Improved iMessage Security in iOS 14

· Andrew Orr · Link


Project Zero, Google’s security team, reverse-engineered iMessage to see how Apple improved it in its latest iOS 14 releases. Specifically, it looked at how iMessage gained new protections against zero-day attacks using BlastDoor, re-sliding of the shared cache, and exponential throttling.

One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed “BlastDoor” service which is now responsible for almost all parsing of untrusted data in iMessages (for example, NSKeyedArchiver payloads). Furthermore, this service is written in Swift, a (mostly) memory safe language which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base.

Password Manager Bitwarden Adds Touch ID to Browser Extension

· Andrew Orr · Link


Password manager Bitwarden announced the addition of a couple of new features. One feature adds support for Touch ID and Windows Hello to its browser extensions.

Browser extensions will now be able to access this authentication inside the Desktop application. This allows a more streamlined integration with hardware that does not require a unique browser-level integration. Biometric authentication requires macOS users to download the Mac App Store version.

Buffer Overflow Bug Found in SUDO Dubbed ‘Baron Samedit’

· Andrew Orr · Link


Tracked as CVE-2021-3156, a recently discovered heap overflow bug in sudo, dubbed “Baron Samedit”, allows an unprivileged user to gain root privileges on a vulnerable machine using a default sudo configuration.

The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.

2020-02-03: Looks like macOS is affected after all.
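An added helper (not from the article or the advisory) that turns the version ranges quoted above into a triage check over `sudo --version` output collected from a fleet; the hostnames and version strings in the sample inventory are constructed.

```python
# Added example: flags sudo builds whose upstream version falls inside the
# CVE-2021-3156 ranges quoted above (1.8.2..1.8.31p2 and 1.9.0..1.9.5p1).
import re

VULNERABLE_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy branch
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable branch
]

# Matches "1.8.31" or "1.8.31p2"; the "pN" patch level is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Turn '1.8.31p2' (or a full 'Sudo version 1.8.31p2' line) into a
    comparable tuple (major, minor, patch, plevel); plevel is 0 when absent."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version_text):
    """True when the version sits inside either affected range (inclusive)."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def triage(inventory):
    """inventory maps host -> first line of `sudo --version`; returns the
    hosts still reporting an affected upstream version, sorted for reporting."""
    return sorted(h for h, line in inventory.items() if is_vulnerable(line))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "build-01": "Sudo version 1.8.31",
        "build-02": "Sudo version 1.8.31p2",
        "web-01": "Sudo version 1.9.5p2",
        "db-01": "Sudo version 1.9.5p1",
        "old-01": "Sudo version 1.8.1",
    }
    print("affected:", triage(sample))
```

Distribution packages often backport the fix without changing the upstream version string, so treat a match as a prompt to check the package changelog rather than as a final verdict.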

Microsoft Edge Update Adds Built-in Password Manager

· Andrew Orr · Link


Version 88 of Microsoft Edge adds a new security feature for users. A built-in password manager makes it easy to keep your logins safe. It also scans for breached passwords on the dark web and notifies you if it finds a match.

Password Monitor will begin rolling out today with Microsoft Edge 88, but it may take a couple weeks for you to see it in your browser. For more information on how Password Monitor works, take a look at the latest blog from Microsoft Research.

Malwarebytes Reveals it Was Hacked by Nation State Behind ‘SolarWinds’

· Andrew Orr · Link


Malwarebytes co-founder and current CEO Marcin Kleczynski revealed that the company was hacked. He believes it was the same nation state actor behind the SolarWinds attack. The state is believed to be Russia.

After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

Crazy stuff, and we’ll probably hear of the fallout for a long time.

Bug Lets Audio, Video be Transmitted Without Consent in Apps Like Signal

· Andrew Orr · Link


Google’s Project Zero security team found a bug that lets audio and video be transmitted without user interaction in five messaging apps. These are Signal, JioChat, Mocha, Google Duo, and Facebook Messenger. All bugs have been fixed.

I investigated the signalling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data. All these vulnerabilities have since been fixed. It is not clear why this is such a common problem, but a lack of awareness of these types of bugs as well as unnecessary complexity in signalling state machines is likely a factor.

Apple Apps No Longer Bypass macOS Big Sur Firewalls

· Andrew Orr · Link

In macOS Big Sur, Apple deprecated third-party kernel extensions including Network Kernel Extensions (NKEs). NKEs are used by apps like firewalls to monitor network traffic. Apple’s new user-mode Network Extension Framework had a side-effect: Apple’s own apps wouldn’t be routed through it and thus could bypass third-party firewalls. But now that has changed.

I of course also wondered if malware could abuse these “excluded” items to generate network traffic that could surreptitiously bypass any socket filter firewall. Unfortunately the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic.

Mozilla VPN Arrives on macOS and Linux

· Andrew Orr · Link


After rolling out on platforms like Windows, Android, and iOS, the Mozilla VPN arrives on macOS and Linux for US$5/month.

The Mozilla VPN isn’t the cheapest option on the market. However, Mozilla has said that, because it uses fewer lines of code than other VPNs, the service is faster than many rival ones. You can connect to more than 280 servers in more than 30 countries via the VPN without any bandwidth restrictions.

I think US$5/mo is definitely one of the cheapest VPNs on the market.

‘ElectroRAT’ is the First Mac Malware Spotted in 2021

· Andrew Orr · Link


We’re barely a week into 2021 and a piece of Mac malware has already been spotted. Dubbed “ElectroRAT”, its primary goal is to steal personal information from cryptocurrency users.

These [malicious] applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were actually installing malware.