Archive for October 30, 2023

Horizon3.ai Publishes A POC & Deep Dive About Cisco IOS XE CVE-2023-20198 and CVE-2023-20273

Posted in Commentary with tags on October 30, 2023 by itnerd

Horizon3.ai’s Exploit Developer James Horseman has just published “Cisco IOS XE CVE-2023-20198: Deep Dive and POC”.

Horizon3.ai Exploit Developer James Horseman said: “Previously, we explored the patch for CVE-2023-20273 and CVE-2023-20198 affecting Cisco IOS XE and identified some likely vectors an attacker might have used to exploit these vulnerabilities. Now, thanks to SECUINFRA FALCON TEAM’s honeypot, we have further insight into these vulnerabilities.”

Horseman also notes: “An attack would use CVE-2023-20273 to elevate to root and write an implant to disk. However, even without CVE-2023-20273, this POC essentially gives full control over the device. Cisco’s method for fixing this vulnerability seems a bit unconventional. We would have expected them to fix the path parsing vulnerability instead of adding a new header. This makes us wonder if there are other hidden endpoints that can be reached with this method.”

Today’s post is a follow-up to Horizon3.ai’s October 25, 2023 theory-crafting post on CVE-2023-20198.

Meta Gives The EU An Ad Free Option For Facebook And Instagram… For A Price

Posted in Commentary with tags on October 30, 2023 by itnerd

Meta, which owns Facebook and Instagram, put up a blog post saying that it will introduce an ad-free subscription option in the European Union, European Economic Area, and Switzerland in November:

To comply with evolving European regulations, we are introducing a new subscription option in the EU, EEA and Switzerland. In November, we will be offering people who use Facebook or Instagram and reside in these regions the choice to continue using these personalised services for free with ads, or subscribe to stop seeing ads. While people are subscribed, their information will not be used for ads. 

People in these countries will be able to subscribe for a fee to use our products without ads. Depending on where you purchase it will cost €9.99/month on the web or €12.99/month on iOS and Android. Regardless of where you purchase, the subscription will apply to all linked Facebook and Instagram accounts in a user’s Accounts Center. As is the case for many online subscriptions, the iOS and Android pricing takes into account the fees that Apple and Google charge through respective purchasing policies. Until March 1, 2024, the initial subscription covers all linked accounts in a user’s Accounts Center. However, beginning March 1, 2024, an additional fee of €6/month on the web and €8/month on iOS and Android will apply for each additional account listed in a user’s Account Center.

Of course, the only reason Meta is doing this is to end years of litigation over the fact that Meta tracked and profiled users for targeted ads in the EU, something it can no longer legally do. This option isn’t available to users of Meta products anywhere else, and perhaps that’s a good thing, because Meta is essentially arguing that if you don’t want to be the product, you have to pay to use the product. Effectively, you have to pay for your privacy. I don’t know about you, but there’s something wrong about that.

EleKtra-Leak Cryptojacking Attacks Discovered By Palo Alto Networks

Posted in Commentary with tags on October 30, 2023 by itnerd

Palo Alto Networks Unit 42 researchers today published details on an active campaign called EleKtra-Leak, which automatically targets exposed identity and access management (IAM) credentials in public GitHub repositories. With those credentials, the threat actor behind the campaign was able to create multiple AWS Elastic Compute (EC2) instances and use them for wide-ranging and long-lasting cryptojacking operations:

Unit 42 researchers have identified an active campaign we are calling EleKtra-Leak, which performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories. As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations. We believe these operations have been active for at least two years and are still active today.

We found that the actor was able to detect and use the exposed IAM credentials within five minutes of their initial exposure on GitHub. This finding specifically highlights how threat actors can leverage cloud automation techniques to achieve their goals of expanding their cryptojacking operations.

Jeff Williams, co-founder and CTO of Contrast Security, commented: 

“Disappointing that we are struggling with the very simplest of cybersecurity issues. It’s not complicated, you just don’t post your keys in public. However, it’s also not fair to blame developers. There are thousands of these kinds of issues, and they have to perform perfectly on all of them or get dragged for being dumb or lazy. We need better authentication systems that make it easier for developers to make good choices. They should never be tempted to put their keys in AWS because doing things the right way is too difficult. Let’s make the secure path the easiest one as well.”

This Unit 42 report is very much worth reading, as it provides a ton of insightful and actionable information. Put reading it on your to-do list.
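Unit 42’s finding that a leaked key is picked up within five minutes, together with Williams’s point that the secure path has to be the easy one, argues for catching AWS keys before they are ever pushed. As an added example (not code from the Unit 42 report, from this post, or from either company), here is a Python pre-commit style check that scans only the added lines of a unified diff for AWS access key IDs and secret keys; the sample diff is constructed, and its key values are the placeholder keys from AWS’s own documentation.

```python
import re
from dataclasses import dataclass

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA; both are 20 chars.
ACCESS_KEY_ID = re.compile(r"\b(A[KS]IA[0-9A-Z]{16})\b")
# A secret key is 40 base64-alphabet chars; requiring an assignment to a "secret key"-like
# name keeps random 40-char tokens (hashes, other tokens) from tripping the check.
SECRET_KEY = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never log the full credential; the log would be a second leak

def redact(value):
    return value[:4] + "..." + value[-4:]

def scan_line(path, line_no, line):
    found = [Finding(path, line_no, "aws_access_key_id", redact(m.group(1)))
             for m in ACCESS_KEY_ID.finditer(line)]
    found += [Finding(path, line_no, "aws_secret_access_key", redact(m.group(1)))
              for m in SECRET_KEY.finditer(line)]
    return found

def scan_added_lines(unified_diff):
    """Scan only the lines a commit would add, tracking post-change line numbers."""
    findings, path, new_line = [], None, 0
    for raw in unified_diff.splitlines():
        if raw.startswith("+++ "):                  # "+++ b/<path>" names the new file
            name = raw[4:].split("\t")[0]
            path = name[2:] if name.startswith("b/") else name
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        if m := HUNK_HEADER.match(raw):
            new_line = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue                                # removed lines never reach the repo
        if raw.startswith("+"):
            findings.extend(scan_line(path, new_line, raw[1:]))
        new_line += 1                               # context and added lines both advance
    return findings

def should_block_commit(unified_diff):
    return bool(scan_added_lines(unified_diff))

# Constructed sample diff; the key values are the placeholder keys from AWS's own documentation.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,4 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 REGION = "us-east-1"
"""
```

Wire it into a pre-commit hook by feeding it the output of `git diff --cached` and refusing the commit when `should_block_commit` returns True; findings are redacted so the hook’s own output does not become another copy of the secret.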

Here’s Proof That Twitter Is A Dumpster Fire When It Comes to Brand Impersonation

Posted in Commentary with tags on October 30, 2023 by itnerd

Earlier today, I listened to my wife sit on hold with Porter Airlines. For 95 minutes I listened to her endure hold music while trying to get to an actual human being. What made this worse is that their phone system claimed that there was a five-minute wait and that she was number 26 in line. Clearly neither of those things was true. So I hopped onto Twitter to express my displeasure:

Now, as an aside, this is a horrible customer experience. If you say that a customer only has to wait a few minutes, then it should only be a few minutes. This experience suggests to me that the wait time reported by the phone system that Porter uses is lying to customers. Ditto for the number of people in line waiting to get connected to a human. This suggests to me that Porter’s call centre is likely understaffed relative to the number of calls that it receives. Again, that’s not a good customer experience.

Now, I’m not here to talk about how bad Porter’s customer experience is. What I am here to talk about is what happened after I posted that Tweet. I got this:

Now this looks like Porter’s Twitter account. Except it isn’t. Let’s start with the name of the account:

@Airlines_u is not Porter’s official Twitter account; @PorterAirlines is. So right off the top, that’s a red flag. Second, there’s the quality of the English. A phrase like “It’s unfortunate for the challenge encountered” isn’t something that a business would use. Finally, the ask to “DM your WhatsApp number” is not something that any business would ever ask. Clearly this is a fake account on Twitter that is trying to fool you into doing something that won’t end well for you.

But wait, there’s more. A second fake Porter Twitter account sent me a message:

Again, let’s pick this apart, starting with the Twitter account name:

Well, “@porterairl” is marginally better than the last one, and this might fool someone who isn’t looking too closely. But it’s still fake. And the second tip off is that the phrase “Kindly follow back and share your number via DM so we can assist you promptly” sounds like a phrase that a non-native English speaker might use.

Here’s why this matters. This sort of thing is now an epidemic on Twitter, as Elon Musk has simply destroyed any means for Twitter users to use Twitter to get assistance from a company. And it’s not just me saying that. Sticking with fake airline accounts, here’s what others have said:

Such is the dumpster fire that is Twitter. Given what I’ve experienced, I am surprised that any company would want to have a presence on Twitter as there’s just no way that they could conduct business in any meaningful way. Thus I would say that if you need help, and you need to reach out to a company, you can’t rely on Twitter to get that help. As for companies who are on Twitter, consider this your big hint to dump Twitter and beef up your other support channels. Because Twitter is not a credible platform for you to do business on.

UPDATE: I am now up to four fake accounts that have tried to reach out to me:

I honestly don’t know how Porter or any other company can conduct business on Twitter given this.

White House Issues Executive Order on Safe, Secure, and Trustworthy AI

Posted in Commentary with tags on October 30, 2023 by itnerd

Today the White House announced that it is using an executive order to mitigate AI risks:

As part of the Biden-Harris Administration’s comprehensive strategy for responsible innovation, the Executive Order builds on previous actions the President has taken, including work that led to voluntary commitments from 15 leading companies to drive safe, secure, and trustworthy development of AI.

The link above has a very extensive document that is worth reading, as it goes into a lot of detail as to what this executive order covers. John Gunn, CEO of Token, had this comment:

The aim is noble and the need is certain, but the implementation will be challenging considering that Generative AI technology is already being used extensively by hackers and enemy states to attack US companies with phishing emails that are nearly impossible to detect. Most AI technologies that deliver benefits can also be used for harm, so almost every company developing AI solutions needs to make the required disclosure today.

This is likely to be a hot topic today. Thus, as I get other reactions to this, I will post them here.

UPDATE: Anurag Gurtu, CPO of StrikeReady, had this comment:

As President Biden prepares to leverage emergency powers for AI risk mitigation, it’s a clear signal of the critical juncture at which we find ourselves in the evolution of AI technology. The administration’s decision reflects a growing awareness of the transformative impact AI has on every sector, and the need for robust frameworks that govern its ethical use and development.

This initiative isn’t just about preemptive measures against potential misuse; it’s a foundational move towards establishing a global standard for AI that aligns with our values of safety, security, and trustworthiness. It’s an acknowledgment that while AI presents unparalleled opportunities for advancement, it also brings challenges that must be addressed to protect societal welfare and national interests.

For businesses and developers, this move will likely mean a more stringent regulatory environment, but also a clearer direction for innovation within safe and secure boundaries. It’s time for all stakeholders to engage in dialogue and contribute to a balanced approach that fosters innovation while safeguarding against the risks that have kept policymakers and citizens alike vigilant.

UPDATE #2: George McGregor, VP of Approov, had this to say:

If you market a cybersecurity solution in the USA, you had better read through this Executive Order (EO) – it may affect your business! If your solution is deterministic in nature, then life will be easier, but if you are promoting the use of AI in your product, then life may well get more complicated: Not only do you need to demonstrate to customers that false-positives and management overhead due to AI are not an issue, but with these new guidelines, the AI methods you employ will be under the microscope also.

Here are some other comments, each followed by the relevant text from the EO:

First – if you are an AI based cybersecurity vendor, you may be expected to share your test results with the government. The success or failure of a security solution, by its very nature, “poses a risk to national security”.

  • From the EO text: Require that developers of the most powerful AI systems share their safety test results and other critical information with the U.S. government. In accordance with the Defense Production Act, the Order will require that companies developing any foundation model that poses a serious risk to national security, national economic security, or national public health and safety must notify the federal government when training the model and must share the results of all red-team safety tests. These measures will ensure AI systems are safe, secure, and trustworthy before companies make them public.

Second, attestation techniques will become critical – this is already true for mobile app code which can easily be reverse-engineered and replicated unless steps are taken. Fingerprinting techniques used in mobile may be applicable here.

  • From the EO text: Protect Americans from AI-enabled fraud and deception by establishing standards and best practices for detecting AI-generated content and authenticating official content. The Department of Commerce will develop guidance for content authentication and watermarking to clearly label AI-generated content. Federal agencies will use these tools to make it easy for Americans to know that the communications they receive from their government are authentic—and set an example for the private sector and governments around the world.

A program to use AI to eliminate vulnerabilities is a very noble pursuit but should not be viewed as a replacement for good software development discipline and implementing run time visibility and protection.

  • From the EO text: Establish an advanced cybersecurity program to develop AI tools to find and fix vulnerabilities in critical software, building on the Biden-Harris Administration’s ongoing AI Cyber Challenge. Together, these efforts will harness AI’s potentially game-changing cyber capabilities to make software and networks more secure.

The use of AI will not only be a power for good. The hackers will seek to use these techniques also and there will inevitably be an arms-race between security teams and hackers. To start with however, the cost of entry for bad actors will be high, in terms of knowledge required and complexity of the task, and this will mean that only well-funded “nation state” teams will be the primary users of AI for nefarious purposes. National Security teams will need to have the resources to track and counter these efforts.

  • From the EO text: Order the development of a National Security Memorandum that directs further actions on AI and security, to be developed by the National Security Council and White House Chief of Staff. This document will ensure that the United States military and intelligence community use AI safely, ethically, and effectively in their missions, and will direct actions to counter adversaries’ military use of AI.

Visa and BMO Expand Flexible Payment Options in Canada 

Posted in Commentary with tags on October 30, 2023 by itnerd

Visa and BMO announced a new collaboration to provide eligible BMO credit cardholders access to Installments, enabled by Visa. The convenient payment option is expected to launch in 2024 and enables consumers to convert qualifying purchases into smaller, equal payments made over a defined period of time. BMO will be the latest Canadian issuer to launch installments with Visa since its product launch in 2021.  

The launch will expand on BMO’s post-purchase credit card-based installment plan solution, BMO PaySmart™. With BMO PaySmart™, clients can shop in-person or online, and later convert eligible purchases into installment plan payments through BMO Online Banking. Clients can then make their installment payments as part of their monthly credit card payments. As clients continue to face economic uncertainty, they can turn to BMO PaySmart™ to maintain control with smaller, predictable payments.  

This new offering will make it simple for clients to select an installment option that fits their budget at time of purchase with participating merchants. Like any BMO PaySmart™ installment plan, clients can then view and manage these plans through BMO Online Banking.  

Installments enabled by Visa provides issuers, processors, and merchants with an installment payment option for their customers. For more information on Visa Installments, visit: Visa.ca/installments

For more information on BMO PaySmart™, visit: BMO.com/paysmart. 

It Now Seems That I Am Not The Only Person That Apple Has Accused Of Running “Beta” Software

Posted in Commentary with tags on October 30, 2023 by itnerd

Almost a year ago, I had a problem adding credit cards to Apple Wallet after a repair of my 2021 MacBook Pro. After going back and forth with Apple Tech Support on this, Apple accused me of running “beta” software, which was a complete lie on their part. You can read all about the repair experience, which was bad, along with Apple Support lying to me, here. But I want to focus on the latter issue, which is the inability to add credit cards to my MacBook Pro. First, this issue seemed to get resolved when I installed macOS Sonoma. That implies that Apple fixed something in Sonoma. Thus if you have this issue, try installing Sonoma to see if that fixes things for you; I have had people email me asking for help with this issue, so I wasn’t the only one who has experienced it.

That brings me to something that I tripped over on Reddit recently. It appears that I am not the only person who has had Apple accuse them of running beta software. Take this example from the Apple Watch forum:

Now this could be considered an isolated incident. But as I like to say, something happening once is a fluke. Something happening twice is a pattern. And here’s a second example that illustrates a pattern:

This suggests to me that one of two things is at play here. The first is that Apple as an organization is having a failure to communicate. That’s bad if it’s the case, because not being able to disseminate information affects the customer experience, which is something that Apple claims to care a lot about. That seems to be backed up by this comment:

That’s a big problem if that’s accurate.

The second thing that could be at play here is that Apple’s staff are simply using this excuse to avoid troubleshooting an issue that they have no clue how to troubleshoot. That’s worse than the above, because it would show that Apple is okay with its employees lying to customers. I say that because Apple claims that all calls to technical support are recorded, which implies that they should be reviewed for quality and corrective action taken if there are issues. But I guess that isn’t happening, because if it were, I would not be here talking about this. On top of that, there doesn’t seem to be any quality control for retail staff, as they are parroting the same lines. That’s very troubling, as all of this shows that Apple has taken several steps back in terms of the customer experience. And this isn’t a new problem for Apple, as my wife discovered when she became a victim of “battery gate” years ago.

For a company that claims to care about the customer experience, Apple is really coming up short here. That is a massive disservice to its customers, and a radical change from the days when Apple had the best technical support and the best retail staff in the business. If I were Deirdre O’Brien, Senior Vice President of Retail at Apple, I’d really be looking into these sorts of claims, which are becoming more and more frequent in places like Reddit, and figuring out what needs to be done to change course here, and fast. And I would copy and paste that for whoever runs their tech support as well. Because what’s clear here is that Apple is failing its customers. And at some point, those customers will not stand for this and will take their dollars elsewhere.

The Toronto Public Library Appears To Have Been Pwned

Posted in Commentary with tags on October 30, 2023 by itnerd

I was alerted late yesterday to this post that was put up by the Toronto Public Library. Apparently they are currently dealing with some sort of “cybersecurity incident”, which is code for the fact that they have likely been pwned by hackers. Here’s the salient information:

We are actively addressing a cybersecurity incident that came to our attention on Saturday, October 28. 

As a result of the incident, the following services are unavailable: tpl.ca, “your account”, tpl:map passes and digital collections. Public computers and printing services at our branches are also unavailable.

Branches are open as scheduled. Wifi is available in library branches, and branch telephone lines are working. Materials can be borrowed and returned in branches until further notice.

As of now, there is no evidence that the personal information of our staff or customers has been compromised.

TPL has proactively prepared for cybersecurity issues and promptly initiated measures to mitigate potential impacts. We have engaged with third-party cybersecurity experts to help us in resolving this situation. We do anticipate though that it may take several days before all systems are fully restored to normal operations.

We will update this page as more information becomes known. We appreciate your patience and understanding while we do everything we can to resolve this matter as quickly as possible.

It will be interesting to find out what happened, and more importantly how library patrons are affected by this. I would not be surprised if those patrons, along with the library’s staff, have been affected, despite what the library says.

Watch this space.