Security Posts

Infocon: green

Simple Anti-Sandbox Technique: Where's The Mouse?
Categories: Security Posts

A Mysterious Leak Exposed Chinese Hacking Secrets

Wired: Security - 3 hours 20 min ago
Plus: Scammers try to dupe Apple with 5,000 fake iPhones, Avast gets fined for selling browsing data, and researchers figure out how to clone fingerprints from your phone screen.
Categories: Security Posts

Conti Ransomware Gang's Russia-Based Music Album Labels and Plastika Recording Studio - An OSINT Analysis

I recently came across to another image courtesy of Conti ransomware gang's internal and publicly accessible leaked communication which I data mined with the idea to come up with a proper analysis and connect the dots which in this case appear that a member of the Conti ransomware gang who's responsible for their advertising and marketing creative is also busy doing advertising and marketing creative for other clients companies and organizations in this specific case Russia-based rap and hip artists and their album covers.Is this the case? Let's find out.

Original Russia-based Artist album cover screenshot found by data mining Conti ransomware gang's publicly accessible leaked internal communication
Original Russian Music Artist SAYTEE SAI - Nikita Zharinov – Born on10 January 2002 - hxxp://vk.com/kidsocial Album Cover Part of the PLASTIKA Russia-Based Recording Studio
Sample personal photos of Nikita Zharinov:



Artwork courtesy of: W8D8DIGITAL - hxxp://www.instagram.com/w8d8w8d8/ hxxp://vk.com/w8d8w8d8 -> hxxp://vk.com/lungo999 -> Alexey Plyushkin - Born - 11 April 1994
Related images:
Sample personal photos of the owner and the advertising and marketing creative developer for the album cover – W8D8DIGITAL:




Sample photo of Flowers a Capella recording studio also based on the same address:
Sample personal photo of Oleg Dyachenko: Sample personal photo of Oleg Khruschev:  Flowers a Capella -> Oleg Dyachenko - Born 10 February -> hxxp://vk.com/where.oreo; hxxp://vk.com/id234109753 Олег Хрущев - Born 14 February -> hxxp://vk.com/lezhatpluslezhat; hxxp://vk.com/id166833144 (Oleg Khruschev) +7 (912) 629-76-36 улица Кирова, 9, Екатеринбург hxxp://t.me/flowersacapellastudio -> hxxp://t.me/kreasttik hxxp://vk.com/whoisplutok9 hxxp://vk.com/id654906170 -> hxxp://vk.com/flowers.since2023
Categories: Security Posts

Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición actualizada con nuevos contenidos

Un informático en el lado del mal - 11 hours 19 min ago
Hoy estamos de celebración, porque hemos sacado un nuevo libro de 0xWord, que cada día cuesta más mantener viva esta pequeña editorial, pero cada nuevo título es motivo de felicidad. En este caso es una nueva, la 6ª Edición, de "Máxima Seguridad en Windows: Secretos Técnicos"del gran Sergio de los Santos, del que se han vendido más de 5.000 ejemplares. Junto a "Hacking Web3: Challenge Accepted!", "Amazon Web Services (AWS): Hardening de Infraestructuras Cloud Computing", y uno más que nos queda por publicar la semana que viene, serán novedades en la RootedCON de este año.
Figura 1: Libro "Máxima Seguridad en Windows: Secretos Técnicos.6ª Edición actualizada con nuevos contenidos" de Sergio de los Santos en 0xWord.
Con la nueva actualización Sergio de los Santos ha querido meterle una revisión profunda desde la que realizó en el año 2020 y hacer una edición muy especial con motivo de alcanzar los 5.000 ejemplares vendidos de este título, que es un "superventas" de nuestra pequeña editorial 0xWord.
Figura 2: "Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición"de Sergio de los Santos en 0xWord.
En el caso de "Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición" actualizada con nuevos contenidos, el índice ha cambiado bastante, ya que si bien las secciones han cambiado poco, los detalles han ido cambiando radicalmente en este texto actualizado a día de hoy. Aquí lo tienes.
Figura 3: Índice del libro "Máxima Seguridad en Windows: Secretos Técnicos.6ª Edición actualizada con nuevos contenidos" de Sergio de los Santos en 0xWord.
Además, si quieres consultar cualquier pregunta sobre el libro de Máxima Seguridad en Windows al autor, Sergio de los Santos, lo puedes hacer a través de su buzón público en MyPublicInbox, con lo que la lectura y el aprendizaje será mucho más efectivo. 
Figura 4: Contactar con Sergio de los Santos

Para terminar, te recuerdo que tendrás también 100 Tempos de MyPublicInbox por la compra de este libro de "Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición" y que además, puedes pagar completa o parcialmente este libro con Tempos de MyPublicInbox. Aquí te explico cómo se hace.
Usar tus Tempos de MyPublicInbox 0xWord para adquirir este libro
La idea es muy sencilla, hemos creado un Buzón Público de 0xWord en MyPublicInbox y tenemos disponible el módulo de transferencias de Tempos entre cuentas siempre que el destinatario sea un Perfil Público de la plataforma. Para que se puedan hacer estas transferencias, primero debe estar el Perfil Público destinatario de la transferencia en la Agenda.
Figura 5: Perfil de 0xWord en MyPublicInbox. Opción de "Añadir a  la Agenda".
https://MyPublicInbox.com/0xWord

Para dar de alta un Perfil Público en tu agenda, solo debes iniciar sesión en MyPublicInbox, y con la sesión iniciada ir a la web del perfil. En este caso, a la URL del perfil público de 0xWord en MyPublicInbox, - https://MyPublicInbox.com/0xWord - donde te aparecerá la opción de "Añadir a la agenda". Cuando acabe este proceso, podrás ir a la opción Agenda de tu buzón de correo en MyPublicInbox y deberías tener el Perfil Público de 0xWord allí.
Figura 6: Cuando lo agregues estará en tu agenda
Una vez que lo tengas en la agenda, ya será tan fácil como irte a tu perfil - se accede haciendo clic en la imagen redonda con tu foto en la parte superior - y entrar en la Zona de Transferencias. Desde allí seleccionas el Buzón Público de 0xWord, el número de Tempos que quieres transferir, y en el concepto debes poner que es para recibir un código descuento para usar en la tienda de 0xWord.
Figura 7: Zona de Transferencias en el Perfil de MyPublicInbox
No te preocupes por el texto concreto, porque los procesamos manualmente como los pedidos de se hacen en la tienda. 
Canjear 500 Tempos por un código descuento de 5 €
La última opción es bastante sencilla. Solo debes irte a la sección de Canjear Tempos -> Vales para Tiendas, y "Comprar" por 500 Tempos y código de 5 €. Es lo mismo que enviar la transferencia pero en un paquete de 500 Tempos y de forma totalmente automatizada, así que solo con que le des a comprar recibirás el código descuento y lo podrás utilizar en la tienda de 0xWord.com
Figura 8: Canjear Tempos por Códigos para libros de 0xWord
Así que, si quieres conseguir nuestros libros de Seguridad Informática & Hacking aprovechando los Tempos de MyPublicInbox podrás hacerlo de forma muy sencilla y mucho, mucho, mucho más barato. Y así apoyas este proyecto tan bonito que es 0xWord.com.
Ser escritor de libros de 0xWord
Además, todos lo que queráis convertiros en escritores y hacer un proyecto de libro con nosotros. Podéis también enviarnos vuestra propuesta a través del buzón de 0xWord en MyPublicInbox, y si sois Perfiles Públicos de la plataforma, podéis entrar en la sección de Mi Perfil -> Servicios para ti y solicitar más información sobre el proceso de escribir un libro en 0xWord.
Figura 9: Si eres un Perfil Público de MyPublicInboxpuede solicitar info para escribir un libro en 0xWord
Nuestro equipo se pondrá en contacto contigo y evaluará tu proyecto de publicación de libro. Ya sabes que principalmente de Seguridad Informática & Hacking, y puede ser técnico, súper-técnico, o divulgación, y si es una novela... podemos estudiarlo también.
¡Saludos Malignos!
Autor: Chema Alonso (Contactar con Chema Alonso)  


Sigue Un informático en el lado del mal RSS 0xWord
- Contacta con Chema Alonso en MyPublicInbox.com
Categories: Security Posts

Avast ordered to stop selling browsing data from its browsing privacy apps

ArsTechnica: Security Content - Fri, 2024/02/23 - 22:37
Enlarge (credit: Getty Images) Avast, a name known for its security research and antivirus apps, has long offered Chrome extensions, mobile apps, and other tools aimed at increasing privacy. Avast's apps would "block annoying tracking cookies that collect data on your browsing activities," and prevent web services from "tracking your online activity." Deep in its privacy policy, Avast said information that it collected would be "anonymous and aggregate." In its fiercest rhetoric, Avast's desktop software claimed it would stop "hackers making money off your searches." All of that language was offered up while Avast was collecting users' browser information from 2014 to 2020, then selling it to more than 100 other companies through a since-shuttered entity known as Jumpshot, according to the Federal Trade Commission. Under a proposed recent FTC order (PDF), Avast must pay $16.5 million, which is "expected to be used to provide redress to consumers," according to the FTC. Avast will also be prohibited from selling future browsing data, must obtain express consent on future data gathering, notify customers about prior data sales, and implement a "comprehensive privacy program" to address prior conduct.Read 9 remaining paragraphs | Comments
Categories: Security Posts

Continuously fuzzing Python C extensions

By Matt Schwager Deserializing, decoding, and processing untrusted input are telltale signs that your project would benefit from fuzzing. Yes, even Python projects. Fuzzing helps reduce bugs in high-assurance software developed in all programming languages. Fortunately for the Python ecosystem, Google has released Atheris, a coverage-guided fuzzer for both pure Python code and Python C extensions. When it comes to Python projects, Atheris is really the only game in town if you’re looking for a mature fuzzer. Fuzzing pure Python code typically uncovers unexpected exceptions, which can ultimately lead to denial of service. Fuzzing Python C extensions may uncover memory errors, data races, undefined behavior, and other classes of bugs. Side effects include: memory corruption, remote code execution, and, more generally, all the headaches we’ve come to know and love about C. This post will focus on fuzzing Python C extensions. We’ll walk you through using Atheris to fuzz Python C extensions, adding a Python project to OSS-Fuzz, and setting up continuous fuzzing through OSS-Fuzz’s integrated CIFuzz tool. OSS-Fuzz is Google’s continuous fuzzing service for open-source projects, making it a valuable tool for open-source developers; as of August 2023, it has helped find and fix over 10,000 vulnerabilities and 36,000 bugs. We will target the cbor2 Python library in our fuzzing campaign. This library is the perfect target because it performs serialization and deserialization of a JSON-like, binary format and has an optional C extension implementation for improved performance. Additionally, Concise Binary Object Representation (CBOR) is used heavily within the blockchain community, which tends to have high assurance and security requirements. In the end, we found multiple memory corruption bugs in cbor2 that could become security vulnerabilities under the right circumstances. Fuzzing Python C extensions Under the hood, Atheris uses libFuzzer to perform its fuzzing. Since libFuzzer is built on top of LLVM and Clang, we will need a Clang installation to fuzz our target. To simplify the installation process, I wrote a Dockerfile to package up all the necessary components into a single Docker image. This creates a repeatable process for fuzzing the current target and an easily extensible artifact for fuzzing future targets. The resulting Docker image includes a Python fuzzing harness to initiate the fuzzing process. First, we’ll discuss some interesting parts of this Dockerfile, then we’ll investigate the fuzz.py fuzzing harness, and finally we’ll build and run the Docker image and find some memory corruption bugs! Fuzzing environment Dockerfiles are a great way to create a self-documenting, reproducible environment. Since fuzzing can often be more art than science, this section will also include some discussion on interesting and non-obvious bits in the Dockerfile. The following Dockerfile was used to fuzz cbor2: FROM debian:12-slim RUN apt update && apt install -y \ git \ python3-full \ python3-pip \ wget \ xz-utils \ && rm -rf /var/lib/apt/lists/* RUN python3 --version ENV APP_DIR "/app" ENV CLANG_DIR "$APP_DIR/clang" RUN mkdir $APP_DIR RUN mkdir $CLANG_DIR WORKDIR $APP_DIR ENV VIRTUAL_ENV "/opt/venv" RUN python3 -m venv $VIRTUAL_ENV ENV PATH "$VIRTUAL_ENV/bin:$PATH" ARG CLANG_URL=https://github.com/llvm/llvm-project/releases/download/llvmorg-17.0.6/clang+llvm-17.0.6-aarch64-linux-gnu.tar.xz ARG CLANG_CHECKSUM=6dd62762285326f223f40b8e4f2864b5c372de3f7de0731cb7cd55ca5287b75a ENV CLANG_FILE clang.tar.xz RUN wget -q -O $CLANG_FILE $CLANG_URL && \ echo "$CLANG_CHECKSUM $CLANG_FILE" | sha256sum -c - && \ tar xf $CLANG_FILE -C $CLANG_DIR --strip-components 1 && \ rm $CLANG_FILE # https://github.com/google/atheris#building-from-source RUN LIBFUZZER_LIB=$($CLANG_DIR/bin/clang -print-file-name=libclang_rt.fuzzer_no_main.a) \ python3 -m pip install --no-binary atheris atheris # https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#step-1-compiling-your-extension ENV CC "$CLANG_DIR/bin/clang" ENV CFLAGS "-fsanitize=address,undefined,fuzzer-no-link" ENV CXX "$CLANG_DIR/bin/clang++" ENV CXXFLAGS "-fsanitize=address,undefined,fuzzer-no-link" ENV LDSHARED "$CLANG_DIR/bin/clang -shared" ARG BRANCH=master # https://github.com/agronholm/cbor2 ENV CBOR2_BUILD_C_EXTENSION "1" RUN git clone --branch $BRANCH https://github.com/agronholm/cbor2.git RUN python3 -m pip install cbor2/ # Allow Atheris to find fuzzer sanitizer shared libs # https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#option-a-sanitizerlibfuzzer-preloads ENV LD_PRELOAD "$VIRTUAL_ENV/lib/python3.11/site-packages/asan_with_fuzzer.so" # Subject to change by upstream, but it's just a sanity check RUN nm $(python3 -c "import _cbor2; print(_cbor2.__file__)") | grep asan \ && echo "Found ASAN" \ || echo "Missing ASAN" # 1. Skip allocation failures and memory leaks for now, they are common, and low impact (DoS) # 2. https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#leak-detection # 3. Provide the symbolizer to turn virtual addresses to file/line locations ENV ASAN_OPTIONS "allocator_may_return_null=1,detect_leaks=0,external_symbolizer_path=$CLANG_DIR/bin/llvm-symbolizer" COPY fuzz.py fuzz.py ENTRYPOINT ["python3", "fuzz.py"] CMD ["-help=1"] The following bits of the Dockerfile are relevant for customizations or future projects and are worth discussing further:
  1. Installing Clang from the llvm-project repository
  2. Customizing the image at build-time using Docker build arguments (e.g., ARG)
  3. Installing the cbor2 project
  4. Sanity checking the compiled cbor2 C extension for AddressSanitizer (ASan) symbols using nm
  5. Using ASAN_OPTIONS to customize the fuzzing process
First, installing Clang from the llvm-project repository: ENV APP_DIR "/app" ENV CLANG_DIR "$APP_DIR/clang" ... RUN mkdir $CLANG_DIR ... ARG CLANG_URL=https://github.com/llvm/llvm-project/releases/download/llvmorg-17.0.6/clang+llvm-17.0.6-aarch64-linux-gnu.tar.xz ARG CLANG_CHECKSUM=6dd62762285326f223f40b8e4f2864b5c372de3f7de0731cb7cd55ca5287b75a ... ENV CLANG_FILE clang.tar.xz RUN wget -q -O $CLANG_FILE $CLANG_URL && \ echo "$CLANG_CHECKSUM $CLANG_FILE" | sha256sum -c - && \ tar xf $CLANG_FILE -C $CLANG_DIR --strip-components 1 && \ rm $CLANG_FILE This code installs the 17.0.6-aarch64-linux-gnu tarball of Clang. There is nothing particularly special about this tarball other than the fact that it is built for AArch64 and Linux. If you are running this Docker container on a different architecture, you will need to use the corresponding release tarball. You can then specify the CLANG_URL and CLANG_CHECKSUM build arguments as necessary or simply modify the Dockerfile according to your system’s requirements. The Dockerfile also provides a BRANCH build argument. This allows the builder to specify a Git branch or tag that they would like to fuzz against. For example, if you’re working on a pull request and want to fuzz its corresponding branch, you can use this build argument to do so. Next up, installing the cbor2 project: ENV CBOR2_BUILD_C_EXTENSION "1" RUN git clone --branch $BRANCH https://github.com/agronholm/cbor2.git RUN python3 -m pip install cbor2/ This installs the cbor2 package from GitHub rather than from PyPI. This is necessary because we need to compile the underlying C extension. We could install the package from the PyPI source distribution, but using Git provides us more control over which branch, tag, or commit we install. The CBOR2_BUILD_C_EXTENSION environment variable instructs setup.py to ensure the C extension is built: 30 cpython = platform.python_implementation() == "CPython" 31 windows = sys.platform.startswith("win") 32 use_c_ext = os.environ.get("CBOR2_BUILD_C_EXTENSION", None) 33 if use_c_ext == "1": 34 build_c_ext = True 35 elif use_c_ext == "0": 36 build_c_ext = False 37 else: 38 build_c_ext = cpython and (windows or check_libc()) The environment flag for building the C extension (setup.py#30–38) This is a common pattern for Python packages with C extensions. Investigating a project’s setup.py is a great way to better understand how a C extension is built. For more information, see the setuptools documentation on building extension modules. On to sanity checking the compiled C extension: RUN nm $(python3 -c "import _cbor2; print(_cbor2.__file__)") | grep asan \ && echo "Found ASAN" \ || echo "Missing ASAN" This command searches the compiled C extension symbol table for ASan symbols. If they exist, then we know the C extension was compiled correctly. It is interesting to note that the __file__ attribute also works for shared objects in Python and thus enables this check: $ python3 -c "import _cbor2; print(_cbor2.__file__)" /opt/venv/lib/python3.11/site-packages/_cbor2.cpython-311-aarch64-linux-gnu.so Finally, let’s dig into ASAN_OPTIONS: ENV ASAN_OPTIONS "allocator_may_return_null=1,detect_leaks=0,external_symbolizer_path=$CLANG_DIR/bin/llvm-symbolizer" We are specifying three options:
  1. allocator_may_return_null=1: We’re disabling this check because fuzzing runs were producing Python MemoryError exceptions. We’re only looking for C memory corruption bugs, not Python exceptions.
  2. detect_leaks=0: This option is recommended by the Atheris documentation.
  3. external_symbolizer_path=$CLANG_DIR/bin/llvm-symbolizer: This enables the LLVM symbolizer to turn virtual addresses to file/line locations in fuzzing output.
You can find the full list of ASan sanitizer flags and common sanitizer options in Google’s sanitizers repository. Fuzzing harness The fuzzing harness used for cbor2 was largely inspired by the harness used by ujson in Google’s oss-fuzz repository. There are hundreds of projects being fuzzed in this repository. Reading through their fuzzing harnesses is a great way to gather ideas for your fuzzing project. The following is the Python code used as the fuzzing harness: #!/usr/bin/python3 import sys import atheris # _cbor2 ensures the C library is imported from _cbor2 import loads def test_one_input(data: bytes): try: loads(data) except Exception: # We're searching for memory corruption, not Python exceptions pass def main(): atheris.Setup(sys.argv, test_one_input) atheris.Fuzz() if __name__ == "__main__": main() Remember, we are fuzzing only the C extension, not the Python code. Two features of the harness enable that behavior: importing _cbor2 instead of cbor2, and the try/except block around the loads call. Looking again at setup.py, we see that _cbor2 is the Python module name for the C extension: 47 if build_c_ext: 48 _cbor2 = Extension( 49 "_cbor2", 50 # math.h routines are built-in to MSVCRT 51 libraries=["m"] if not windows else [], 52 extra_compile_args=["-std=c99"] + gnu_flag, 53 sources=[ 54 "source/module.c", 55 "source/encoder.c", 56 "source/decoder.c", 57 "source/tags.c", 58 "source/halffloat.c", 59 ], 60 optional=True, 61 ) 62 kwargs = {"ext_modules": [_cbor2]} 63 else: 64 kwargs = {} The _cbor2 Python module name (setup.py#47–64) That is how we know to import _cbor2 instead of cbor2. In addition to the import, the try/except block effectively ignores crashes caused by Python exceptions. With the fuzzing environment provided by the Docker image and the fuzzing harness provided by the Python code, we are ready to do some fuzzing! Running the fuzzer First, copy the Dockerfile and Python code to files named Dockerfile and fuzz.py, respectively. You can then build the Docker image with the following command: $ docker build --build-arg BRANCH=5.5.1 -t cbor2-fuzz -f Dockerfile Note that the APT packages and Clang installation require large downloads, so the build may take a while. Since version 5.5.1 was the latest cbor2 release when these bugs were found, we are building against that Git tag to reproduce the crashes. When the build is done, you can start the fuzzing process with the following command: $ docker run -v $(pwd):/tmp/output/ cbor2-fuzz -artifact_prefix=/tmp/output/ Specifying /tmp/output as both a Docker volume and the libFuzzer artifact_prefix will cause any crash output files to persist to the host’s filesystem rather than the container’s ephemeral filesystem. See the libFuzzer options documentation for more information on flags that can be passed at runtime. Running the fuzzer should quickly produce the following crash: /usr/include/python3.11/object.h:537:15: runtime error: member access within null pointer of type 'PyObject' (aka 'struct _object') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/include/python3.11/object.h:537:15 in AddressSanitizer:DEADLYSIGNAL ================================================================= ==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0xffff921a94b4 bp 0xffffe8dc8ce0 sp 0xffffe8dc8ca0 T0) ==1==The signal is caused by a READ memory access. ==1==Hint: address points to the zero page. #0 0xffff921a94b4 in Py_DECREF /usr/include/python3.11/object.h:537:9 #1 0xffff921a94b4 in decode_definite_string /app/cbor2/source/decoder.c:653:9 #2 0xffff921a94b4 in decode_string /app/cbor2/source/decoder.c:718:15 #3 0xffff921a5cc8 in decode /app/cbor2/source/decoder.c:1735:27 #4 0xffff921b1d98 in CBORDecoder_decode_stringref_ns /app/cbor2/source/decoder.c:1456:15 #5 0xffff921ab90c in decode_semantic /app/cbor2/source/decoder.c:973:31 #6 0xffff921a5d48 in decode /app/cbor2/source/decoder.c:1738:27 #7 0xffff921aac90 in decode_map /app/cbor2/source/decoder.c:909:27 #8 0xffff921a5d28 in decode /app/cbor2/source/decoder.c:1737:27 #9 0xffff921d4e28 in CBOR2_load /app/cbor2/source/module.c:318:19 #10 0xffff921d4e28 in CBOR2_loads /app/cbor2/source/module.c:367:19 ... ==1==ABORTING MS: 1 ChangeByte-; base unit: 096adbe21e6ccdcdaf3b466eae0eecc042a4ce48 0xa9,0xd9,0x1,0x0,0x67,0x0,0xfa,0xfa,0x0,0x0,0x4,0x4, \251\331\001\000g\000\372\372\000\000\004\004 artifact_prefix='/tmp/output/'; Test unit written to /tmp/output/crash-092ce4a82026ba5ca35d4ee4ef5c9ba41623d61d Base64: qdkBAGcA+voAAAQE The output gives us the full stack trace and a crash file to reproduce the issue: $ python -m cbor2.tool -p crash-092ce4a82026ba5ca35d4ee4ef5c9ba41623d61d Segmentation fault: 11 The crash happens in the Py_DECREF call in decode_definite_string: 640 PyObject *ret = NULL; 641 char *buf; 642 643 buf = PyMem_Malloc(length); 644 if (!buf) 645 return PyErr_NoMemory(); 646 647 if (fp_read(self, buf, length) == 0) 648 ret = PyUnicode_DecodeUTF8( 649 buf, length, PyBytes_AS_STRING(self->str_errors)); 650 PyMem_Free(buf); 651 652 if (string_namespace_add(self, ret, length) == -1) { 653 Py_DECREF(ret); 654 return NULL; 655 } 656 return ret; The Py_DECREF call (source/decoder.c#640–656) A NULL pointer dereference in the Python standard library produces the crash. Since the Py_DECREF documentation states that the passed object must not be NULL, the cbor2 developers fixed this bug by adding code that will detect a NULL pointer and return an error before Py_DECREF is reached. Integrating a project into OSS-Fuzz Google created OSS-Fuzz to improve the state of security for open-source projects. The service describes itself as “… a free service that runs fuzzers for open source projects and privately alerts developers to the bugs detected.” Integrating a project into OSS-Fuzz is a straightforward process. However, be aware that acceptance into OSS-Fuzz is ultimately at the discretion of the OSS-Fuzz team. There is no guarantee that a project will be accepted. OSS-Fuzz gives each new project proposal a criticality score and uses this value to determine if a project should be accepted. Integrating a project into OSS-Fuzz requires four files:
  1. project.yaml: This file contains metadata about your project like contact information, repository location, programming language, and fuzzing engine.
  2. Dockerfile: This file clones your project and copies any necessary fuzzing resources like corpora or dictionaries into a Docker image. OSS-Fuzz will then run the Docker image as part of the fuzzing process.
  3. build.sh: This file installs your project and any of its dependencies into the Docker image fuzzing environment.
  4. A fuzzing harness file: This initiates the fuzzing process against a target. For example, to fuzz a specific Python function, the harness would be a Python script that initializes the fuzzing process with the target function.
If you would like to learn more about any of these files and their respective options, see the OSS-Fuzz documentation on setting up a new project. Once your project has been accepted to OSS-Fuzz, you will be granted access to the ClusterFuzz web interface, which provides access to crashes, coverage information, and fuzzer statistics. OSS-Fuzz will then fuzz your project in the background and notify you when it produces findings. As part of our work fuzzing the cbor2 project, we integrated it into OSS-Fuzz in this pull request: google/oss-fuzz#11444. cbor2 will now be continuously fuzzed for bugs as development proceeds. To get a better idea of what this looks like in practice, see the cbor2 project in OSS-Fuzz. Continuous fuzzing with CIFuzz There’s continuous, and then there’s continuous. OSS-Fuzz fuzzes your project about once a day. If you need something more continuous than that, like, say, on every commit, then you will have to reach for another tool. Fortunately, Google and the OSS-Fuzz ecosystem have you covered with CIFuzz. CIFuzz integrates into the OSS-Fuzz ecosystem to fuzz your project on every commit. It does require a project to already be accepted and integrated in OSS-Fuzz, but non-OSS-Fuzz projects can use ClusterFuzzLite. To take our cbor2 fuzzing one step further, we added a CIFuzz job to the project’s GitHub Actions. This will fuzz the project on every commit and every pull request. Using OSS-Fuzz and CIFuzz allows for both faster fuzz feedback on proposed changes and deeper fuzz testing as part of a scheduled nightly job. The best of both worlds. Think of it like the testing pyramid: unit tests are fast and run on every commit, whereas end-to-end tests are slow and may be run only as part of a lengthier, nightly CI job. Once your project is integrated into OSS-Fuzz, adding CIFuzz is as simple as adding a GitHub Actions workflow to your project. This workflow file specifies similar metadata as the project’s project.yaml file, information like the project programming language, libFuzzer sanitizers to use, and fuzzing duration. You may be asking yourself, “how long should I be fuzzing my project for?” The answer often ends up being more art than science. CIFuzz’s default duration is 600 seconds, or 10 minutes. This is a great starting point. In this situation, bigger is not always better. Remember, you could be waiting for this job to complete on every commit. How long would you and your teammates like to wait for a CI job? A good rule of thumb is that continuous fuzzing on every commit should be run for minutes, not hours or days, and that scheduled, nightly fuzzing should be run for hours, or even days. Start with something reasonable and be prepared to tweak it as necessary. As part of our work fuzzing the cbor2 project, we added a CIFuzz workflow in this pull request: agronholm/cbor2#212. This should complement the scheduled OSS-Fuzz job nicely. Build your own trophy case with fuzzing Fuzzing is a great testing methodology for uncovering hard-to-find bugs and security vulnerabilities. It is particularly useful for projects performing decoding or deserialization functionality or taking in untrusted input. It has a proven track record, considering AFL’s extensive trophy case, rust-fuzz’s trophy case, and OSS-Fuzz’s claim of over 10,000 security vulnerabilities and 36,000 bugs found. Fuzzing is an advanced testing methodology, so it is not the first tool you should reach for when looking to improve your project’s robustness, but it is unquestionably a useful tool when you are looking to go to the next level. In this post, we walked you through setting up a fuzzing environment and harness for Python C extensions and then went over the process of integrating a project into OSS-Fuzz and adding a CIFuzz GitHub Actions workflow. In the end, we found some interesting memory corruption bugs in the cbor2 Python library and made the open-source software community a little bit more secure. If you’d like to read more about our work on fuzzing, we have used its capabilities in several ways, such as fuzzing x86_64 instruction decoders, breaking the Solidity compiler with a fuzzer, and fuzzing wolfSSL with tlspuffin. Contact us if you’re interested in custom fuzzing for your project.
Categories: Security Posts

Detecting anomalous O365 logins and evasion techniques

AlienVault Blogs - Fri, 2024/02/23 - 13:00
The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Summary Businesses across multiple industries, regardless of size, are at risk of being targeted with Microsoft 365 phishing campaigns. These campaigns trick users into visiting fake Microsoft login page where threat actors capture the user’s credentials. Even accounts with MFA can be victim to these types of attacks. There are several ways in which MFA is being bypassed with these types of campaigns. MFA Fatigue is one of the ways threat actors are bypassing MFA and this method attempts to exploit human error by repeatedly logging in with the stolen credentials causing an overwhelming number of MFA prompts in attempts to get the user to approve the login. Another MFA bypass technique is SIM Swapping. A SIM card is a small chip that your mobile carrier uses to hold identification information to tie your phone to you and your mobile carrier. Threat actors have found a weakness in this because there are scenarios where a customer may need a new SIM card (for example, they lost their phone). Carriers can transfer your identification information from your old SIM card to new one. SIM Swapping is when a threat actor abuses this feature and impersonates you to convince your mobile carrier to switch your phone number to a SIM card that is in the threat actor’s possession. This then allows the threat actor to receive MFA codes sent to your number via phone call or SMS. Man in the Middle Attacks are another notable MFA bypass technique. With this method, threat actors will wait for a user to enter credentials into a fake login page, then wait for you to allow the login with a push notification or steal the session or token after you enter in your code. After gaining access to an O365 account, the threat actor typically does some reconnaissance on the user’s inbox and then will use the access to the user’s account to try to phish other users, typically with a financial motive. We commonly see inbox rules abused to try to hide the emails, so the user is unaware of the emails coming from their account. Detection 24/7/365 Monitoring and Threat Detection such as Vertek’s Managed AlienVault Services
  • AlienVault Unified Security Management uses a User Behavior Analytics platform to detect anomalous M365 logins by tracking user behaviors and login data.
  • Enabling anomaly detection policies in Microsoft’s Defender for Cloud Apps. These alerts can be enabled in Defender, and then pulled into USM Anywhere where alerts can be investigated by Vertek’s SOC team when they occur.
  • Custom alerts to alarm on suspicious logins and inbox rules.
  • Monthly reporting to identify risky users and missing security controls.
Mitigation
  • Implementing regular user training, so users can identify phishing attempts and understand the importance of good passwords and only approving logins if they know the sign-in is legit.
  • Leveraging Microsoft tools to flag users that have been phished as risky users.
  • Disabling legacy protocols as they are favored in credential attacks because they cannot enforce MFA.
  • Utilize Microsoft Intune or other mobile device management (MDM) tools to block sign-ins from unregistered devices.
  • Using a Managed Threat Intelligence service that helps your organization identify risky users by using Dark Web monitoring tools to identify leaked credentials.  
Categories: Security Posts

9 tips to protect your family against identity theft and credit and bank fraud

Webroot - Thu, 2024/02/15 - 21:57
Did you know that more than nine million Americans have their identity stolen each year? Your data is stored across countless databases for various purposes, making it a prime target for criminals. With access to your personal information, bad actors can drain your bank account and damage your credit—or worse. But that doesn’t mean you and your family have to become victims. By taking the right steps, you and your loved ones can enjoy the peace of mind that comes from identity protection. Check out the nine tips below to discover how you can enable family protection and help prevent identity theft and credit and bank fraud. 1. Be protective of your personal information If criminals get ahold of your personal information—such as your name, address, date of birth, and social security number—they can use it to commit identity theft. This can impact your credit score, your savings, and your reputation—or even result in criminal records. Protect yourself by shredding documents with any personal information, and, when possible, avoid sharing this information over the phone or via email. 2. Use strong and unique passwords Passwords are your first line of defense to protecting your online accounts from hackers. That’s why your passwords should be strong: at least eight characters long with a combination of uppercase and lowercase letters, numbers, and symbols.

But it’s just as important you don’t use the same password for multiple accounts. If you’ve been compromised in a data breach, hackers can use your stolen email and password to try and enter thousands of other sites—and if you keep using the same credentials, they’ll be successful. Instead, use a password manager to easily generate and use strong passwords without having to recall them all. They’ll be stored in a secure vault, so you only need to remember the main password to the password manager app. 3. Monitor your accounts regularly Detect unauthorized transactions early by regularly checking your bank and credit card statements. If you notice any unauthorized transactions, immediately report them to your bank or credit card company. 4. Be wary of phishing scams Many criminals will send emails or text messages that appear to be from a legitimate source, like your bank or credit card company. Known as phishing scams, these messages will typically ask you to provide personal information or click on a malicious link. To avoid falling victim, always double-check the source of any message and never click on links or provide personal information unless you’re certain the message is legitimate. 5. Use two-factor authentication Two-factor authentication adds an extra layer of security to your online accounts. With two-factor authentication, you’ll need to provide a second form of identification—such as a code sent to your phone—in addition to your password. Even if your account information is compromised, bad actors won’t be able to access your account without this secondary identification. 6. Secure your devices and connections Without the right precautions, your computers, smartphone, and other devices can be easily hacked or compromised. To secure them, make sure your devices are up to date with antivirus software and are password-protected. Avoid using public Wi-Fi to access sensitive information—as these networks are often unsecured—or use a VPN to hide your identity and stay anonymous. 7. Keep an eye on your credit reports Did you know you’re entitled to a free credit report once a year from each of the three major credit bureaus? Check your credit report regularly to help detect any suspicious activity, such as accounts you didn’t open or loans that you didn’t apply for. You can also use a reputable credit monitoring service—which often includes SSN monitoring—for real-time alerts and protection. 8. Stay on top of the latest scams (especially with the rise of AI) Criminals are adopting new AI-powered scam tactics as the technology becomes more accessible. For example, it’s now possible to impersonate a friend or family member, even over the phone or by a video call. Keep informed of the latest scam techniques by following reputable cybersecurity experts and checking reputable news outlets. Because new tactics can pop up faster than they can be reported, be extra vigilant—be wary of unsolicited emails and messages and always verify a person’s identity before you share personal information. 9. Get your family covered with an identity protection package For the best identity protection, you should invest in a comprehensive protection plan. Webroot Premium with Allstate Identity Protection, for example, includes:
  • Protection against viruses, malware, scams, and other cyber threats.
  • Password management to keep your credentials safe.
  • Protection for 10 family members, including you and your partner, your children, and seniors aged 65+ you wish to protect.
  • Identity, credit, and financial accounts monitoring and alerts if potential fraud is detected.
  • Advanced dark web monitoring that notifies you if your personal data is found in a data breach or your credentials are compromised.
  • 24/7 US-based support with remediation experts that help you restore your stolen identity or mitigate fraud on your accounts.
  • Up to $1M reimbursement1 for:
    • Fraud expenses like out-of-pocket costs associated with identity restoration, including legal fees, lost wages, child or elderly care, replacement of identification cards, driver licenses, and passports.
    • Stolen funds in case identity fraud led to fraud on your saving accounts—including up to $150,000 for 401 (k)/HSA.
Get family protection today To protect yourself and your family against identity theft and bank fraud, you need to be vigilant and commit to good security practices. By following the nine tips, you can help reduce your likelihood of becoming a victim and safeguard your personal and financial information.

Do you want to make identity protection even easier? Discover Webroot. Not sure how to get started? Try our Help me choose quiz. 1Identity theft insurance covering expense and stolen funds reimbursement is underwritten by American Bankers Insurance Company of Florida, an Assurant company. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions, and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions. Product may be updated or modified. Certain features require additional activation. The aggregate limit for an individual or family plan is $1,000,000 in one year. The post 9 tips to protect your family against identity theft and credit and bank fraud appeared first on Webroot Blog.
Categories: Security Posts

Cybersecurity Concerns for Ancillary Strength Control Subsystems

BreakingPoint Labs Blog - Thu, 2023/10/19 - 19:08
Additive manufacturing (AM) engineers have been incredibly creative in developing ancillary systems that modify a printed parts mechanical properties.  These systems mostly focus on the issue of anisotropic properties of additively built components.  This blog post is a good reference if you are unfamiliar with isotropic vs anisotropic properties and how they impact 3d printing.  […] The post Cybersecurity Concerns for Ancillary Strength Control Subsystems appeared first on BreakPoint Labs - Blog.
Categories: Security Posts

Update on Naked Security

Naked Security Sophos - Tue, 2023/09/26 - 12:00
To consolidate all of our security intelligence and news in one location, we have migrated Naked Security to the Sophos News platform.
Categories: Security Posts

Thu, 1970/01/01 - 02:00
Syndicate content