A drunken debugger

Heretek of Silent Signal

All you "security is only getting worse!!!" people: today's hot new Mandiant M-Trends report shows the global median dwell time is now (only) 10 days. In 2011 it was 416!

Global median dwell time is the amount of time an intruder spends in your organization before being noticed.

Ransomware has indeed influenced the numbers for the last several years, but factoring ransomware out still only moves the count from 10 to 13 days.

TL;DR: We are doing better at detecting and responding to intruders. However, we need to get that number down to 1 day, and then 1 hour, to truly handicap the most effective intruders out there.


@harrysintonen Cool! Another link: Karger and Schell, “Multics Security Evaluation: Vulnerability Analysis,” 1974.¹ That’s the “Unknown Air Force Document” Thompson borrowed the idea from!²

__
¹ https://www.acsac.org/2002/papers/classic-multics-orig.pdf, §3.4.5
² He later updated the version on his home page with the right citation: https://web.archive.org/web/20010410053444/http://cm.bell-labs.com/who/ken/trust.html

I implemented Ken Thompson’s Reflections on Trusting Trust (1984 Turing Award Lecture) compiler for the GNU C Compiler Collection (GCC). The backdoor maintains persistence by re-injecting itself to any new versions of the compiler built. The secondary payload modifies a test application by adding a backdoor password to allow authentication bypass:

$ cat testapp.c
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    /* the only legitimate credential compiled into the source */
    if (argc == 2 && !strcmp(argv[1], "secret"))
    {
        printf("access granted!\n");
        return EXIT_SUCCESS;
    }
    else
    {
        printf("access denied!\n");
        return EXIT_FAILURE;
    }
}
$ gcc -Wall -O2 -o testapp testapp.c
$ ./testapp kensentme
access granted!
$

I spent most of the time (around two hours) writing the generalized tooling that produces the final quine version of the malicious payload. Now that this is done, the actual code can be adjusted trivially to exploit more target code without any need to adjust the self-reproducing section of the code. This method of exploitation could be extended to target various binaries: SSH Server, Linux Kernel, Setuid binaries and similar. While itself written in C, the secondary payloads can target any programming languages supported by GCC.

It should be noted that GCC build checks for malicious compiler changes such as this. This check can – of course – also be bypassed. However, most serious projects have measures in place to avoid hacks of this nature.

Some links:
- Ken Thompson's "Reflections on Trusting Trust" paper: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
- David A. Wheeler: "Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers" https://dwheeler.com/trusting-trust/

@vegard

We recently did some internal research and took a look at the JavaScript runtime Deno. We found a couple of interesting bypasses for their permission system. If you'd like to learn more, please feel free to check out our blogpost at https://secfault-security.com/blog/deno.html.

Nice writeup on Deno sandbox issues. Funny how most of it boils down to a very basic issue: they did security checks on the normalized file path, only to perform the actual operations with the original messy path (which was then interpreted differently). via @greg

https://secfault-security.com/blog/deno.html
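The check-on-one-value, operate-on-another pattern described in this post, shown as an added example that is neither Deno's code nor taken from the linked write-up. The sandbox root, the in-memory "file system", the normalizer and the read functions are all constructed for illustration; the point is that the vulnerable checker decides on a cleaned-up path and then hands the caller's original string to the operation, which interprets it by different rules.

```javascript
// Added example (constructed; not Deno's code): a permission check made on a
// normalized path while the real operation runs on the original string.

// Constructed helper: small POSIX-style normalizer that collapses ".", ".."
// and repeated slashes. Stands in for whatever canonicalization a runtime does.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

function isUnder(root, p) {
  return p === root || p.startsWith(root + "/");
}

// Constructed stand-in for the operating system: relative paths are resolved
// against the process working directory, absolute paths are taken as-is.
const ALLOWED_ROOT = "/srv/app/data";
const CWD = ALLOWED_ROOT;
const FILES = {
  "/srv/app/data/config.json": "public config",
  "/srv/app/secret.key": "SECRET",
};
function osResolve(p) {
  return normalizePath(p.startsWith("/") ? p : CWD + "/" + p);
}
function osRead(p) {
  const key = osResolve(p);
  if (!(key in FILES)) throw new Error("ENOENT: " + p);
  return FILES[key];
}

// Vulnerable pattern: the checker glues the request onto the sandbox root,
// normalizes that, decides on it, and then passes the untouched request to the
// OS. For an absolute request the two interpretations disagree.
function vulnerableRead(requested) {
  const checked = normalizePath(ALLOWED_ROOT + "/" + requested);
  if (!isUnder(ALLOWED_ROOT, checked)) throw new Error("EPERM: " + requested);
  return osRead(requested); // operates on the original string, not on `checked`
}

// Hardened pattern: resolve exactly the way the operation will, check that
// value, and operate on that same value.
function hardenedRead(requested) {
  const resolved = osResolve(requested);
  if (!isUnder(ALLOWED_ROOT, resolved)) throw new Error("EPERM: " + requested);
  return osRead(resolved); // same value that was checked
}

// Small wrapper so outcomes can be compared without try/catch at call sites.
function tryRead(fn, requested) {
  try { return { ok: true, value: fn(requested) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Walk-through for the reader: both readers accept the legitimate file, but
// only the vulnerable one lets an absolute path outside the root through.
for (const req of ["config.json", "../secret.key", "/srv/app/secret.key"]) {
  console.log(req, "vulnerable:", tryRead(vulnerableRead, req),
              "hardened:", tryRead(hardenedRead, req));
}
```

The fix is not a better normalizer; it is using one resolved value for both the decision and the action. Any time a check and its operation receive different strings, whatever sits between them (the OS, a library, a second parser) is free to disagree with the checker.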

@da_667 can you share a 4k version?

I search for "techno" on YT (I have this much creativity left for today, sorry), and the first result is a video about fucking Pokemon World.

#AdTech must die. (Pokemons are cool.)

eScan AV also seems like a truly professional company:
- While they have a Vulnerability Disclosure Program, there is no listing of security advisories (ProTip: always make sure your vendor has an advisory listing)
- There is a Hall of Fame though, that just outright discloses the email addresses of reporters, but no info about the vulns
- This CVE record references a blog post, that simply bitrotted: https://nvd.nist.gov/vuln/detail/CVE-2018-18388

Learn whatever you feel compelled to learn. Nobody tells the wildebeest to eat the green grass and nobody can tell a hacker what ancient tomes of lore to read. A good hacker is a dancer of thought, you are not slogging through a curriculum like an accountant.

https://bird.makeup/@7etsuo/1781574645940117920


CVE-2024-2389: Command Injection Vulnerability In Progress Flowmon https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/

Who does updates over HTTP and without signature enforcement in 2024? Of course it's an AV: https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/

"Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers"

https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/


Hallelujah! And Congrats all around.

JPL just announced that engineering data was successfully received from the Voyager 1 spacecraft on Saturday April 20, the first time since Nov 2023.

The commands sent on Thu to relocate some code around the failed memory chip in the FDS worked as expected.

Science data is not being received yet; it will require relocation of some more code in the sparse free memory areas in the FDS.

(Engg data = spacecraft health data)
https://www.jpl.nasa.gov/news/nasas-voyager-1-resumes-sending-engineering-updates-to-earth
27/n


Found this series of videos being recommended to me by YouTube (rightfully so) and they are awesome.

They explain how the ZX81 generates video and it is mind boggling: It boils down to the CPU using NOP-slides as an exact delay while rendering pixels and during the slide the actual pixel data is being read from memory to be put into a shift register and from there on the screen. 🤯

It is complicated, but really well explained.

https://www.youtube.com/playlist?list=PLjQDRjQfW-84WG47-5UjPz1BrXxc1acvd


Devs sometimes talk about being "close to the metal" but there is no other software engineering team in the world right now that are simultaneously as close to and as far away from the metal as the people keeping Voyager working.
