Categories
bug programming security

Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps

Previously we had attackers using hijacked npm libraries to steal credentials. In this case neither the libraries nor the maintainer was compromised. In fact it was the maintainer himself who deliberately introduced bugs into his libraries, thereby breaking thousands of apps that depend on them. There’s no easy solution to this dependency problem. For now use pinned versions and manually approve upgrades.

Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some surmised if the NPM libraries had been compromised, but it turns out there’s more to the story.

Source: Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps

Categories
programming security

RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

log4j is a common logging library for Java applications. This vulnerability is extremely easy to exploit, and allows the attacker to run arbitrary code on the server. IOW, very bad. For now, set log4j.formatMsgNoLookups=true to mitigate the issue, until an official patch is out.

Given how ubiquitous this library is, the impact of this vulnerability is quite severe. Learn how to patch it, why it’s bad, and more in this post.

Source: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

Categories
security

Microsoft Defender scares admins with Emotet false positives

Got hit by this today. Was trying to open a Word doc from a colleague when I received the following scary warning.

Submitting the same file to VirusTotal returns 0 threats detected. Hmmm.

Searching for the keyword Win32/PowEmotet.SB returns the following:

Microsoft Defender for Endpoint is currently blocking Office documents from being opened and some executables from launching due to a false positive tagging the files as potentially bundling an Emotet malware payload.

Source: Microsoft Defender scares admins with Emotet false positives

If you are hit by the same issue, just update your threat definitions and it should go away:

Categories
gis programming

OneMap API

Do you know that you can do this? No API key or token is required to do simple geocoding via the OneMap API.

Notice the response returns both LONGTITUDE and LONGITUDE containing the same value. This is due to a misspelling in the earlier API and a decision not to break clients that already depend on the misspelled field.

Find out more here: https://www.onemap.gov.sg/docs/#onemap-rest-apis

Categories
programming security

Hoax Email Blast Abused Poor Coding in FBI Website

One of the FBI’s websites had a web form that allowed arbitrary content to be sent from a legitimate FBI domain, passing all DMARC, DKIM and SPF checks. This isn’t even a hack: anyone could have done it using their web browser. But it could have had serious consequences had the attacker had more nefarious motives.

The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for…

Source: Hoax Email Blast Abused Poor Coding in FBI Website

Categories
programming security

The Invisible JavaScript Backdoor – Certitude Blog

Earlier, we had a group that abused the Unicode bi-directional mechanism to deceive the reader about the actual ordering of source code, cleverly hiding a backdoor in plain sight.

Now we have yet another novel method to include a backdoor in source code. The attack vector makes use of Unicode characters that are invisible when rendered, but which are valid characters in variable names.

The attack requires the IDE/text editor (and the used font) to correctly render the invisible characters. At least Notepad++ and VS Code render it correctly (in VS Code the invisible character is slightly wider than ASCII characters). The script behaves as described at least with Node 14.

Source: The Invisible JavaScript Backdoor – Certitude Blog
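Both tricks above (invisible characters in identifiers, bidi controls that reorder what the reader sees) are detectable with a plain code-point scan. The following is an added example, not code from the Certitude post; the function name and the list of code points are my own, and the sample source is constructed.

```javascript
// Added example: flag code points that render invisibly or reorder text.
// Names are hypothetical; the list is illustrative, not exhaustive.
const SUSPICIOUS = new Map([
  [0x200b, "ZERO WIDTH SPACE"],
  [0x200c, "ZERO WIDTH NON-JOINER"],
  [0x200d, "ZERO WIDTH JOINER"],
  [0x2060, "WORD JOINER"],
  [0xfeff, "ZERO WIDTH NO-BREAK SPACE (BOM)"],
  [0x3164, "HANGUL FILLER"],            // invisible, yet valid in identifiers
  [0x115f, "HANGUL CHOSEONG FILLER"],
  [0x1160, "HANGUL JUNGSEONG FILLER"],
  [0x202a, "LEFT-TO-RIGHT EMBEDDING"],  // bidi controls used by Trojan Source
  [0x202b, "RIGHT-TO-LEFT EMBEDDING"],
  [0x202c, "POP DIRECTIONAL FORMATTING"],
  [0x202d, "LEFT-TO-RIGHT OVERRIDE"],
  [0x202e, "RIGHT-TO-LEFT OVERRIDE"],
  [0x2066, "LEFT-TO-RIGHT ISOLATE"],
  [0x2067, "RIGHT-TO-LEFT ISOLATE"],
  [0x2068, "FIRST STRONG ISOLATE"],
  [0x2069, "POP DIRECTIONAL ISOLATE"],
]);

// Returns one finding per suspicious code point: 1-based line and column
// (counted in code points), the code point in U+XXXX form and a name.
// Anything in Unicode category Cf (format) is flagged even if not listed.
function scanSource(source) {
  const findings = [];
  let line = 1, col = 0;
  for (const ch of source) {            // for..of iterates by code point
    col += 1;
    const cp = ch.codePointAt(0);
    if (cp === 0x0a) { line += 1; col = 0; continue; }
    const listed = SUSPICIOUS.get(cp);
    if (listed || /\p{Cf}/u.test(ch)) {
      const hex = cp.toString(16).toUpperCase().padStart(4, "0");
      findings.push({ line, col, codePoint: "U+" + hex, name: listed || "FORMAT CHARACTER (Cf)" });
    }
  }
  return findings;
}

// Constructed sample: a Hangul Filler appended to an identifier on line 1,
// and a right-to-left override inside a string literal on line 2.
const SAMPLE = 'const a\u3164 = 1;\nconst s = "x\u202Ey";\n';

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.line}:${f.col} ${f.codePoint} ${f.name}`);
}
```

Run it over every file in a pull request; a clean code base should produce no findings, so any hit is worth a human look.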

Categories
privacy security

Malware found in coa and rc, two npm packages with 23M weekly downloads

It’s a worrying trend to see more and more hijacking of popular packages to spread malware. The threat actor apparently gained access to the package maintainer’s account and inserted a post-install script to download malware.

The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.

Source: Malware found in coa and rc, two npm packages with 23M weekly downloads
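Two checks follow from this post and the colors/faker one above: pin exact versions so a bad release cannot flow in on the next install, and look at the install-time scripts a dependency declares, since that is where the coa/rc payload was hooked in. The following is an added example, not code from either article; the function names are hypothetical and both manifests are constructed.

```javascript
// Added example: audit npm manifests for unpinned ranges and install hooks.
// Function names are hypothetical; sample manifests are constructed.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];
// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Returns every dependency whose spec is not an exact version. Ranges
// such as ^1.2.3 or ~1.2.3, wildcards, tags and URLs are all reported.
function findUnpinned(pkg) {
  const out = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_SEMVER.test(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Returns the install-time hooks a manifest declares. Run this over the
// package.json of each dependency under node_modules, not just your own.
function findInstallHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts)
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample: a project manifest with mixed pinning ...
const PROJECT_PKG = {
  name: "example-app",
  dependencies: { colors: "1.2.3", faker: "^5.0.0", rc: "~1.2.0" },
  devDependencies: { eslint: "8.0.0" },
};
// ... and a dependency manifest that declares a post-install script.
const DEP_PKG = {
  name: "example-dep",
  scripts: { postinstall: "node compile.js", test: "node test.js" },
};

for (const u of findUnpinned(PROJECT_PKG)) {
  console.log(`unpinned ${u.section}.${u.name}: ${u.spec}`);
}
for (const h of findInstallHooks(DEP_PKG)) {
  console.log(`install hook ${h.hook}: ${h.command}`);
}
```

Pinning in package.json still needs a committed lockfile to cover transitive dependencies, and `npm install --ignore-scripts` stops hooks like the one reported here from running at all.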

Categories
3D

Was Google Earth Stolen?. I recently watched “The Billion Dollar… | by Avi Bar-Zeev | Oct, 2021 | Medium

The Billion Dollar Code is a new mini-series from Netflix that tells the story of ART+COM’s lawsuit against Google, purportedly for infringing their patent in the software (Keyhole) that would later become Google Earth.

One of the key people behind Keyhole wrote the following detailed post, which clearly rebuts the claims:

ART+COM’s patent was invalidated in 2017 because another group, Sarnoff Research Center (SRI) in Palo Alto had shown a similar system in 1994, showing just how obvious these ideas were by 1995. In a stunning irony, the people asserting they “invented” Google Earth were bested by a pre-existing system with essentially the same name and function as theirs.

Source: Was Google Earth Stolen?. I recently watched “The Billion Dollar… | by Avi Bar-Zeev | Oct, 2021 | Medium

Categories
security

O.MG Cable – * to USB-A

This is incredible. It’s essentially a covert computer inside a USB cable.

To get a cable like this, you used to need a million dollar budget or to find a guy named MG at DEFCON. But Hak5 teamed up with MG to allow more people access to this previously clandestine attack hardware. Every O.MG Cable is hand made and tailored to look and feel exactly like the cable your target already has in their possession. You won’t need a million dollar budget for this cable, but the power and capabilities are extensive. It is packed with a web server, 802.11 radio, and way more memory and processing power than the type of cable you would want for just doing demos. But the flexibility makes demos easy. The O.MG Cable is built for covert field-use, with features that enhance remote execution, stealth, forensics evasion, all while being able to quickly change your tooling on the

Source: O.MG Cable – * to USB-A

Categories
programming

GitHub Copilot · Your AI pair programmer

This looks super impressive and is potentially game-changing. Auto-completion has been around for ages, from the early days of Visual Assist to Visual Studio Autocomplete. This is another level. It works like GPT-3 in that it tries to suggest whole sections of code or a complete function based on comments and other signals. This will be something that companies will pay for. Based on HN comments, alpha testers gave it rave reviews. It’s currently in technical preview. Can’t wait for general availability.

GitHub Copilot works alongside you directly in your editor, suggesting whole lines or entire functions for you.

Source: GitHub Copilot · Your AI pair programmer