A brief daily summary of what is important in cybersecurity. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minutes long, summary of current network security-related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Presented without much commentary since I stopped once {ggrepel} and {graphlayouts} failed (RStudio doesn’t support it yet, either, which I knew). The following steps will get you a fully working and STUPID FAST fully native ARM64 M1/Apple Silicon R setup with {tidyverse} and {rJava}. Just remember, that if you need RStudio (or anything that links… Continue reading →
Our thanks to BSidesSF and Conference Speakers for publishing their outstanding presentations; which originally appeared at the group’s BSidesSF 2020 Conference, and on the Organization’s YouTube Channel. Additionally, the BSidesSF 2021 Conference will take place on March 6 – 9, 2021 – with no cost to participate. Enjoy!
If you’ve been following me around the internets for a while you’ve likely heard me pontificate about the need to be aware of and reduce — when possible — your personal “cyber” attack surface. One of the ways you can do that is to install as few applications as possible onto your devices and make… Continue reading →
Late this past week, the U.S. Senate approved a $1.9 trillion budget bill to fast-track Biden’s stimulus plan, which includes more COVID-19 relief. It now appears likely that this stimulus relief will be approved by March. While the details of this American rescue plan are still not final, here’s what Biden’s plan calls for, according..
These are a handful of legacy, no-longer-popular Registry locations that could at some point in the past have supported persistence, because they point to the editors associated with ‘viewing the source of web pages’ and with using Microsoft Office to edit HTML documents:
HKCU\Software\Microsoft\Shared\HTML\Default Editor
HKCU\SOFTWARE\Microsoft\Shared\HTML\Old Default Editor
HKLM\SOFTWARE\Microsoft\Shared\HTML\Old Default Editor
HKCU\Software\Microsoft\Internet Explorer\Default HTML Editor
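As an added example (not Hexacorn's code and not part of the original post), the following Python script walks the four locations above, including any subkeys such as shell\edit\command, and flags every command line it finds that points outside the usual program directories. The trusted-directory list and the file-extension filter are triage assumptions, the sample values at the bottom are constructed rather than taken from a real machine, and the live scan only does anything on Windows (it uses the standard-library winreg module) and yields nothing elsewhere.

```python
# Added example (not from the original post): enumerate the four legacy
# HTML-editor registry locations and flag command lines that point outside
# the usual program directories.
import ntpath
from typing import Iterator, List, Tuple

# The four locations from the post, split into hive + subkey.
LOCATIONS = [
    ("HKCU", r"Software\Microsoft\Shared\HTML\Default Editor"),
    ("HKCU", r"SOFTWARE\Microsoft\Shared\HTML\Old Default Editor"),
    ("HKLM", r"SOFTWARE\Microsoft\Shared\HTML\Old Default Editor"),
    ("HKCU", r"Software\Microsoft\Internet Explorer\Default HTML Editor"),
]

# Triage assumption: a legitimate editor lives under one of these roots.
DEFAULT_TRUSTED = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

PROGRAM_SUFFIXES = (".exe", ".dll", ".cmd", ".bat", ".vbs", ".js", ".ps1")


def executable_from_command(cmd: str) -> str:
    """Return the program part of a registry command line.

    Handles both '"C:\\Program Files\\x\\y.exe" /f "%1"' and
    'C:\\x\\y.exe %1'.  Returns '' for an empty value.
    """
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def classify(value: str, trusted=DEFAULT_TRUSTED) -> str:
    """'ok' if the program sits under a trusted root, 'review' otherwise,
    'skip' for values that are not command lines (e.g. a Description)."""
    exe = ntpath.expandvars(executable_from_command(value))  # %ProgramFiles% etc.
    if not exe.lower().endswith(PROGRAM_SUFFIXES):
        return "skip"
    exe_n = ntpath.normcase(exe)
    for root in trusted:
        if exe_n.startswith(ntpath.normcase(root).rstrip("\\") + "\\"):
            return "ok"
    return "review"


def walk_registry_values(hive_name: str, subkey: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key_path, value_name, data) for the key and all its subkeys.
    Yields nothing when not on Windows or when the key does not exist."""
    try:
        import winreg
    except ImportError:  # not on Windows
        return
    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive_name]

    def walk(path: str):
        try:
            key = winreg.OpenKey(hive, path, 0, winreg.KEY_READ)
        except OSError:
            return
        with key:
            n_sub, n_val, _ = winreg.QueryInfoKey(key)
            for i in range(n_val):
                name, data, _kind = winreg.EnumValue(key, i)
                yield (f"{hive_name}\\{path}", name or "(Default)", str(data))
            for i in range(n_sub):
                yield from walk(path + "\\" + winreg.EnumKey(key, i))

    yield from walk(subkey)


def scan(trusted=DEFAULT_TRUSTED) -> List[Tuple[str, str, str, str]]:
    """Live scan of the four locations; each hit is (verdict, key, value, data)."""
    hits = []
    for hive_name, subkey in LOCATIONS:
        for key_path, name, data in walk_registry_values(hive_name, subkey):
            verdict = classify(data, trusted)
            if verdict != "skip":
                hits.append((verdict, key_path, name, data))
    return hits


# Constructed sample values (not taken from any real system) to show the triage.
SAMPLE_VALUES = [
    '"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" /f "%1"',
    'C:\\Users\\Public\\Libraries\\update.exe "%1"',
    "Microsoft Word",
]

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"[{classify(v).upper():6}] sample: {v}")
    for verdict, key_path, name, data in scan():
        print(f"[{verdict.upper():6}] {key_path}\\{name} = {data}")
```

Run it with a Python build of the same bitness as the OS so HKLM is read from the native view; reading these keys needs no elevation. A "review" hit is not proof of compromise, only a pointer at something that was not put there by an Office or Internet Explorer installer.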
SSL/TLS certificates issued by trusted Certificate Authorities (CAs), public or private, are commonly issued for a single domain name on public-facing websites. An organization with a handful of public domains and subdomains would therefore have to issue and manage an equal number of certificates, increasing the complexity of certificate lifecycle management. The good news is that there is a way to reduce this burden.
If you want to talk about disinformation in America, “Jaws” is one of the best examples of how a simple story based on a false fear can do exceptional long lasting harm. It is very difficult to get sharks back to what they are, correctly seen as loving and affectionate. An example of shark reality … Continue reading The Movie “Jaws” Foreshadowed America’s Disinformation Crisis→
Late last December we started getting distress calls from our forum patrons. Patrons were experiencing ads that were opening via their default browser out of nowhere. The odd part was that none of them had recently installed any apps, and the apps they had installed came from the Google Play store. Then one patron, who goes by the username Anon00, discovered that the ads were coming from a long-time installed app, Barcode Scanner, an app with 10,000,000+ installs from Google Play! We quickly added detection, and Google quickly removed the app from its store.
Simple scanner turns evil
Many of the patrons had had the app installed on their mobile devices for long periods of time (one user had it installed for several years). Then, all of a sudden, after an update in December, Barcode Scanner went from an innocent scanner to full-on malware! Although Google has already pulled the app, we estimate from a cached Google Play webpage that the update occurred on December 4th, 2020.
Malicious intent
The majority of free apps on Google Play include some kind of in-app advertising. They do this by adding an ad SDK to the app's code, usually at the end of the app's development. Paid-for versions simply do not have this SDK included.
Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It’s a win-win situation for everyone. Users get a free app, while the app developers and the ad SDK developers get paid.
But every once in a while, an ad SDK company can change something on their end and the ads can start getting a bit aggressive, sometimes even landing the apps that use the SDK in the Adware category. When this happens, it is not the app developer's doing but the SDK company's. I describe this scenario to make clear that, in the case of Barcode Scanner, this was not what happened.
No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify that the update came from the same app developer, we confirmed it had been signed with the same digital certificate as previous clean versions (so it was produced by whoever holds that signing key, not by a repackager). Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection name Android/Trojan.HiddenAds.AdQR.
Bad behavior
The toughest part of malware analysis can be replicating what our users are experiencing. That wasn't a problem with Barcode Scanner; it went into action within minutes of install. Watch the short video below to see its malicious behavior:
Removed from Play, but not from mobile device
Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner. Thus, until they install a malware scanner like Malwarebytes for Android, or manually remove the app, it will continue to display ads.
Lying dormant
It is hard to tell just how long Barcode Scanner had been in the Google Play store as a legitimate app before it became malicious. Based on the high number of installs and user feedback, we suspect it had been there for years. It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect. It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know.
Working for an Australian company can make it difficult to be a die-hard NFL fan. Making matters worse is that most of my American colleagues are in Boston, a true nightmare for someone born and raised in New Jersey. The only thing I have to hold over their heads is that I can legally bet […]
Linux and Unix operating systems require regular patching like any IT system, but as security professionals, ethical hackers, and criminal hackers will tell you, regular Linux and Unix patching is often neglected.
CVE-2021-3156 sudo Vulnerability
Last week (26th January 2021) a new critical-rated Linux/Unix vulnerability was made public as CVE-2021-3156. Specifically, the vulnerability is in the ‘sudo’ program, which is an abbreviation of ‘superuser do‘, well, that’s how I remember it. Sudo is a powerful and fundamental program found in nearly every Linux and Unix distribution, allowing users to execute programs with the security privileges of another user. A typical use of sudo is running a program with root (i.e. administrator) privileges.
The sudo heap overflow vulnerability was discovered by Qualys researchers. The exploit allows any unprivileged local user, in a default sudo configuration and whether or not they are listed in sudoers, to gain root-level (i.e. administrative) privileges. Qualys has posted a blog and video which explain and demonstrate the exploitation technique, which as exploits go is fairly quick and easy to do. See CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog
The Security Concern
This vulnerability in sudo was present for nearly 10 years: it was introduced in July 2011, and Qualys lists legacy versions 1.8.2 through 1.8.31p2 and stable versions 1.9.0 through 1.9.5p1 as affected in their default configuration, with the fix shipping in sudo 1.9.5p2. Bear in mind that distributions backport the fix into their existing package versions, so check your distribution's security advisory or package changelog rather than relying on the upstream version number alone. The issue is that Linux is embedded everywhere, yet many systems are rarely, if ever, updated. From IoT devices to internet-based services, the security of countless devices and web-based services depends upon a secure Linux account privilege model. While their Linux operating systems remain unpatched against CVE-2021-3156, they sit there insecure, waiting to be hacked.
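As an added example (not from the original post and not Qualys's code), the following Python script combines the two checks a practitioner actually wants for this CVE: a comparison of the reported sudo version against the ranges published by Qualys, and the behavioural probe from the Qualys advisory, `sudoedit -s /`, which tells vulnerable and patched builds apart regardless of what the version string says. The version strings and probe outputs used in the comments are constructed for illustration; the live helpers only run `sudo --version` and `sudoedit -s /` on the host you execute it on.

```python
# Added example (not from the original post): version-range check for
# CVE-2021-3156 plus the sudoedit behavioural probe described by Qualys.
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Affected ranges as published by Qualys: legacy 1.8.2 - 1.8.31p2 and
# stable 1.9.0 - 1.9.5p1.  Fixed upstream in 1.8.32 and 1.9.5p2.
VULNERABLE_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '1.9.5p2' or the first line of `sudo --version` (for example the
    constructed string 'Sudo version 1.8.31') into a comparable tuple
    (major, minor, patch, p-level).  Returns None when no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def version_in_vulnerable_range(text: str) -> Optional[bool]:
    """True/False for a recognised version string, None when unparsable.
    Caveat: distributions backport the fix without bumping the upstream
    version, so True means 'check the package changelog or run the probe',
    not 'definitely exploitable'."""
    v = parse_sudo_version(text)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def classify_probe_output(output: str) -> str:
    """Interpret what `sudoedit -s /` printed.  A vulnerable sudo accepts -s
    in sudoedit mode and fails later with 'not a regular file'; a patched one
    rejects the flag and prints its usage text.  Both happen before any
    password prompt."""
    if "not a regular file" in output:
        return "vulnerable"
    if "usage:" in output.lower():
        return "patched"
    return "unknown"


def sudoedit_probe(timeout: float = 5.0) -> str:
    """Run the probe on this host and classify the result."""
    if shutil.which("sudoedit") is None:
        return "no-sudoedit"
    try:
        proc = subprocess.run(
            ["sudoedit", "-s", "/"],
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "unknown"
    return classify_probe_output(proc.stdout + proc.stderr)


def installed_sudo_version() -> str:
    """First line of `sudo --version`, or '' if sudo is not installed."""
    if shutil.which("sudo") is None:
        return ""
    out = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
    return out.stdout.splitlines()[0] if out.stdout else ""


if __name__ == "__main__":
    ver = installed_sudo_version()
    print(f"{ver or 'sudo not found'}: in published vulnerable range = "
          f"{version_in_vulnerable_range(ver)}")
    print(f"sudoedit -s / probe: {sudoedit_probe()}")
```

On a distribution that backported the fix you will typically see the version check say True while the probe says patched; trust the probe (and the distribution advisory) over the upstream version number. Neither helper needs root, and the probe never reaches the password prompt on either a vulnerable or a patched build.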