A critical vulnerability in the SaltStack configuration management software that was discovered in March by the F-Secure company was recently used for widespread attacks. Among the affected hosts was one of the Certificate Transparency logs operated by DigiCert.

The attackers had access to the private key of the CT2 log. According to DigiCert, other logs operated by the company were not affected.

The Google Chrome browser requires two so-called signed certificate timestamps (SCTs) for every valid TLS certificate. These SCTs have to come from different logs. Therefore, in a case like this in which one log is compromised, there is always a second SCT that is unaffected.

Devon O’Brien explained Google’s response to this incident. Certificates can have SCTs embedded or they can be delivered via TLS extensions or OCSP. For cases in which the SCTs from the compromised CT2 log are embedded, Chrome will continue to accept the certificates with SCTs from this log if they were issued before the incident. However, certificates that deliver their SCTs via TLS extensions or OCSP need to get a new SCT from a different log if they relied on the compromised log.

Source: Feisty Duck
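The acceptance rules Chrome applied to SCTs from the compromised log, written out as an added Python example; this is not code from Feisty Duck, Google or DigiCert. The log identifiers and the cut-off timestamp are placeholders, and the "two SCTs from distinct logs" rule is the simplified policy as stated above, not Chrome's full CT policy.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Placeholder log identifiers (constructed; real CT log IDs are hashes of the log key).
CT2_LOG = "digicert-ct2-PLACEHOLDER"
OTHER_LOG = "unaffected-log-PLACEHOLDER"

# ASSUMPTION: the point in time after which CT2-signed SCTs are no longer trusted.
# Placeholder date, not the real incident date.
CT2_DISTRUST_FROM = datetime(2020, 5, 1, tzinfo=timezone.utc)

# Constructed sample timestamps used by demo() below.
SAMPLE_BEFORE = datetime(2020, 4, 1, tzinfo=timezone.utc)
SAMPLE_AFTER = datetime(2020, 5, 15, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SCT:
    log_id: str
    timestamp: datetime   # time the log signed the SCT (UTC)
    delivery: str         # "embedded", "tls_extension" or "ocsp"


def sct_is_trusted(sct: SCT) -> bool:
    """Rule from the text: SCTs from unaffected logs are fine; CT2 SCTs are
    accepted only when embedded in the certificate and signed before the incident."""
    if sct.log_id != CT2_LOG:
        return True
    if sct.delivery == "embedded":
        # An embedded SCT cannot be swapped without re-issuing the certificate,
        # so pre-incident ones keep working.
        return sct.timestamp < CT2_DISTRUST_FROM
    # TLS-extension and OCSP-delivered SCTs can be replaced by the server operator,
    # so CT2 ones are rejected regardless of age.
    return False


def certificate_satisfies_policy(scts: list[SCT], required: int = 2) -> tuple[bool, str]:
    """Simplified policy: at least `required` trusted SCTs from distinct logs."""
    trusted = [s for s in scts if sct_is_trusted(s)]
    distinct_logs = {s.log_id for s in trusted}
    if len(distinct_logs) < required:
        return False, (f"{len(trusted)} trusted SCT(s) from {len(distinct_logs)} log(s); "
                       f"need {required} from distinct logs")
    return True, "ok"


def demo() -> dict[str, bool]:
    """Three constructed certificates exercising each branch of the rule."""
    cases = {
        # Pre-incident cert with embedded SCTs from CT2 and another log: still accepted.
        "embedded_pre_incident": [SCT(CT2_LOG, SAMPLE_BEFORE, "embedded"),
                                  SCT(OTHER_LOG, SAMPLE_BEFORE, "embedded")],
        # Same SCTs, but served via the TLS extension: the CT2 one is rejected.
        "tls_ext_relying_on_ct2": [SCT(CT2_LOG, SAMPLE_BEFORE, "tls_extension"),
                                   SCT(OTHER_LOG, SAMPLE_BEFORE, "tls_extension")],
        # Operator fetched a replacement SCT from a third log: accepted again.
        "tls_ext_replaced": [SCT("third-log-PLACEHOLDER", SAMPLE_AFTER, "tls_extension"),
                             SCT(OTHER_LOG, SAMPLE_BEFORE, "tls_extension")],
    }
    return {name: certificate_satisfies_policy(scts)[0] for name, scts in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The second and third cases are the operational lesson for server operators: a certificate is not "fixed" by the log incident itself, but a site that serves SCTs via the TLS extension or OCSP can recover without re-issuing the certificate by fetching an SCT from another log.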

DigiCert acquired Symantec’s scroungy PKI business in 2017. See here for details. I still cannot believe Symantec found some dumbass to buy their shit. Un-fucking-believable!

Microsoft has blocked a Trend Micro driver from running on Windows 10 – and Trend has withdrawn downloads of its rootkit detector that uses the driver – after the code appeared to game Redmond’s QA tests.

Late last week, Trend removed downloads of its Rootkit Buster from its website. And last night it emerged the kernel-level driver at the heart of the software, tmcomm.sys, was added to Windows 10 20H1’s list of blocked drivers – preventing it from loading and Rootkit Buster from running.

Windows internals guru and CrowdStrike veep Alex Ionescu discovered the blockade, and highlighted it on Twitter, while investigating research by computer security undergrad Bill Demirkapi that revealed not only shortcomings in the driver’s code but also an effort to detect Microsoft’s QA test suite.

Demirkapi, as we reported last week, discovered tmcomm.sys altered the way it allocated memory to pass Microsoft’s Windows Hardware Quality Labs (WHQL) certification tests.

Passing these tests is highly desirable: if a driver meets the grade, it can be digitally signed by Microsoft, is trusted by Windows, and potentially can be distributed via Windows Update and similar mechanisms.

Source: The Register

For a recent project, I had to do research into the methods by which rootkits are detected and the most effective measures to catch them, which led me to ask: what are some existing solutions to rootkits and how do they function? My search eventually landed me on the TrendMicro RootkitBuster, which describes itself as “A free tool that scans hidden files, registry entries, processes, drivers, and the master boot record (MBR) to identify and remove rootkits”.

The features it boasted certainly caught my attention. They were claiming to detect several techniques rootkits use to burrow themselves into a machine, but how does it work under the hood and can we abuse it? I decided to find out by reverse engineering core components of the application itself, leading me down a rabbit hole of code that scarred me permanently, to say the least.

Source: Bill Demirkapi

There was a time when people said there were no, or at least fewer, exploits and the like for Apple devices. Well, those times are over. Zerodium no longer accepts exploits for Apple devices and software because too many are being reported.

We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors. Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.

Source: Zerodium

The server installer, perhaps other installers, will log LUKS passwords used on the system via:

– installer/subiquity-curtin-install.conf

  {volume: disk-sda, key: …

– curtin/install.log

  get_path_to_storage_volume for volume dm_crypt-0({'volume': 'disk-sda', 'key': …

Source: Ubuntu bug-tracker

A fix has been released, so you know the drill.
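A check for the leak described in the bug report, as an added Python example that is not from the Ubuntu bug tracker or from the subiquity/curtin projects: it scans the two files named above for `key:` values in both the YAML form and the Python-repr form shown in the excerpts, and reports the offending line with the value redacted, so an administrator can confirm whether a passphrase was written to disk before rotating it and scrubbing the logs. The base directory (/var/log), the extra `type`/`id` fields in the sample lines and the sample passphrase are assumptions or constructed.

```python
from __future__ import annotations
import re
import sys
from pathlib import Path

# Relative log paths named in the bug report. The base directory is an ASSUMPTION
# (placeholder), since the report gives only the relative names.
ASSUMED_LOG_DIR = Path("/var/log")
INSTALLER_LOGS = [
    ASSUMED_LOG_DIR / "installer/subiquity-curtin-install.conf",
    ASSUMED_LOG_DIR / "curtin/install.log",
]

# Matches `key: value` (YAML flow style) and `'key': 'value'` (Python repr), the two
# shapes in the excerpts above. `(?<!\w)` keeps it from matching e.g. `keyfile:`.
KEY_RE = re.compile(
    r"""(?P<pre>(?<!\w)(?P<q>['"]?)key(?P=q)\s*:\s*)"""
    r"""(?:(?P<vq>['"])(?P<qval>[^'"]+)(?P=vq)|(?P<val>[^'"\s,}]+))"""
)

# Constructed sample content mimicking the two files; the passphrase is made up.
SAMPLE_CONF = (
    "storage:\n"
    "  config:\n"
    "  - {volume: disk-sda, key: CONSTRUCTED-passphrase-1, type: dm_crypt, id: dm_crypt-0}\n"
)
SAMPLE_LOG = (
    "get_path_to_storage_volume for volume dm_crypt-0("
    "{'volume': 'disk-sda', 'key': 'CONSTRUCTED-passphrase-1', 'type': 'dm_crypt'})\n"
)


def redact_keys(text: str) -> str:
    """Return text with every matched key value replaced by <REDACTED>, quoting preserved."""
    def _sub(m: re.Match) -> str:
        if m.group("qval") is not None:
            return f"{m.group('pre')}{m.group('vq')}<REDACTED>{m.group('vq')}"
        return f"{m.group('pre')}<REDACTED>"
    return KEY_RE.sub(_sub, text)


def find_key_leaks(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted line) for every line carrying a key value.
    The secret itself is never returned, only evidence that it is present."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if KEY_RE.search(line):
            hits.append((lineno, redact_keys(line)))
    return hits


def scan_files(paths=INSTALLER_LOGS) -> dict[str, list[tuple[int, str]]]:
    """Scan each existing file and report leaked-key lines per file."""
    report = {}
    for p in paths:
        if p.is_file():
            report[str(p)] = find_key_leaks(p.read_text(errors="replace"))
    return report


if __name__ == "__main__":
    # No arguments: scan the assumed installer logs; otherwise scan the given files.
    targets = [Path(a) for a in sys.argv[1:]] or INSTALLER_LOGS
    for path, hits in scan_files(targets).items():
        for lineno, redacted in hits:
            print(f"{path}:{lineno}: {redacted}")
```

Run it without arguments on an installed system to check the assumed paths, or pass other log files explicitly. Because only redacted lines are emitted, the output can be pasted into a ticket without repeating the leak.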

The country has the highest penetration of any automated contact tracing app in the world, but one senior figure says it “wasn’t a game changer.”

But despite this early deployment and widespread use, one senior figure in the country’s covid-19 response says the real impact of Rakning C-19 has been small, compared with manual tracing techniques like phone calls.

“The technology is more or less … I wouldn’t say useless,” says Gestur Pálmason, a detective inspector with the Icelandic Police Service who is overseeing contact tracing efforts. “But it’s the integration of the two that gives you results. I would say it [Rakning] has proven useful in a few cases, but it wasn’t a game changer for us.”

Source: MIT Technology Review

On Sunday, Eindhoven University of Technology researcher Björn Ruytenberg revealed the details of a new attack method he’s calling Thunderspy. On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer—and even its hard disk encryption—to gain full access to the computer’s data. And while his attack in many cases requires opening a target laptop’s case with a screwdriver, it leaves no trace of intrusion and can be pulled off in just a few minutes. That opens a new avenue to what the security industry calls an “evil maid attack,” the threat of any hacker who can get alone time with a computer in, say, a hotel room. Ruytenberg says there’s no easy software fix, only disabling the Thunderbolt port altogether.

Source: Wired

See Björn Ruytenberg’s “Breaking Thunderbolt Protocol Security: Vulnerability Report 2020” for the details. Here’s a local copy in case it gets taken down for any reason.

“Black Mirror” can be called a number of things—intelligent, well-crafted, beautifully acted, and gripping, just to name several descriptors. But one thing that the bulk of “Black Mirror” can’t be called is uplifting. And that’s something that creator Charlie Brooker is painfully aware of, and it’s the driving force behind his reluctance to write more episodes of the sci-fi anthology series.

Brooker was recently interviewed with Radio Times, and as you might expect, the conversation eventually turned to “Black Mirror” and the future of the Netflix series. When asked about the possibility of a new season of “Black Mirror,” Brooker replied, “I’ve been busy, doing things. I don’t know what I can say about what I’m doing and not doing.”

“At the moment, I don’t know what stomach there would be for stories about societies falling apart, so I’m not working away on one of those,” he added. “I’m sort of keen to revisit my comic skill set, so I’ve been writing scripts aimed at making myself laugh.”

Source: The Playlist

Here’s a comment by John Fiddle about that article:

Black Mirror portrays dramatized possible scenarios where modern technology and society enslave, kill or monitor people.

Imaginably, officials don’t want such topics while they are launching an app that could track our movement, behavior and social relations on a huge, if not global, scale.

So Black Mirror is either on hold because it has been required by a government, or Netflix’s interest in their customers’ overall mood became bigger than their greed for money.

The world needs your hardihood of self-thinking. Sometimes asking the right questions impacts more than giving the right answers.

Anyways. This hypothesis supports the theory that the corona app’s main purpose is mass surveillance and not aid. So I’m officially denying it now, because an increase in fear could result in further holds of Black Mirror. The current global crisis, however, would fit excellently as a Black Mirror episode.

John Fiddle
