
      An SSH agent that exploits the XZ backdoor

      news.movim.eu / Korben · Thursday, 11 April - 08:53 · 1 minute

    If you read me regularly, you have surely caught everything about the infamous XZ backdoor that was discovered with a bang last week. And I have just stumbled on a "funny" little thing that is nothing less than an implementation of the exploitation technique for this XZ backdoor, built directly into an SSH agent.

    As a reminder, an SSH agent (such as ssh-agent) is a program that runs in the background and keeps your decrypted private keys in memory for the duration of your session. Its role is to supply those keys to SSH clients when they need them to authenticate, so that you do not have to retype your passphrase every time.

    This fiendish agent is called JiaTansSSHAgent, in homage to the cybercriminal who tampered with XZ, and it implements some of the functionality of the infamous XZ sshd backdoor. In plain terms, it lets you go through that backdoor using your favourite SSH client.

    The thing first generates its own ed448 private key with OpenSSL; then liblzma.so has to be patched with the corresponding ed448 public key. Again, nothing too nasty, it is just a small Python script. The last step is to patch your SSH client so that it skips certificate verification.

    And there you go!

    Once you have done all that, you can connect to your heart's content with any password on any server that has this flaw. Still, you do need to be careful: this is not something to use any which way. You must respect the law, and experiment with it only on your own hardware or with your client's authorization, for example as part of a security audit engagement. Any other use will send you straight to prison, so don't mess around!

    That's it, friends, you now know everything about JiaTansSSHAgent. To find out more, head over to the JiaTanSSHAgent GitHub repo.


      Thousands of LG TVs exposed to the world. Here’s how to ensure yours isn’t one.

      news.movim.eu / ArsTechnica · Tuesday, 9 April - 19:12


    As many as 91,000 LG TVs face the risk of being commandeered unless they receive a just-released security update patching four critical vulnerabilities discovered late last year.

    The vulnerabilities are found in four LG TV models that collectively comprise slightly more than 88,000 units around the world, according to results returned by the Shodan search engine for Internet-connected devices. The vast majority of those units are located in South Korea, followed by Hong Kong, the US, Sweden, and Finland. The models are:

    • LG43UM7000PLA running webOS 4.9.7 - 5.30.40
    • OLED55CXPUA running webOS 5.5.0 - 04.50.51
    • OLED48C1PUB running webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50
    • OLED55A23LA running webOS 7.3.1-43 (mullet-mebin) - 03.33.85

    Starting Wednesday, updates are available through these devices’ settings menu.



      One engineer’s curiosity may have saved us from a devastating cyber-attack | John Naughton

      news.movim.eu / TheGuardian · Saturday, 6 April - 15:00 · 1 minute

    In discovering malicious code that endangered global networks in open-source software, Andres Freund exposed our reliance on insecure, volunteer-maintained tech

    On Good Friday, a Microsoft engineer named Andres Freund noticed something peculiar. He was using a software tool called SSH for securely logging into remote computers on the internet, but the interactions with the distant machines were significantly slower than usual. So he did some digging and found malicious code embedded in a software package called XZ Utils that was running on his machine. This is a critical utility for compressing (and decompressing) data running on the Linux operating system, the OS that powers the vast majority of publicly accessible internet servers across the world. Which means that every such machine is running XZ Utils.

    Freund’s digging revealed that the malicious code had arrived in his machine via two recent updates to XZ Utils, and he alerted the Open Source Security list to reveal that those updates were the result of someone intentionally planting a backdoor in the compression software. It was what is called a “supply-chain attack” (like the catastrophic SolarWinds one of 2020 ) – where malicious software is not directly injected into targeted machines, but distributed by infecting the regular software updates to which all computer users are wearily accustomed. If you want to get malware out there, infecting the supply chain is the smart way to do it.


      China will use AI to disrupt elections in the US, South Korea and India, Microsoft warns

      news.movim.eu / TheGuardian · Friday, 5 April - 04:00

    Beijing did a test run in Taiwan using AI-generated content to influence voters away from a pro-sovereignty candidate

    China will attempt to disrupt elections in the US, South Korea and India this year with artificial intelligence-generated content after making a dry run with the presidential poll in Taiwan, Microsoft has warned.

    The US tech firm said it expected Chinese state-backed cyber groups to target high-profile elections in 2024, with North Korea also involved, according to a report by the company’s threat intelligence team published on Friday.


      How to hack the Jacksonville Jaguars’ jumbotron (and end up in jail for 220 years)

      news.movim.eu / ArsTechnica · Wednesday, 3 April - 20:26

    Three examples of the video screen tampering. (credit: US DOJ)

    Was someone messing with the Jacksonville Jaguars' giant jumbotron ?

    On September 16, 2018, the Jaguars were playing the New England Patriots when the in-stadium screen experienced, in the US government's words, "a loss in reference sync which manifested as a large horizontal green lines [sic] appearing across one whole video board."

    On November 18, during a game against the Pittsburgh Steelers, it happened again—but this time, entire video sub-boards filled with green.



      US reprimands Microsoft for security failures that allowed Chinese hack

      news.movim.eu / TheGuardian · Wednesday, 3 April - 19:53

    Federal report says ‘cascade of errors’ by tech giant let Chinese operators break into senior government officials’ email accounts

    In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying “a cascade of errors” by the tech giant let state-backed Chinese cyber operators break into the email accounts of senior US officials, including the commerce secretary, Gina Raimondo.

    The Cyber Safety Review Board, created in 2021 by executive order, describes shoddy cybersecurity practices, a lax corporate culture and a lack of sincerity about the company’s knowledge of the targeted breach, which affected multiple US agencies that deal with China.


      At least a dozen Westminster insiders targeted in WhatsApp phishing attack

      news.movim.eu / TheGuardian · Wednesday, 3 April - 17:56

    Politicians, including a minister, advisers and journalists received potentially compromising messages over a six-month period

    More than a dozen politicians, advisers and journalists have been targeted in a phishing attack, in what cybersecurity experts believe is an attempt to compromise them.

    Twelve men working in Westminster, including a serving government minister, told Politico they had received unsolicited WhatsApp messages from two suspicious mobile numbers in the past six months.


      Missouri county declares state of emergency amid suspected ransomware attack

      news.movim.eu / ArsTechnica · Tuesday, 2 April - 23:59

    Downtown Kansas City, Missouri, which is part of Jackson County. (credit: Eric Rogers)

    Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable.

    "Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack," officials wrote Tuesday . "Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal."

    The systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. In response, the Assessment, Collection and Recorder of Deeds offices at all county locations are closed until further notice.



      Western governments struggle to coordinate response to Chinese hacking

      news.movim.eu / TheGuardian · Friday, 29 March - 04:30

    Experts say UK-imposed sanctions will make no difference when hacking is part of ecosystem of dealing with Beijing

    With the announcement that the UK government would be imposing sanctions on two individuals and one entity accused of targeting – without success – UK parliamentarians in cyber-attacks in 2021 , the phrase “tip of the iceberg” comes to mind. But that would underestimate the iceberg.

    James Cleverly, the home secretary, said the sanctions were a sign that “targeting our elected representatives and electoral processes will never go unchallenged”.
