Security: Updates, Congressional Campaigns, Malicious JavaScript and New FUD

Thursday 30th of May 2019 04:07:36 PM
Security
  • Security updates for Thursday
  • What I Learned Trying To Secure Congressional Campaigns

    This soul-crushing telethon is the principal activity of a Congressional campaign. Getting in its way is like getting between a mama bear and her cub. You are just going to find yourself clawed to death by a frantic finance director. Whatever you do to secure a campaign must not be an obstacle to fundraising.

  • Malicious JavaScript injected into WordPress sites using the latest plugin vulnerability

    A stored cross-site script vulnerability was discovered last week in the popular WordPress Live Chat Support plugin. The vulnerability allows an unauthenticated attacker to update the plugin settings by calling an unprotected "admin_init hook" and injecting malicious JavaScript code everywhere on the site where Live Chat Support appears. All versions of this plugin prior to version 8.0.27 are vulnerable. The patched version for this vulnerability was released on May 16, 2019, and has been fixed for version 8.0.27 and higher.

    ThreatLabZ researchers recently discovered what may be the first campaign in which attackers are exploiting the Live Chat Support plugin vulnerability and injecting a malicious script that is responsible for malicious redirection, pushing unwanted pop-ups and fake subscriptions. While it is not yet seen as a widespread attack, the number of compromised websites is growing (at the end of this blog there is a link to the names of the compromised sites).

  • [Attackers] actively exploit WordPress plugin flaw to send visitors to bad sites [iophk: "JavaScript, again. Ars Technica should not downplay JavaScript's role in making sites vulnerable."]

    The vulnerability was fixed two weeks ago in WP Live Chat Support, a plugin for the WordPress content management system that has 50,000 active installations. The persistent cross-site scripting vulnerability allows attackers to inject malicious JavaScript into sites that use the plugin, which provides an interface for visitors to have live chats with site representatives.

    Researchers from security firm Zscaler's ThreatLabZ say attackers are exploiting the vulnerability to cause sites using unpatched versions of WP Live Chat Support to redirect to malicious sites or to display unwanted popups. While the attacks aren't widespread, there have been enough of them to raise concern.

  • Stephen Michael Kellat: The Coming Cyber War

    Facebook is a company based in the United States of America and that detail of location is key to this plot. Since the Internet has a global reach legislators from countries beyond the United States of America have wanted to question Mr. Zuckerberg himself. After ducking their calls, initially members of a committee from the UK House of Commons came across the ocean to grill Zuckerberg in Washington. Members of the Digital, Culture, Media, Sport Committee were investigating Russian interference in elections at the time. That testimony took place in February 2018. We can then fast forward to Zuckerberg facing multiple hearings before committees of the US House of Representatives and US Senate in April 2018. Again, members of those committees were asking questions concerning Russian interference. Similar questions were put to Zuckerberg in May 2018 by EU officials.

    After that point, pressures begin to build in our chronology. An "international grand committee" met in London in November 2018. According to reports by Canadian television network Global, there were representatives from nine nations at this meeting. The report indicated that Canada, Ireland, Brazil, Argentina, Singapore, Belgium, France, Latvia, and the United Kingdom all had legislators represented to question the head of Facebook. He did not personally attend but was represented by Richard Allan, a company vice president. The report also shows one of the first indications of discussing an international accord to regulate Facebook. That idea was put forward at the meeting by Canadian federal legislator Charlie Angus of the NDP, Canada's socialist party.

  • Linux Fix Pending For Borked Hibernation After Disabling Hyper Threading

    If you have begun disabling Intel Hyper Threading on your systems over security concerns in light of MDS/Zombieload and other vulnerabilities making HT look increasingly unsafe, you may have noticed your system doesn't resume properly after hibernation. Fortunately, a fix is on the way.

    More operating systems have been adding options or, on the BSD front, even considering a default around disabling Hyper Threading out of security concerns. On the Linux front HT/SMT is enabled by default but there is now the new convenient mitigations= option (granted, there were other ways to disable HT/SMT previously; they are now just bundled under the "mitigations" umbrella) and openSUSE has even added mitigations/HT options to their installer. If you've decided to disable Hyper Threading, it turns out resuming after hibernation would run into problems and likely just reboot the system rather than successfully resume.

  • New HiddenWasp malware found targeting Linux systems [Ed: CBS ZDNet says "New HiddenWasp malware found targeting Linux systems," but this isn't a Linux issue, it targets already-compromised systems. It's like blaming Adobe flaws on Windows.]
  • HiddenWasp: New Malware Targets Linux Machines To Control Them Remotely [Ed: This is not a "Linux" problem; it exploits things that merely run on GNU/Linux, like iTunes running on Windows.]

    Unlike the Windows cybersecurity ecosystem, the threats concerning Linux systems aren’t often discussed in much detail. The attacks either go undetected by the security mechanisms laid out by enterprises or they aren’t too severe to be reported widely by the security researchers.
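Returning to the WP Live Chat Support item above: the excerpt attributes the bug to an admin_init callback that updates plugin settings without checking who is making the request. The PHP below is an added illustration written for this page, not code from the plugin, from Zscaler or from Ars Technica; the plugin prefix, option name, field names and nonce action are all made up. It places a callback that trusts any request beside one that requires an authenticated administrator, a valid nonce and sanitised input, and escapes the stored value on output.

```php
<?php
// Added illustration, not the plugin's code. Every "hypothetical_chat_*" name is invented.
// admin_init fires for every request that loads the WordPress admin bootstrap, including
// admin-ajax.php, which unauthenticated visitors can reach. A callback hooked there must
// do its own authorisation; being on the hook implies nothing about who is calling.

// Weak pattern: any request carrying the field rewrites the stored setting, and the raw
// value is later printed into pages, so an attacker-controlled script gets stored.
function hypothetical_chat_save_settings_weak() {
    if ( isset( $_POST['hypothetical_chat_greeting'] ) ) {
        update_option( 'hypothetical_chat_greeting', $_POST['hypothetical_chat_greeting'] );
    }
}

// Hardened pattern: require a logged-in user with the right capability, a nonce bound
// to this specific action, and strip markup before storing.
function hypothetical_chat_save_settings() {
    if ( ! isset( $_POST['hypothetical_chat_greeting'] ) ) {
        return; // Nothing to do for requests that do not carry the field.
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce field emitted by wp_nonce_field() on the
    // settings form and stops the request on mismatch, so a blind POST cannot succeed.
    check_admin_referer( 'hypothetical_chat_save', 'hypothetical_chat_nonce' );

    $greeting = sanitize_text_field( wp_unslash( $_POST['hypothetical_chat_greeting'] ) );
    update_option( 'hypothetical_chat_greeting', $greeting );
}

// Output side: escape on the way out even though the input was sanitised on the way in,
// so a value that reached the database by some other route still cannot run as script.
function hypothetical_chat_render_greeting() {
    echo esc_html( get_option( 'hypothetical_chat_greeting', '' ) );
}

// Only the hardened callback is registered; the weak one is shown for contrast.
add_action( 'admin_init', 'hypothetical_chat_save_settings' );
add_action( 'wp_footer', 'hypothetical_chat_render_greeting' );
```

The settings form that submits this field would call `wp_nonce_field( 'hypothetical_chat_save', 'hypothetical_chat_nonce' )` so that the nonce check has something to verify. The order of the checks matters: the capability test runs first so that anonymous requests are rejected before any nonce handling, and sanitisation happens only once the request is known to be authorised.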

Android Leftovers

Programming: GCC, PHP, Python, Java and More

  • A short primer on assemblers, compilers, and interpreters
    In the early days of computing, hardware was expensive and programmers were cheap. In fact, programmers were so cheap they weren't even called "programmers" and were in fact usually mathematicians or electrical engineers. Early computers were used to solve complex mathematical problems quickly, so mathematicians were a natural fit for the job of "programming."
  • Creating a Source-to-Image build pipeline in OKD
  • PHP7 - Fix incompatibility errors like: Parse error: syntax error, unexpected new (T_NEW) in file.php on line...
  • Open-Source Compiler Support Starts Riding Down For Intel's Sapphire Rapids
    Intel's Sapphire Rapids is the Icelake successor not looking to be released until 2021 but thankfully the open-source compiler support is already seeing initial work on enabling the new instruction set extensions. This week the first new instruction set additions have landed into both the GCC and LLVM compilers for bits being introduced with Sapphire Rapids. The main addition is ENQCMD, an instruction disclosed by this month's architecture instruction set extensions programming reference guide.
  • 2018 in review!
    The Python Ambassador program helps further the PSF's mission with the help of local Pythonistas. The goal is to perform local outreach and introduce Python to areas where it may not exist yet. In March 2018, the board approved expanding our Python Ambassador program to include East Africa. Kato Joshua and the Afrodjango Initiative have been doing great outreach in universities in Uganda, Rwanda, and Kenya. In a general overview, $324,000 was paid in grants last year to recipients in 51 different countries. We awarded $59,804 more in grants in 2018 than 2017. That's a 22.6% increase for global community support.
  • Community-driven open source and funded development
    If you talk to someone about supporting an open source project, in particular a well-known one that they rely on (e.g. NumPy, Jupyter, Pandas), they're often willing to listen and help. What you quickly learn though is that they want to know in some detail what will be done with the funds provided. This is true not only for companies, but also for individuals. In addition, companies will likely want a written agreement and some form of reporting about the progress of the work. To meet this need we came up with community work orders (CWOs) - agreements that outline what work will be done on a project (implementing new features, release management, improving documentation, etc.) and outlining a reporting mechanism. What makes a CWO different from a consulting contract? [...] A few years ago the number of projects in the PyData ecosystem that had a roadmap was at or very close to zero. That's slowly starting to change. At last year's NumFOCUS Summit, Brian Granger and I led a session on roadmaps, to share experiences and best practices in writing roadmaps. In preparation for that session I surveyed the roadmaps of all NumFOCUS projects. About half the projects had a roadmap, and of those roadmaps, again about half were outdated or very incomplete. So eight months ago only 25% of projects had a good roadmap, today it's probably a little higher. That's not a lot if we want to find roadmap items as conversation starters for all projects we're interested in. Luckily we can talk to project maintainers and get a few big ticket items from them (in most cases) that we can use instead. Here's the idea: we look at a project roadmap, take a couple of ideas that we think are most likely to be of interest to a company, put those on a brochure, and let our sales team take it from there to use (to support a conversation, generate some initial interest, provide an overview of the breadth of our interests and capabilities at Quansight Labs, etc.). Here's what that currently looks like:
  • Oracle Is Aiming To Contribute An eBPF Backend To The GCC 10 Compiler
    While Oracle has control of DTrace following their acquisition of Sun Microsystems, it turns out Oracle developers are quite interested in adding eBPF support to the GNU toolchain with GCC support as an alternative to the LLVM-focused path currently relied upon for targeting this in-kernel Linux virtual machine. Last week I wrote about GNU Binutils seeing eBPF support for this modern and increasingly popular VM solution within the Linux kernel. That's not all Oracle is looking to contribute on the eBPF front but is also working on a GCC compiler back-end.
  • Pivotal adds OpenJDK support to Spring in response to 'concerns' around Oracle's Java
    Pivotal, developer of the open-source Spring Framework for Java, has confirmed official support for OpenJDK to address "questions in the community" about changes to the way Oracle Java SE is distributed and supported. "Many companies and enterprises are scrambling trying to understand their options around support of their application investments," said Ryan Morgan, Pivotal's veep of engineering for the Application Platform group. The Spring Framework, originally developed in 2002 by Rod Johnson as a lightweight alternative to Enterprise JavaBeans (server-side Java components), remains popular for business applications, more than 15 years after its 1.0 release in March 2004. Johnson's company SpringSource was acquired by VMware in 2009 and the business moved to Pivotal Software when the outfit was formed by VMware and EMC in 2012.
  • No2Pads, a simple Notepad clone
  • First steps with Qt Creator
  • Test and Code: 76: TDD: Don’t be afraid of Test-Driven Development - Chris May
  • Powering up python as a data analysis platform
  • Angular 8 Tutorial: Learn Angular 8 from Scratch
  • Speeding up Python code using multithreading
  • Falsehoods Programmers Believe About Search

    Search is a deceptively complex field, where competence is hard-won through training, practice, and experience. The list stands at a total of 105 falsehoods. I couldn’t mash up the ole 99-problems meme with this to cull 6 unworthy items, because they are all worthy. I will leave you with that brief introduction and, of course, the list: [...]

  • Accessing UNIX sockets remotely from .NET

5 best Gnome-based Linux distributions to check out

Gnome (AKA Gnome 3 or Gnome Shell) is the third iteration of the Gnome desktop environment. Its user-interface is split into a panel at the top, and a favorites dock on the left. Gnome is currently the most popular Linux desktop environment, and most major Linux distributions ship with it as the primary user-interface. In the Linux world, many people are using Gnome as it is modern, and often the default choice. Even though it remains the most popular desktop on Linux, some Linux OSes do Gnome better than others. So, here are the 5 best Gnome-based Linux OSes to check out!

