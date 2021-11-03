

Security Leftovers

2021-11-03
Security
  • Security updates for Wednesday

    Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak).

  • Finding and Fixing DOM-based XSS with Static Analysis – Attack & Defense

    Despite all the efforts of fixing Cross-Site Scripting (XSS) on the web, it continuously ranks as one of the most dangerous security issues in software.

    In particular, DOM-based XSS is gaining increasing relevance: DOM-based XSS is a form of XSS where the vulnerability resides completely in the client-side code (e.g., in JavaScript). Indeed, more and more web applications implement all of their UI code using frontend web technologies: Single Page Applications (SPAs) are more prone to this vulnerability, mainly because they are more JavaScript-heavy than other web applications. An XSS in Electron applications, however, has the potential to cause even more danger due to the system-level APIs available in the Electron framework (e.g., reading local files and executing programs).

    The following article will take a deeper look into Mozilla’s eslint-based tooling to detect and prevent DOM-based XSS and how it might be useful for your existing web applications. The eslint plugin was developed as part of our mitigations against injection attacks in the Firefox browser, for which the user interface is also written in HTML, JavaScript and CSS.

  • 'Trojan Source' a Threat to All Source Code, Languages | eSecurityPlanet

    Researchers have outlined a method that could be used by bad actors to push vulnerabilities into source code that are invisible to human code reviewers.

    In a paper released this week, two researchers at the University of Cambridge in the UK wrote that the method – which they dub “Trojan Source” – essentially can be leveraged against almost every programming language in use today and could be effective in supply-chain attacks similar to the one launched against SolarWinds last year.

  • Victory! U.S. blacklists NSO Group and Candiru - Access Now

    Today, the U.S. Government added NSO Group, Candiru, and two other foreign companies to the Entity List for engaging in activities contrary to the national security or foreign policy interests of the United States.

    While long overdue, Access Now applauds this announcement, and urges the European Union and other governments to implement similar restrictions on surveillance tech companies who facilitate human rights violations.

    “This is a huge win,” said Natalia Krapiva, Tech-Legal Counsel at Access Now. “NSO and Candiru like to brag that their spyware technologies are all about protecting public safety and national security. But here, we have the United States, a major power, coming out and saying these companies are violating not only human rights, but also U.S. national security.”

  • FBI Releases PIN on Attacks Using Significant Financial Events for Extortion

    The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) on ransomware actors using significant financial events, such as mergers and acquisitions, to target and leverage victim companies.

    CISA encourages users and administrators to review Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims and apply the recommended mitigations.

  • DCOM abuse and lateral movement with Cobalt Strike | Pen Test Partners

    It is possible to bypass certain AVs by encoding executables containing payloads with tools such as Msfvenom. Alternatively, tools such as Shellter or Veil can be used to create custom Portable Executables (PE) capable of bypassing common anti-virus solutions. These tools also allow you to inject payloads into legitimate software to even better mask your malicious code from the AV.

    These tools can be successful at performing their task; however, if one used the same binary several times there is a good chance it would be added to existing AV/EDR signature databases. Using websites like VirusTotal to test the detection rate of your executables will also likely speed up the process of your malware getting added to an AV signature database. In general, uploading binaries onto a target currently is a bit of an unnecessary risk, therefore I wanted to look into ways of performing lateral movement with malware that does not need to be transferred to the disk of the target.

    The great thing about Cobalt Strike is the option to execute .NET binaries in memory of the target (execute-assembly), without needing to transfer it. Following the same idea, I wanted to be able to transfer malware to the target, that would execute in memory and avoid the unnecessary triggering of AV by the fact that it is present on the disk. I came across a technique called reflective DLL injection and thought it was genius.

    Reflective DLL injection involves loading a .NET Dynamic Link Library (DLL) into the memory of the target. Common tooling such as PowerShell can be used to load the DLL and allows the execution of your choice of methods available within the DLL. This results in diskless malware execution. I liked the concept; however, performing the preparation for such a task was slightly lengthy, therefore my programmer instincts kicked in and I thought, why not create some automation.

Devices: ESP8266, Pis, Arduinos, and More

  • Liberating The ESP8266 From Its Development Board | Hackaday

    While the ESP32 is clearly a superior piece of hardware, we think you’ll agree that the ESP8266 is just too useful not to have a dozen or so kicking around the parts bin at any given time. Cheap, easy to use, and just enough capabilities to bring your projects into the wonderful world of IoT. But if you really want to get the most out of it, you’ll eventually have to skip the development board and start working with the bare module itself. It can be a scary transition, but luckily, [Ray] has collected some notes that should prove helpful for anyone looking to use modules like the ESP-12F in their own custom PCBs. From different tips on making sure the power-hungry modules get enough juice, to cost cutting measures that help reduce the ancillary parts needed in your circuit design, it’s a worthwhile read for new and experienced ESP8266 wranglers alike.

  • Conexio Stratus - An nRF9160 board with solar energy harvesting capability (Crowdfunding) - CNX Software

    Conexio Stratus board is equipped with Nordic Semi nRF9160 System in Package (SiP) with LTE-M (eMTC) & NB-IoT cellular IoT connectivity as well as GPS support through a pair of u.FL connectors for antennas, together with 500MB of mobile data valid for ten years.

  • Meet Grumpy Hedgehog, an adorable gesture-sensing companion | Arduino Blog

    Detecting shapes and gestures has traditionally been performed by camera systems due to their large arrays of pixels. However, Jean Peradel has come up with a method that uses cheap time-of-flight (ToF) sensors to sense both objects and movement over time. Better yet, his entire project is housed within a 3D-printed “Grumpy Hedgehog” that contains not only the sensors, but a highly-interactive 1.44” LCD screen as well. Peradel’s smart home companion is capable of picking up several different kinds of movements and patterns to perform a wide variety of actions such as sending keystrokes to a PC, controlling a light, or actuating a servo motor. This is accomplished by taking VL53L1X ToF modules, which have a 16×16 scanning array and communicate over the I2C bus. Once the attached Arduino MKR WiFi 1010 has read this data, it can determine if the object (which appears closer on the grid) has moved up, down, left, or right.

  • The CrowPi is a combination Linux laptop and Raspberry Pi explorer's kit

    The CrowPi2 looks like an ordinary laptop with an 11.6-inch screen with 1080p resolution, but it's also a nifty Raspberry Pi experimentation and learning platform. You can remove the wireless keyboard from the case to reveal a development board with a bunch of different onboard sensors and modules, and components such as an LCD display and a solderless breadboard.

  • Aaeon reveals Elkhart Lake Pico-ITX and ships Tiger Lake 3.5-inch SBCs

    Yesterday, when we were reporting on Canonical’s release of Ubuntu images optimized for Intel’s Elkhart Lake and Tiger Lake processors, we saw several patch notices referring to the EHL. Aaeon then confirmed that the patches referred to its PICO-EHL4 SBC, which was revealed with no image and very few details a year ago after Elkhart Lake was announced. Aaeon has since posted specs, apparently in late September when it announced the board, on Aaeon’s newsletter. We also cover Aaeon’s Tiger Lake-U based GENE-TGU6 3.5-inch SBC, which we detailed in May based on a preliminary product page and which Aaeon has now formally launched with some minor changes.

Programming Leftovers

  • Bash For Loop 1 to 10

    We all know that many of the basic concepts of programming contain many data structures, variables, statements, and loops. Loops are very well-known among all of them when running a series of instructions or doing some tasks under certain conditions. The most famous and most used loop is the “for” loop. So, today we will be looking at the syntax and working of the “for” loop for a series of numbers, i.e., 1 to 10. Let’s start by opening a terminal shell with the help of a “Ctrl+Alt+T” command on the Ubuntu 20.04 desktop system.

  • Convert Array to Hash Ruby

    Both arrays and dictionaries share a common trait in all major programming languages: they are both flexible and scalable data structures that help organize and refactor code. In certain instances, the need to convert an array to a hash and vice versa comes up. In this guide, we shall discuss how you can convert an array to a hash in Ruby.

  • Array Filter in Ruby

    We can think of arrays as databases or, more specifically, a table within a database. The main use of arrays is to store related items in a single entity, allowing you to manage them efficiently. This tutorial will illustrate how to filter the results from an array using the select, find and reject methods.

  • C++ Cout Format

    Within the C++ language, there are some objects specified in libraries to do some specific tasks. Just like this, the iostream library has been used to input and output the data to an input and output device while using C++. The “cout” object is the main object used to display the data to a device screen while including the “iostream” header file in the code. Let’s have some examples to see the format of the C++ cout statement in Ubuntu 20.04.

Proprietary Failure and Linux Foundation Openwash

GStreamer 1.19.3 unstable development release

The GStreamer team is pleased to announce the third development release in the unstable 1.19 release series. The unstable 1.19 release series adds new features on top of the current stable 1.18 series and is part of the API and ABI-stable 1.x release series of the GStreamer multimedia framework. The unstable 1.19 release series is for testing and development purposes in the lead-up to the stable 1.20 series which is scheduled for release in a few weeks time. Any newly-added API can still change until that point, although it is rare for that to happen.

