Interplanetary Peers | Techsnap 384

There are others that they've gone after, but from the looks of things a lot of this stuff is quite a well-engineered set of attacks. They are standing up legitimate-looking domain names, they are injecting JavaScript, and they are passing the traffic from the legitimate-looking websites towards another legitimate-looking website. So in this case they had certificates acquired, by the Magecart group, from Comodo, who are a well-known SSL certificate vendor. These are not the sorts of actions of a malware group that are just doing hit-and-runs on whatever they can target; these are quite clearly very well-crafted attacks against all sorts of firms. It's quite scary, to be quite honest with you.

Yeah, it is. I mean, they're having

so much success, and this is exactly the sort of breach that turns people who already don't really trust interactions over the Internet... you know, it really drives them crazy, because of course you're scared that all of your personal details will be leaked, that your credit card information could be stolen, because that's what keeps happening. And you're right, like in this particular case the Magecart group registered a domain name called neweggstats.com, and well, if you didn't know that wasn't a Newegg domain it certainly looks like one, especially when they have a verified certificate for it.

Yeah, so from the looks of things that JavaScript is actually being loaded into the payment pages and is scraping the contents of things like the long credit card number and things like that. So they are actually getting, as I think you mentioned in the previous show, the full long number on the front, they're getting the expiry date, they're getting the CVV on the back, and these are things that if they were actually attacking the databases in the back end they wouldn't be getting. So the benefit, in quotes, the benefit to them is that they're not having to go after protected databases, because they wouldn't get the CVV number if they had that.

You're exactly right. Yeah, you shouldn't be storing those things.

So you shouldn't have those, and probably on the back end, ideally, maybe you've spent a little more time on your security posture, you have more checks and balances, you are making sure that you've scrubbed sensitive data where you don't need it. But on the front-end side, you know, those could be completely separate teams, they may not audit it, and I mean this JavaScript in this case was 15 lines. So if you're not carefully watching your checksums, or who has access, auditing how it gets changed, maybe it's really easy to change it on the production servers, and you just append to that one JavaScript file and suddenly everything your customer types into your payment page, well, that's theirs now.

I do wonder if there are any simple steps people might take, I don't know if you have thoughts on this, that if you are running something that handles these sorts of transactions, how can you make this simpler, or how can you have better guarantees that this sort of attack couldn't take place on your site?

So you're looking at it from two sides of things, aren't you? You're looking at it from the server side and

you're also looking at it from the browser side. From the browser side, I think even if you were running something like Adblock Plus you probably would have been affected by this anyway, because it's not a known malicious site. The fact that it was scraping data is not hugely controversial, I would say. If you were, say for example, using JavaScript web analytics, having a piece of JavaScript that is looking at what text is being typed into a box, that's very similar to the sorts of things that your analytics side of things do. So from a browser, I think generally you've got problems anyway. There's not much you can do, right, unless you're one of those people who runs NoScript or really limits sites, but you may not even be able to make a successful payment if you're so limited.

Very much so, very much so.

From the other side of things though, from a server side, obviously I don't know how their infrastructure is architected, but having a clear continuous integration process, having code reviews before code is deployed... You don't know whether this is down to a malicious actor taking control of, say,

for example, one engineer's machine, or taking control of part of the pipeline. So you really should try, if you can, to check things: if you're using systems like GitHub or something like that to have your code repository, make sure everything like two-factor authentication is switched on, try and do PGP signatures for your code commits, make sure stuff's going through a CI/CD system, and if you are making a pull request against something that's not part of that library... So maybe potentially have a look at how your code flows go through your CI/CD systems and make sure that perhaps if you're touching lots of different files at once that perhaps it requires a greater level of inspection. But again, I don't know what the systems look like, so I could be talking rubbish on that one, I'm afraid.

Right. Unfortunately, you know, especially with today's complex systems there's a lot of places where this could slip in, and if you haven't done that hard work of establishing good chains of trust from trusted workstations with keys, as you're talking about, and then having ways to verify that, all right, if we can trust source control, how do we know that that's actually what's running on our production machines? If you don't do any of that, well, it makes it pretty easy for these sorts of attacks, really. It all just goes to show that you've got to take security seriously. Hopefully there can be one... I mean, firstly I guess I should say,

if you are a Newegg customer, this attack went on for almost a full month, so if you've bought anything in the last month definitely go make sure you're checking your credit card statements. You should be doing that anyway, of course, but especially right now. The other thing I hope is that one upside of these horrible incidents will be that companies start taking this seriously, because this is not great PR, it's easy to have happen, and there's no other fix than to really think about security holistically and make it part of your development process.

Now that's one way you might lose your information out on the World Wide

Web. This next story hits a little closer to home. I don't know about you, John, but I think a lot of our listeners, well, there's a local NAS set up. That's something that matters, right? That's where you keep your data, that's where you might do local backups as one part of your backup system, and oftentimes you've set it up, you know, it's running other services, it's a gateway to your network in some cases, and it can be a huge vulnerability. Today's story: well, if you're using Western Digital's My Cloud devices, watch out. Remco Vermeulen is the security researcher who looked into this and found the privilege escalation bug in the My Cloud device, where actually the dashboard of the device didn't check the user credentials properly before giving access to the tools that in theory would require high-level access, and with that access you got a complete bypass of the admin password on the drive, you got full access to the user's data. This isn't the first one of these sorts of attacks, but it is the most recent one. Now apparently it wasn't only this researcher that found the information; it was independently found by another security team who also released exploit code. Remco also posted a proof-of-concept video on Twitter, which is an unusual way of doing it. I suppose it does make his point pretty well that this is easy to exploit.

Absolutely. I suspect the reason, I think, why he released this proof-of-concept video was because he actually reported the bug over a year ago and the company stopped responding to him. One of the things that Project Zero has done is

make this 90-day turnaround on responding to things, so now what's classed as the industry-accepted responsible disclosure guideline is 90 days, which is, for a large company, potentially quite a short period of time to have to deal with it.

Yes, I mean I think many companies would like a little bit longer timeline, but the pressure's on them.

Yeah, and if a good actor has found something, you can more or less assume that he's not looking at it because he's just gone and figured he'd fuzz some checks against a credential screen. Most of the research into these sorts of things tends to be because something else has prompted it. So if the good guys are looking at it because something's prompted them, you can absolutely guess that the bad guys are looking at exactly the same set of evidence that's prompted you in this direction. More or less, you're going to realize at that point that maybe it's worth looking at the same thing. And as I said, it was found independently by another security team; who's to say there weren't some bad actors looking at the same thing at the same time? It really is troublesome.
