Tag Archives: GitHub

Security News for the Week Ending May 10, 2019

Hackers Wiping GitHub and Other Repos

Hackers are attacking repositories of users on GitHub, GitLab and Bitbucket, leaving a ransom note that says pay up if you want your software back.

The ransom isn’t much, around $500, which may cause people to pay up rather than trying to recover the data, which I assume is their strategy.

One possibility is that users have the password embedded in other repositories in clear text and the hackers were able to find those passwords.

The key point here is to make sure that you have backups OF ALL OF YOUR CLOUD BASED DATA.  Today it is GitHub; tomorrow it is something else.  If you care about your data, make sure that it is securely backed up.  Offline backups are best because it is hard to wipe something that is not connected.  Source: Bleeping Computer.


Remember Shadow Brokers – China Already Had the Tools That Were Released

Remember all the fury a few years ago when Shadow Brokers released a whole bunch of NSA hacking tools?  Symantec now says that China already had those tools a year earlier and was using them against others.  Was the NSA hacked?  Apparently not: China captured the NSA tools that were being used on them and repurposed them.

It is hard to keep these tools in check.  If you use them, people will likely discover that fact and, if they are motivated, they may use them against you.  In this case, China used them to hack targets in at least 5 countries, including one telecom carrier where they got access to hundreds of thousands or millions of private communications.

After Shadow Brokers released the tools, China felt even bolder about using them, because now they weren’t secret any more and would soon be patched.

Keeping these secrets under wraps is basically impossible.  Source:  The NY Times.

Israel Blows Up Palestinian Hackers

In an unusual move, Israel blew up a building that it said was used by Hamas for cyber attacks – in direct response to current or future Hamas cyber attacks, according to a press release from the IDF.

Neither side is saying much beyond that Israel did blow up the building.  No one is saying if there were casualties.

Apparently this facility was known to the Israelis.  This points to the likely escalation of cyber war into kinetic war as large countries fear what small countries can do in cyberspace.  It will likely push cyber warriors into operating out of spaces that would cause collateral damage if bombed, such as schools, hospitals and shopping malls.  Source: Gizmodo.


A Few More Details On Cyber Attack Against Western US Power Utility

We are hearing a few more details about the cyber attack on a so-far unnamed western US power utility.

The attackers, it is now being anonymously reported, disabled the utility’s Cisco ASAs.  This is particularly scary since Cisco is pretty much the 800 pound gorilla in that space and their Adaptive Security Appliance is used by hundreds of thousands (or more) of businesses.  It is certainly possible that the ASAs were configured insecurely or missing patches (security patches are typically not available to owners unless they have a paid-up maintenance plan, which I HOPE an electric utility would have).

Given how critical the electrical grid is in the US and how fragile it is, this is a bit of a wake up call for those utilities (water, power, gas, phone, Internet, etc.) that have not yet drunk the security Kool-Aid.  Source: EENews.


Navy May Be Getting Serious About Cybersecurity

Last year the Navy decided that having a CIO was superfluous and eliminated the position as unnecessary (See article).   They decided that the Undersecretary of the Navy could manage all those pesky IT and security details in his spare time.

In March the Navy released a SCATHING report on how bad their cybersecurity really was.  Now they are working on asking Congress to approve adding a position at the Assistant Secretary level, responsible for IT and security.

They also are looking at training (too basic) and discipline (can cyber mistakes get you fired?).

There is a report due June 1 outlining the roles, responsibilities and staffing for an Assistant Secretary for cyber, with a plan to roll it out in July.  March.  June.  July.  This is amazingly fast for an organization as large as the Navy.

WHAT ARE THE OTHER SERVICES DOING?  Source: Defense Systems.



Why The GitHub DDoS Attack Should Concern Everyone

UPDATE:  (Note: this is a bit geeky) Again according to Steve Gibson, the malware that attacked GitHub and GreatFire used vulnerabilities that had been fixed, but that users had not yet patched, to modify the local hosts file.  It created entries for connect.facebook.net and google-analytics.com and pointed them at the attacker’s server, so that when your browser asked Google or Facebook for the code it needed, it got malicious code instead.  Another reason to keep your patches up to date!  For systems that were up to date on their patches, this attack would not work.

Steve Gibson in his Security Now podcast talked about the details of the attack against GreatFire and GitHub.

In both of these attacks, presumed to be orchestrated by China, hackers flooded these web sites with millions of requests per hour, overwhelming the servers and denying legitimate users access.  There are two other far scarier things about the attack to concern you.

While that is a problem, bigger problem number one is this.  GreatFire runs on the Amazon cloud.  As such, they pay as they go for compute resources.  Millions of businesses do that.  The problem is that when they are seeing a customer load of 2500 times their normal load and Amazon scales up to support that, GreatFire gets the bill.

In GreatFire’s case, that bill is $30,000 A DAY.  Probably more than they would normally spend in a year.  What this means is that if you are an attacker, one attack method would be, if your target is renting their infrastructure from a pay as you go cloud service provider, to slowly ramp up their traffic – not enough to shut them down, but enough, over time, to affect them in the pocketbook.  Likely if they are not shut down but their Amazon bill goes up by a factor of 10, you deliver an interesting financial hit.  Even at $3,000 a day, never mind $30,000 a day, that is a $1 mil a year compute bill.  Pick a number between $3,000 and $30,000 a day, depending on the size of your target.  You have just caused your target to spend a lot more money to deliver his service.
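To look at the "slow ramp" scenario from the defender's side, here is an added example (not from the post; the daily figures are constructed and are not GreatFire's bill) comparing a plain budget cap with an alert that compares each day's bill to a frozen reference period. The ramp stays under a $500/day cap for days while the ratio rule fires much earlier, and both functions return the day index so the overspend accumulated before each alert can be computed.

```python
from statistics import median

# Constructed daily compute bills in dollars (not GreatFire's real figures):
# 20 quiet days around $100, then an attacker ramps the load 15% per day.
BASELINE_DAYS = [100, 98, 103, 101, 97, 104, 99, 102, 100, 96,
                 103, 101, 99, 100, 102, 98, 104, 100, 101, 99]
RAMP_DAYS = [round(100 * 1.15 ** i) for i in range(1, 16)]
DAILY_SPEND = BASELINE_DAYS + RAMP_DAYS


def reference_spend(spend, reference_days=14):
    """Median daily bill over a frozen reference period (the first
    `reference_days` days) so a slow ramp cannot drag the baseline up with it."""
    return median(spend[:reference_days])


def ratio_alert_day(spend, reference_days=14, ratio=2.0):
    """Index of the first day whose bill exceeds `ratio` times the reference
    median, or None. Catches a gradual ramp long before a fixed budget cap."""
    ref = reference_spend(spend, reference_days)
    for i in range(reference_days, len(spend)):
        if spend[i] > ratio * ref:
            return i
    return None


def cap_alert_day(spend, hard_cap):
    """Index of the first day whose bill exceeds an absolute cap, or None.
    This is what a plain budget alert does."""
    for i, s in enumerate(spend):
        if s > hard_cap:
            return i
    return None


def excess_spend(spend, through, reference_days=14):
    """Dollars billed above the reference median from the end of the
    reference period through day `through` (inclusive)."""
    ref = reference_spend(spend, reference_days)
    return sum(s - ref for s in spend[reference_days:through + 1])


if __name__ == "__main__":
    ratio_day = ratio_alert_day(DAILY_SPEND)
    cap_day = cap_alert_day(DAILY_SPEND, hard_cap=500)
    print(f"ratio alert on day {ratio_day}, excess so far ${excess_spend(DAILY_SPEND, ratio_day):.0f}")
    print(f"$500 cap alert on day {cap_day}, excess so far ${excess_spend(DAILY_SPEND, cap_day):.0f}")
```

Most cloud billing consoles can express the ratio rule if you give them a baseline; the point is that a dollar cap sized for "never" will not catch a 2x or 5x increase that is deliberately kept below it, and the reference period must be frozen (or re-baselined only after review), because a rolling baseline creeps upward with the ramp.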

Bigger problem number two is a security problem rather than a financial problem.  Apparently, the way this attack worked is that someone, presumed to be the Chinese government or one of their agents, slipped into the middle of unencrypted traffic between Chinese web hosting service Baidu (think Chinese, Google-like web services: maps, cloud, news, search, etc.) and its users.  Sometimes, but not always, when a client went to a Baidu hosted service, instead of getting the JavaScript they were supposed to get, they got a malicious script which just banged on GreatFire and later GitHub.  The user’s machine was not technically infected, because when they closed the browser the script went away, and Baidu was not infected; in fact, they never saw that request for the script.

Be evil and logically extend this.  You could compromise any non-SSL site and either have it serve up occasional malicious code that could do anything, or create a man-in-the-middle attack that returns malicious code before the web site can.  They could attack any web site and when the browser closes, the evidence is gone (minor detail: it might be in a local cache, but you can tell the browser not to do that or wipe it before you leave).  The user’s antivirus software won’t detect the malware because either it doesn’t persist or the software does not check scripts in the browser cache.

You may have to tune the attack, but still, pretty interesting.
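The script substitution in the Baidu case runs into two controls the post does not go into: serving the page over HTTPS, and Subresource Integrity (SRI), which lets a page declare the hash of a third-party script so the browser refuses a body that does not match. As an added example (not code from the post, from GreatFire or from GitHub), the following computes an SRI integrity value, emits the script tag a site owner would embed, and mimics the browser-side check; the script bodies are constructed.

```python
import base64
import hashlib

# Constructed script bodies (not the real Baidu or analytics scripts).
ORIGINAL_SCRIPT = b"window.track = function (e) { /* send analytics */ };\n"
# What an on-path attacker might hand the browser instead: a modified copy.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* injected */ window.track = function (e) {};\n"

# Algorithms the integrity attribute accepts, weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body, algo="sha384"):
    """Return an integrity value in the form the `integrity` attribute expects:
    '<algo>-<base64 digest of the exact bytes served>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, body, algo="sha384"):
    """Build the <script> tag a site owner embeds for a third-party file.
    crossorigin="anonymous" is required for SRI checks on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(body, algo)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(body, integrity):
    """Mimic the browser's check: the attribute may list several hashes;
    the strongest algorithm present is used, and the body must match one
    of the hashes given for that algorithm."""
    by_algo = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        # No usable metadata. Browsers load the resource unchecked in this
        # case; this helper treats it as a failure so misconfigurations show.
        return False
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = sri_hash(body, strongest).split("-", 1)[1]
    return actual in by_algo[strongest]


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/track.js", ORIGINAL_SCRIPT)
    print(tag)
    print("original verifies:", verify_sri(ORIGINAL_SCRIPT, sri_hash(ORIGINAL_SCRIPT)))
    print("tampered verifies:", verify_sri(TAMPERED_SCRIPT, sri_hash(ORIGINAL_SCRIPT)))
```

SRI only helps when the page carrying the integrity attribute is itself delivered over HTTPS: an on-path attacker who can rewrite the script can otherwise rewrite the tag too. It also requires the third-party host to send CORS headers, because the browser must be allowed to read the body in order to hash it, and the hash has to be updated whenever the script legitimately changes.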


Uber Is Uber Bad

Ars Technica is reporting that Uber is scrambling to try to recover from an itty bitty problem.  Apparently, someone posted Uber source code (probably an Uber employee) to the public source code repository GitHub.  GitHub is a wonderful tool for storing open source software code in a way that is easy for developers to share.

Only one teensy, weensy problem.

This code contained the userid and password to access Uber’s driver database and someone – at least one someone – downloaded the database of personal information on every single Uber driver.

Oops!

Now Uber is trying to get GitHub to tell them every single person who accessed that code.  I don’t know enough about GitHub to know if they even keep records like that – they may well not do that for a variety of reasons and certainly are not legally required to do that.

This is an example of the supply chain problem that I was talking about in my previous post, only slightly twisted.  Let’s say this was the code for a library that you licensed, it contained sensitive information, and it was publicly available.

Just so that no one is deluded into thinking this is an isolated problem, the Ars folks ran a simple query against GitHub and came up with 296,000 entries similar to the Uber problem (server names, IP addresses, userids and passwords).

A similar search for WordPress came up with 2,000,000 matches.

While some of these did not contain the actual password value, and other servers were not accessible from the public Internet (however, a hacker who hacks into the company using other means could still use those credentials to get at the database), many of them seem to point to production servers, accessible from the Internet, with userids and passwords.  For obvious legal reasons, Ars did not try to log in to any of those servers.

Let’s assume that 30% of the entries are valid, either internally or externally, and only 20% are accessible externally.

20% of 296,000 means that almost 60,000 web sites and 400,000 WordPress sites are vulnerable.

This search was hardly exhaustive and GitHub is only one such public repository.
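The query Ars ran against GitHub is the attacker's view; the defender's equivalent is to run the same kind of search over your own code before it is pushed. The following is an added example, not Ars's query or Uber's code: a small regex-based scanner that flags hard-coded passwords, credentials embedded in connection URLs and AWS access key ids, skips obvious template placeholders, and exits non-zero so it can run as a pre-commit hook. The sample file is constructed; the AWS key in it is the placeholder value from AWS's own documentation.

```python
import re
import sys

# Constructed sample source file (not Uber's code): a mix of real-looking
# credentials that must be flagged and safe patterns that must be ignored.
SAMPLE_FILE = '''\
import os
DB_HOST = "db-prod.example.internal"
DB_USER = "app_rw"
DB_PASSWORD = "Sup3rS3cret!2015"
DB_URL = "mysql://app_rw:Sup3rS3cret!2015@db-prod.example.internal/drivers"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SAFE_PASSWORD = os.environ["DB_PASSWORD"]
TEMPLATE_PASSWORD = "<your-password-here>"
'''

# Each rule: (label, pattern whose group 1 is the secret value).
RULES = [
    ("hard-coded password",
     re.compile(r'''(?i)(?:password|passwd|pwd)\s*[=:]\s*["']([^"']{4,})["']''')),
    ("credentials in connection URL",
     re.compile(r'''\b[a-z][a-z0-9+.-]*://[^\s/:@"']+:([^\s/@"']+)@''')),
    ("AWS access key id",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
]

# Values that are obviously templates rather than live secrets.
PLACEHOLDER = re.compile(
    r"^(?:<[^>]*>|\$\{[^}]*\}|\{\{[^}]*\}\}|changeme|password|x{3,}|\*{3,})$", re.I)


def redact(secret):
    """Keep two characters so a finding is recognisable without reprinting it."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_text(text, path="<constructed>"):
    """Return one finding per (line, rule) match, placeholders excluded."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group(1)
                if PLACEHOLDER.match(value):
                    continue
                findings.append({"path": path, "line": lineno,
                                 "rule": label, "preview": redact(value)})
    return findings


def scan_paths(paths):
    """Scan the given files; binary junk is tolerated via errors='replace'."""
    findings = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), p))
    return findings


if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_FILE)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['preview']})")
    sys.exit(1 if results else 0)    # non-zero exit blocks the commit in a hook
```

Two caveats a practitioner would add: keyword-based rules miss API tokens that carry no label, so pair them with a high-entropy string check and provider-specific patterns; and a credential that has already been committed must be rotated, because removing it from the working tree does not remove it from the repository's history or from anyone's existing clone.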

THIS IS A SUPPLY CHAIN PROBLEM OF SIGNIFICANT MAGNITUDE.

Mitch
