
Blockchain: This Week in Security: Backdoors in Cisco Switches, PGP Spoofing in Emails, Git Ransomware


Some switches in Cisco’s 9000 series are susceptible to a remote vulnerability, tracked as CVE-2019-1804. It’s a bit odd to call it a vulnerability, actually, because the software is operating as designed: Cisco shipped these switches with the same private key hardcoded in the software for root SSH logins on every unit. Anyone who has that key can log in as root on any of these switches.

Cisco makes a strange claim in their advisory: that this is only exploitable over IPv6. This seems very odd, as nothing about SSH or its key authentication is IPv6 specific. One reading is that there is a second blunder, and the SSH port was accidentally left open to the world on IPv6. Another possibility is that they assume all these switches sit safely behind NAT routers and are therefore unreachable over IPv4. One of the advantages (or disadvantages) of IPv6 is that there is no NAT, so every network device is reachable from the outside network. (Reachable in the sense that a route exists; firewalling is still possible, of course.)

It’s staggering how many devices, even high end commercial devices, are shipped with unintentional yet effective backdoors, just like this one.

Git Repository Ransomware

In a first, ransomware has been targeted at Git repositories. Hundreds of repositories across GitHub, Gitlab, and other services have been replaced with a ransom note, demanding 0.1 bitcoin for recovery. Interestingly, the ransom note threatens to make the code public. This is a problem that open source definitely solves.

How did someone break into so many accounts at once? Badpackets.net, a security research company, has the lowdown.

Dang, I thought all those “/.git/config” scans we detected were harmless. Guess we know what the goal was now.

— Bad Packets Report (@bad_packets) May 3, 2019


Yes, it seems that the compromised accounts leaked their credentials by accidentally exposing their .git folders on public web servers. Someone realized this was a commonplace mistake, and scraped credentials from these folders across the internet. After collecting whatever credentials were available, the attack was launched. A look at the specified bitcoin address seems to indicate that no one has paid the ransom, and several of the affected have discovered that the overwritten code is still accessible, given the right git-fu.

In a Reddit thread, a user claiming to be the attacker links to a 2015 write-up detailing exactly how the .git folder leak can happen.
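For the defender side of this story, an added example (not code from the article or from Bad Packets): a small Python script that flags `/.git/` probes in web server access logs and checks a `.git/config` for remote URLs carrying embedded credentials. The log lines, the config, and the token value are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a .git/config that a site served over HTTP.
# The token is a placeholder, not a real credential.
EXPOSED_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:TOKEN_PLACEHOLDER@github.com/example-org/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

# Constructed access log lines (common log format); addresses are documentation ranges.
ACCESS_LOG = """\
203.0.113.7 - - [03/May/2019:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 221
203.0.113.7 - - [03/May/2019:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
198.51.100.9 - - [03/May/2019:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [03/May/2019:10:00:09 +0000] "GET /blog/.git/config HTTP/1.1" 404 162
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def git_probes(log_text):
    """Return (client, path, status) for every request touching a .git directory.
    A 200 means the repository metadata was actually served, not just probed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and re.search(r'(^|/)\.git(/|$)', m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits

def embedded_credentials(config_text):
    """Return (host, username) for each remote URL whose userinfo carries a
    password or token; this is what an exposed .git/config hands to a scraper."""
    leaks = []
    for m in re.finditer(r'^\s*url\s*=\s*(\S+)', config_text, re.M):
        parts = urlsplit(m.group(1))
        if parts.password:
            leaks.append((parts.hostname, parts.username))
    return leaks

if __name__ == "__main__":
    for client, path, status in git_probes(ACCESS_LOG):
        print(f"{client} requested {path} -> {status}")
    print("credentials in config:", embedded_credentials(EXPOSED_GIT_CONFIG))
```

Any probe that returns 200 is a repository your web server is serving; the fix is to block `.git` at the web server and to stop storing tokens in remote URLs (use a credential helper instead).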

PGP Signature Spoofing

PGP signatures are a way to know for certain that a message is genuine, right? According to a recent paper, not always. You may remember how Efail took advantage of weaknesses in email clients to exfiltrate the decrypted message to the attacker. A new set of attacks uses client weaknesses to break signature verification instead. Imagine what happens when someone forwards a correctly signed message from someone you trust, but adds their own note at the top of the forwarded email. The mail client shows the unsigned note, and then also shows the signed block. The paper points out that the unsigned portion of the email could include HTML and CSS that hides the remainder of the message. The email shows a valid signature from a trusted key, and without inspecting the raw message text, it is a rather convincing forgery.

The paper outlines several other techniques of a similar nature. As with Efail, the researchers didn’t find weaknesses in the PGP signature itself, but in how signed messages are processed and presented to the end user. Thus not every e-mail client is affected, but many of the big names were on the list.
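One structural check a mail client or gateway could apply to the partially-signed message described above, as an added example (not code from the paper or from any mail client): it walks the MIME tree and reports any displayable text part that sits outside every `multipart/signed` container, since that is the text no signature covers. The sample messages are constructed with the standard library and carry a placeholder signature, so this checks coverage only, not validity.

```python
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Placeholder signature bytes; nothing here verifies them.
PLACEHOLDER_SIG = b"-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"

def build_message(unsigned_note=None):
    """Constructed sample: a multipart/signed block, optionally wrapped in
    multipart/mixed behind an unsigned HTML note (the forwarded-mail shape)."""
    signed = MIMEMultipart("signed", protocol="application/pgp-signature")
    signed.attach(MIMEText("Original text from the trusted sender."))
    signed.attach(MIMEApplication(PLACEHOLDER_SIG, "pgp-signature"))
    if unsigned_note is None:
        return signed.as_string()
    outer = MIMEMultipart("mixed")
    outer.attach(MIMEText(unsigned_note, "html"))
    outer.attach(signed)
    return outer.as_string()

def unsigned_text_parts(raw):
    """Content types of text parts that sit OUTSIDE every multipart/signed
    container; a client renders these next to the signed block anyway."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    def walk(part, inside_signed):
        ctype = part.get_content_type()
        if part.is_multipart():
            for sub in part.get_payload():
                walk(sub, inside_signed or ctype == "multipart/signed")
        elif ctype.startswith("text/") and not inside_signed:
            found.append(ctype)
    walk(msg, False)
    return found

def signature_covers_whole_body(raw):
    """True only if a signed container exists and no text is shown outside it.
    Signature validity is a separate check that must also pass."""
    msg = email.message_from_string(raw, policy=policy.default)
    has_signed = any(p.get_content_type() == "multipart/signed" for p in msg.walk())
    return has_signed and not unsigned_text_parts(raw)

if __name__ == "__main__":
    forwarded = build_message("<p>FYI, please act on this today.</p>")
    print(unsigned_text_parts(forwarded))                # ['text/html']
    print(signature_covers_whole_body(forwarded))        # False
    print(signature_covers_whole_body(build_message()))  # True
```

A client that only shows the "signed" badge when this returns True (and the signature verifies) would not render the forwarded note as if it were covered by the trusted key.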

Blockchain!

It seems not a day goes by that something related to blockchain doesn’t cross my radar. Ethercom
