More stories

  •

    XSS vulnerability patched in Directus data engine platform

    A cross-site scripting (XSS) vulnerability has been patched in the popular Directus engine. Directus is an open source, modular content management system (CMS) promoted as a “flexible powerhouse for engineers.” The platform can be used to wrap SQL databases with GraphQL and REST APIs. Directus has 14.9k stars on GitHub and approximately 1,700 forks.

    Discovered by Synopsys Cybersecurity Research Center (CyRC) researcher David Johansson, the vulnerability is tracked as CVE-2022-24814 and can lead to account compromise. Impacting Directus v9.6.0 and earlier, CVE-2022-24814 was found in the file upload functionality of the CMS.

    “Unauthorized JavaScript can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file that loads another uploaded JS file in its script tag,” Directus explained. “This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS.”

    The point to note is that the uploaded HTML and JavaScript are served from the application’s own origin, so a policy that trusts first-party resources (such as a script-src ‘self’ source) cannot distinguish an attacker’s upload from the application’s own code. According to Synopsys, authenticated users can create a stored XSS attack that triggers when other users try to view “certain” collections or files on the platform.

    A similar issue, tracked as CVE-2022-22116 and CVE-2022-22117, was previously disclosed in the Directus App. However, the mitigation did not go far enough and could be bypassed, the researchers added.

    Synopsys disclosed its findings to Directus on January 28. The platform’s team triaged the vulnerability and released v9.7.0 on March 18 to resolve the security issue. In addition, Directus tightened a “very permissive” default value for the CORS configuration, which could lead to unauthorized access when the configuration had not been changed. The latest build is v9.9.0.

    “Synopsys would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely manner,” the company said.

    In related news, VMware published a security advisory on April 6 urging customers to patch software including VMware Workspace ONE Access, Identity Manager (vIDM), and vRealize Automation (vRA) to address bugs leading to remote code execution (RCE), among other issues.
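    The mechanism behind “satisfies the regular content security policy header” is easy to reproduce in miniature. The following is an added example written for this page, not Directus code and not its fix (which the article does not describe): a small evaluator for the script-loading decision of a Content-Security-Policy header, run once against an upload served from the application’s own origin and once against the same upload served from a dedicated origin. The hostnames (cms.example.invalid, files.example.invalid) and the asset path are hypothetical, constructed for the example.

```python
from urllib.parse import urlsplit

# Added example: a minimal evaluator for CSP script loading that understands the
# 'self' and 'none' keywords, scheme-sources ("https:") and host-sources written
# with a scheme. It is not the Directus code or its fix; it shows why a
# same-origin upload satisfies a first-party policy.


def origin_of(url):
    """Return scheme://host[:port] for a URL, lower-cased, without path or query."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(header, page_url, script_url):
    """True if the policy lets the page at page_url execute an external script from script_url.

    Falls back from script-src to default-src as the spec requires; a policy with
    neither directive places no restriction on scripts. 'none' matches nothing, so
    a source list consisting only of 'none' blocks everything.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    page_origin = origin_of(page_url)
    script_origin = origin_of(script_url)
    for src in sources:
        token = src.lower()
        if token == "'none'":
            continue
        if token == "'self'" and script_origin == page_origin:
            return True
        if token.endswith(":") and script_origin.startswith(token):  # scheme-source, e.g. https:
            return True
        if "://" in token and origin_of(token) == script_origin:  # host-source with scheme
            return True
    return False


# Hypothetical hostnames and asset path, constructed for this example.
CSP = "default-src 'self'; img-src 'self' data:"
PAGE = "https://cms.example.invalid/admin/content/articles"

# Attacker-controlled upload served from the application's own origin: 'self' matches.
SAME_ORIGIN_UPLOAD = "https://cms.example.invalid/assets/8f3c2b1e-payload.js"
# The same file served from a dedicated, cookie-less origin: nothing in the policy matches.
SEPARATE_ORIGIN_UPLOAD = "https://files.example.invalid/assets/8f3c2b1e-payload.js"

if __name__ == "__main__":
    print("same-origin upload runs:", script_allowed(CSP, PAGE, SAME_ORIGIN_UPLOAD))  # True
    print("separate-origin upload runs:", script_allowed(CSP, PAGE, SEPARATE_ORIGIN_UPLOAD))  # False
```

    The evaluator ignores nonce, hash and wildcard sources, which are not needed to make the point: any policy whose script sources include the origin that also serves user uploads will run an uploaded script. The usual remedies are to serve uploads from a separate origin, or to return them with Content-Disposition: attachment and a sandboxing policy so the browser never renders uploaded HTML in the application’s origin at all.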

  •

    Spring4Shell flaw is now being used to spread this botnet malware

    Security researchers have observed attackers exploiting the Spring4Shell Java-related flaw to install malware on target systems. Researchers at security firms Trend Micro and Qihoo 360 watched the attacks emerge almost as soon as the bug became public.

    While Spring4Shell isn’t quite as dire as Log4Shell, most security firms, the US Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft are urging developers to patch it if they’re running Java Development Kit (JDK) version 9 or later together with Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or earlier.

    “After March 30, we started to see more attempts such as various webshells, and today, 2022-04-01 11:33:09(GMT+8), less than one day after the vendor released the advisory, a variant of Mirai has won the race as the first botnet that adopted this vulnerability,” Qihoo 360 researchers noted.

    Trend Micro researchers have seen something similar. “We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” said Trend Micro’s researchers. “We also found the malware file server with other variants for different CPU architectures,” they warned. The Mirai sample is downloaded to the “/tmp” folder.

    Trend says most of the vulnerable setups were configured with the following features:

      • Spring Framework versions before 5.2.20 and 5.3.18, with Java Development Kit (JDK) version 9 or higher
      • Apache Tomcat as the servlet container
      • A spring-webmvc or spring-webflux dependency
      • Spring parameter binding configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
      • Deployment as a web application archive (WAR) rather than an executable JAR
      • A writable file system, such as the webapps or ROOT directory

    Researchers at Palo Alto Networks’ Unit 42 team believe that Spring4Shell will almost certainly be weaponized further because it is straightforward to exploit and all the details of how to do it were public by March 31. “Since exploitation is straightforward and all the relevant technical details have already gone viral on the internet, it’s possible that SpringShell will become fully weaponized and abused on a larger scale,” it said.

    The vulnerability behind Spring4Shell is CVE-2022-22965, a bypass of the fix for the 2010 issue CVE-2010-1622: the same route from request-parameter binding to the class loader, reopened by the java.lang.Module accessor (class.module.classLoader) that JDK 9 introduced and the 2010 fix did not anticipate. It is frequently conflated with CVE-2022-22963, a separate expression-injection flaw in Spring Cloud Function that was disclosed in the same week. Mirai and its many variants remain one of the biggest threats on the internet. They are used for distributed denial-of-service attacks, attacks on passwords, and the deployment of ransomware and cryptocurrency miners.
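    For teams who need to know whether a Tomcat-hosted Spring application was probed before they patched, the distinguishing feature of the public exploits is a request parameter whose name walks from class.module.classLoader into the Tomcat access-log valve. The following is an added example written for this page, not code from the article, Spring, Trend Micro or Qihoo 360: it scans combined-format access log lines for such parameter names, percent-decoding them first so that an encoded first letter does not slip past. The log entries are constructed for the example, not from a real incident. Because access logs do not record POST bodies, this catches only the query-string variants; body inspection belongs in a WAF or request filter, and the upgrade (or Spring’s published interim workaround of disallowing the “class.*”, “Class.*”, “*.class.*” and “*.Class.*” binding fields) remains the actual fix.

```python
import re
from urllib.parse import unquote_plus

# Added example (not from the ZDNet article or any vendor): flag access-log requests whose
# query parameters bind into the class loader, the property path public Spring4Shell
# exploits use. Only query strings are visible here; POST bodies are not logged.

# Matches "class.module.classLoader" as the whole key or as a nested property
# ("order.class.module.classLoader..."), in any letter case.
CLASSLOADER_PATH = re.compile(r"(?:^|\.)class\.module\.classloader(?:\.|$)", re.IGNORECASE)

# Client IP and request line of a combined-format access log entry.
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def classloader_params(request_target):
    """Return the decoded query-parameter names in request_target that reach the class loader."""
    _, sep, query = request_target.partition("?")
    if not sep:
        return []
    hits = []
    for pair in query.split("&"):
        name = unquote_plus(pair.split("=", 1)[0])
        if CLASSLOADER_PATH.search(name):
            hits.append(name)
    return hits


def scan_access_log(text):
    """Return (client_ip, request_target, [suspicious parameter names]) for each matching line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        hits = classloader_params(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("target"), hits))
    return findings


# Constructed sample entries, not from a real incident. The second uses the
# pipeline.first.pattern path seen in public exploits, the third percent-encodes the
# first letter to dodge a naive grep, and the fourth has the string only in the URL
# path, where it cannot reach a data binder and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2022:11:33:09 +0800] "GET /app/greet?name=alice HTTP/1.1" 200 42
10.0.0.9 - - [01/Apr/2022:11:33:10 +0800] "POST /app/greet?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 0
10.0.0.9 - - [01/Apr/2022:11:33:11 +0800] "GET /app/greet?%63lass.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 0
10.0.0.7 - - [01/Apr/2022:11:33:12 +0800] "GET /app/class.module.classLoader.txt HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for ip, target, hits in scan_access_log(SAMPLE_LOG):
        print(ip, "->", ", ".join(hits))
```

    A hit on the suffix, prefix, directory, pattern or fileDateFormat properties of pipeline.first is the signature of the webshell-drop technique; a 200 response to such a request is a reason to look for new .jsp files under the webapps tree and for a changed access-log configuration.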

  •

    Singapore begins licensing cybersecurity vendors

    Vendors offering two categories of cybersecurity services in Singapore now must apply for a licence to continue providing them. They have up to six months to do so or will have to cease providing the services, if they do not wish to face the possibility of a jail term or fine.

    Specifically, companies that provide penetration testing as well as managed security operations centre (SOC) monitoring services will need a licence to offer these services in Singapore. This covers companies and individuals directly engaged in such services, third-party vendors that support these companies, and resellers of the licensable cybersecurity services, according to the Cyber Security Agency of Singapore (CSA). The industry regulator said the licensing framework, effective from April 11, sits under the country’s Cybersecurity Act and aims to better protect consumers’ interests. It also serves to improve service providers’ standards and standing over time.

    CSA added that the two service categories were prioritised to kickstart the licensing regime because providers of these services have significant access to their customers’ ICT systems and sensitive data. Should such access be abused, the client’s operations could be disrupted, the regulator noted. It added that because these services are widely available and adopted, they also have the potential to cause significant impact on the wider cybersecurity landscape.

    Existing vendors currently engaged in the provision of either or both service categories have up to October 11, 2022, to apply for a licence. Those that fail to do so on time will have to stop providing the service until a licence is obtained. Service providers that submit their application within six months will be permitted to continue delivering the licensable service until a decision on the application is made. Any person who provides the licensable services without a licence after October 11, 2022, faces a fine not exceeding SG$50,000 ($36,673) or a jail term of up to two years, or both.

    Individuals will have to pay SG$500 for their licence, while businesses will have to pay SG$1,000. Each licence is valid for two years. CSA said there would be a one-time 50% fee waiver for applications submitted within the first year, before April 11, 2023.

    A Cybersecurity Services Regulation Office has been set up to administer the licensing framework and facilitate communications between the industry and the wider public on all licensing-related issues. Its responsibilities include enforcing and managing licensing processes and sharing resources on licensable cybersecurity services with the public, such as providing the list of licensees. Commenting on other cybersecurity services that might be licensable in future, CSA said it would “continue to monitor international and industry trends” as well as engage the industry, where necessary, to assess if new service categories should be included.

    The launch of the licensing framework comes after a four-week consultation period that ended last October. CSA said it received 29 responses from both local and international market players as well as industry associations and members of the public. One response concerned the information that licensees must provide, upon request, to facilitate the regulator’s investigations into matters such as breaches by licensees or the licensee’s continued eligibility. There were suggestions that the language of the proposed licence conditions be tightened, so that requests were not overly generic, and that there be more clarity on the types of information that might be requested. CSA said it had revised the language of the licence conditions to reduce uncertainty for licensees and that requests for such information would be limited to what was necessary for the purpose of the investigation.

  •

    OpenSSH now defaults to protecting against quantum computer attacks

    Post-quantum cryptography has arrived by default with the release of OpenSSH 9.0 and the adoption of the hybrid Streamlined NTRU Prime + X25519 key exchange method, listed in the configuration as sntrup761x25519-sha512@openssh.com.

    “The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo,” the release notes said. “We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent ‘capture now, decrypt later’ attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.”

    As work on quantum computers inches forward, so does work on protecting against the attacks they would enable. A sufficiently large quantum computer running Shor’s algorithm would break the public-key schemes in wide use today, including RSA and finite-field and elliptic-curve Diffie-Hellman, which is why the key exchange is the part of SSH being changed; symmetric ciphers and hash functions are far less affected. Both client and server must run a version that supports the hybrid method for it to be negotiated; against an older peer, the connection falls back to the classical methods remaining in the list.

    Last month, the NATO Cyber Security Centre did a test run of its quantum-proof network. “Securing NATO’s communications for the quantum era is paramount to our ability to operate effectively without fear of interception,” principal scientist Konrad Wrona said at the time. “The trial started in March 2021. The trial was completed in early 2022. Quantum computing is becoming more and more affordable, scalable and practical. The threat of ‘harvest now, decrypt later’ is one all organizations, including NATO, are preparing to respond to.”

    Elsewhere in the OpenSSH release, which was mostly focused on bug fixes, the scp command has been moved from its legacy protocol to SFTP by default, even though the change brings several incompatibilities, such as not supporting wildcards in remote filenames or expanding a ~user path (the latter is supported through an extension).
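    The new default only helps if nothing in ssh_config or sshd_config has pushed the hybrid method out of first place, and the KexAlgorithms directive has four forms (a bare list replaces the default, a leading “+” appends, “-” removes matching entries, “^” moves the named entries to the front). The following is an added example written for this page, not OpenSSH code: it resolves a KexAlgorithms value against the 9.0 default order and reports whether sntrup761x25519-sha512@openssh.com is the first method offered. The default list is taken from the 9.0 manual pages and marked as an assumption in the code, since packagers can change it; the sample configuration snippets are constructed. The authoritative check on a real host is ssh -G hostname | grep -i kexalgorithms.

```python
from fnmatch import fnmatchcase

# Added example, not OpenSSH code: apply the documented KexAlgorithms prefix semantics
# ('+' append, '-' remove with wildcards, '^' move to front, bare list = replace) and
# report whether the post-quantum hybrid is the preferred (first-offered) method.

PQ_HYBRID = "sntrup761x25519-sha512@openssh.com"

# Default proposal order of OpenSSH 9.0 as given in its manual pages. Assumption: check
# `ssh -Q kex` on your build, since distributions may patch the list.
DEFAULT_KEX_9_0 = [
    PQ_HYBRID,
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]


def effective_kex(directive_value, default=DEFAULT_KEX_9_0):
    """Return the effective algorithm list for a KexAlgorithms value such as '-sntrup*' or '^curve25519-sha256'."""
    value = directive_value.strip()
    prefix, body = (value[0], value[1:]) if value[:1] in "+-^" else ("", value)
    names = [n for n in body.split(",") if n]
    if prefix == "+":
        return list(default) + [n for n in names if n not in default]
    if prefix == "-":
        return [alg for alg in default if not any(fnmatchcase(alg, pat) for pat in names)]
    if prefix == "^":
        return names + [alg for alg in default if alg not in names]
    return names


def kex_from_config(config_text):
    """Resolve the first KexAlgorithms line of a config (comment lines ignored); absent means default.

    Host/Match blocks are not modelled: this mirrors a global setting only.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "kexalgorithms":
            return effective_kex(rest)
    return list(DEFAULT_KEX_9_0)


def pq_preferred(kex_list):
    """True only if the hybrid is offered first.

    SSH picks the first client-listed method the server also supports, so a hybrid
    listed after a classical method the server accepts will not be chosen.
    """
    return bool(kex_list) and kex_list[0] == PQ_HYBRID


# Constructed configuration snippets for the example.
SAMPLES = {
    "default": "# nothing about kex here\nPasswordAuthentication no\n",
    "disabled_pq": "# added to talk to an old appliance, never reverted\nKexAlgorithms -sntrup761x25519-sha512@openssh.com\n",
    "prefers_classic": "KexAlgorithms ^curve25519-sha256\n",
    "explicit_pq_first": "KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        kex = kex_from_config(text)
        print(f"{name:18} first={kex[0]:40} pq_preferred={pq_preferred(kex)}")
```

    The “disabled_pq” case is the one worth hunting for in fleet configuration: a “-” override added during an interoperability incident silently removes the protection from every connection the host makes, not just the one to the old peer, and a per-Host block is the better place for such an exception.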

  •

    Ads, NFTs and other badness: Pour one out for the decline of dumb TVs

    In my particular lounge room sits a relic of a time long gone, a 15-year-old plasma TV that is dumb as a box of hammers, and thankfully so. As the years go by, I am increasingly grateful that this piece of technology continues to kick on.

    Of course at some stage, I will need to trudge into the increasingly awful world of smart TVs, but the longer that takes the better.

    In recent weeks, TV makers have upped the annoyance and intrusion factor in their so-called smart devices.

    Vizio announced it had started a beta with Fox in the US to insert ads during the credits of a show in an effort to push users onto the broadcaster’s streaming service. “Jump ads give participating programmers and brands the ability to present an interactive overlay at the conclusion of linear TV programs, directing viewers into a supporting app on Vizio’s operating system to continue their viewing experience,” Vizio said. “The Jump Ads will prompt viewers to continue watching additional episodes of the program or catch up on past episodes on the Fox Now App … this allows viewers to seamlessly extend their viewing experience with a single click of a button, enhancing the smart TV experience for both viewers and content providers alike.”

    Vizio said ad buyers can control at what point the ads appear, how often they do, and which app the ad points to — and as we’ve learnt after some years at the nexus of advertising and technology, there is no way this seemingly helpful pointer to users will be extended to promote anything, at any time, anywhere in a broadcast. I’d suggest asking, “Why stop at one ad?”, but I really don’t want to give marketers any ideas.

    Not to have the likes of Vizio offering equal functionality, fellow TV ads inserter Samsung has taken a step into the world of blockchains and TV. The Korean behemoth said last week it has partnered with crypto exchange Gemini and its Nifty Gateway to integrate NFTs on its smart TV platform, allowing users to buy, sell, and view the assets on its 2022 premium TV lines including QLED and Neo QLED.

    Most pleasingly from Samsung is this helpful guide to stop your smart TV from being hacked or running malicious code — it involves turning on “smart security”, and call me a cynic but it probably doesn’t do what it says on the tin.

    The problem with TVs, as my venerable Panasonic display shows, is the lifespan of such devices. No one is going to support a non-desktop consumer device’s operating system and make sure it is secure for almost 15 years after it was made. To give an idea of the longevity of this TV, when it arrived, Android 1.0 was being released. Imagine how long it would take to pop this device if it was able to browse the internet.

    Samsung needs to be on top of its security to ensure its TVs remain safe, because wherever you find crypto assets, you bet there’s someone who has worked out a way to steal it, and is maybe even using it on OpenSea.

    Beyond this pair of TV makers, it is not as though the industry has any saints: LG was doing ads years ago, and Sony says in a support article that users cannot turn ads off and points the finger at Google.

    Besides, there is no reason for manufacturers to make anything but smart TVs for consumers, especially when the answer to those who have issues about smart features is to retort with a line about not connecting it to the internet in the first place. That could work — unless you live near a radio telescope and cannot have a device spamming out Wi-Fi and Bluetooth signals as long as it is connected into a power socket, and the suggested answer is to open the TV and cut its antenna off — but it doesn’t solve the issue of potentially paying thousands of dollars for a device that upgrades itself and pushes increasing amounts of advertising at you. That sort of user experience is best left in the hands of Microsoft to pioneer on its own.

    After living with smart Wi-Fi for a number of years where setting options are being increasingly pared back by Google, I was recently blasted back into a world where the user can overwrite the so-called artificial intelligence. It didn’t fix everything, but it was delightful to have options again.

    The TV landscape is far beyond that point: search for dumb options and you’ll end up thinking about buying commercial signage devices or looking to use a big computer monitor as a TV — neither of which are proper fits. It’s a shame TVs have become purchases that cost possibly in the thousands of dollars and, for their coin, new owners end up with yet another ad-serving device that will have firmware updates end in a couple of years, if they are lucky. Because as a base concept, TVs exist purely to show someone what they want to see. It shouldn’t be this hard.

    But if you want to see a low-res pixel art NFT upscaled to glorious 8K resolution, you know which Korean tech giant you need to buy from.

    ZDNet’s Monday Morning Opener is our opening take on the week in tech, written by members of our editorial team. We’re a global team so this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US, and 11:00PM in London.

  •

    FIN7 hacking group member sentenced to five years behind bars

    A Ukrainian national has been sentenced as a member of the FIN7 hacking group.

    On Thursday, the US Department of Justice (DoJ) announced the sentencing of Denys Iarmak to five years in prison for working as a FIN7 penetration tester.

    FIN7, also known as Carbanak, is a prolific cybercriminal group that focuses on financial theft. Active since at least 2015, FIN7 has tended to target the retail and banking sector through Business Email Compromise (BEC) scams, attacks against point-of-sale (PoS) systems, and supply chain compromise. The group is constantly evolving its tactics and improving its toolkit. The malware used by the group includes backdoors, information stealers, Trojans, RDP access modules, and even malicious USB drives that are physically mailed to unsuspecting businesses. Blueliv researchers say that FIN7 is one of the top threats to today’s financial sector. The DoJ estimates that at least $1 billion in damages has been done to US organizations and consumers.

    Prosecutors say that Iarmak worked as a pentester for the group. In legitimate cybersecurity work, pen testers are hired to test software and security controls with the owner’s authorization; in this case, the 32-year-old was responsible for managing network intrusions. Among his tasks was creating intrusion ‘projects’ in JIRA to track cyberattacks, including the initial access, surveillance progress, and data theft. Group members could comment on each project and offer each other advice.

    “As one example, Iarmak created a JIRA issue, to which he and other members of the cybergroup had access, for a specific victim company, and, on or about March 3, 2017, Iarmak updated that JIRA and uploaded data he had stolen from that company,” the DoJ says.

    While prosecutors didn’t say how much Iarmak earned, they noted his paycheck “far exceeded comparable legitimate employment in Ukraine.” Iarmak was apprehended and arrested in Bangkok, Thailand, in 2019. He fought extradition but was sent to the US in 2020. He was charged and pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

    The DoJ began arresting FIN7 members in 2018. To date, three have been sentenced in the United States. Iarmak joins Fedir Hladyr, who was sentenced to 10 years behind bars, and Andrii Kolpakov, who will serve a seven-year prison term.

    “Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information,” commented US Attorney Nicholas Brown of the Western District of Washington. “To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators.”

  •

    Raspberry Pi just made a big change to boost security

    Raspberry Pi has made a change to its operating system, Raspberry Pi OS, that removes the default username and password. Until now, the default username and password for the tiny computers have been “pi” and “raspberry” respectively, which made setting up a new Pi simple but also potentially made the popular internet-connected devices easier for remote attackers to break into through techniques like password spraying, since half of the credential pair was already known.

    “Up until now, all installs of Raspberry Pi OS have had a default user called “pi”. This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place,” explains Simon Long, a senior engineer for Raspberry Pi Trading. “But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials.”

    The UK, for example, plans to introduce new regulation that would stop makers of Internet of Things (IoT) devices from shipping them to consumers with default usernames and passwords. The UK’s National Cyber Security Centre (NCSC) endorsed the Product Security and Telecommunications Infrastructure (PSTI) Bill because the pandemic increased people’s reliance on internet-connected devices.

    Long says the latest release of Raspberry Pi OS removes the default “pi” username and a new wizard forces the user to create a username on the first boot of a newly-flashed Raspberry Pi OS image. But he also notes that not all existing documentation will align with the new process. “This is in line with the way most operating systems work nowadays, and, while it may cause a few issues where software (and documentation) assumes the existence of the “pi” user, it feels like a sensible change to make at this point,” he notes.

    It could nonetheless mean a few changes for users when they’re setting up a new Raspberry Pi device, because the wizard process is compulsory for a desktop setup. “Working through the wizard is no longer optional, as this is how a user account is created; until you create a user account, you cannot log in to the desktop. So instead of running as an application in the desktop itself as before, the wizard now runs in a dedicated environment at first boot.”

    The main difference is that previously users were prompted only for a new password. Now users are prompted for a username and a password. Raspberry Pi OS still lets users set the username to “pi” and the password to “raspberry”, but it will issue a warning that choosing the defaults is unwise. “Some software might require the “pi” user, so we aren’t being completely authoritarian about this. But we really would recommend choosing something else,” says Long.

    Raspberry Pi sales spiked at the beginning of the pandemic as consumers sought cheap home computing devices. But Raspberry Pi now faces supply constraints because of the global chip shortage. This week, Raspberry Pi chief Eben Upton admitted resellers were out of stock. “Demand for Raspberry Pi products increased sharply from the start of 2021 onwards, and supply constraints have prevented us from flexing up to meet this demand, with the result that we now have significant order backlogs for almost all products. In turn, our many resellers have their own backlogs, which they fulfil when they receive stock from us,” said Upton.

  •

    Using Google's Chrome browser? This new feature will help you fix your security settings

    Google is releasing a new tool to help users configure their privacy settings in the Google Chrome browser, in the form of a guided tour. The new Chrome Privacy Guide walks users through their privacy settings and was developed by engineers in the Google Safety Engineering Center (GSEC), the company’s global hub for privacy and security engineering.

    “Soon, you’ll see a new card for Privacy Guide in the “Privacy and security” tab in your Chrome settings, which you can find by clicking the three dots on the top-right corner of your browser,” Google said.

    The guide includes explanations for cookies, history sync, Safe Browsing, and Make Searches and Browsing Better. Google says it may add more settings to the guide based on user feedback. Chrome now has over 2.5 billion users and is by far the most widely used desktop browser. The privacy guide has been designed to keep this substantial user base safe online by offering more information on each of Chrome’s security settings and how they affect the browser.

    “When you navigate through Privacy Guide, you’ll learn about the ‘Why’ behind each setting, and how it impacts your browsing experience, so you can easily understand what happens,” explains Audrey An, a product manager for GSEC Munich.

    The Privacy Guide will be available in the coming weeks for users of Chrome version 100 on the desktop. Users should see a card for it in the “Privacy and security” tab of Chrome settings. Changes to settings made through the guide are saved as they are made.

    Until then, users can perform a security check by typing chrome://settings/safetyCheck into the address bar. The check reports whether a Chrome update is pending, flags weak and breached saved passwords, reviews installed extensions for ones Google has marked as malicious, and shows whether the Safe Browsing service is on.