More stories

    Facebook whistleblower: 'Morally bankrupt' social giant will have to 'hook kids' to grow

    The whistleblower whose disclosures became a catalyst for a Senate inquiry into Facebook’s operations has declared the company as “morally bankrupt,” casting “the choices being made inside of Facebook” as “disastrous for our children, our privacy, and our democracy.”

    On Tuesday, US Senator Richard Blumenthal chaired a hearing of the Subcommittee on Consumer Protection, Product Safety, and Data Security, with Facebook whistleblower Frances Haugen as a witness. Blumenthal thanked the whistleblower for her “strength and courage in coming here today.” Haugen, who used to work as the lead product manager for Facebook’s civic misinformation team, told the Senate that Facebook “intentionally hides vital information from the public, the US government, and governments around the world.” The whistleblower also told the Senate members that Facebook “is choosing to grow at all costs” — which means that profits are being “bought with our safety.” This, in turn, is encouraging “more division, more harm, more lies, more threats, [and] more combat” online.

    “No one truly understands the destructive choices made by Facebook, except for Facebook,” Haugen said.

    Antigone Davis, Facebook Director and Global Head of Safety, appeared at a hearing last week in which the Senate chastised the social media company for failing to do enough to protect younger users, and also accused Facebook of putting profit before safety by hiding the knowledge that the Instagram app causes mental harm.

    The allegations stem from The Facebook Files, a series of investigations posted by The Wall Street Journal. The articles are based on internal files, draft presentations, research, and internal staff communication leaked by the whistleblower. While the reports explore a variety of topics including Facebook algorithms that made users “angrier” and how the company allegedly does not apply the same terms of service rules to some high-profile users as the general public, the main thrust of the reports — branded a “bombshell” by Blumenthal — revolved around the ‘toxic’ nature of Facebook’s platform to teenagers, especially young girls. The research in question explores areas including social comparisons, loneliness, anxiety, sadness, and eating issues. The WSJ reports suggest that some teenagers suffering from suicidal thoughts were able to trace them back to Instagram.

    The WSJ published six of the internal documents which were the basis of its investigation. Facebook then published two of them, complete with annotations, last week.

    Facebook has accused the publication of deliberate mischaracterizations. Davis said, “We strongly disagree with how this reporting characterized our work, so we want to be clear about what that research shows, and what it does not show.” Davis insisted that the internal research did not create “causal relationships between Instagram and real-world issues,” and while Instagram was indicated as a source that could make girls suffering from body image issues feel worse, this was one of the numerous topics included in the research — and many teenagers suffering from various problems have a positive experience on Instagram.

    The latest hearing, titled “Protecting Kids Online: Testimony from a Facebook Whistleblower,” allowed the whistleblower’s testimony to be heard and for her experiences working at Facebook to be explored.
When queried about its use of algorithms and engagement-based rankings to promote specific types of content that could be harmful, Haugen said that “Facebook knows that its amplification algorithms can lead children from innocuous topics — such as healthy food recipes — to anorexia-promoting content over a short period of time.” The whistleblower claims that Facebook has re-created experiments to test out amplification algorithms that could cause this transition from safe to dangerous topics — and so the company “knows” this happens. Haugen added that Facebook CEO Mark Zuckerberg “has built an organization that is very metrics-driven — the metrics make the decision,” and, therefore, “the buck stops with him.”

Facebook has paused a plan to develop a version of Instagram for kids, citing the need for more time to work more closely with “parents, experts, policymakers and regulators.” Haugen suggested that we could see the platform rolled out in a year, commenting: “Facebook understands that if they want to continue to grow, they have to find new users. The way they’ll do that is to ensure kids establish habits before self-regulation.” When asked if this is what she meant by “hooking kids,” the whistleblower agreed.

The chair of the committee remained critical of Facebook, saying in today’s hearing that “their profit was more important than the pain that they caused.” Blumenthal also urged Zuckerberg to appear before the Senate. Haugen called for the Senate to act, commenting: “A company with such frightening influence over people […] needs real oversight. However, its closed design means there is no oversight.”

“Facebook can change but clearly will not do so on its own,” the whistleblower added. “Congress can change the rules Facebook plays by and can stop the harm Facebook is causing.
[…] We still have time to act, but we must act now.”

Davis said last week that Facebook would not “retaliate for them [the whistleblower] coming to the Senate.” However, this does not mean there will not be legal repercussions for sharing corporate documents with the WSJ. Blumenthal acknowledged that the whistleblower came forward at “great personal risk” and said the Senate will do “everything and anything we can to stop retaliation.”

On September 30, Senators Blumenthal and Edward Markey reintroduced a bill designed to bolster the privacy and security of minors online. The Kids Internet Design and Safety (KIDS) Act, if passed, aims to prevent manipulative marketing, push alerts, ‘like’ and follower functionality, and features that reward those under 16 for spending more time on their devices.

In other Facebook news, the social media giant experienced a six-hour outage on Monday that also disrupted service for billions of users across Instagram and WhatsApp. Facebook believes the issue was caused by configuration changes that went awry. “We want to make clear at this time we believe the root cause of this outage was a faulty configuration change,” the firm said. “We also have no evidence that user data was compromised as a result of this downtime.”

Update 18.57 BST: Facebook’s Lena Pietsch, director of policy communications, has issued the following statement: “Today, a Senate Commerce subcommittee held a hearing with a former product manager at Facebook who worked for the company for less than two years, had no direct reports, never attended a decision-point meeting with C-level executives — and testified more than six times to not working on the subject matter in question. We don’t agree with her characterization of the many issues she testified about. Despite all this, we agree on one thing; it’s time to begin to create standard rules for the internet. It’s been 25 years since the rules for the internet have been updated, and instead of expecting the industry to make societal decisions that belong to legislators, it is time for Congress to act.”

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    When your VPN is a matter of life or death, don't rely on reviews

    There are VPN users who use VPNs just so they can safely surf the internet from a coffee shop, hotel, or airport. Before the COVID-19 pandemic, I mostly fell into that category. There are VPN users who mostly use VPNs to spoof their location so they can watch blacked-out sports events or get Star Trek Discovery via Netflix instead of Paramount+.

    And then there are the people I’m writing this article for: the folks for whom VPN usage is a life-or-death thing. These people are citizens in nations with oppressive regimes trying to communicate with the outside world, people who are researching health or sexuality information that could cause them to be discriminated against (or worse), people who are trying to hide their location from abusive partners or stalkers, people who are dissidents (which is not a pejorative, but a word used to describe people who are fighting totalitarian regimes and oppressive government policies), and so on.

    It’s for these people, who I’ll call the life-and-deathers, that this article is written. And if you fit into this category, listen up. What I’m about to say could save your life.

    VPNs (or virtual private networks) generally do a few key things. They encrypt your internet traffic between your computer and a destination on the internet. If you’re using a corporate VPN, it creates a secure tunnel between your machine and your company’s network. VPN services, with familiar names like ExpressVPN, Surfshark, and NordVPN, create secure tunnels between your machine and their servers — but the connection from their servers to whatever destination server you’re accessing is secured only by whatever base protocol you’re using to communicate with that final server. VPN services also purport to hide your IP address from the internet and allow you to spoof your geographical location. This is a service absolutely necessary to those concerned about their safety. Unfortunately, it is a service primarily marketed as a way for users to bypass geographic entertainment restrictions.

    There are ethical and unethical reasons people use VPNs. I’m writing this to help protect ethical users, not to encourage or facilitate unethical use.

    Follow the money

    You may have noticed that VPN reviews are hugely prevalent all over the internet. This is because: (A) there’s a lot of interest in VPNs, especially now that people are working from home more often, and (B) VPN vendors pay so-called objective media outlets to promote them. This is worthy of some detailed discussion.

    For most of modern history, when a company wanted to promote a product in the media, they’d use one of two mechanisms. They’d either buy ads, or they’d hire a PR firm. The benefit of advertising is that the advertiser has complete control over the message. As long as they can afford to pay for placement, they can say (within reason) whatever they want. Ads are delineated on the page, so consumers can easily tell the difference between them and legitimate reporting.

    PR is the practice of trying to convince a writer (like me) to write about a product. The benefit (to the vendor) is that PR is generally free. If I choose to write about a product because I think it’s worthy in some way, the vendor isn’t paying for that coverage. But… the vendor also has absolutely no control over what I might say, nor whether or not the product ever gets coverage.

    There is some gray area here. While writers often purchase the items they review, many reviewers receive the things they review for free. Companies want the attention of reviewers and their audiences. Companies can also withhold access, favoring those they know will speak positively or give their products glowing reviews. For example, I never get early access to Apple products because I’ve been critical of the company.

    Done right, at least historically, marketing has been a mix of good advertising and good PR. But the internet has changed that. It’s now possible to track what people read, what they click on, and what they buy. That technological capability gave rise to a new form of marketing: affiliate marketing.

    With affiliate marketing, when you click on a link that leads you to buy a product, the seller can see your entire track of interaction. This means the seller can know where you were when you clicked that link. If you click a link on ZDNet and then buy a product on Amazon, Amazon knows that the sale came from an article on ZDNet. If you click on a link on ZDNet (or just about any other website) that has an affiliate code and then buy from Amazon, Amazon also pays a percentage of the sale back to the originating site. The idea is that the affiliate payment encourages sites to cover products. And it works — very, very well. Sites get a lot of revenue (sometimes more than from advertising) from affiliate links. Many sites have full-time affiliate relationship managers who do deals with vendors for a percentage of the sales price — and then encourage editors to write about those products.

    Done right, there’s no harm in this practice. But what does “done right” mean? Done right means that editorial decisions drive coverage, not business decisions. For example, here at ZDNet, I choose what I want to cover. I get to say what I want to say about a product based on my professional experience. The commerce teams don’t have any input into my objective editorial opinion. If I write a more negative review because readers deserve to be aware of product limitations, no one tells me to hide those limitations. In our case, once I write an article, the affiliate team reads those articles and will sometimes add affiliate links. I have no insight into what deals they have or how much they make.

    And here’s how that applies to VPNs. I cover a lot of VPN services. I know, generally, that many of the VPN services have affiliate relationships with our commerce team. But I have zero visibility into those deals. As such, I choose the VPNs to cover and what I say entirely based on my editorial judgement. There’s no bias due to business relationships. ZDNet does financially benefit from the fact that I cover VPNs, but not from any specific VPN. But that’s not the case for all online sources of VPN reviews.

    VPN companies who own VPN review sites

    Last week, I discussed ExpressVPN’s week of rough news. One detail: ExpressVPN was bought by Kape Technologies for nearly a billion dollars. That sale price, alone, should show you how much these VPN service companies are raking in. See also: Trust, but verify: An in-depth analysis of ExpressVPN’s terrible, horrible, no good, very bad week.

    But it’s worse. A year earlier, Kape (which also owns VPN vendors Private Internet Access, CyberGhost, and ZenMate) bought a company called Webselenese. This company owns the VPN review site VPNMentor. So which VPNs does VPNMentor recommend as its best of 2021? Its own: ExpressVPN in first place, CyberGhost in second, and Private Internet Access in third. That’s not suspicious at all (he says sarcastically):
    Source: VPNMentor.com
    How valuable are reviews to VPN companies? Consider how much Kape spent on Webselenese. That amount: $149 million. If you’re going to spend $149 million to control the review conversation, there’s got to be a lot of money at play. But Kape isn’t the only VPN company that owns its own review sites. Let’s spend a moment exploring J2 Global.

    J2 Global launched in 1995 as the provider of the JFax faxing service. The internet was barely a thing back then, and faxing was big. Over the next decade and a half or so, J2 stayed pretty much in its lane, offering fax services under a variety of brands. Then, in 2012, it started a media acquisitions spree. In 2012, it bought publisher Ziff-Davis. For the record, the ZD in ZDNet harkens back to the Ziff-Davis brand, but ZDNet was spun out as a separate company and hasn’t been affiliated with Ziff-Davis for more than 20 years. In some ways, in fact, we’re now direct competitors.

    The J2 acquisition of Ziff-Davis bought the company a bunch of very familiar tech publications, including PCMag, Spiceworks, ExtremeTech, IGN, and Mashable. Then, in 2019, J2 scooped up VPN vendors SaferVPN, IPVanish, and StrongVPN. Where VPNMentor is clearly biased in its coverage, I have to give it to PCMag.com. Of the ten best VPN services it lists on its “best of 2021” page, its parent company does not own one.
    Source: PCMag.com
    Even so, we’ve now identified that many of the top VPNs are owned by the same companies that own the top VPN review sites. Conclusion: If you’re putting your life on the line, you might not want to trust these sites for unbiased reviews.

    What should you do?

    Even unbiased reviews like those I produce aren’t enough to rely upon if you’re a VPN life-and-deather. I put in about a week of testing per VPN, and I test from here in central Oregon. I can’t travel all around the world and test how safe and secure a given VPN service is when used, for example, in the UAE instead of Oregon. For those who haven’t been following along through all my VPN guides, VPN usage in the United Arab Emirates is illegal and could get you sent to jail or fined up to the UAE equivalent of $500,000.

    While a professional reviewer might be able to provide a relatively comprehensive review of one VPN he or she lives with over the course of a few years, no reviewer is going to be able to spend months of time testing each and every one of an entire set of VPNs. It’s just not practical or possible. So no matter which reviews you read, the test results are going to be limited to what could be practically tested by the reviewer in question. If your life is at stake, these tests are too limited. Period.

    I’d recommend you dive much deeper into this tool you’re going to be depending on. First, read this excellent guide just recently put out by the NSA and CISA. A lot of it is designed for corporate networks, but the protocol discussion is first-rate. Second, seek out others in your life-and-deather community. Folks who have dealt with the same kind of security challenges and risks will have a better experience than some other reviewer who only theoretically walks in your shoes. Read forums. Read user reviews. Read a lot. And, third, get to know how VPNs work on a technical level. Here’s a Digital Ocean article that gets you started running your own VPN server. But don’t stop with just one article.

    If your life is dependent on this technology, learn. Take courses on computer security. Learn everything you can on how data moves on the internet. Coursera, for example, offers free in-depth university-level classes. The only time you have to pay is if you want the credential. But if you’re more concerned about your personal security than your resume, you can learn a tremendous amount and not spend anything.

    My bottom line for all of this is simple: There are ways you can learn enough to create a safer situation for yourself. Just quickly scanning product reviews tells you very little about the best way to stay alive and safe.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    New Python ransomware targets virtual machines, ESXi hypervisors to encrypt disks

    A new strain of Python-based malware has been used in a “sniper” campaign to achieve encryption on a corporate system in less than three hours.

    The attack, one of the fastest recorded by Sophos researchers, was achieved by operators who “precision-targeted the ESXi platform” in order to encrypt the virtual machines of the victim. On Tuesday, Sophos said the malware, a new variant written in Python, was deployed ten minutes after threat actors managed to break into a TeamViewer account belonging to the victim organization. TeamViewer is a control and access platform that can be used by the general public and businesses alike to manage and control PCs and mobile devices remotely. As the software was installed on a machine used by an individual who also owned domain administrator access credentials, it took only ten minutes — from 12.30 am to 12.40 am on a Sunday — for attackers to find a vulnerable ESXi server suitable for the next stage of the assault.

    VMware ESXi is an enterprise-grade, bare-metal hypervisor used by vSphere, a system designed to manage both containers and virtual machines (VMs). The researchers say the ESXi server was likely vulnerable to exploit due to an active shell, and this led to the installation of Bitvise, SSH software used — at least, legitimately — for Windows server administration tasks.

    In this case, the threat actors utilized Bitvise to tap into ESXi and the virtual disk files used by active VMs. “ESXi servers have a built-in SSH service called the ESXi Shell that administrators can enable, but is normally disabled by default,” Sophos says. “This organization’s IT staff was accustomed to using the ESXi Shell to manage the server, and had enabled and disabled the shell multiple times in the month prior to the attack. However, the last time they enabled the shell, they failed to disable it afterwards.”

    Three hours in, the cyberattackers were able to deploy their Python ransomware and encrypt the virtual hard drives. The script used to hijack the company’s VM setup was only 6kb in length but contained variables including different sets of encryption keys, email addresses, and options for customizing the suffix appended to encrypted files. The malware created a map of the drive, inventoried the VM names, and then powered each virtual machine off. Once they were all disabled, full database encryption began. OpenSSL was then weaponized to encrypt them all quickly by issuing a command against the log of each VM’s name on the hypervisor. Once encryption was complete, the reconnaissance files were overwritten with the word f*ck and were then deleted.

    Big game ransomware groups including DarkSide — responsible for the Colonial Pipeline attack — and REvil are known to use this technique. Sophos says the sheer speed of this case, however, should remind IT administrators that security standards need to be maintained on VM platforms as well as standard corporate networks.

    “Python is a coding language not commonly used for ransomware,” commented Andrew Brandt, principal researcher at Sophos. “However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems. ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services.”
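The control that failed in this case, a maintenance shell left enabled, is simple to audit. The following is an added example and not Sophos' or VMware's code: it evaluates an ESXi host's state against the hardening a defender would apply here (ESXi Shell and SSH stopped with startup policy off, non-zero shell timeouts so a shell enabled for maintenance closes itself when forgotten) plus lockdown mode as a related control. The `TSM` and `TSM-SSH` service keys, the `UserVars.ESXiShellTimeOut` and `UserVars.ESXiShellInteractiveTimeOut` settings and the lockdown-mode values are VMware's own names; the 15-minute timeout ceiling, the constructed host states and the `fetch_host_state` helper (which assumes pyVmomi is installed and is only needed against a live host) are assumptions of the example.

```python
"""Audit an ESXi host's remote-shell exposure (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class HostState:
    name: str
    services: Dict[str, Tuple[bool, str]]  # service key -> (running, startup policy)
    advanced: Dict[str, int]               # UserVars.* shell timeouts in seconds, 0 = never
    lockdown_mode: str                     # lockdownDisabled / lockdownNormal / lockdownStrict


REMOTE_SHELL_SERVICES = {"TSM": "ESXi Shell", "TSM-SSH": "SSH"}
TIMEOUT_SETTINGS = ("UserVars.ESXiShellTimeOut", "UserVars.ESXiShellInteractiveTimeOut")
MAX_TIMEOUT_SECONDS = 900  # assumption: a maintenance shell should close itself within 15 minutes


def audit_host(host: HostState) -> List[str]:
    """Return one finding per control that is out of policy; an empty list means compliant."""
    findings = []
    for key, label in REMOTE_SHELL_SERVICES.items():
        running, policy = host.services.get(key, (False, "off"))
        if running:
            findings.append(f"{host.name}: {label} ({key}) is running")
        if policy != "off":
            findings.append(f"{host.name}: {label} ({key}) starts automatically (policy '{policy}')")
    for setting in TIMEOUT_SETTINGS:
        seconds = host.advanced.get(setting, 0)
        # 0 means the shell stays enabled until someone remembers to turn it off,
        # which is exactly how the window in this incident stayed open.
        if seconds == 0 or seconds > MAX_TIMEOUT_SECONDS:
            findings.append(f"{host.name}: {setting}={seconds}, shell will not auto-disable within policy")
    if host.lockdown_mode == "lockdownDisabled":
        findings.append(f"{host.name}: lockdown mode disabled, direct host logins are not restricted")
    return findings


def fetch_host_state(host) -> HostState:
    """Build a HostState from a pyVmomi vim.HostSystem (assumes an authenticated vSphere session)."""
    service_system = host.configManager.serviceSystem
    services = {s.key: (bool(s.running), str(s.policy)) for s in service_system.serviceInfo.service}
    options = host.configManager.advancedOption
    advanced = {}
    for setting in TIMEOUT_SETTINGS:
        try:
            advanced[setting] = int(options.QueryOptions(setting)[0].value)
        except Exception:  # option absent on very old builds: treat as "never times out"
            advanced[setting] = 0
    return HostState(host.name, services, advanced, str(host.config.lockdownMode))


# Constructed state mirroring the incident: shell enabled for maintenance and left
# running, no timeout to close it. The host name is a placeholder.
SAMPLE_HOST = HostState(
    name="esxi-01.example.internal",
    services={"TSM": (True, "on"), "TSM-SSH": (True, "on"), "ntpd": (True, "on")},
    advanced={"UserVars.ESXiShellTimeOut": 0, "UserVars.ESXiShellInteractiveTimeOut": 0},
    lockdown_mode="lockdownDisabled",
)

# The same host after remediation (constructed).
HARDENED_HOST = HostState(
    name="esxi-01.example.internal",
    services={"TSM": (False, "off"), "TSM-SSH": (False, "off"), "ntpd": (True, "on")},
    advanced={"UserVars.ESXiShellTimeOut": 600, "UserVars.ESXiShellInteractiveTimeOut": 600},
    lockdown_mode="lockdownNormal",
)

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_HOST) or ["compliant"]:
        print(finding)
```

Against a live environment, build one `HostState` per `vim.HostSystem` with `fetch_host_state` and run `audit_host` over the fleet; the timeout check is the part that turns "someone forgot to disable the shell" from a standing exposure into a bounded one.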

    YubiKey Bio builds biometric authentication into a security key


    Today sees YubiKey security keys become even better with Yubico’s launch of the YubiKey Bio — biometric authentication built right into a security key, allowing for quick, simple, and streamlined passwordless authentication for desktop-based FIDO-supported services and applications. The YubiKey Bio uses a three-chip architecture that stores the biometric fingerprint in a separate secure element, offering protection from physical attacks. This, according to Yubico, allows the YubiKey Bio to “act as a single, trusted hardware-backed root of trust which allows the user to authenticate with the same key across multiple desktop devices, operating systems, and applications.” For when biometrics are not supported, users can enter a PIN set during the initial setup.
    By having everything built into the key, it means that authentication mechanisms are protected from tampering even if the host systems are compromised. The keys can be managed using the Yubico Authenticator for Desktop, an app that is available for Windows, macOS, and Linux. This is used to enroll new fingerprints and add or delete fingerprints when native platform and browser capabilities are limited.


    Customers should choose the YubiKey Bio if they are:

    • Securing an account with a service that supports only FIDO U2F or FIDO2/WebAuthn protocols
    • Authenticating using a desktop device
    • In cloud-first environments
    • Using shared workstations and are in mobile-restricted environments

    However, there are situations where users will be better off using the YubiKey Series 5 keys:

    • They require broader form factors and NFC support
    • The users need to work across desktop and mobile devices
    • Users need to support applications and services using a range of protocols such as OTP, FIDO U2F and FIDO2/WebAuthn, and Smart card/PIV
    • They are securing legacy and modern environments offering a bridge to passwordless, utilizing non-FIDO protocols

    I’ve had my hands on the YubiKey Bio for the past few days, and I have to say that it is an impressive bit of technology. The biometric reader is fast and super reliable, and the whole robust package is everything I’ve come to expect from Yubico.

    The YubiKey Bio enables biometric login on desktop with all applications and services that support FIDO protocols, as well as offering out-of-the-box support for Citrix Workspace, Duo, GitHub, IBM Security Verify, Microsoft Azure Active Directory and Microsoft 365, Okta, and Ping Identity.

    The YubiKey Bio Series is available in USB-A and USB-C form factors, and keys are priced at $80 and $85, respectively. They are available for purchase from Yubico.

    This new Android malware gets full control of your phone to steal passwords and info

    Another new form of Android malware is being spread via text messages with the aim of luring victims into clicking a malicious link, and inadvertently allowing cyber criminals to gain full control of the device to steal personal information and bank details.  Dubbed TangleBot, the malware first appeared in September and once installed gains access to many different permissions required for eavesdropping on communications and stealing sensitive data, including the ability to monitor all user activity, use the camera, listen to audio, monitor the location of the device, and more. Currently, it’s targeting users in the US and Canada. 


    The campaign has been detailed by cybersecurity researchers at Proofpoint who note that while the initial lures came in the form of SMS messages masquerading as information about Covid-19 vaccination appointments and regulations, more recent efforts have falsely claimed local power outages are about to occur.

    In each case, the potential victim is encouraged to follow a link referencing the subject of the lure for more information. If they do, they’re told that in order to view the content on the website they’re looking for, Adobe Flash Player needs to be updated. Adobe stopped supporting Flash in December 2020 and it hasn’t been supported on mobile devices since 2012, but many users probably won’t know this.

    Clicking the link leads victims through a series of nine dialogue boxes requesting acceptance of the permissions and installation from unknown sources that, if accepted, provide cyber attackers with the ability to set up and configure the malware.

    TangleBot provides the attackers with full control over the infected Android device, allowing them to monitor and record all user activity, including knowing websites visited, stealing usernames and passwords using a keylogger, while also allowing the attackers to record audio and video using the microphone and camera.

    The malware can also monitor data on the phone including messages and stored files, as well as monitoring the GPS location, allowing what researchers describe as a “full range of surveillance and collection capabilities”.

    SMS messages have become a common vector for spreading malware with FluBot malware being particularly prominent in recent months. FluBot often spreads via text messages claiming the victim has missed a delivery and, like TangleBot, tricks users into downloading malware that allows cyber criminals to steal sensitive information. The two forms of malware are unlikely to come from the same cyber-criminal group, but the success and potency of both demonstrates how SMS has become an attractive means of spreading campaigns.

    “If the Android ecosystem has shown us anything this summer, it is that the Android landscape is rife with clever social engineering, outright fraud, and malicious software all designed to deceive and steal mobile users’ money and other sensitive information,” said Proofpoint researchers in a blog post. “These schemes can appear quite convincing and may play on fears or emotions that cause users to let down their guard,” they added.

    Atom Silo ransomware operators target vulnerable Confluence servers

    A new ransomware operator is targeting Confluence servers by using a recently-disclosed vulnerability to obtain initial access to vulnerable systems. 

    According to Sophos cybersecurity researchers Sean Gallagher and Vikas Singh, the new threat actors, dubbed Atom Silo, are taking advantage of the flaw in the hopes that Confluence server owners are yet to apply the required security updates to resolve the bug. Atlassian Confluence is a web-based virtual workplace for the enterprise, allowing teams to communicate and collaborate on projects.

    Sophos described a recent attack conducted by Atom Silo over a period of two days. The vulnerability used in the attack, tracked as CVE-2021-08-25, allowed the cybercriminals to obtain initial access to the victim’s corporate environment.

    The Confluence vulnerability is being actively exploited in the wild. While fixed in August, the vendor warned that Confluence Server and Confluence Data Center are at risk and should be patched immediately. If exploited, unauthenticated threat actors are able to perform an OGNL injection attack and execute arbitrary code. CVE-2021-08-25 was used to compromise the Jenkins project in September. US Cybercom said in the same month that attacks were “ongoing and expected to accelerate.”

    In the case examined by Sophos, Atom Silo utilized the vulnerability on September 13 and was able to use the code injection bug to create a backdoor, leading to the download and execution of a second, stealthy backdoor. To stay under the radar, this payload dropped a legitimate and signed piece of software vulnerable to an unsigned DLL sideload attack. A malicious .DLL was then used to decrypt and load the backdoor from a separate file containing code similar to a Cobalt Strike beacon, creating a tunnel for remotely executing Windows Shell commands through WMI.

    “The intrusion that made the ransomware attack possible made use of several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software,” the researchers say.

    Within a matter of hours, Atom Silo began moving laterally across its victim’s network, compromising multiple servers in the process and executing the same backdoor binaries on each while also conducting additional reconnaissance. Eleven days after its initial intrusion, ransomware and a malicious kernel driver utility payload, designed to disrupt endpoint protection, were deployed. Separately, another threat actor noticed the same system was vulnerable to CVE-2021-08-25 and quietly implanted cryptocurrency mining software.

    The ransomware is “virtually identical” to LockFile. Files were encrypted using the .ATOMSILO extension and a ransom note demanding $200,000 was then dropped on the victim’s system.

    “Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof of concept exploits for newly-revealed vulnerabilities and weaponizing them rapidly to profit off them,” Sophos says. “To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks.”

    Misconfigured, old Airflow instances leak Slack, AWS credentials

    Apache Airflow instances that have not been properly secured are exposing everything from Slack to AWS credentials online. 

    On Monday, Intezer malware analyst Nicole Fishbein and cybersecurity researcher Ryan Robinson said the instances, vulnerable to data theft, belong to industries including IT, cybersecurity, health, energy, finance, and manufacturing, among other sectors.

    Apache Airflow, available on GitHub, is an open source platform designed for scheduling, managing, and monitoring workflows. The modular software is also used to process data in real-time, with work pipelines configured as code. Apache Airflow version 2.0.0 was released in December 2020 and implemented a number of security enhancements including a new REST API that enforced operational authentication, as well as a shift to explicit value settings, rather than default options. While examining active, older versions of the workflow software, the cybersecurity firm found a number of unprotected instances that exposed credentials for business and financial services including Slack, PayPal, AWS, Stripe, Binance, MySQL, Facebook, and Klarna.

    “They [instances] are typically hosted on the cloud to provide increased accessibility and scalability,” Intezer noted. “On the flip side, misconfigured instances that allow internet-wide access make these platforms ideal candidates for exploitation by attackers.” The most common security issue causing these leaks was the use of hardcoded passwords within instances that were embedded in Python DAG code.

    In addition, the researchers discovered that the Airflow “variables” feature was a credential leak source. Variable values can be set across all DAG scripts within an instance, but if it is not configured properly, this can lead to exposed passwords. The team also found misconfigurations in the “Connections” feature of Airflow which provides the link between the software and a user’s environment. However, not all credentials may be input properly and they could end up in the “extra” field, the team says, rather than the secure and encrypted portion of Connections. As a result, credentials can be exposed in plaintext.

    “Many Airflow instances contain sensitive information,” the researchers explained. “When these instances are exposed to the internet the information becomes accessible to everyone since the authentication is disabled. In versions prior to v1.10 of Airflow, there is a feature that lets users run Ad Hoc database queries and get results from the database. While this feature can be handy, it is also very dangerous because on top of there being no authentication, anyone with access to the server can get information from the database.”

    Intezer has notified the owners of the vulnerable instances through responsible disclosure. It is recommended that Apache Airflow users upgrade their builds to the latest version and check user privilege settings to make sure no unauthorized users can obtain access to their instances.
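The two leak sources described in this story, secrets hardcoded in DAG code (including values pushed with `Variable.set`) and secrets typed into the wrong part of a Connection, can both be caught before a DAG ships. The following is an added example, not Intezer's tooling and not part of Apache Airflow: it parses DAG source with Python's `ast` module and flags suspicious string literals, and it inspects a Connection record's `extra` field for credential-looking keys. It goes a little beyond the article by also matching the public prefix formats of AWS, Slack and Stripe keys, so a secret behind an innocuous variable name is still flagged. The name and value patterns, the `Variable.set` heuristic and all sample inputs are assumptions constructed for the example.

```python
"""Find plaintext credentials in Airflow DAG code and Connection records (added example)."""
import ast
import json
import re
from typing import Dict, List

# Identifier fragments that suggest a value is a secret (assumption: a starting list).
SECRET_NAME_RE = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)", re.I
)
# Public prefix formats of some credentials, so an innocuously named value is still
# flagged when it looks like a key.
SECRET_VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{8,}\b"),
}


def _is_secret_literal(node: ast.AST) -> bool:
    """True for a non-empty string literal node."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def _is_variable_set(node: ast.Call) -> bool:
    """True for a call of the form Variable.set(key, value)."""
    return (isinstance(node.func, ast.Attribute) and node.func.attr == "set"
            and isinstance(node.func.value, ast.Name) and node.func.value.id == "Variable"
            and len(node.args) >= 2)


def scan_dag_source(source: str, filename: str = "<dag>") -> List[Dict[str, object]]:
    """Walk a DAG file's syntax tree and report string literals that look like secrets.

    Cases: ``password = "..."`` assignments, ``password="..."`` keyword arguments on
    any call, ``Variable.set("name", "...")`` with a literal value, and any literal
    whose shape matches a known key format. Each finding carries file and line.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Assign) and _is_secret_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME_RE.search(target.id):
                    findings.append({"file": filename, "line": node.lineno, "kind": "assignment", "name": target.id})
        elif isinstance(node, ast.keyword) and node.arg and _is_secret_literal(node.value):
            if SECRET_NAME_RE.search(node.arg):
                findings.append({"file": filename, "line": node.value.lineno, "kind": "keyword", "name": node.arg})
        elif isinstance(node, ast.Call) and _is_variable_set(node) and _is_secret_literal(node.args[1]):
            key = node.args[0].value if isinstance(node.args[0], ast.Constant) else "<dynamic>"
            findings.append({"file": filename, "line": node.lineno, "kind": "variable_literal", "name": str(key)})
        elif _is_secret_literal(node):
            # The literal itself, independent of where it is used.
            for label, pattern in SECRET_VALUE_PATTERNS.items():
                if pattern.search(node.value):
                    findings.append({"file": filename, "line": node.lineno, "kind": "value_pattern", "name": label})
    return findings


def check_connection_extra(conn: Dict[str, object]) -> List[str]:
    """Return keys in a Connection's 'extra' JSON whose name or value looks like a credential.

    The password field is where Airflow expects a secret; anything typed into the
    free-form 'extra' JSON is treated as ordinary text, the misplacement described above.
    """
    try:
        extra = json.loads(conn.get("extra") or "{}")
    except json.JSONDecodeError:
        return ["<extra is not valid JSON>"]
    return [key for key, value in extra.items()
            if isinstance(value, str) and value
            and (SECRET_NAME_RE.search(key)
                 or any(p.search(value) for p in SECRET_VALUE_PATTERNS.values()))]


# Constructed DAG source with several misplaced secrets; none of the values are real.
SAMPLE_DAG = '''
from airflow import DAG
from airflow.models import Variable

SLACK_TOKEN = "xoxb-0000000000-constructed-example"
db_password = "hunter2"
Variable.set("aws_secret", "CONSTRUCTED-SECRET-VALUE")

with DAG("billing_etl") as dag:
    notify = SlackAPIPostOperator(task_id="notify", token=SLACK_TOKEN, channel="#ops")
    load = PostgresOperator(task_id="load", password="hunter2", sql="SELECT 1")
'''

# Constructed Connection record mirroring the form fields: password left empty,
# the AWS key pair pasted into extra instead.
SAMPLE_CONNECTION = {
    "conn_id": "aws_default", "conn_type": "aws", "login": "", "password": "",
    "extra": json.dumps({"region_name": "eu-west-1",
                         "aws_access_key_id": "AKIACONSTRUCTEDKEY00",
                         "aws_secret_access_key": "constructed-secret-not-real"}),
}

if __name__ == "__main__":
    for f in scan_dag_source(SAMPLE_DAG, "billing_etl.py"):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['name']}")
    print("connection extra leaks:", check_connection_extra(SAMPLE_CONNECTION))
```

Run `scan_dag_source` over every file in the DAGs folder as a pre-commit or CI step, and `check_connection_extra` over an export of the Connections table; a hit from either is a secret that belongs in a secrets backend or the encrypted password field, not in code or free text.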