More stories


    Linux kernel vulnerability exposes stack memory, causes data leaks

    An information disclosure vulnerability in the Linux kernel can be exploited to leak data and act as a springboard for further compromise. 

    Disclosed by Cisco Talos researchers on Tuesday, the bug is described as an information disclosure vulnerability “that could allow an attacker to view Kernel stack memory.” The kernel is a key component of the open source Linux operating system.

    The vulnerability, tracked as CVE-2020-28588, was found in the /proc/pid/syscall functionality of 32-bit ARM devices running the OS. According to Cisco, the issue was first found in a device running on Azure Sphere. Attackers seeking to exploit the security flaw could read the /syscall file via procfs, the pseudo-filesystem through which the kernel exposes its internal data structures. The /syscall procfs entry could be abused if attackers launch commands to output 24 bytes of uninitialized stack memory, leading to a bypass of Kernel Address Space Layout Randomization (KASLR).

    The researchers say this attack is “impossible to detect on a network remotely” as it is a legitimate Linux operating system file being read. “If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities,” Cisco added.

    Linux kernel versions 5.10-rc4, 5.4.66, and 5.9.8 are impacted and a patch was merged on December 3 to tackle the bug. Users are urged to update their builds to later versions.

    In related news this month, the Linux Foundation has banned University of Minnesota (UMN) developers from submitting work to the Linux kernel after a pair of graduate students were caught deliberately submitting buggy patches to the project. The patches were submitted for the purposes of a research paper, “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits,” and the incident did result in a swift apology from UMN — but forgiveness for the act, considered as made in ‘bad faith,’ is far from assured. The paper was due to be presented at the 42nd IEEE Symposium on Security and Privacy but has since been withdrawn.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle

    Microsoft is reportedly considering revisions to a threat and vulnerability sharing program suspected of being a key factor in widespread attacks against Exchange servers. 

    The Microsoft Active Protections Program (MAPP) is a program for security software providers and partners which gives participants early access to vulnerability and threat intelligence. MAPP, which includes 81 organizations, was intended to give other companies the chance to develop strategies and to deploy necessary protections before vulnerabilities are made public.

    “MAPP partners receive advance security vulnerability information for those vulnerabilities slated to be addressed in Microsoft’s regularly scheduled monthly security update releases,” the company says. “This information is provided as a package of documents that outline what Microsoft knows about the vulnerabilities. This includes the steps used to reproduce the vulnerability as well as the steps used to detect the issue. Periodically, Microsoft might also provide proof-of-concept or tools to further illuminate the issue and help with additional protection enhancement.”

    However, MAPP has recently come under scrutiny as the potential source of a leak of exploit code — either accidentally or deliberately — later weaponized during the Microsoft Exchange Server incident. Microsoft issued emergency patches for the now-infamous four critical zero-day bugs (“ProxyLogon”) in Exchange on March 2.

    According to six people close to the matter, as reported by Bloomberg, Microsoft is considering revisions to the program that could alter how and when information concerning vulnerabilities in the vendor’s products is shared. The publication says that Microsoft fears participants may have “tipped off” threat actors after critical Exchange Server vulnerabilities were shared with partners privately in February. At least two Chinese companies are involved in the probe.

    At the time, reports suggested that Proof-of-Concept (PoC) code shared with MAPP participants contained “similarities” to exploit code later used in attacks. MAPP sets out different tiers for participants which determine what information is shared, and when — ranging from weeks ahead of disclosure to days. Potential revisions to the program could include shuffling participants and their level of entry, a reassessment of what Microsoft will share in the future, or potentially the inclusion of code-based ‘watermarks’ that could be used to trace data distribution — and any subsequent leaks.

    The company attributed the first wave of attacks against Exchange servers to Hafnium, a Chinese state-sponsored threat group — later joined by at least 10 other advanced persistent threat (APT) groups including LuckyMouse, Tick, and Winnti Group. It wasn’t long before an estimated 60,000 organizations were compromised, and as of March 12, roughly 82,000 internet-facing servers remained unpatched. Post-exploit activities include the installation of backdoors, web shells, ransomware deployment, and cryptocurrency miners.

    Microsoft declined to comment.


    Shorten wants Morrison to pivot social media 'evil' remark to fighting online harms to kids

    Over the weekend at a Christian convention, Australian Prime Minister Scott Morrison declared social media could be used as a weapon by the “evil one” against young people. Answering questions following his address to the National Press Club (NPC) on Wednesday, former Opposition Leader Bill Shorten took the opportunity to expand on where he thinks Morrison should take such a remark.

    “I was interested in the reference to the ‘evil one’ in social media. What I’d like to do is take that fairly unspecified reference and — something I’ve been thinking about for a while, is that there are some evil things on the internet,” he said. “Children have too easy access to pornography in this country online … I think a lot of parents are oblivious.”

    According to Shorten, the average age that “little Australian boys” are exposed to porn online is 13. He said simply saying to parents, “Watch what your kid’s eyeballs are on the whole time” is a “tad unrealistic as we’ve created the iPad babysitter”.

    “I think that if Mr Morrison wants to perhaps materialise that general reference to evil, let’s make it harder for our Aussie kids to access pornography online — I’m not making a reflection about adults and pornography, I’m not a censor, I’m not going down that path at all, but children shouldn’t be getting their sex education from hardcore pornography — and it’s something that I know I’m going to take up and I’m sure others will,” the Shadow Minister for Government Services said. “This could be something that Mr Morrison could turn from Sunday service into a seven days a week campaign.”

    Shorten pointed to work underway by the eSafety Commissioner Julie Inman Grant as helping thwart this “evil”.

    The House of Representatives Standing Committee on Social Policy and Legal Affairs closed its inquiry into age verification for online wagering and online pornography last year, tabling a report [PDF] in February 2020.

    Making a total of six recommendations, the committee asked the Digital Transformation Agency (DTA), in consultation with the Australian Cyber Security Centre, to develop standards for online age verification for age-restricted products and services. It said these standards should specify minimum requirements for privacy, safety, security, data handling, usability, accessibility, and auditing of age-verification providers. It further asked that the DTA extend its Digital Identity program to include an age-verification exchange for the purpose of third-party online age verification.

    This was despite the eSafety Commissioner saying on many occasions that there are no “out of the box technology solutions” that will solve this issue, and that in her opinion age verification should not be seen as a panacea.

    The government is yet to provide a response to the report.


    Ombudsman finds unlawful metadata access by ACT cops on 1,704 occasions

    The Commonwealth Ombudsman has confirmed that of the 1,713 individual accesses to location-based services (LBS) by ACT Policing between 13 October 2015 and 3 January 2020, only nine were fully compliant with the Telecommunications (Interception and Access) Act 1979 (TIA Act).

    In January 2020, the Australian Federal Police (AFP) identified compliance issues involving record-keeping, authorisation processes, and reporting of telecommunication requests relating to location-based services under Section 180(2) of the TIA Act, dating back as far as 2007. Ombudsman Michael Manthorpe was engaged the following March.

    In particular, the Ombudsman’s investigation focussed on access to, and use of, one type of telecommunications data — LBS or “pings”.

    “While initial advice provided by the AFP to my Office was that the LBS obtained by ACT Policing was only used to locate someone to arrest them, we were unable to rule out the possibility that unlawfully obtained evidence, the LBS, may have been used for prosecutorial purposes,” the report [PDF] said. “Secondly, the privacy of individuals may have been breached.”

    Common compliance issues the Ombudsman identified in its assessment of the 1,713 instances include:

    • Location accessed on an incorrect number
    • LBS accessed after an authorisation expired
    • Additional LBS accessed that was not authorised
    • No time specified on an authorisation
    • Authorisations that were not signed

    Providing examples of where ACT Policing operated incorrectly, the report said there were instances where the LBS was unsuccessful, such as when a phone was switched off or was not subscribed to the relevant provider, and thus was determined as not requiring an authorisation. “We cannot be confident that the AFP’s available records of authorisations made reflect all accesses to LBS,” the report said.

    The Ombudsman said he could not be satisfied that the scope of the breaches has been fully identified by the AFP, nor the potential consequences, and considers it possible that breaches have occurred in parts of the AFP other than ACT Policing.

    “The AFP and ACT Policing missed a number of opportunities to identify and address that ACT Policing was accessing LBS outside the AFP’s approved process earlier,” the report declared. “The internal procedures at ACT Policing and a cavalier approach to exercising the powers resulted in a culture that did not promote compliance with the TIA Act. This contributed to the non-compliance identified in this report.”

    ACT Policing in July 2019 confessed it found 3,249 extra times it accessed metadata without proper authorisation during 2015, on top of the 116 requests it disclosed earlier that year. The Ombudsman is concerned this means: the access was not reported to the Minister for Home Affairs and the records were not provided to the Ombudsman’s office to be considered for inspection; and that the risk of non-compliance with legislative requirements under the TIA Act was higher as the access occurred outside established processes approved by the AFP.

    “I want the community to be assured that we have changed our approach to requesting and approving access to mobile device locations, which my officers are implementing daily,” ACT Chief Police Officer Neil Gaughan said on Wednesday. He also said all location requests on mobile devices are now centralised through the AFP Covert Analysis and Assurance business area.

    The Ombudsman made a total of eight recommendations, all agreed to by ACT Policing. The first asks the AFP to ascertain whether other areas of the force have accessed LBS and determine the actual number of requests made for LBS, covering the period from 13 October 2015 to 31 January 2020. Manthorpe also asks the AFP to develop consistent processes and ensure training is thoroughly conducted, in particular that privacy intrusion is justified and proportionate. Another recommendation suggests the AFP seek legal advice on any implications arising from accessing prospective telecommunications data that has not been properly authorised.


    COVID-19, WFH prompts spike in cyberattacks against banks, insurers

    The coronavirus pandemic and working from home (WFH) requirements are causing a “significant” spike in attacks against financial entities, new research suggests. 

    On Wednesday, BAE Systems Applied Intelligence released the COVID Crime Index 2021 report, which examined how the remote working model is impacting the banking and insurance industries. As the pandemic continues to have a widespread impact, the rapid transition to WFH models — in some areas — is being loosened, but many organizations are choosing to either continue allowing staff to work remotely or are adopting hybrid working practices. HSBC and JP Morgan, for example, will allow thousands of their employees to stay home for the foreseeable future.

    There are ramifications to WFH trends when it comes to staff satisfaction and productivity. A recent study found that 31% of employees believe they work better from home, but distractions, home life, and existing commitments were cited as issues when it comes to working effectively.

    Security, too, has proven to be a challenge. According to BAE Systems’ report, 74% of banks and insurers have experienced a rise in cyberattacks since the start of the pandemic, and “criminal activity” detected by financial entities has risen by close to a third (29%). The research is based on two surveys conducted with 902 organizations in financial services and fieldwork in both the US and UK markets, taking place over March 2021.

    The increased threats detected by IT teams are as follows:

    • Increase in botnet attacks: 35%
    • Increase in ransomware: 35%
    • Increase in phishing attacks: 35%
    • Mobile malware: 32%
    • COVID-related malware: 30%
    • Insider threats: 29%

    The report also reveals that 42% of banks and insurers believe the working from home model has made their organizations “less secure” and 44% say remote models have led to visibility problems across existing networks.

    The pandemic has prompted many companies to cut costs whenever they can, and when it comes to cybersecurity, average risk, anti-fraud, and cybersecurity budgets have been slashed by 26% — leading to 37% of organizations believing their customers are now at a greater risk of cybercrime and fraud. Financial losses, perhaps unsurprisingly, are increasing. According to the report, 56% of UK and US banks have experienced such losses, with an average cost of online criminal activity alone reaching $720,000 over the course of the pandemic.

    In a secondary study, BAE Systems focused on the pandemic’s cybersecurity ramifications for consumers. In the past year, 28% said they had been sent at least one COVID-19-themed phishing email, 22% received scams over SMS, and overall, at least a fifth of consumers have been targeted over 2020 – 2021.


    Australian government's major IT shops to help others with cybersecurity

    Stuart Robert during Question Time in the House of Representatives at Parliament House in March 2021
    Image: Getty Images
    The federal government might be finally letting go of its “every agency for itself when it comes to cybersecurity” mantra, signalling on Wednesday its intention to have Canberra’s bigger agencies provide support to others.

    “We know that certain agencies cannot compete for skills and resources in the marketplace and we must develop alternative ways for meeting their needs,” Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said.

    The former Minister for Government Services revealed the government is looking to establish three “Cyber Hub” pilots that will see departments such as Defence, Home Affairs, and Services Australia provide cyber services for “those agencies that cannot match their breadth and depth of skills”.

    “We can see a future where such hub models may be established for other types of scalable services, not just cybersecurity,” he said. “This may include broader ICT functions — such as secure email, or corporate services — such as finance or HR.”

    The decisions will be informed by the Whole of Government Architecture and the Digital Review, which are both projects underway by the Digital Transformation Agency (DTA). The DTA, now back under the Department of Prime Minister and Cabinet and with the revised mandate to be responsible for “Whole of Government ICT governance, strategy, policy, architecture, processes, and procedures”, is going to provide Robert with a “complete picture of what we have, what we need, what we must invest in and by when” as part of the creation of the Whole of Government Architecture.

    “I have tasked the DTA with developing a Whole of Government Architecture that will map out all the strategic capabilities that we require as a government, including existing assets and any gaps we need to address,” he said.

    “The Architecture will also account for the age and complexity of existing systems and allow us to start managing the lifecycle of projects.”

    Similarly, the DTA is conducting a Digital Review, which Robert touted as giving the government a clear picture of the capabilities of agencies, such as what levels of skill exist, at what levels of maturity, and how different agencies are currently performing in the delivery of their roles.

    “Once completed in the period ahead, we will have the ability to bring together the system view of the Whole of Government Architecture and the agency capacity view of the Digital Review, to understand how we start planning the future at enterprise scale across whole of government or whole of nation,” Robert believes.

    Meanwhile, the “Integrated Investment Approach”, he said, will enable the government to make the right investment decisions. “Right now, digital and ICT investment can be a bit like the hunger games, where government often finds itself with investment proposals that are presented as urgent or critical, but with limited opportunity to consider the broader strategic context of those proposals,” he said.

    Robert also took the opportunity to highlight his vision for myGov, the federal government’s online portal for accessing government services. “Our long-term vision for myGov is to ensure it evolves to become a world leading single national digital platform that delivers simple, helpful, respectful, and transparent services that meet the needs and expectations of all Australians,” he said, paying homage to the pipedream he delivered to the National Press Club in July. “We will progressively provide new functionality, delivering personalised information and services as we strive for an ever more integrated and improved customer experience. We’re building the future front door for government — openly and transparently.”

    In March last year, myGov crashed when many Australians tried to determine if they qualified for support from the country’s Centrelink scheme. Robert was quick to claim the portal suffered a distributed denial of service (DDoS) attack while simultaneously blaming the outage on legitimate traffic that pushed past the 55,000 concurrent users limit set by government.

    The tech-savvy minister also took the opportunity to highlight his “big, hairy, audacious goals” — or “B-HAGs” as his speech writers declared. “Government, especially the federal government, delivers an enormous amount for Australians, but a lot of it is under the hood and a lot of it is tech based,” Robert said. “And it is not at all ‘sexy’. Me and my colleagues’ job is to not make government ‘sexy’, but to make government services simple, helpful, respectful, and transparent.”

    Robert touched on the Digital Transformation Strategy, which has the goal of making all government services available digitally by 2025. He said that “significant progress both in delivery, as well as our capability and maturity” has been made as the halfway mark approaches.


    FireEye Q1 revenue, EPS top expectations, forecast higher, shares rise

    Cloud cyber-security pioneer FireEye this afternoon reported Q1 revenue and profit that topped analysts’ expectations, and an outlook for this quarter, and the full year, higher as well. The company’s annualized recurring revenue rose 9%, year over year, to $643 million. The report sent FireEye shares up 2% in late trading.

    CEO Kevin Mandia noted that growth in the quarter was “led by our Platform, Cloud Subscription and Managed Services category, which increased 26% year over year, and our Professional Services category, which increased 25% year over year.” Mandiant’s ARR from its Platform, cloud and subscriptions, combined, rose 22%, year over year, to $352 million, it said. Mandia noted that the company added new modules to its suite, to take advantage of “expertise and intelligence”: “Mandiant Automated Defense, which adds a powerful, multi-vendor XDR capability, and Mandiant Security Validation, which enables customers to manage, measure, and report on cyber security risk within their organization.”

    Revenue in the three months ended in March rose 10%, year over year, to $246 million, yielding a net profit of 8 cents a share, excluding some costs.

    Analysts had been modeling $237 million and 6 cents per share.

    For the current quarter, the company sees revenue of $246 million to $250 million, and EPS in a range of 8 cents to 9 cents, excluding some costs. That compares to consensus for $244 million and an 8-cent profit per share.

    For the full year, the company sees revenue in a range of $1.01 billion to $1.03 billion, and EPS of 39 cents to 41 cents. That compares to consensus of $1 billion and a 36-cent profit per share.



    University of Minnesota responds to Linux security patch requests

    If you’re just catching up on this story, here’s the quick recap: University of Minnesota researchers deliberately submitted patches that would have introduced use-after-free (UAF) vulnerabilities into the Linux kernel. When it appeared they were trying once more to put garbage patches into the kernel, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, banned UMN developers from submitting to the kernel and pulled existing suspicious UMN patches. The Linux Foundation followed up with a list of requests for the UMN to comply with if they wanted to work with the Linux kernel again. Now, ZDNet has obtained a copy of UMN’s response to the Linux community.


    According to Mats Heimdahl, UMN Professor and Department Head of the Department of Computer Science and Engineering, the school appreciates the Linux Foundation’s requests; they look forward to reaching “a mutually satisfactory resolution” and believe that re-engaging with each other “is the way to go.” Specifically, Heimdahl continued:

    “We currently are considering your requests, and are moving as quickly as we can to produce a substantive response that addresses them. In particular, the research group is preparing a letter to the Linux community and we are currently attempting to secure consent to release all information about the code submissions from the group. Once we have had an opportunity to look into the remaining issues, we would appreciate the opportunity to meet with you to discuss and move forward.”

    This is in response to the top request from Mike Dolan, the Linux Foundation’s senior VP and general manager of projects:

    “Please provide to the public, in an expedited manner, all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment. The information should include the name of each targeted software, the commit information, purported name of the proposer, email address, date/time, subject, and/or code so that all software developers can quickly identify such proposals and potentially take remedial action for such experiments.”

    Finding the questionable code and associated documentation is difficult. The UMN researchers did a poor job of tracking their own research. As senior Linux kernel developer Al Viro commented: “The lack of data is a part of what’s blowing the whole thing out of proportion — if they bothered to attach the list (or link to such) of SHA1 of commits that had come out of their experiment, or, better yet, maintained and provided the list of message-ids of all submissions, successful and not, this mess with blanket revert requests, etc. would’ve been far smaller (if happened at all).”

    Dolan also asked on behalf of the Linux developer community that the paper coming from this research, “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits,” be withdrawn because the researchers, Qiushi Wu and Aditya Pakki, and their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department, experimented on Linux kernel maintainers without their permission. Therefore, the request was to withdraw “from formal publication and formal presentation all research work based on this or similar research where people appear to have been experimented on without their prior consent. Leaving archival information posted on the Internet is fine, as they are mostly already public, but there should be no research credit for such works.”

    While Heimdahl didn’t address this point, the paper has been withdrawn. In a public note, Wu and Lu, but not Pakki, wrote: “We wish to withdraw our paper ‘On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits’ from publication in the 42nd IEEE Symposium on Security and Privacy.” The paper had already been accepted by this top-tier conference.

    They’re withdrawing it for two reasons:

    “First, we made a mistake by not engaging in collaboration with the Linux kernel community before conducting our study. We now understand that it was inappropriate and hurtful to the community to make it a subject of our research and to waste its effort reviewing these patches without its knowledge or permission. Instead, we now realize that the appropriate way to do this sort of work is to engage with community leaders beforehand so that they are aware of the work, approve its goals and methods, and can support the methods and results once the work is completed and published. Therefore, we are withdrawing the paper so that we do not benefit from an improperly conducted study.

    “Second, given the flaws in our methods, we do not want this paper to stand as a model for how research can be done in this community. On the contrary, we hope this episode will be a learning moment for our community, and that the resulting discussion and recommendations can serve as a guide for proper research in the future. Therefore, we are withdrawing the paper to prevent our misguided research method from being seen as a model for how to conduct studies in the future. We sincerely apologize for any harm our research group did to the Linux kernel community, to the reputation of the IEEE Symposium on Security and Privacy, our Department and University, and our community as a whole.”

    Between Heimdahl’s note and this public letter, it appears that the UMN has acceded to the Linux Foundation’s main requests. There are still fine details to be worked out, but it now appears that the UMN, the Linux Foundation, and the Linux kernel developer community should be able to quickly come to peace with each other. That done, the UMN can get back to doing research and the maintainers can return to doing their real work of improving the kernel rather than chasing down potentially bogus patches.