Information Technology

The Internet Systems Consortium (ISC) has released an advisory outlining a trio of vulnerabilities that could impact the safety of DNS systems. 

This week, the organization said the vulnerabilities impact ISC Berkeley Internet Name Domain (BIND) 9, widely used as a DNS system and maintained as an open source project.The first vulnerability is tracked as CVE-2021-25216 and has been issued a CVSS severity score of 8.1 (32-bit) or 7.4 (64-bit). Threat actors can remotely trigger the flaw by performing a buffer overflow attack against BIND’s GSSAPI security policy negotiation mechanism for the GSS-TSIG protocol, potentially leading to wider exploits including crashes and remote code execution. However, under configurations using default BIND settings, vulnerable code paths are not exposed — unless a server’s values (tkey-gssapi-keytab/tkey-gssapi-credential) are set otherwise.  “Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers,” the advisory reads. “For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built.” The second security flaw, CVE-2021-25215, has earned a CVSS score of 7.5. CVE-2021-25215 is a remotely-exploitable flaw found in the way DNAME records are processed and may cause process crashes due to failed assertions.  The least dangerous bug, tracked as CVE-2021-25214, has been issued a CVSS score of 6.5. This issue was found in incremental zone transfers (IXFR) and if a named server receives a malformed IXFR, this causes the named process to crash due to a failed assertion.

The ISC is not aware of any active exploits for any of the bugs.   Vulnerabilities in BIND are treated seriously as it can take just one bug, successfully exploited, to cause widespread disruption to services. “Most of the vulnerabilities discovered in BIND 9 are ways to trigger INSIST or ASSERT failures, which cause BIND to exit,” the ISC says. “When an external user can reliably cause the BIND process to exit, that is a very effective denial of service (DoS) attack. Nanny scripts can restart BIND 9, but in some cases, it may take hours to reload, and the server is vulnerable to being shut down again.” Subscribers are notified of security flaws ahead of public disclosure, and if patches have not been applied for the latest trio of vulnerabilities, fixes should be issued as quickly as possible.  BIND 9.11.31, 9.16.15, and 9.17.12 all contain patches and the appropriate update should be applied.  CISA has also issued an alert on the security issues.  In other security news this week, Microsoft has disclosed bad memory allocation operations in code used in Internet of Things (IoT) and industrial technologies, with a range of vulnerabilities classified under the name “BadAlloc”. Microsoft is working with the US Department of Homeland Security (DHS) to alert impacted vendors.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Australia’s eSafety Commissioner is set to receive sweeping new powers like the ability to order the removal of material that seriously harms adults, with the looming passage of the Online Safety Act. Tech firms, as well as experts and civil liberties groups, have taken issue with the Act, such as with its rushed nature, the harm it can cause to the adult industry, and the overbearing powers it affords to eSafety, as some examples. Current eSafety Commissioner Julie Inman Grant has even previously admitted that details of how the measures legislated in the Online Safety Bill 2021 would be overseen are still being worked out.The Bill contains six priority areas, including an adult cyber abuse scheme to remove material that seriously harms adults; an image-based abuse scheme to remove intimate images that have been shared without consent; Basic Online Safety Expectations (BOSE) for the eSafety Commissioner to hold services accountable; and an online content scheme for the removal of “harmful” material through take-down powers.Appearing before the Parliamentary Joint Committee on Intelligence and Security as part of its inquiry into extremist movements and radicalism in Australia, Inman Grant said while the threshold is quite high in the new powers around take-down requests, it will give her agency a fair amount of leeway to look at intersectional factors, such as the intent behind the post. “I think that the language is deliberately — it’s constrained in a way to give us some latitude … we have to look at the messenger, we have to look at the message, and we have to look at the target,” she said on Thursday.The Act also will not apply to groups of people, rather simply individuals. The commissioner guessed this was due to striking a balance on freedom of expression.”To give us a broader set of powers to target a group or target in mass, I think would probably raise a lot more questions about human rights,” she said.

She said it’s a case of “writing the playbook” as it unfolds, given there’s no similar law internationally to help guide the Act. Inman Grant said she has tried to set expectations that she isn’t about to conduct “large scale rapid fire”.”Because every single removal notice or remedial action that we take is going to have to stand up in a court of law, it’s going to have to withstand scrutiny from the AAT, from the Ombudsman, and others,” she said. “So the threshold is high, it’s really probably going to target the worst of the worst in terms of targeted online abuse.”Of concern to the commissioner is that social media platforms have vast access to all sorts of signals that are happening on their platforms, yet they often step in when it’s too late.”I think what we saw with the Capitol Hill siege is it wasn’t really until the 11th hour that they consistently enforced their own policies,” she said. “So I think we’ve seen a real selective application of enforcement of some of these policies and we need to see more consistency.”AVOIDING WHACK-A-MOLEShe believes the BOSE will go some way to fixing that. Without setting these expectations, Inman Grant said she would be trying to energise her team to “play a big game of whack-a-mole”.On finding the same perpetrators using the same modus operandi to target others, Inman Grant said it’s a prime example of where safety by design is so important. “You’re building the digital roads, where are your guard rails, where are your embedded seatbelts, and what are you doing to pick up the signals?,” she said. “I don’t care what it is, whether you’re using natural language processing to look at common language that might be used or IP addresses, there are a range of signals that they can — they should be treating this like an arms race, they should be playing the game of whack-a-mole, rather than victims and the regulators.”The safety by design initiative kicked off in 2018 with the major platforms. Currently, eSafety is engaged with about 180 different technology companies and activists through the initiative.Inman Grant called it a “cultural change issue”, that is, tweaking the industry-wide ethos that moving fast and breaking things gets results.”How do we stop breaking us all?,” she questioned. “Because you’re so quick to get out the next feature, the next product, that you’re not assessing risk upfront and building safety protections at the front end. “I mean, how many times do we have to see a tech wreck moment when companies — even a startup company — should know better.”The solution, she said, isn’t the government prescribing technology fixes, rather a duty of care should be reinforced when companies aren’t doing the right thing, such as through initiatives like safety by design. Inman Grant said the BOSE will, to a certain degree, force a level of transparency.”We’re holding them to account for abuse that’s happening on their platforms, we’re serving as a safety net, when things fall through the cracks, and we’re telling them to take it down,” she said. “Platforms are the intermediaries … the platforms [are] allowing this to happen, but we are fundamentally talking about human behaviour, human malfeasance, criminal acts online targeting people.”Inman Grant said eSafety is currently working with the venture capital and investor community, “because they’re often the adults in the room” on developing an interactive safety by design assessment tool, one for startups and one for medium-sized and large companies, that should be made public within the next three weeks.LIKE THE REAL WORLD, JUST DIGITAL”It’s only been 50 years since seatbelts have been required in cars and there was a lot of pushback for that. It’s now guided by international standards. We’re talking about standard product liability — you’re not allowed to produce goods that injure people, with food safety standards you’re not allowed to poison people or make them sick — these should not be standards or requirements that technology companies should be shunning,” the commissioner said.”The internet has become an essential utility … they need to live under these rules as well. And if they’re not going to do it voluntarily, then they’re going to have a patchwork of laws and regulations because governments are going to regulate them in varying ways.”Inman Grant said eSafety is engaging with the social media platforms every day, and has garnered an 85% success rate in the removal of non-consensually shared intimate images and videos.”It tends to be what we would call the ‘rogue porn sites’ that are resistant to take down,” Inman Grant said. “And of course, we see a lot of similarities in terms of the hosting services and the kinds of sites that host paedophile networks or pro terrorist or gore content.”She said eSafety saw a spike in terms of all forms of online abuse over the COVID period, but it wasn’t due to the reason many would think.”We often talk about seeing a lot of child sexual abuse on the dark web, but we saw a lot more on the open web and out in the open on places like Twitter, Instagram, and Facebook —  up to 650% in some cases from the from the year prior,” she said.”It wasn’t just that simplistic explanation that more kids were online unsupervised [and there were more] predators targeting them, that certainly did happen, but really what was happening is a lot of the companies have outsourced their content moderation services to third parties, and many of these are in the Philippines and Romania, in developing countries where these workers were sent home and couldn’t look at the content.”She said with the content moderation workforce unable to view the content and the preponderance of more people online, created a “perfect storm”. “You saw some of the companies using more AI and analytic tools, but they’re still really very imperfect. And almost all of the platforms that do use AI tools always use a portion of human moderation because it’s just not up to par.”RELATED COVERAGE More

Image: Getty Images
The Australian Federal Police (AFP) on Thursday revealed executing a search warrant at a premises in Wollongong, New South Wales, regarding an alleged fraudulent technical support business.The AFP said the search warrant was executed following an investigation under Operation Rayko, which was focused on an Australian business that purports to offer genuine Microsoft technology support to Australian customers.It alleged the business instead linked Australian victims to offshore scammers who would request remote access to their computers.”Once the scammers had access to the computer, they would convince their victims to purchase new software to fix genuine computer issues,” AFP said. “That software was outdated and sold at an inflated price.”AFP said while remotely accessing a victim’s computer, the scammers deactivated antivirus software and other protection programs, and conducted further unauthorised remote access.The company in question, AFP said, has a professional website, an Australian 1800 business number, and uses Microsoft logos to give its operations an air of legitimacy.The AFP said it worked closely with Microsoft to gather information about the products being sold and offshore entities linked to the Australian business.

During the search, AFP investigators seized documents and electronic devices, which will be subject to analysis by AFP Cybercrime Operations. The investigation is ongoing and the AFP is not ruling out charges as a result of the search warrant activity, it said.”Police are assessing evidence seized and will continue to work with Microsoft and IDCARE to determine how many Australian customers may have been affected by these types of scams,” the AFP said.AFP Commander Goldsmid took the opportunity to caution people to only download software from the Microsoft store or official Microsoft partner websites. He said the public needs to be aware of the risks associated with unlicensed businesses and carefully vet who they allow to access their computers.”Be wary of downloading software from third-party sites, as some of them might be outdated or may have been modified to include malware and other threats,” he said.”In this instance the offending involved charging victims for products they didn’t need, and products the business was not authorised to sell. However, the consequences can be much worse — allowing scammers access to your computer may put you at risk of malware, computer viruses, or even the theft of your identification details and sensitive personal information via remote access that can occur without your knowledge.”Goldsmid said it’s an important reminder of how scams have evolved.”They’re not as obvious as an email from a Nigerian prince anymore,” he added. “Modern-day scammers are very technologically savvy and they will exploit victims’ trust in respected institutions to gain a profit.”MORE FROM THE AFP More

Singapore and Thailand have inked a bilateral agreement that enables users in both nations to transfer funds using the recipient’s mobile number. The pact taps the respective country’s peer-to-peer payment systems and is part of a regional payment initiative to ease cross-border payments. The new partnership helped establish connectivity between Singapore’s PayNow and Thailand’s PromptPay platforms, to enable fund transfers of up to SG$1,000 ($753.4) or THB25,000 ($793.96) using mobile numbers. Touted as the first of its kind globally, the deal was the result of “years of extensive collaboration” between the two countries’ central banks, according to a joint statement released by the Monetary Authority of Singapore (MAS) and Bank of Thailand (BOT).

Global pandemic opening up can of security worms

Caught by the sudden onslaught of COVID-19, most businesses lacked or had inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secured user devices.

Read More

Customers of participating banks in both countries would not be required to provide information such as the recipient’s full name or bank account, needing only a mobile number to facilitate the cross-border payment. The service would work in the same way PayNow and PromptPay transfers were carried out, with senders tapping their mobile banking or payment apps to make peer-to-peer fund transfers. Such transactions typically are completed within minutes, rather than an average of one to two working days for the usual cross-border remittance services. Banks participating on both platforms had pledged to set their fees against market rates, according to MAS and BOT. “The fees will be affordably priced and transparently displayed to senders prior to confirming their transfers,” they said. “Senders will also be able to view the applicable foreign exchange charges prior to sending their funds, with these rates benchmarked closely to prevailing market rates.”The connectivity between PayNow and PromptPay was part of efforts initiated under Asean Payment Connectivity, which was set up in 2019 to drive faster, cheaper, and more transparent cross-border payment pacts. The new Singapore-Thailand digital payment deal would continue to expand to include more participants and offer bigger transfer limits to facilitate business transactions, both countries said.

BOT’s governor Sethaput Suthiwartnarueput noted that PromptPay also supported QR-enabled cross-border payments with Japan, Lao PDR, Cambodia, and Vietnam. “Today’s PayNow-PromptPay linkage…will effectively address customers’ long-standing pain points in the area of cross-border transfers and remittances, including long transaction times and high costs,” Suthiwartnarueput said.MAS’ managing director Ravi Menon added: “[The partnership] shows that existing payments infrastructure and the banking system have the potential to provide seamless cross-border payment options to retail customers.”MAS’ shared objective with BOT is to work with our Asean counterparts to expand this bilateral linkage into a network of linked retail payment systems across Asean. With the rise of the digital economy, we want to empower individuals and businesses in the region with simple, swift, and secure cross-border payments through just a few clicks on their mobile phones,” Menon said.RELATED COVERAGE More

The security research group for Azure Defender for IoT, dubbed Section 52, has found a batch of bad memory allocation operations in code used in Internet of Things and operational technology (OT) such as industrial control systems that could lead to malicious code execution. Given the trendy vulnerability name of BadAlloc, the vulnerabilities are related to not properly validating input, which leads to heap overflows, and can eventually end at code execution. “All of these vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more,” the research team wrote in a blog post. The use of these functions gets problematic when passed external input that can cause an integer overflow or wraparound as values to the functions. “The concept is as follows: When sending this value, the returned outcome is a freshly allocated memory buffer,” the team said. “While the size of the allocated memory remains small due to the wraparound, the payload associated with the memory allocation exceeds the actual allocated buffer, resulting in a heap overflow. This heap overflow enables an attacker to execute malicious code on the target device.” Microsoft said it worked with the US Department of Homeland Security to alert the impacted vendors and patch the vulnerabilities.

The list of affected products in the advisory includes devices from Google Cloud, Arm, Amazon, Red Hat, Texas Instruments, and Samsung Tizen. CVSS v3 scores range from 3.2 in the case of Tizen to 9.8 for Red Hat newlib prior to version 4. As with most vulnerabilities, Microsoft’s primary piece of advice is to patch the affected products, but with the possibility of industrial equipment being hard to update, Redmond suggests disconnecting devices from the internet if possible or putting them behind a VPN with 2FA authentication, have a form of network security and monitoring to detect behavioural indicators of compromise, and use network segmentation to protect critical assets. “Network segmentation is important for zero trust because it limits the attacker’s ability to move laterally and compromise your crown jewel assets, after the initial intrusion,” the team wrote. “In particular, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.” Related Coverage More

The Department of Home Affairs has a dedicated team to find content on social media sites that promotes hate, incites violence, or points to terrorist propaganda. The team then works with social media platforms to have that content removed.In the 12 months to 31 March 2021, 1,559 pieces of terrorist and violent extremist content were referred. 95% of that, or 1,486 items, were in the religiously motivated violent extremism space. 3%, or 51 pieces of content, were defined as being ideologically motivated violent extremist material. The remaining 2% was not defined. The team has a budget of around AU$3 million.Appearing before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) as part of its inquiry into extremist movements and radicalism in Australia, Dr Richard Johnson, first assistant secretary of Home Affairs’ Social Cohesion team, said this isn’t necessarily reflective of the amount of content that’s out there, as the platforms themselves engage in their own takedown procedures.But there are some platforms that don’t have a referral function, which Johnson said points usually to the nature of those particular sites. While the Home Affairs team deals with the more mainstream platforms — such as Facebook and Instagram and Twitter — it also engages the likes of Telegram and 4chan.”We have referred material before, whether we’re successful very much depends on the nature of the platform, how they’re operating in a particular jurisdiction, and also the ethos of the particular platform,” he clarified.

Senators were concerned the 1,559 figure was at odds with other statistics they have seen.See also: Facebook tightens screws on QAnon and US militia groups”Firstly, platforms themselves do a lot of work in the first instance, to remove such materials. Not all platforms do. Secondly, we work in the open source … space. So we’re not seeing everything that’s on the internet — we’re not working in encrypted chat rooms, etc,” he said. “Thirdly … some of the material falls short of the thresholds in the first instance. Some of the platforms that host some of the material just don’t have a referral function. So part of their raison d’etre, so to speak, is to host such content.”Johnson said violent extremist material in particular is what the team is looking for, but it also tracks down the likes of manifestos or content that advocates or instructs on how to commit a terrorist offence.”The online team is principally about understanding the narrative focal points … it’s certainly not tracking individuals in that sense,” Johnson said, responding to questioning on whether an individual displaying symbolism, such as a radical flag, on their own personal Facebook page.That work, he said, falls more in the hands of the teams that work with community leaders, as one example, in prevention activities and material that is counter to extreme ideological perspectives individuals might be exposed to.One such program run on behalf of the Department of Home Affairs by Icon Agency is Rapt!. Rapt!, its website says, celebrates the many ways Muslim Australians contribute to society and its culture, by sharing stories and reflecting on different beliefs and opinions. With a presence already on Facebook and Instagram, as well as the web, Johnson said a YouTube channel will launch soon.Johnson was asked by Shadow Minister for Home Affairs Kristina Keneally in her capacity as a PJCIS member how the department is helping people understand, for example, what “shitposting” is.”We’ve run a couple of digi-engage forums for young people to specifically take them through what they’re seeing on the internet, what some of the tropes are … there’s ironic nodes that some of these groups use, for example, how to see it, to recognise it, and even to engage with it in an attempt to challenge it, if that’s appropriate,” Johnson said. “So we’ve got a capability set of work that we do precisely for that on the online environment.”With Department of Foreign Affairs and Trade counter terrorism ambassador Roger Noble pointing to the “dark web” as making violent and extremist material more accessible in his testimony earlier in the day, Home Affairs was asked what legislation would help law enforcement activities in the space.Must read: Intelligence review recommends new electronic surveillance Act for AustraliaChris Teal, Home Affairs deputy secretary of social cohesion and citizenship and also the counter-terrorism and counter foreign interference coordinator, told Senators the Counter-Terrorism Legislation Amendment (High Risk Terrorist Offenders) Bill 2020 is of need, as is the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 and the Telecommunications Legislation Amendment (International Production Orders) Bill 2020.”One of the flow-ons from Dr Johnson’s evidence is that a lot of this is occurring out of sight, on the dark web … one of the reasons I would contend that the numbers are as they are in relation to takedowns is because we’re on what I think is known as the surface web and apparently there’s a bad thing underneath it,” he said. “I think that the numbers that we’ve been talking about is not demonstrative of what’s out there. It’s demonstrative of what we can see.””The International Production Orders legislation currently before the Parliamentary Joint Committee will create a step change in the way in which Australia can request information directly from US companies and the evidence that Dr Johnson outlined about some of the companies that we work with … this will short circuit what is a very long process in mutual recognition and mutual exchange of information processes,” explained first assistant secretary of Home Affairs’ Cyber, Digital and Technology Policy team, Hamish Hansford.”The committee will consider that our marching orders on that legislation,” PJCIS chair Senator James Paterson declared.Appearing earlier in the day before the PCJIS, Australian Security Intelligence Organisation (ASIO) Director-General of Security Mike Burgess said the security legislation before Parliament would certainly help law enforcement, but said ASIO was content with the powers it is awarded under the Telecommunications and other Legislation Amendment (Assistance & Access) Act 2018 (TOLA Act).”With TOLA, our investments in our capability to deal with this evolving — I’m satisfied at this point in time, we have the right legal mechanisms in place for my agency, noting my federal police colleagues have other needs that they’re prosecuting the case for now,” Burgess said.RELATED COVERAGE More

A popular online resource for paleo recipes and tips was the source of a data leak impacting roughly 70,000 users. 

On Thursday, researchers from vpnMentor revealed a misconfigured Amazon AWS S3 bucket as the central point of the data breach, in which the account was used to store the private data and records of users. Los Angeles-based Paleohacks runs a website containing recipes, meal plans, and articles on the paleolithic lifestyle, including downloadable guides, a forum, and an e-commerce store.  The team, led by Noam Rotem, said that there was a failure to implement “basic data security protocols” on the S3 bucket, and such misconfiguration means that there were no access limits to the public.  The bucket contained roughly 6,000 files containing the records of approximately 69,000 users. According to the researchers, the content spanned from 2015 and 2020 and included personally identifiable information (PII) including full names, email addresses, IP addresses, login timestamps, locations, dates of birth, bios, and profile pictures.  While passwords were hashed, vpnMentor said that some entries also contained password reset tokens for subscription and membership services. These tokens were protected via the BCRYPT hashing algorithm but it could still be possible to abuse the tokens to hijack user accounts.  The unsecured bucket was discovered on February 4. VpnMentor attempted to contact the vendor on February 7, 9, and March 17; however, there was no response. As a result, the team reached out to Amazon as a last resort and the AWS S3 bucket was then secured. 

It is not known if any unauthorized individuals accessed the bucket before it was secured against intrusion.  “Our team was able to access Paleohacks’ S3 bucket because it was completely unsecured and unencrypted,” the company says. “If you’re a customer of Paleohacks and are concerned about how this breach might impact you, contact the company directly to determine what steps it’s taking to protect your data.” Paleohacks has not responded to requests for comment at the time of publication.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018.

Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file. At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded — two in 2018, one in 2020, and another in 2021.    Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication.  At present, the team says that they do not know the malware’s “true purpose” beyond a focus on compromising Linux systems. There are 12 functions in total including exfiltrating and stealing data, file and plugin management — including query/download/delete — and reporting device information. 

However, the team cites a “lack of visibility” into the plugins that is preventing a more thorough examination of the malware’s overall capabilities.  Netlab described the backdoor’s functions and encryption, as below: “At the coding level, RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis. At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2.” In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.  For example, when running under a root account, a new process may be created to automatically respawn configuration files, whereas in a non-root scenario, two separate processes are created to monitor and, if necessary, restore each other.  Netlab has also suggested links to the Torii botnet due to some coding similarities in commands and traffic management.  At the time of writing, six out of 61 VT engines now detect the backdoor’s files as malicious. Further analysis can be found at Intezer.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More