Category Archives: Security

Apple’s OSX 12.4 Full of 73 Important Hidden Security Fixes

Already I’m seeing social media channels fill up with Apple users whining about the 2GB or larger download required for OSX 12.4.

Why should I download this if there are no major changes?

Deployment model plans aside — proprietary lightning connectors are nearly dinosaur speed versus modern USB-C so Apple arguably put themselves in this corner — let’s talk about what Apple doesn’t seem to highlight in its official release notes: data safety (CRITICALITY OF FIXES).

  1. CVE-2022-26772 memory corruption to execute arbitrary code with kernel privileges
  2. CVE-2022-26741 buffer overflow to execute arbitrary code with kernel privileges
  3. CVE-2022-26742 buffer overflow to execute arbitrary code with kernel privileges
  4. CVE-2022-26749 buffer overflow to execute arbitrary code with kernel privileges
  5. CVE-2022-26750 buffer overflow to execute arbitrary code with kernel privileges
  6. CVE-2022-26752 buffer overflow to execute arbitrary code with kernel privileges
  7. CVE-2022-26753 buffer overflow to execute arbitrary code with kernel privileges
  8. CVE-2022-26754 buffer overflow to execute arbitrary code with kernel privileges
  9. CVE-2021-44224 “multiple issues”
  10. CVE-2021-44790 “multiple issues”
  11. CVE-2021-44719 “multiple issues”
  12. CVE-2022-22720 “multiple issues”
  13. CVE-2022-22721 “multiple issues”
  14. CVE-2022-26697 out-of-bounds read for unexpected application termination or disclosure of process memory
  15. CVE-2022-26698 out-of-bounds read for unexpected application termination or disclosure of process memory
  16. CVE-2022-26736 out-of-bounds write to execute arbitrary code with kernel privileges
  17. CVE-2022-26737 out-of-bounds write to execute arbitrary code with kernel privileges
  18. CVE-2022-26738 out-of-bounds write to execute arbitrary code with kernel privileges
  19. CVE-2022-26739 out-of-bounds write to execute arbitrary code with kernel privileges
  20. CVE-2022-26740 out-of-bounds write to execute arbitrary code with kernel privileges
  21. CVE-2022-26694 inherit app permissions and access user data
  22. CVE-2022-26721 memory initialization to gain root privileges
  23. CVE-2022-26722 memory initialization to gain root privileges
  24. CVE-2022-26763 out-of-bounds access to execute arbitrary code with system privileges
  25. CVE-2022-26711 integer overflow to cause unexpected application termination or arbitrary code execution
  26. CVE-2022-26725 location information may persist after it is removed
  27. CVE-2022-26720 out-of-bounds write to execute arbitrary code with kernel privileges
  28. CVE-2022-26769 memory corruption to execute arbitrary code with kernel privileges
  29. CVE-2022-26770 out-of-bounds read to execute arbitrary code with kernel privileges
  30. CVE-2022-26748 out-of-bounds write for arbitrary code execution
  31. CVE-2022-26756 out-of-bounds to execute arbitrary code with kernel privileges
  32. CVE-2022-26701 race condition to execute arbitrary code with kernel privileges
  33. CVE-2022-26768 memory corruption to execute arbitrary code with kernel privileges
  34. CVE-2022-26743 out-of-bounds write to escalate to kernel privileges
  35. CVE-2022-26714 memory corruption to execute arbitrary code with kernel privileges
  36. CVE-2022-26757 use after free to execute arbitrary code with kernel privileges
  37. CVE-2022-26764 memory corruption to bypass kernel memory mitigations
  38. CVE-2022-26765 race condition to bypass Pointer Authentication
  39. CVE-2022-26706 access issue to circumvent sandbox restrictions
  40. CVE-2022-26767 to bypass Privacy preferences
  41. CVE-2022-26776 cause unexpected application termination or arbitrary code execution
  42. CVE-2022-26708 for unexpected application termination or arbitrary code execution
  43. CVE-2022-26775 integer overflow to cause unexpected application termination or arbitrary code execution
  44. CVE-2022-0778 invalid cert for denial of service
  45. CVE-2022-23308 use after free to cause unexpected application termination or arbitrary code execution
  46. CVE-2022-0778 invalid cert for denial of service
  47. CVE-2022-26712 vulnerable code to modify protected parts of the file system
  48. CVE-2022-26727 bypass entitlements to modify protected parts of the file system
  49. CVE-2022-26693 bypass checks to inherit application permissions and access user data
  50. CVE-2022-26746 vulnerable code to bypass Privacy preferences
  51. CVE-2022-26731 state management logic weakness to track users in Safari private browsing mode
  52. CVE-2022-26766 certificate parsing issue to bypass signature validation
  53. CVE-2022-26715 out-of-bounds write to gain elevated privileges
  54. CVE-2022-26718 out-of-bounds read to gain elevated privileges
  55. CVE-2022-26723 memory corruption for arbitrary code execution
  56. CVE-2022-26728 bypass entitlements to access restricted files
  57. CVE-2022-26704 validation issue to gain elevated privileges
  58. CVE-2022-26726 bypass checks to capture a user’s screen
  59. CVE-2022-26755 lack of sanitization to break out of a sandbox
  60. CVE-2022-26700 memory corruption for code execution
  61. CVE-2022-26709 use after free for arbitrary code execution
  62. CVE-2022-26710 use after free for arbitrary code execution
  63. CVE-2022-26717 use after free for arbitrary code execution
  64. CVE-2022-26716 memory corruption for arbitrary code execution
  65. CVE-2022-26719 memory corruption for arbitrary code execution
  66. CVE-2022-22677 logic issue so call may be interrupted
  67. CVE-2022-26745 memory corruption to disclose restricted memory
  68. CVE-2022-26761 memory corruption to execute arbitrary code with kernel privileges
  69. CVE-2022-26762 memory corruption to execute arbitrary code with system privileges
  70. CVE-2022-0530 bypass file state for denial of service
  71. CVE-2018-25032 memory corruption for unexpected application termination or arbitrary code execution
  72. CVE-2021-45444 arbitrary code execution

Whew! Even with sparse details and placeholder CVE records that’s still 24 mentions of kernel privileges and 2 root level. Can you figure out the one missing from this list?

Did Yahoo’s CISO Wreck Facebook?

There’s a buried lede in Newsweek analysis of the Meta problem with big data security.

“People are talking about Facebook as if it’s about to become the next MySpace or Yahoo,” says Daniel Salmon, an analyst who follows Meta for BMO Capital Markets…

It really begs the question what Facebook was thinking when it hired the inexperienced and unqualified CISO from Yahoo, as I’ve mentioned here many times before.

Yahoo soon after his departure was accused of “egregious misconduct” in record-setting privacy breaches that he had failed to disclose.

And then under his tenure Facebook had even larger record-setting privacy breaches, losing more trust faster than any other technology brand.

“The way it should be everywhere”: Catasauqua Ride-share Anti-racism

Anti-racism is a very real thing. It’s an important aspect of living a healthy life, like exercising regularly and eating healthy. Perhaps most interesting today is whether “driverless” cars (artificial intelligence) will be anti-racist.

Here’s a perfect example reported in The Morning Call, when a ride-share driver asks people to stop treating him like a hero for just doing the right thing.

“I appreciate it, truly,” he wrote. “But this is the way it should be everywhere, every time. I shouldn’t be “the guy” who did it or said it… we should all be that person. Speak up if you’re uncomfortable with [racism] because it makes [racists] uncomfortable, as they should be.”

The ride-share driver was called a “f—- n-lover” and threatened with physical violence after he objected to blatant racism from two passengers trying to hire him in Catasauqua, Pennsylvania, as the Philly Voice recalls.

“Oh, you’re like, a white guy,” the woman said.

“What’s that?” Bode said.

“Are you … are you … a white guy?” the woman replied.

“Excuse me?” Bode answered, shocked by the question.

“You’re like, a normal guy — like, you speak English?” the woman said, then apologized and patted Bode on the shoulder.

“No, you can get out of the car,” Bode said. “I’m going to cancel the ride. That’s inappropriate. It’s completely inappropriate. If somebody was not white sitting in this seat, what would be the difference?”

“Are you serious?” the woman asked.

At that point in the video, Bode began explaining to another man, just outside the car, what had happened and why he was canceling the ride. Bode informed the man and woman that the conversation was being captured on video.

“You’re a f***ing asshole. You’re a piece of s***,” the man said. “I should punch you in the f***ing face.”

“You’re going to threaten me? Assault?” Bode said. “You guys are racist f***s.”

“And you’re a f***ing asshole,” the man said. “F***ing N***** lover.”

Source: Philly Voice

The small town of Catasauqua (north of Allentown, population 6,509 and 90% white) has confirmed the woman in the video is Jackie Harford — owner of Fossil’s Last Stand at 429 Race St — and her companion is her boyfriend.

Source: Google Maps

The town’s sad history is that it takes its name from the Lenape Native Americans, who were then forcibly removed under the genocidal policies of President Andrew Jackson so the land could be exploited in massive wealth generation schemes.

…by the early 1900s, Catasauqua had the highest concentration of millionaires per capita of any community in the nation.

The history of naming “Race St” is unclear but after this event perhaps it should be renamed Anti-Racism Street? Driverless cars need to be instructed clearly to continue this one man’s noble stand against local traditions of racism.

International condemnation has included the business page on Yelp being inundated with attempts at anti-racist imagery and commentary.

Are masks required or do customers need to bring their own white hood?

Source: Yelp


Is “hacking from home” the new air force dropping bombs?

A group called the Disposable Heroes of Hiphoprisy wrote in their 1992 song The Winter Of The Long Hot Summer a rather scathing rhyme about how an air force plays into industrial “proxy” war:

The pilots said their bombs lit Baghdad
Like a Christmas tree
It was the Christian thing to do you see
They didn’t mention any casualties
No distinction between the real
And the proxy
Only football analogies
We saw the bomb hole
We watched the Super Bowl

If bombing from the sky was the proxy violence of the industrial revolution, shouldn’t we look at hacking from home as the logical next evolution of conflict for the information age? Sure beats trying to engineer smart bombs to make the difficult leap into intelligence.

The Washington Post has profiled one such group calling itself partisans. It was formed in late 2020 and has grown to 30 civilians allegedly in Belarus.

…Cyber Partisans are more akin to a digital resistance movement than a “cyber proxy” like the Ukrainian government-backed “IT Army.” The group does not appear to be acting as an intermediary for another government’s interests, and has a history of independent operations against the government of Belarus. With an extensive online presence, the Cyber Partisans also differ from other nongovernmental hacking efforts supporting the Ukrainian resistance during the war, such as Anonymous or Squad303. Though many Cyber Partisan claims remain unverifiable, the available evidence suggests that this is a small group of closely linked individuals with a strong connection to Belarus. […] “Thousands of Russian troops didn’t receive food, didn’t receive fuel, and didn’t receive equipment on time,” noted Franak Viacorka, spokesman for Belarus’ opposition leader.

Denial of service to systems, which led to denial of service to troops (no food, fuel or equipment arriving on time), seems a lot like bombing infrastructure such as fields to stop production and distribution, even though it’s far less destructive.

Speaking of government-backed action, there’s an interesting note about Russian “militarism” in another article.

…the third month of war finds Russia, not the United States, struggling under an unprecedented hacking wave that entwines government activity, political voluntarism and criminal action. Digital assailants have plundered the country’s personal financial data, defaced websites and handed decades of government emails to anti-secrecy activists abroad. One recent survey showed more passwords and other sensitive data from Russia were dumped onto the open Web in March than information from any other country. The published documents include a cache from a regional office of media regulator Roskomnadzor that revealed the topics its analysts were most concerned about on social media — including antimilitarism…

To be fair the United States is not officially at war, so it makes for an illogical target unless being brazenly drawn in (e.g. Pearl Harbor, which technically would be a destructive kinetic attack not cyber). Russia, however, made itself into such an ugly militant aggressor it’s obvious why it became such a very large target of hacking.

The fact that Russia centers its social media strategy on stopping antimilitarism says a lot. Their incompetence at militarism is impossible to ignore, attracting all forms of resistance. They clearly are losing on every front but most notably hackers around the world easily slice and dice their way through a creaky old and corrupt dictatorship.

All that being said, the NSA says it doesn’t like competition.

“I will tell you that the idea of the civil vigilantes joining in a nation-state attack is unwise, right? I really think it is,” the NSA’s Rob Joyce said May 4 at a Vanderbilt University security summit. “As you pointed out, it’s illegal. But it’s also unhelpful, because one of the things we talked about is we’re trying to get Russia to take account for the ransomware attacks and hacks that come out of Russia and emanate.”

Here we go.

First, just being illegal isn’t the high bar some people want it to be. Laws change because sometimes they’re bad laws. In fact, the act of doing something and showing the logic of it can be the impetus to make it legal.

Second, whataboutism is a logical fallacy even in reverse. The world can still get Russia to account for hacks even if the rest of the world engaged in hacks. It’s also a nuanced question of power balance and authorization, such as saying the police can drive a speeding car to arrest someone for driving a speeding car.

Let me just go even further on this point and say Joyce is the NSA, and NOT the State Department, yet for some reason he tries to jump ship.

“This certainly isn’t going to make the State Department discussions with Russia of ‘you need to hold your people accountable’ any easier,” Joyce said Wednesday.

Thank you for your concern, yet it may be entirely misplaced. Joyce may as well be arguing “we shouldn’t advance nuclear weapons because it isn’t going to make discussions with Russia about nuclear weapons any easier.”

Nonsense.

And it only gets worse in that article when a certain CEO adds his voice to Joyce’s.

Kevin Mandia, CEO of American cybersecurity firm Mandiant, at the same summit said random individuals swaying relationships between countries and dictating foreign policy could be dangerous. “You can’t have the private sector influencing the doctrine between nations,” he said. “You don’t have us fighting on air, land and sea without being deputized or part of a force and with an agenda and a mission plan.”

That seems quite the opposite of a narrative he tried to spin back in October 2021.

The CEO of US cybersecurity firm Mandiant said today that he believes the next big advancement in cybersecurity will be the ability of governments and private companies to work together in a “coordinated national and global response” to incidents — not unlike how he said his firm worked with the government in response to the SolarWinds hack. […] Speaking at the Mandiant 2021 Cyber Defense Summit, the executive disclosed for the first time that he called the NSA right before Thanksgiving last year…

To put it together, Mandia is warning you can’t have the private sector influencing doctrine between nations, right after he boasted about jumping on the phone with the government to tell them he’s already engaged in a fight with another nation… as a civilian.

If Mandia is not an example of a random individual swaying relationships and influencing policy doctrine I don’t know what is. His company was founded on the idea that a government could use a proxy in the private sector to do security work of government, right?

I will never forget officials in the U.S. government telling me how legislation was written very specifically to release millions of dollars to Kevin Mandia, who hired former government staff if you see what I’m saying about why he/they don’t want “random” people competing with them in the market.

Mandia and the NSA sound like they’re heavily invested in what Eisenhower warned us to avoid — a Military-Industrial-Congressional Complex — if we’re interested in achieving cyber peace.

Perhaps the most telling aspect of the debate of who should hack and from where is this anecdote:

The IT army is reminiscent of volunteers who physically traveled to Ukraine and took up arms, despite enormous risks and warnings from officials. But hacking from home — or at least not from the bombarded and besieged locales of Ukraine — offers a sense of safety the frontlines do not.

Sniper rifles offer a sense of safety. Airplanes offer a sense of safety. Artillery (e.g. the longbow) offers a sense of safety. Drones offer a sense of safety… the list of low-risk, high-impact conflict models goes on and on. The question shouldn’t be how unsafe the hacker at home is, but how different that is from any other celebrated advance in battlefield technology.

One gets the sense that the NSA and Mandia as a proxy see themselves as vaunted innovators that are somehow distinct and unique, without really understanding that they’re focused on the wrong metrics.

Invention is easily overrated, and implementation is often underrated.

Hacking from home seems as logical for an implementation as shooting arrows from the woods was in the 1400s (before defensive hardened steel was deployed), let alone planes dropping bombs.

In any case I’d like to see far more feel-good reporting about hackers at home. I mean it seems only fair considering how other civilian volunteers are being depicted.

For about a month now, U.S. Marine veteran Sean Schofield has been sending dispatches back to Cullman, Alabama, from a place few would volunteer to go.

Since late March, he’s been one of more than 6,000 foreign volunteers from the U.S., Australia, the UK and other western countries who’ve left their civilian lives behind and traveled to Ukraine, aiding military personnel and civilian supporters in mounting a sovereign defense against Russian invasion.

It’s like if you can run a fast 100 meter dash through a hail of bullets you’re some kind of hometown hero, but if you can type a few commands on a keyboard to stop those bullets you’re an anti-social vigilante.