Miscellaneous Tech News
-
@Obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@Obsolesce said in Miscellaneous Tech News:
Uber Breach 2022
The critical vulnerability that granted the attacker such high levels of access was hardcoded credentials in a PowerShell script
Argh, why the heck is there Windows development on a platform like Uber? And who approved THAT GIT checkin?
No idea. Android and ios only AFAIK. No need for Windows. But I have a feeling that one who bakes credentials into scripts would do it in any scripting language. You'd also think a vulnerability like that would have been found during scanning. They must not have any devsecops or code scanning tools in place.
Clearly no one is scanning or checking anything. That's the problem. And that's why Windows development is an issue, it starts a "trend" of looking the other way for obvious non-best practices. Once something so fundamental as making business software or production server software on a platform that is costly, risky and less performant (presumably to allow hiring less than capable developers - that's why that ecosystem exists there) then where do you start adding best practices when clearly, it's not even on the radar? you don't, it just doesn't make sense to. So you get here.
-
@scottalanmiller said in Miscellaneous Tech News:
@Obsolesce said in Miscellaneous Tech News:
Uber Breach 2022
The critical vulnerability that granted the attacker such high levels of access was hardcoded credentials in a PowerShell script
Argh, why the heck is there Windows development on a platform like Uber? And who approved THAT GIT checkin?
I'm sure their desktop environment is Windows for their non techies. And there's probably little to no separation between the Uber app platform and their staff.
-
@Dashrender said in Miscellaneous Tech News:
I'm sure their desktop environment is Windows for their non techies.
That's weird as that is a power user platform. You'd never put that in to make things harder jsut for the less capable staff if you don't for the good staff. But that's not really relevant, why would their applications be getting built on Windows regardless of that? And even if they were BUILT on Windows, why would the app deployment happen to Windows? What is used by some non-dev staff has zero to do with what is talking to their system.s
-
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
I'm sure their desktop environment is Windows for their non techies.
That's weird as that is a power user platform. You'd never put that in to make things harder jsut for the less capable staff if you don't for the good staff. But that's not really relevant, why would their applications be getting built on Windows regardless of that? And even if they were BUILT on Windows, why would the app deployment happen to Windows? What is used by some non-dev staff has zero to do with what is talking to their system.s
You're asking people to do things your way - we all know that's not the typical way.
-
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
I'm sure their desktop environment is Windows for their non techies.
That's weird as that is a power user platform. You'd never put that in to make things harder jsut for the less capable staff if you don't for the good staff. But that's not really relevant, why would their applications be getting built on Windows regardless of that? And even if they were BUILT on Windows, why would the app deployment happen to Windows? What is used by some non-dev staff has zero to do with what is talking to their system.s
You're asking people to do things your way - we all know that's not the typical way.
No, I'm asking people to do their jobs and do them well. Nothing more. Basic competence.
-
Optus (second largest telco in Australia) has been compromised and customer data loss has been confirmed
https://www.itnews.com.au/news/optus-attack-exposes-customer-information-585567
-
How Citrix dropped the ball on Xen ... according to Citrix
-
@Danp said in Miscellaneous Tech News:
How Citrix dropped the ball on Xen ... according to Citrix
Jaja, yay I got sort of referenced (as the one who proposed XCP-NG. They also screwed themselves royally by mixing the names all over the place. They left that out, the utter market confusion that they created by calling everything Xen.
They did more than crush trust in Xen. They caused many people to simply distrust Citrix.
-
@scottalanmiller said in Miscellaneous Tech News:
Jaja, yay I got sort of referenced
The
"weird systems users": hobbyists who offer virtualization to non-profit and charity users, using old, out-of-maintenance hardware that had been inherited or passed on to them. Enthusiast users, with no funds to buy licenses? -
@Obsolesce said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
Jaja, yay I got sort of referenced
The
"weird systems users": hobbyists who offer virtualization to non-profit and charity users, using old, out-of-maintenance hardware that had been inherited or passed on to them. Enthusiast users, with no funds to buy licenses?That too.
-
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
-
@stacksofplates damn, that's significant.
-
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? the article says that the attacker is starting as a local admin.
-
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? the article says that the attacker is starting as a local admin.
Installers are typically local admins.
-
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? the article says that the attacker is starting as a local admin.
Installers are typically local admins.
let me ask this another way.
Yes - it's bad that MS isn't blocking something they said they would.But does that make the situation any worse than it would really be if they did?
the attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
-
@Dashrender said in Miscellaneous Tech News:
the attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
So in a way, they get nothing, in another, everything. Normally Windows has security protections by way of signed drivers - "known good" drivers that you should be able to trust (but anything guaranteed by Microsoft should be highly suspect, of course) and an installer gets scanned by Defender AV to ensure that there is no malicious code.
A normal elevated permissions situation here only allows the scanned installer to run, once. It's a very limited set of permissions. And the code gets scanned to see if there is anything malicious in it.
But in this case, the scanning and the notification / warning are bypassed by leveraging the fact that Microsoft has signed known vulnerable code and given it a free pass to run on your system allowing a malicious entity to bypass security. So something that is "guaranteed" to be safe because MS claims to have verified it and signed it, is actually known to be vulnerable and providing a way to access your systems to a malicious third party, not the person installing software.
So yes, if YOU were the malicious entity AND you are also the admin, it doesn't make any difference. But if you are the malicious entity and you are trying to get past security, it's a useful tool.
-
@scottalanmiller said in Miscellaneous Tech News:
But if you are the malicious entity and you are trying to get past security, it's a useful tool.
I agree with this - but that's not what the article said.
@article said
—makes it easy for an attacker with administrative control to bypass Windows kernel protections.
-
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
But if you are the malicious entity and you are trying to get past security, it's a useful tool.
I agree with this - but that's not what the article said.
@article said
—makes it easy for an attacker with administrative control to bypass Windows kernel protections.
But that's true. normally there are kernel level protections even against the admin, and this bypasses those.
Think of the attacker being someone making an installer that gets admin privs.
-
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? the article says that the attacker is starting as a local admin.
Installers are typically local admins.
let me ask this another way.
Yes - it's bad that MS isn't blocking something they said they would.But does that make the situation any worse than it would really be if they did?
the attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
Because they’re mostly things like automated installs. It’s not like someone is sitting at the keyboard as a bad actor. It’s an email with an attachment for a doc that when Sally opens it installs a valid signed driver that is vulnerable.
-
@stacksofplates said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? the article says that the attacker is starting as a local admin.
Installers are typically local admins.
let me ask this another way.
Yes - it's bad that MS isn't blocking something they said they would.But does that make the situation any worse than it would really be if they did?
the attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
Because they’re mostly things like automated installs. It’s not like someone is sitting at the keyboard as a bad actor. It’s an email with an attachment for a doc that when Sally opens it installs a valid signed driver that is vulnerable.
Exactly. Automated or confused users OR, don't forget, confused DEVELOPERS. It's not hard to get legit software, especially closed source, to think that MS signed drivers are safe (as that's the whole idea of the system is that everyone can trust them because MS is vouching for them) and trigger that they be installed, bypassing the expected security system.
