Lots happened in Vegas last week. Most of it should have stayed in Vegas. But some of it bears digging out from piles of mediocre nonsense.
Especially for app developers, here are a few nuggets that caught my eye: Electron bugs, the ÆPIC SGX vuln, Rickrolling schools and buzzword bingo.
I’ll peruse the news of the week … so you don’t have to. In this week’s Secure Software Blogwatch, we sort the heat from the chai.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Everyone loves Toxic by Britney.
Hacker summer camp is back
First up: Does your app use Electron? Lorenzo Franceschi-Bicchierai has news for you—“Researchers find vulnerabilities in software underlying … apps used by millions of users”:
“He doesn’t run Electron apps”
A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, Slack and many others. … At the Black Hat cybersecurity conference in Las Vegas [they] presented their findings, detailing how they could have hacked people … by exploiting the software underlying [many apps]: Electron.
Aaditya Purani, one of the researchers [said] “Electron apps are not the same as … browsers,” meaning they are potentially more vulnerable. … In the case of Discord, the bug [they] found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, hackers would have been able to take control of their computers.
“If you are more paranoid, I recommend using the website itself because then you have the protection which Chromium has, which is much larger than the Electron,” Purani said. … He doesn’t run Electron apps, instead opting for using … Discord or Slack inside his browser, which is more hardened against hackers.
Sounds like a software supply chain problem. keithdowsett wants to nuke it from orbit:
Welcome to the world of 2020s software development.
1) Design project (optional)
2) Munge together a bunch of libraries on AWS …
3) Add a GUI (more libraries)
4) Port to Android and Apple phones (more libraries)
5) Release the code waay before it's ready …
6) Waste a heap of cash on Tiktok advertising …
7) Profit (optional)
8) Sell the whole heap of **** to venture capitalists for a stupid amount of money
But seriously, from a project perspective it makes sense to use libraries to perform as many functions as possible. That way instead of re-inventing the wheel you can focus on developing core functionality.
There's no prospect of a project team auditing all the libraries they use, let alone all their dependencies. … So for purely financial reasons we're reliant on the white hat community finding these obscure bugs.
Was there an oddly-named vuln? Steven J. Vaughan-Nichols offers—“ÆPIC Leak”:
“Disable APIC MMIO”
Intel’s Software Guard Extensions (SGX) memory encryption technology sounded like such a good idea back in 2015. [But] over half-a-dozen vulnerabilities … soon appeared. And now, at the 2022 Black Hat Security Conference, another … has been uncovered: ÆPIC Leak.
This one … is a new Intel architectural CPU bug that can leak data without using a side channel. It’s in a word, “Bad!” [It] works by sampling data transferred between the L2 and last-level cache. … This end-to-end attack extracts AES-NI, RSA, and even SGX attestation keys from enclaves within a few seconds.
Intel is … creating an updated … SDK that helps mitigate potential exposure. Intel also recommends users update to the latest firmware. Microcode to address the problem is already available for Linux. The Trusted Computing Base (TCB) recovery for ÆPIC Leak, however, won’t be available until March 7, 2023.
But I agree with the researchers: “The only short-term mitigations for ÆPIC Leak are to disable APIC MMIO or not rely on SGX.” For people who rely on SGX for security, it’s much nastier [than the] CVSS score [of] only 6.0.
How can we protect our servers? hardenedvault has this suggestion:
Another day, another vulnerability. Remote attestation can be compromised if the EPID key has been extracted.
Attacks targeting SGX require root privileges on the Linux host. Try the VED community version if you intend to protect the Linux kernel.
Any child prodigies on The Strip? Sean Michael Kerner’s never gonna give you up—“How US Teen Rickrolled His High School District”:
“26-page penetration report”
At the DEF CON 30 security conference in Las Vegas, Minh Duong outlined how he … was able to gain control of the presentation and public address systems in his local high school district outside of Chicago and Rickrolled it. [He and] his friends decided that Rickrolling his high school would make for a great senior prank, and they dubbed their effort Operation Big Rick.
Duong outlined a litany of device misconfigurations across his local school and his school district's IT system that enabled [them] to gain access to services they have no business accessing. … The teenage hackers decided to load the Rickroll screen onto … the school's IPTV presentation system, which is used to show announcements. [And they] disabled the ability for infrared remotes within classrooms to shut off any screen.
Duong and his friends just wanted to execute a prank and didn't intend to be malicious. To that end, they anonymously sent out a 26-page penetration report to the school that identified all the areas of weakness that needed to be improved.
Such a legendary hack. And Duong’s legendary status shall persist, says u/AnalyzeTheRodeo:
This man will die a legend.
What about the booths? Mike Rothman is going back to school—“Black Hat 2022 Trip Report”:
“I couldn’t be happier”
I couldn’t attend the RSA Conference back in June, so it had been 30 months since I’ve seen the security community in person. … There were … lots of vendor personnel on the show floor and … most of the companies said they had a steady stream of booth traffic. It was nice to see people out and about.
I saw some of the buzzword bingo, but it was muted. That doesn’t mean I understood what most of the companies did, based on their booth—I didn’t. Most had some combination of detection, cloud and response as well as a variety of Gartner-approved category acronyms. I guess the events marketing teams are a bit rusty.
Magicians still fill the booth: … Whenever I saw a crowd around a booth, there was typically some kind of performer. … Not sure how having some guy do magic tricks helped create demand for a security product, but it did fill the booths. … Every other booth had an espresso machine.
Some very large public companies had small booths. Some startups that I’d never heard of had large booths. … It means some companies burned a lot of their VC money in Vegas this week.
Meanwhile, what happens in Vegas … doesn’t involve Michael Wojcik:
When I was younger I quite liked attending and presenting at conferences. These days it doesn't appeal.
Slide decks and presentation videos are often available soon after, and … written accounts of [the] research too, which I prefer (I find synchronous media increasingly tiresome as I get older). And Las Vegas is pretty low on my list of places I have any interest in spending my time.
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. E&OE. 30.