DOUG. Router woes, Megaupload in megatrouble, and extra MOVEit mayhem.
All that and extra on the Bare Safety podcast.
[MUSICAL MODEM]
Welcome to the podcast, all people.
I’m Doug Aamoth; he’s Paul Ducklin.
Paul, how do you do?
DUCK. Only a disambiguation for our British and Commonwealth English listeners, Doug…
DOUG. “Router.” [PRONOUNCED UK-STYLE AS ‘ROOTER’, NOT US-STYLE AS ‘ROWTER’]
DUCK. You don’t imply the woodworking instruments, I suppose?
DOUG. No! [LAUGHS]
DUCK. You imply the issues that allow crooks break into your community in the event that they’re not patched in time?
DOUG. Sure!
DUCK. The place the behaviour of what we’d name a ‘ROOTER’ does to your community extra like what a ‘ROWTER’ would do to the sting of your desk? [LAUGHS]
DOUG. Precisely! [LAUGHS]
We’ll get to that shortly.
However first, our This Week in Tech Historical past section.
Paul, this week, on 18 June, method again in 1979: an enormous step ahead for 16-bit computing as Microsoft rolled out a model of its BASIC programming language for 8086 processors.
This model was backward appropriate with 8-bit processors, making BASIC, which had been obtainable for the Z80 and 8080 processors, and was discovered on some 200,000 computer systems already, an arrow in most programmers’ quivers, Paul.
DUCK. What was to turn into GW-BASIC!
I don’t know whether or not that is true, however I hold studying that GW-BASIC stands for “GEE WHIZZ!” [LAUGHS]
DOUG. Ha! [LAUGHTER]
DUCK. I don’t know whether or not that’s true, however I wish to assume it’s.
DOUG. Alright, let’s get into our tales.
Earlier than we get to stuff that’s within the information, we’re happy, nay thrilled, to announce the primary of three episodes of Assume You Know Ransomware?
It is a 48-minute documentary collection from your pals at Sophos.
“The Ransomware Documentary” – model new video collection from Sophos beginning now!
The primary episode, known as Origins of Cybercrime, is now obtainable for viewing at https://sophos.com/ransomware.
Episode 2, which is named Hunters and Hunted, might be obtainable on 28 June 2023.
Episode 3, Weapons and Warriors, will drop on 5 July 2023.
Test it out at https://sophos.com/ransomware.
I’ve seen the primary episode, and it’s nice.
It solutions all of the questions you’ll have in regards to the origins of this scourge that we hold combating yr after yr, Paul.
DUCK. And it feeds very properly into what common listeners will know is my favorite saying (I hope I haven’t turned it right into a cliche by now), specifically: Those that can’t keep in mind historical past are condemned to repeat it.
Don’t be that individual! [LAUGHS]
DOUG. Alright, let’s stick as regards to crime.
Jail time for 2 of the 4 Megaupload founders.
Copyright infringement at concern right here, Paul, and a few decade within the making?
Megaupload duo will go to jail eventually, however Kim Dotcom fights on…
DUCK. Sure.
Bear in mind final week once I paraphrased that joke about, “Oh, you already know what buses are like? None come for ages, after which three arrive without delay?” [LAUGHTER]
However I needed to parlay it into “two arrive without delay”…
…and no sooner had I stated it than the third one arrived. [LAUGHTER]
And that is out of New Zealand, or Aotearoa, because it’s alternatively identified.
Megaupload was an notorious early so-called “file locker” service.
That’s not “file locker” as in ransomware that locks up your recordsdata.
It’s “file locker” like a gymnasium locker… the cloud place the place you add recordsdata so you may get them later.
That service received taken down, primarily as a result of the FBI within the US received a takedown order, and alleged that its major goal was truly not a lot to be a mega *add* service as to be a mega *obtain* service, the enterprise mannequin of which was based mostly on encouraging and incentivising copyright infringement.
The first founding father of this enterprise is a well-known title: Kim Dotcom.
And that actually is his surname.
He modified his title (I believe he was initially Kim Schmitz) to Kim Dotcom, created this service, and he’s simply been combating extradition to the US and continues to take action, regardless that the Aotearoa courts have dominated that there’s no cause why he can’t be extradited.
One of many different 4, a chap by the title of Finn Batato, sadly died of most cancers final yr.
However two of the opposite people who have been the prime movers of the Megaupload service, Mathias Ortmann and Bram van der Kolk…
…they fought extradition (you’ll be able to perceive why) to the US, the place they probably confronted massive jail sentences.
However ultimately they appeared to have finished a take care of the courts in NZ [New Zealand/Aotearoa] and with the FBI and the Division of Justice within the US.
They agreed to be prosecuted in NZ as a substitute, to plead responsible, and to help the US authorities of their ongoing investigation.
And so they ended up with jail sentences of two years 7 months and a pair of years 6 months respectively.
DOUG. The decide in that case had some attention-grabbing observations, I felt.
DUCK. I believe you’re proper there, Doug.
Notably, that it wasn’t a query of the courtroom saying, “We settle for the truth that these huge megacorporations all around the globe misplaced billions and billions of {dollars}.”
In truth, the decide stated that it’s a must to take these claims with a pinch of salt, and quoted proof to recommend that you could’t simply say that everyone who downloaded a pirated video would in any other case have purchased the unique.
So you’ll be able to’t add up the financial losses in the way in which that a few of the megacorps like to take action.
However, he stated, that doesn’t make it proper.
And much more importantly, he stated, “You actually did damage the little guys as nicely, and that issues simply as a lot.”
And he quoted the case of an indie software program developer from the South Island in NZ who had written to the courtroom to say, “I seen piracy was making an enormous dent in my revenue. I discovered that 10 or 20 instances I needed to enchantment to Megaupload to have infringing content material taken down; it took me plenty of time to do this, and it by no means made the slightest distinction. And so I’m not saying that they’re totally answerable for the truth that I may now not make a dwelling out of my enterprise, however I’m saying I went to all this effort to get them to take the stuff down which they stated they might do, however it by no means labored.”
Truly that got here out elsewhere within the judgment… which is 38 pages, so it’s fairly an extended learn, however it’s very readable and I believe it’s very nicely price studying.
Notably, the decide stated to the defendants that they needed to bear accountability for the truth that they admitted that they didn’t wish to get too robust on copyright infringers as a result of “Progress is especially based mostly on infringement.”
And he additionally famous that they devised a takedown system that principally, if there have been a number of URLs to obtain the identical file…
…they saved one copy of the file, and in the event you complained in regards to the URL, they might take down *that URL*.
DOUG. Ah ha!
DUCK. So you’ll assume they’d eliminated the file, however they would depart the file there.
And he described that as follows: “You knew, and meant, that takedowns would haven’t any materials impact.”
Which is precisely what this indie Kiwi software program developer had claimed in his assertion to the courtroom.
And so they definitely should have made some huge cash out of it.
In case you have a look at the pictures from the controversial raid on Kim Dotcom again in 2012…
…he had this monumental property, and all these flash vehicles with bizarre quantity plates [vehicle tags] like GOD and GUILTY, as if he was anticipating one thing. [LAUGHS]
Megaupload takedown makes headlines and waves as Mr Dotcom applies for bail
So, Kim Dotcom continues to be combating his extradition, however these different two have determined that they wish to get it throughout with.
So that they pleaded responsible, and as a few of our commenters have identified on Bare Safety, “Golly, for what evidently they did whenever you learn by means of the judgment intimately, it does sound that their sentence was mild.”
However the way in which it was calculated is the decide labored out that he thought that the utmost sentences they need to get underneath Aotearoa regulation needs to be about 10 years.
After which he figured, based mostly on the very fact they have been pleading responsible, that they have been going to cooperate, that they’re going to pay again $10 million, and so forth and so forth, that they need to get 75% off.
And my understanding is that implies that they may put to mattress this worry that they are going to be extradited to the US, as a result of my understanding is the Division of Justice has stated, “OK, we’ll let the conviction and the sentencing occur out of the country.”
Greater than ten years on, and nonetheless not over!
You’d higher say it, Doug…
DOUG. Yesss!
We’ll keep watch over this.
Thanks; let’s transfer on.
In case you’ve received an ASUS router, you’ll have some patching to do, though fairly a murky timeline right here for some fairly harmful vulnerabilities, Paul.
ASUS warns router prospects: Patch now, or block all inbound requests
DUCK. Sure, it isn’t extremely clear fairly when these patches got here out for the assorted many fashions of router which might be listed within the advisory.
A few of our readers are saying, “Properly, I went and had a glance; I’ve received a type of routers and it’s on the listing, however there aren’t any patches *now*. However I did get some patches a short time in the past that appeared to repair these issues… so why the advisory *now*?”
And the reply is, “We don’t know.”
Besides, maybe, that ASUS have found that the crooks are onto these?
However it’s not simply, “Hey, we advocate you patch.”
They’re saying it’s worthwhile to patch, and in the event you’re unwilling or unable to take action, then we “strongly advocate to (which principally means ‘you had higher’) disable providers accessible from the WAN aspect of your router to keep away from potential undesirable intrusions.”
And that’s not simply your typical warning, “Oh, guarantee that your admin interface isn’t seen on the web.”
They’re noting that what they imply by blocking incoming requests is that it’s worthwhile to flip off principally *every part* that includes the router accepting the surface initiating some community connection…
…together with distant administration, port forwarding (unhealthy luck in the event you use that for gaming), dynamic DNS, any VPN servers, and what they name port triggering, which I suppose is port knocking, the place you await a specific connection and solely whenever you see that connection do you then hearth up a service regionally.
So it’s not simply internet requests which might be harmful right here, or that there could be some bug that lets somebody log in with a secret username.
It’s a complete vary of various kinds of community visitors that if it may possibly attain your router from the surface, may pwn your router, it appears.
So it does sound terribly pressing!
DOUG. The 2 predominant vulnerabilities right here…
…there’s a Nationwide Vulnerability Database, the NVD, which scores vulnerabilities on a scale of 1 to 10, and each of those are 9.8/10.
After which there’s a complete bunch of different ones which might be 7.5, 8.1, 8.8… a complete bunch of stuff that’s fairly harmful right here. Paul.
DUCK. Sure.
“9.8 CRITICAL”, all in capital letters, is the type of factor meaning [WHISPERING], “If the crooks determine this out, they’re going to be throughout it like a rash.”
And what’s maybe the weirdest about these two 9.8/10 badness-score vulns is that certainly one of them is CVE-2022-26376, and that’s a bug in HTTP unescaping, which is principally when you’ve a URL with humorous characters in, like, areas…
…you’ll be able to’t legally have an area within the URL; it’s a must to put %20 as a substitute, its hexadecimal code.
That’s fairly basic to processing any form of URL on the router.
And that was a bug that was revealed, as you’ll be able to see from the quantity, in 2022!
And there’s one other one within the so known as Netatalk protocol (that gives assist for Apple computer systems) which was the vulnerability, Doug, CVE-2018-1160.
DOUG. That was a very long time in the past!
DUCK. It was!
It was truly fastened in a model of Netatalk which I believe was model 3.1.12, which got here out on 20 December *2018*.
And so they’re solely warning about “it’s worthwhile to get the brand new model of Netatalk” proper now, as a result of that too, it appears, might be exploited through a rogue packet.
So that you don’t want a Mac; you don’t want Apple software program.
You simply want one thing that talks Netatalk in a dodgy method, and it can provide you arbitrary reminiscence write entry.
And with a 9.8/10 bug rating, it’s a must to assume meaning “distant outsider pokes in a single or two community packets, takes over your router fully with root degree entry, distant code execution horror!”
So fairly why it took them that lengthy to warn people who they wanted to get the repair for this 5 yr previous bug…
…and why they didn’t even have the repair for the 5 yr previous bug 5 years in the past just isn’t defined.
DOUG. OK, so there’s a listing of routers that you need to verify, and in the event you can’t patch, you’re presupposed to do all that “block all of the inbound stuff”.
However I believe our recommendation can be patch.
And my favorite recommendation: In case you’re a programmer, sanitise thine inputs, please!
DUCK. Sure, Little Bobby Tables has appeared but once more, Doug.
As a result of one of many different bugs that wasn’t on the 9.8 degree (this was on the 7/10 or 8/10 degree) was CVE-2023-28702.
It’s principally the MOVEit-type bug another time: Unfiltered particular characters in internet URL enter may trigger command injection.
In order that appears like a fairly broad brush for cybercriminals to color with.
And there was CVE-2023-31195 that caught my consideration, underneath the guise of a Session hijack.
The programmers have been setting what are basically authentication token cookies… these magic strings that, if the browser can feed them again in future requests, proves to the server that earlier on within the session the consumer logged in, had the fitting username, the fitting password, the fitting 2FA code, no matter.
And now they’re bringing this magic “entry card”.
So, you’re presupposed to tag these cookies, whenever you set them, in order that they may by no means get transmitted in unencrypted HTTP requests.
That method it makes it a lot more durable for a criminal to hijack them… they usually forgot to do this!
In order that’s one other factor for programmers: Go and evaluation the way you set actually vital cookies, ones that both have personal info in them or have authentication info in them, and ensure you aren’t leaving them open to inadvertent and straightforward publicity.
DOUG. I’m marking this down (in opposition to my higher judgment, however that is the second of two tales thus far) as one that we are going to keep watch over.
DUCK. I believe you’re proper, Doug, as a result of I don’t actually know why, provided that for a few of the routers these patches had already appeared (albeit later than you might need wished)… why *now*?
And I suppose that a part of the story should should emerge.
DOUG. Seems that we completely can’t *not* keep watch over this MOVEit story.
So, what do we have now this week, Paul?
MOVEit mayhem 3: “Disable HTTP and HTTPS visitors instantly”
DUCK. Properly, sadly for Progress Software program, the third bus got here alongside without delay, because it have been. [LAUGHTER]
So, simply to recap, the primary one was CVE-2023-34362, which is when Progress Software program stated, “Oh no! There’s a zero-day – we genuinely didn’t learn about this. It’s a SQL injection, a command injection downside. Right here’s the patch. However it was a zero-day, and we discovered about it as a result of ransomware crooks, extortion crooks, have been actively exploiting this. Listed below are some Indicators of Compromise [IoCs].”
So that they did all the fitting issues, as shortly as they may, as soon as they knew that there was an issue.
Then they went and reviewed their very own code, figuring, “You recognize what, if the programmers made that mistake in a single place, possibly they made some comparable errors in different components of the code.”
And that led to CVE-2023-35036, the place they proactively patched holes that have been like the unique one, however so far as they knew, they discovered them first.
And, lo and behold, there was then a 3rd vulnerability.
This one is CVE-2023-35708, the place evidently the one who discovered it, absolutely understanding full nicely that Progress Software program was totally open to accountable disclosure and immediate response…
…determined to go public anyway.
So I don’t know whether or not you name that “‘full disclosure” (I believe that’s the official title for it), “irresponsible disclosure” (I’ve heard it referred to love that by different individuals at Sophos), or “dropping 0-day for enjoyable”, which is how I consider it.
In order that was a little bit little bit of a pity.
And so Progress Software program stated, “Look, anyone dropped this 0-day; we didn’t learn about it; we’re engaged on the patch. On this tiny interim interval, simply flip off your internet interface (we all know it’s a problem), and allow us to end testing the patch.”
And inside a few day they stated, “Proper, right here is the patch, now apply it. Then, in order for you, you’ll be able to flip your internet interface again on.”
So I believe, all in all, though it’s a nasty search for Progress Software program for having the bugs within the first place…
…if this could ever occur to you, then following their type of response is, for my part, a fairly jolly first rate approach to do it!
DOUG. Sure, we do have reward for Progress Software program, together with our remark for this week on this story.
Adam feedback:
Looks like tough going for MOVEit these days, however I applaud them for his or her fast, proactive, and apparently trustworthy work.
They might theoretically have tried to maintain this all quiet, however as a substitute they’ve been fairly up-front about the issue and what must be finished about it.
On the very least it makes them look extra reliable in my eyes…
…and I believe that’s a sentiment that’s shared with others as nicely, Paul.
DUCK. It’s certainly.
We’ve heard the identical factor on our social media channels too: that though it’s regrettable that they had the bug, and everybody needs they didn’t, they’re nonetheless inclined to belief the corporate.
In truth, they could be inclined to belief the corporate greater than they have been earlier than, as a result of they assume that they hold cool heads in a disaster.
DOUG. Excellent.
Alright, thanks, Adam, for sending that in.
You probably have an attention-grabbing story, remark or query you’d wish to submit, we’d like to learn it on the podcast.
You’ll be able to electronic mail suggestions@sophos.com, you’ll be able to touch upon any certainly one of our articles, or you’ll be able to hit us up on social: @nakedsecurity.
That’s our present for as we speak; thanks very a lot for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you till subsequent time to…
BOTH. Keep safe!
[MUSICAL MODEM]
