Cybersecurity Newsletter, February 8 - 14
Qrator Newsletter

Hello and welcome back to the regular cyber and infosecurity letter! This time we are going through the relevant articles published 8 - 14 February 2021.

Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online

"According to a researcher, though, these icons can also be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online."
The repository: https://github.com/jonasstrehle/supercookie
 

IPCDump – Guardicore’s New Open-Source Tool for Linux IPC Inspection

"Modern software exacerbates many of these issues: more than before, applications are made up of distinct processes that plug in to one another in a black-box approach. So when something breaks, it can be very, very frustrating to zero in on where that happened. We had issues like these with some of our more complex systems at Guardicore, and we needed a tool to help diagnose them.

That’s why we wrote IPCDUMP. You can find it on Github: https://github.com/guardicore/IPCDump."
 

The Long Hack: How China Exploited a U.S. Tech Supplier

"Following up on a disputed 2018 claim in its BusinessWeek publication that tiny spy chips were found on Supermicro server motherboards in 2015, Bloomberg on Friday doubled down by asserting that Supermicro's products were targeted by Chinese operatives for over a decade, that US intelligence officials have been aware of this, and that authorities kept this information quiet while crafting defenses in order to study the attack.

"China’s exploitation of products made by Supermicro, as the US company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter," states Bloomberg in its report, said to rely on interviews with more than 50 sources, mostly unnamed, in government and the private sector." - The Register.
 

ISPs step up fight against SpaceX, tell FCC that Starlink will be too slow

"More broadband-industry groups are lining up against SpaceX's bid to get nearly $900 million in Federal Communications Commission funding. Two groups representing fiber and rural Internet providers yesterday submitted a report to the FCC claiming that Starlink will hit a capacity shortfall in 2028, when the satellite service may be required to hit a major FCC deployment deadline.

The study was commissioned by the Fiber Broadband Association (FBA) and NTCA-The Rural Broadband Association. They are urging the FCC to carefully examine whether SpaceX's Starlink broadband service should receive money from the Rural Digital Opportunity Fund (RDOF), which recently awarded SpaceX $885.51 million over 10 years to bring Starlink to 642,925 homes and businesses in 35 states. The funding for SpaceX and other ISPs won't be finalized until the FCC reviews their long-form applications, which were submitted after the reverse auction."
 

Apple iOS 14.5 will hide Safari users' IP addresses from Google's Safe Browsing

"That means when Safari users visit a website with Safe Browsing active, their IP addresses will be associated with an Apple domain rather than their internet service provider or corporate network. Google would normally have access to this information from those using Safe Browsing-enabled applications, depending on the specific API used, but now won't for mobile Safari users."
 

Uncovering a 24-year-old bug in the Linux Kernel

"One of the most interesting issues we encountered led to the discovery of a fairly old bug in the Linux kernel TCP implementation: every now and then, an rsync transfer from a source server would hang indefinitely for no apparent reason, as — apart from the stuck transfer — everything else seemed to be in order. What’s more, for reasons that became apparent later, the issue could not be reproduced at will, although some actions (e.g. adding an rsync-level rate limit) seemed to make the issue less frequent, with frequency ranging from once or twice per week to once every three months.
As is not unusual in these cases, we had more urgent systems and issues to attend to, so we labeled this a “race condition in rsync” that we should definitely look into at some point, and worked around it by throttling the rsync transfers.
Until it started biting us every single day."
 

Browser fuzzing at Mozilla

"Mozilla has been fuzzing Firefox and its underlying components for a while. It has proven to be one of the most efficient ways to identify quality and security issues. In general, we apply fuzzing on different levels: there is fuzzing the browser as a whole, but a significant amount of time is also spent on fuzzing isolated code (e.g. with libFuzzer) or whole components such as the JS engine using separate shells. In this blog post, we will talk specifically about browser fuzzing only, and go into detail on the pipeline we’ve developed. This single pipeline is the result of years of work that the fuzzing team has put into aggregating our browser fuzzing efforts to provide consistently actionable issues to developers and to ease integration of internal and external fuzzing tools as they become available."
 

Notes from DNS-OARC 34 by Geoff Huston

"It’s an interesting topic of speculation to think about what form of network architecture we would be using if we were to start afresh using today’s world of scalable content and service distribution as the starting point. Like the ‘clean slate’ discussions of over a decade ago, if we were to think about today’s world without inherent assumptions based on unicast models of networks largely derived from the telephony service model, and we were to think about the network architecture in massively replicated service terms that are more like the old school publication or retail worlds, we probably would not have come up with a network architecture based on unicast destination endpoint address-based packet forwarding.
Maybe such an Internet would be based on some form of what we’ve come to call name-based-networking. We would probably start such a design exercise with the functions that today are found largely in the functions that are currently embedded in the DNS.
What are these functions? What’s going on in the DNS these days? One way to understand the current topics of focus in the DNS is to tune in to the regular meetings of the DNS Operations and Research (OARC) community. OARC 34 was held in the first week of February and here are some items from that meeting that interested me."
 

Preparing to Issue 200 Million Certificates in 24 Hours

"On a normal day Let’s Encrypt issues nearly two million certificates. When we think about what essential infrastructure for the Internet needs to be prepared for though, we’re not thinking about normal days. We want to be prepared to respond as best we can to the most difficult situations that might arise. In some of the worst scenarios, we might want to re-issue all of our certificates in a 24 hour period in order to avoid widespread disruptions. That means being prepared to issue 200 million certificates in a day, something no publicly trusted CA has ever done."
 

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

"Ever since I started learning how to code, I have been fascinated by the level of trust we put in a simple command like this one:
pip install package_name
Some programming languages, like Python, come with an easy, more or less official method of installing dependencies for your projects. These installers are usually tied to public code repositories where anyone can freely upload code packages for others to use.
You have probably heard of these tools already — Node has npm and the npm registry, Python’s pip uses PyPI (Python Package Index), and Ruby’s gems can be found on… well, RubyGems.
When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine. So can this blind trust be exploited by malicious actors?"

Thanks for sharing the newsletter!
For feedback, please write to us at cybersec@qrator.net.