Cybersecurity Newsletter, November 30 - December 13
Qrator Newsletter

Greetings, fellow subscriber! This week we are going to scroll through two weeks of events in cybersecurity, everything that happened between November 30 and December 13, 2020.

Of course, the most important piece of news is that Qrator Labs is celebrating its ten-year anniversary on January 19, 2021. You can find all the details by following this link - register with the form and add the event to your calendar, and we would be glad to meet you there!
 

Netnod NTS Whitepaper: How does NTS work and why is it important?

"Many of the important security tools that keep us safe online depend on accurate time. But until recently there was no way to ensure that the time you received over the Internet was correct. There was simply no way to tell if you were being fed time from a malicious or trusted source. This is largely because the current standard for receiving time over the Internet, the Network Time Protocol (NTP), was created in 1985. In those more innocent times, the need to secure NTP, the type of security needed, and how to provide it were less understood. Over the last 35 years, a range of security flaws and some high-profile attacks have shown that NTP needed significantly improved security. The new Network Time Security (NTS) standard has been designed to fix that."
 

“A damn stupid thing to do”—the origins of C

"In one form or another, C has influenced the shape of almost every programming language developed since the 1980s. Some languages like C++, C#, and Objective-C are intended to be direct successors to the language, while other languages have merely adopted and adapted C’s syntax. A programmer conversant in Java, PHP, Ruby, Python or Perl will have little difficulty understanding simple C programs, and in that sense, C may be thought of almost as a lingua franca among programmers.
But C did not emerge fully formed out of thin air as some programming monolith. The story of C begins in England, with a colleague of Alan Turing and a program that played checkers."
 

Four years after the Dyn DDoS attack, critical DNS dependencies have only gone up

"A team of academics from Carnegie Mellon University have conducted a large-scale study of the top 100,000 websites on the internet to see how website operators reacted to this attack and how many are still operating with one single DNS provider and no other backup.
Their findings, published at the Internet Measurement Conference last month, show that, currently, in 2020, 89.2% of all websites use a third-party DNS provider rather than managing their own DNS server.
But even worse is the fact that 84.8% of all analyzed websites relied on one single DNS provider, without having a backup redundancy to which they could switch in case of a failure or attack."
Related paper - Analyzing Third Party Service Dependencies in Modern Web Services: Have We Learned from the Mirai-Dyn Incident?
 

Whac-A-Mole: Six Years of DNS Spoofing

"DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points. We show that spoofing today is rare, occurring only in about 1.7% of observations. However, the rate of DNS spoofing has more than doubled in less than seven years, and it occurs globally. Finally, we use data from B-Root DNS to validate our methods for spoof detection, showing a true positive rate over 0.96. B-Root confirms that spoofing occurs with both DNS injection and proxies, but proxies account for nearly all spoofing we see."
 

The impact of COVID-19 on last-mile latency

"As we reported at the Internet Measurement Conference (IMC 2020) in November, we found that in normal times Atlas probes in only 10% of ASes experience persistent last-mile congestion but we recorded 55% more congested ASes during the COVID-19 outbreak. This deterioration caused by stay-at-home measures is particularly marked in large eyeball networks and certain parts of the world."
Related paper - Persistent Last-mile Congestion: Not so Uncommon.
 

Linux kernel heap quarantine versus use-after-free exploits

"In this article I'll describe the Linux Kernel Heap Quarantine that I developed for mitigating kernel use-after-free exploitation. I will also summarize the discussion about the prototype of this security feature on the Linux Kernel Mailing List (LKML)."
 

FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community

"FireEye is on the front lines defending companies and critical infrastructure globally from cyber threats. We witness the growing threat firsthand, and we know that cyber threats are always evolving. Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack. Our number one priority is working to strengthen the security of our customers and the broader community. We hope that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyber attacks."
 

Continuing our journey to bring instant experiences to the whole web

"Speed has always been a core tenet of Chrome. We care about speed, not only because it helps our users get things done quicker, but because it also contributes to making the web ecosystem more diverse by lowering the friction of discovering and engaging with more content or new websites. So, what if we could make the web more instant? Building on some of our previous work in this space, we have a new proposal that aims at speeding up navigations by downloading resources ahead of time, i.e. prefetching. The proposal defines the concept of a “private prefetch proxy” through the combination of an end-to-end encrypted CONNECT proxy to hide potentially identifiable information (e.g. the user’s IP address), as well as rules governing its usage, and additional measures to ensure that the prefetches cannot be personalized to the user. We are eager to work with the community on refining and generalizing the proposal for the benefit of the whole web."
 

Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks

"During the day, I spend my time analyzing Terraform code, Kubernetes object configuration files, and identifying common security issues. When the sun sets, I put on my hoodie, fire up Linux VMs and debuggers to look under the hood of technologies that make up the cloud native ecosystem.
In this post, we will explore how Kubernetes container isolation impacts privilege escalation attacks. We will use common kernel exploitation techniques to figure out how container abstraction layers can hinder our path to that precious root shell."
 

Name by role

"My recent article on good names might leave you with the impression that I consider good names unimportant. Not at all. That article was an attempt at delineating the limits of naming. Good names aren't the panacea some people seem to imply, but they're still important.
As the cliché goes, naming is one of the hardest problems in software development. Perhaps it's hard because you have to do it so frequently. Every time you create a variable, you have to name it. It's also an opportunity to add clarity to a code base."
 

2020 ISRG Annual Report with details about Let's Encrypt


Data exfiltration via IPv6

"Within the Aposemat Team, we’ve been working on testing the capabilities of IPv6 and how malware could take advantage of it. One of the topics we explored was exfiltration of data via the IPv6 protocol. In this blog post we will share our study into this topic."
 

New RISC-V CPU claims record-breaking performance per watt

"We first noticed Micro Magic's claims earlier this week, when EE Times reported on the company's new prototype CPU, which appears to be the fastest RISC-V CPU in the world. Micro Magic adviser Andy Huang claimed the CPU could produce 13,000 CoreMarks (more on that later) at 5GHz and 1.1V while also putting out 11,000 CoreMarks at 4.25GHz—the latter all while consuming only 200mW. Huang demonstrated the CPU—running on an Odroid board—to EE Times at 4.327GHz/0.8V and 5.19GHz/1.1V."
 

Seagate says it's designed two of its own RISC-V CPU cores – and they'll do more than just control storage drives

"Seagate says it has, after several years of effort, designed two custom RISC-V processor cores for what seems a range of functions including computational storage."
 

Now you C me, now you don't, part two: exploiting the in-between

"In the first installment of this series on the native attack surface of interpreted languages, we learned that even in core implementations of interpreted languages such as JavaScript, Python and Perl, memory safety is not always a guarantee.

In this second installment we’ll take a deeper dive into how vulnerabilities may be introduced when gluing C/C++-based libraries into interpreted languages through a Foreign Function Interface (FFI). As we discussed previously, an FFI is an interface between code written in two different languages. For example, making a C-based library available for use in a JavaScript program."
 

Linux Security Summit Europe 2020 Presentations


FBI confirms Zodiac Killer's 340 cipher solved by trio of amateur math and software codebreakers

"A team of code breakers has solved a cipher attributed to the Zodiac Killer, a serial murderer known for a Northern California killing spree in the late 1960s who has still not been identified or apprehended."
 

Thanks for being an awesome subscriber!

For feedback or any suggestions, please write to us at cybersec@qrator.net.