Cybersecurity Newsletter, September 7 - 13
Qrator Newsletter

Let's take a look at the most relevant materials published between September 7 and 13, 2020.

The 2020 National Internet Segment Reliability Research

"The global connectivity of any given AS, regardless of whether it is an international giant or regional player, depends on the quantity and quality of its path to Tier-1 ISPs.
Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will be maintained all the time. For many ISPs at all "tiers", losing connection to just one Tier-1 peer would likely render them unreachable from some parts of the world. We identified the AS with the greatest/largest impact on other ASes in their region. 

We took that AS’s impact value as a reliability score for the country and used that score to rate the reliability of countries. The lower the score, the better the reliability."
 

C++20 approved, C++23 meetings and schedule update

"On Friday September 4, C++20's DIS (Draft International Standard) ballot ended, and it passed unanimously. This means that C++20 has now received final technical approval and is done with ISO balloting, and we expect it to be formally published toward the end of 2020 after we finish a final round of ISO editorial work."
 

h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c) 

"In this post, I demonstrate how upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers."
 

Coming Out of Your Shell: From Shlayer to ZShlayer 

"Earlier this year, we discussed how threat actors have been turning to scripting languages as a preferred means of both dropping malware and executing payloads. That trend has continued with some interesting innovations in response to the static detection signatures now widely in use both by Apple and other vendors. A recent variant of the Shlayer malware follows Apple's lead in preferring Zsh to Bash as its default shell language and employs a novel encoding method to avoid detection. In this post, we describe this variant and show how it can be decoded to reveal the telltale Shlayer signature."
 

CRYLOGGER: Detecting Crypto Misuses Dynamically

"Academics find crypto bugs in 306 popular Android apps, none get patched. Only 18 of 306 app developers replied to the research team, only 8 engaged with the team after the first email." - ZDNet.
 

Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)

"Raccoon is a timing vulnerability in the TLS specification that affects HTTPS and other services that rely on SSL and TLS. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.
Raccoon allows attackers under certain conditions to break the encryption and read sensitive communications. The vulnerability is really hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable."
 

NVMe over TCP

"Oracle Linux UEK5 introduced NVMe over Fabrics which allows transferring NVMe storage commands over an Infiniband or Ethernet network using RDMA Technology. UEK5U1 extended NVMe over Fabrics to also include Fibre Channel storage networks. Now with UEK6, NVMe over TCP is introduced which again extends NVMe over Fabrics to use a standard Ethernet network without having to purchase special RDMA-capable network hardware."
 

StreamDivert: Relaying (specific) network connections

"StreamDivert is a tool to man-in-the-middle or relay in and outgoing network connections on a system. It has the ability to, for example, relay all incoming SMB connections to port 445 to another server, or only relay specific incoming SMB connections from a specific set of source IPs to another server."
 

Hacking Ethernet out of Fibre Channel cards

"This story, like another in the past, started as an eBay purchase that I would soon regret. I was scrolling through my favorite eBay supplier when I found a listing titled Job Lot Of Roughly 350 Various Network Cards. This of course piqued my interest. Some close photo inspection identified a whole load of cards in the pile that were worth the price of the whole lot. So I naturally bought it."
 

CVE-2018-17145: Bitcoin Inventory Out-of-Memory Denial-of-Service Attack

"Researcher kept a major Bitcoin bug secret for two years to prevent attacks. The INVDoS bug would have allowed attackers to crash Bitcoin nodes and other similar blockchains." - ZDNet.
 

Passing the final checkpoint! NIST PQC 3rd round begins

"Recently, Daniel Apon of NIST gave a talk detailing the (NIST's post-quantum cryptography) selection criteria. Interesting stuff." - Bruce Schneier.
 

For feedback, please write to us at cybersec@qrator.net.