infosec
-
Screenshot your LinkedIn app home screen.
-
Make a web page with that background.
-
Add a link at the top to display the QR code of your choice.
-
Add a link to that on your home screen.
- Log in with my username and password.
- Try the 2FA challenge once and let it fail.
- Navigate to accounts.creditkarma.com
- Defending your AI assets
- Defending your assets from AI
- Defending your assets with AI
- Prompt injection for lolz and cash
The emergency room I went to a couple weeks ago texted me a link to pay the bill. It’s to some generic payment system called “Papapapay”, which couldn’t sound scammier if it tried, and it shows a white screen if you open it in Safari.
Sometimes I’d swear they’re trying to train us to open phishing emails.
I think someone at Target’s having a bad day. I got a store credit card there a while back. It’s never left my house except to take it to Target. Today I got an unauthorized transaction message. Now I’m on the phone with their fraud department, with a wait time of 15 minutes.
Bathroom poster, Brickhouse, SF.
I did not add that sticker.
The GL.iNet GL-AXT1800 travel router I bought a year ago is on sale today for 38% off. If you’ve been on the fence, get this now.
Summary: check into a hotel and connect this, instead of your phone, to the paid WiFi instead. Then connect your phone, laptop, Switch, whatever to the router’s WiFi. Only pay for the one device, have your own firewall in place, and route everything through your own VPN if you want (we watched American Netflix from Germany).
I’ll never travel without one again.
In March, Waltz came under scrutiny after he put together a Signal chat and mistakenly included The Atlantic’s Jeffrey Goldberg, disclosing discussions with top national security officials about plans for a military strike on Houthi targets in Yemen.
Part of being a security adviser is being, you know, competent at security.
Voila. Now you can make anyone at any tech conference open the QR code of your choosing. “Hey, let’s be buddies!”
How to bypass Credit Karma's 2FA
Locked out of your Credit Karma account’s 2FA? No problem! Here’s how I can log into mine:
Ta-da! I’m in. I reported this a month ago but they haven’t acknowledged it as an issue yet. If I stumbled across this, you can bet the bad guys are already using it.
2025-03-17: I report a critical vulnerability (trivial, complete 2FA bypass) to a well-known company’s security email alias. No reply.
2025-04-07: I report it again to their bug bounty program.
2025-04-09: They close it as a duplicate.
Their bug bounty program says, basically, “we never disclose reports. Don’t discuss them with anyone.”
23 days into this episode, I’m starting to weigh the responsible thing to do here.
AWS WAF now uses /64s instead of /128s for IPv6 rate-limit bucketing. That’s a huge and welcome improvement!
Credit Karma stopped accepting my decade-old Google Voice phone number for 2FA. It won’t let me change to use my regular number because we were already using that for my wife’s account (which she asked me to manage for her). Their support’s idea for resolving this? Just ask Verizon for a new temporary phone number each month or so forever.
Um, no.
The coffee shop is fine
I hear too many acquaintances worry that employees might work from a coffee shop or other public network, putting their whole company at risk. So what if they do? The idea that a coffee shop’s Wi-Fi is insecure implies that there’s a mythical “secure” network that can be trusted with the company’s secrets. That’s almost never true.
Work-from-home employees are on a tame home Wi-Fi setup, right? Don’t count on it. Is their gear current? Are they sharing Wi-Fi with their neighbors? Are they using their apartment building’s network? Who’s their ISP? Although their home setup might – or might not – have fewer people on it than the local cafe’s, that doesn’t make it trustworthy.
What about the employees we coerced into returning to a legacy office and using its Wi-Fi? Oh. You mean that named network that sits around with a target on its back as belonging to important people? Unless you manage your own office, and it’s in a Faraday cage blocking all outbound or inbound radio signals, and you pretend that MAC filtering is a security feature, and all your equipment is patched with the latest security updates, and you have guards walking around with fox hunt antennas to spot rogue access points, it’s not substantially better in the ways that count. If you can read this at work, at least a few of those assumptions are likely wrong.
The idea of a “trusted network” is dead. It’s time we stop pretending. If an employee can be compromised at the coffee shop, they can be compromised at the office. We have to design our defenses as though our staff are working from the free network at DEF CON. That means making sure all employee devices and servers are patched. That all connections are encrypted, even those between internal systems. That authentication uses cryptography, not passwords. That we don’t pretend that “route all traffic” VPNs are a good idea. That we don’t rely on allowlisted IPs as a critical defense. That we don’t trust any network our employees might use, and that our systems are robust enough to endure hostile environments. Yes, even the ones we tell ourselves are safe.
And if we’re not comfortable with our coworkers typing away next to a fresh latte, it’s our responsibility to figure out what part of that bothers us and then fix it. The issues that would make that scenario dangerous affect the “secure” office, too.
The email: Click here to enhance your account’s security with two-factor authentication!
Click.
The website: Please enter your phone number to receive your access code.
Cmd-W.
When a coworker forwards you an email to ask if it looks like phishing, take a moment to publicly praise them for it. “Jane sent me an example of a new phishing campaign going around. Her instinct to let us know about it was exactly right. Thanks, Jane!” Reinforce the idea that Security has their back and will be pleasant to interact with. That’s how you get them to want to report things.
Polyfill supply chain attack hits 100K+ sites:
The
polyfill.jsis a popular open source library to support older browsers. 100K+ sites embed it using thecdn.polyfill.iodomain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embedscdn.polyfill.io.
This is fine.
This is interesting and dangerous. I’m trying the new macOS Sequoia Passwords app. I exported my passwords from 1Password to a CSV and imported them into the new app, then soon saw a bunch of ancient logins from old employers. What? Searching for them in 1Password found nothing.
Oh, turns out those are archived in 1Password. The normal cmd-F search doesn’t look in Archive even if you’ve selected it. The other opt-cmd-F find does.
Hope you remembered to delete the passwords that would get you beaten up.
Little Snitch 6 came out yesterday with many quality of life improvements.
It’s always the first app I install on a new Mac. New versions are no-brainer upgrades for me. I still wish it had a way to sync rulesets between Macs so that I don’t have to train each one independently.
I am not exaggerating this:
I created a new hostname in DNS, then added it to my existing webserver config.
It was online for 3 seconds – 3! – before getting a 404 request for /.git/config.
If you’re relying on obscurity to protect your services, get that right out your fool head today. You have about 3 seconds to get your act together.
In the time it took me to type this, I got another 62 requests:
30 "/"
3 "/.git/config"
2 "/.vscode/sftp.json"
2 "/v2/_catalog"
2 "/telescope/requests"
2 "/server-status"
2 "/server"
2 "/s/431323e2230323e2134323e2239313/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties"
2 "/?rest_route=/wp/v2/users/"
2 "/login.action"
2 "/.env"
2 "/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application"
2 "/.DS_Store"
2 "/debug/default/view?panel=config"
2 "/config.json"
2 "/_all_dbs"
2 "/about"
You know how sometimes you come to decide that an entire niche market is so filled with awful and overpriced alternatives that you’d rather just write your own and give it away for free?
My toes are on the precipice.
Conference tracks where more than a few people are wearing khaki:
Additional conference tracks where more than a few people have primary colored hair:
Palo Alto's exploited Python code
watchTowr Labs has a nice blog post dissecting CVE-2024-3400. It’s very readable. Go check it out.
The awfulness of Palo Alto’s Python code in this snippet stood out to me:
def some_function():
...
if source_ip_str is not None and source_ip_str != "":
curl_cmd = "/usr/bin/curl -v -H \"Content-Type: application/octet-stream\" -X PUT \"%s\" --data-binary @%s --capath %s --interface %s" \
%(signedUrl, fname, capath, source_ip_str)
else:
curl_cmd = "/usr/bin/curl -v -H \"Content-Type: application/octet-stream\" -X PUT \"%s\" --data-binary @%s --capath %s" \
%(signedUrl, fname, capath)
if dbg:
logger.info("S2: XFILE: send_file: curl cmd: '%s'" %curl_cmd)
stat, rsp, err, pid = pansys(curl_cmd, shell=True, timeout=250)
...
def dosys(self, command, close_fds=True, shell=False, timeout=30, first_wait=None):
"""call shell-command and either return its output or kill it
if it doesn't normally exit within timeout seconds"""
# Define dosys specific constants here
PANSYS_POST_SIGKILL_RETRY_COUNT = 5
# how long to pause between poll-readline-readline cycles
PANSYS_DOSYS_PAUSE = 0.1
# Use first_wait if time to complete is lengthy and can be estimated
if first_wait == None:
first_wait = PANSYS_DOSYS_PAUSE
# restrict the maximum possible dosys timeout
PANSYS_DOSYS_MAX_TIMEOUT = 23 * 60 * 60
# Can support upto 2GB per stream
out = StringIO()
err = StringIO()
try:
if shell:
cmd = command
else:
cmd = command.split()
except AttributeError: cmd = command
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, bufsize=1, shell=shell,
stderr=subprocess.PIPE, close_fds=close_fds, universal_newlines=True)
timer = pansys_timer(timeout, PANSYS_DOSYS_MAX_TIMEOUT)
It uses string building to create a curl command line. Then it passes that command line down into a function that calls subprocess.Popen(cmd_line, shell=True). What? No! Don’t ever do that!
I fed that code into the open source bandit static analyzer. It flagged this code with a high severity, high confidence finding:
ᐅ bandit pan.py
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.12.1
Run started:2024-04-16 17:14:52.240258
Test results:
>> Issue: [B604:any_other_function_with_shell_equals_true] Function call with shell=True parameter identified, possible security issue.
Severity: Medium Confidence: Low
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b604_any_other_function_with_shell_equals_true.html
Location: ./pan.py:14:26
13 logger.info("S2: XFILE: send_file: curl cmd: '%s'" % curl_cmd)
14 stat, rsp, err, pid = pansys(curl_cmd, shell=True, timeout=250)
15
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html
Location: ./pan.py:49:8
48 bufsize=1,
49 shell=shell,
50 stderr=subprocess.PIPE,
51 close_fds=close_fds,
52 universal_newlines=True,
53 )
54 timer = pansys_timer(timeout, PANSYS_DOSYS_MAX_TIMEOUT)
--------------------------------------------------
Code scanned:
Total lines of code: 41
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 1
High: 1
Total issues (by confidence):
Undefined: 0
Low: 1
Medium: 0
High: 1
Files skipped (0):
From that we can infer that Palo Alto does not use effective static analysis on their Python code. If they did, this code would not have made it to production.