Security Leftovers
-
Twilio Reveals Another Breach from the Same Hackers Behind the August Hack
Communication services provider Twilio this week disclosed that it experienced another "brief security incident" in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access of customer information.
The security event occurred on June 29, 2022, the company said in an updated advisory shared this week, as part of its probe into the digital break-in.
-
You should prepare for the OpenSSL 3.x secvuln [Ed: So much hype-building, still no beef. Almost a decade ago someone in Google found and fixed the issue. Then a Microsoft shill coined the term "heartbleed" and stole credit for the bug to go on and on for years smearing Free software.]
Hoooo boy, 2022 keeps delivering. It seems that the latest way things are getting fun is that the OpenSSL project announced a "CRITICAL" patch coming on Tuesday for every release of OpenSSL that starts with 3.0. The fixes will be released as OpenSSL 3.0.7. If you run OpenSSL 3.0.0 through 3.0.6, you should consider yourself vulnerable. I will cover how to check later in the post.
For people who have only casually followed the OpenSSL project, note that the last time a "CRITICAL" patch was issued was to mitigate the "Heartbleed" vulnerability. I am going to split my analysis into two parts: facts and speculation.
-
Critical zero-day bug, first since Heartbleed, identified in OpenSSL [Ed: This is not what zero-day means]
-
Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th)
Some here may still remember Heartbleed. Heartbleed was a critical OpenSSL vulnerability that surprised many organizations, and patching the issue was a major undertaking. Heartbleed caused OpenSSL and other open-source projects to rethink how they address security issues and communicate with their users. OpenSSL started to pre-announce any security updates about a week ahead of time.
-
Debating VPN options - anarcat
I managed to set up a HE.net tunnel at home, because I also need IPv6 for other reasons (namely debugging at work). My first attempt at setting this up in the office failed, but now that I found the openwrt.org guide, it worked... for a while, and I was able to produce the above, encouraging, mini benchmarks.
Unfortunately, a few minutes later, IPv6 just went down again. And the problem with that is that many programs (and especially OpenSSH) do not respect the Happy Eyeballs protocol (RFC 8305), which means various mysterious "hangs" at random times on random applications. It's kind of a terrible user experience, on top of breaking the one thing it's supposed to do, of course, which is to give me transparent access to all the nodes I maintain.
Even worse, it would still be a problem for other remote nodes I might set up where I might not have access to the router to set up the tunnel. It's also not absolutely clear what happens if you set up the same tunnel in two places... Presumably, something is smart enough to distribute only a part of the /48 block selectively, but I don't really feel like going that far, considering how flaky the setup is already.
-
Microsoft links Raspberry Robin worm to Clop ransomware attacks [Ed: When it comes to security, Microsoft is the culprit rather than an expert, but this is a Microsoft-linked site]
Microsoft says a threat group tracked as DEV-0950 used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm.
DEV-0950 malicious activity overlaps with financially motivated cybercrime groups tracked as FIN11 and TA505, known for deploying Clop ransomware payloads on targets' systems.