Security

Ask Slashdot: Where Are All the Jobs Preventing Zero-Day Exploits? 112

An anonymous reader writes: Given the widespread understanding that sophisticated hackers are regularly using zero-day vulnerabilities to break into high-value systems, why is it that when I search for "zero day" on Australia's most popular job search engine only one "real" job comes up? Is the security of the Internet totally dependent on dedicated hobbyists, part-time showboats, and people willing to take meagre bug bounties (on average paying $3,650 for a critical vulnerability) instead of selling their findings (sometimes for millions of dollars) to dubious buyers?
Are they all in-house security people hunting for zero-days as part of their regular responsibilities? Share your own thoughts in the comments.

Programming

GitHub Fixes a Private-Package-Names Leak and Serious Authorization Bug (bleepingcomputer.com) 21

In 2020 Microsoft's GitHub acquired NPM (makers of the default package manager for Node.js). The company's web page boasts that npm "is a critical part of the JavaScript community and helps support one of the largest developer ecosystems in the world."

But now BleepingComputer reports on two security flaws found (and remediated) in its software registry. Names of private npm packages on npmjs.com's 'replica' server (consumed by third-party services) were leaked — but in addition, a second flaw could've allowed attackers "to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks."

In a blog post this week GitHub's chief security officer explained the details:

During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages. This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed. No other information, including the content of these private packages, was accessible at any time. Package names in the format of @owner/package for private packages created prior to October 20 were exposed between October 21 13:12:10Z UTC and October 29 15:51:00Z UTC. Upon discovery of the issue, we immediately began work on implementing a fix and determining the scope of the exposure. On October 29, all records containing private package names were removed from the replication database. While these records were removed from the replicate.npmjs.com service on this date, the data on this service is consumed by third-parties who may have replicated the data elsewhere. To prevent this issue from occurring again, we have made changes to how we provision this public replication database to ensure records containing private package names are not generated during this process.

Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report.

We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package. We mitigated this issue by ensuring consistency across both the publishing service and authorization service to ensure that the same package is being used for both authorization and publishing.

This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020.
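The authorization mismatch GitHub describes, modelled as an added example (constructed here; this is not GitHub's or npm's code). It has an authorization service that decides using only the package name in the request URL path, and a publish service that in the flawed version writes whichever package name the uploaded manifest declares. The fixed version refuses any upload whose manifest name differs from the name that was authorized. Package names, users and versions are invented.

```python
"""Toy model of a two-service publish pipeline with a URL-vs-manifest mismatch.

Constructed example. authorize() sees the URL-path package name; the flawed
publish path then writes the package named inside the uploaded manifest, so
the two services can disagree about which package is being published.
"""
from dataclasses import dataclass, field


class PublishError(Exception):
    """Raised when a publish request is refused."""


@dataclass
class Registry:
    # Constructed ACL: package name -> set of users allowed to publish it.
    maintainers: dict = field(default_factory=lambda: {
        "@acme/widgets": {"alice"},
        "left-pad": {"bob"},
    })
    # Published versions: package name -> list of version strings.
    versions: dict = field(default_factory=dict)

    def authorize(self, user: str, path_package: str) -> None:
        """Authorization service: decides using only the URL-path package name."""
        if user not in self.maintainers.get(path_package, set()):
            raise PublishError(f"{user} is not a maintainer of {path_package}")

    def publish_flawed(self, user: str, path_package: str, manifest: dict) -> str:
        """Flawed publish service: trusts the manifest for the package name."""
        self.authorize(user, path_package)
        target = manifest["name"]  # taken from the uploaded file, not the URL
        self.versions.setdefault(target, []).append(manifest["version"])
        return target

    def publish_fixed(self, user: str, path_package: str, manifest: dict) -> str:
        """Fixed publish service: one package name drives both decisions."""
        self.authorize(user, path_package)
        if manifest["name"] != path_package:
            raise PublishError(
                f"manifest declares {manifest['name']!r} but request path "
                f"authorized {path_package!r}"
            )
        self.versions.setdefault(path_package, []).append(manifest["version"])
        return path_package


def demo() -> dict:
    """Run the same mismatched request through both code paths."""
    # alice may publish @acme/widgets; the uploaded manifest names left-pad instead.
    mismatched = {"name": "left-pad", "version": "9.9.9"}
    flawed = Registry()
    written = flawed.publish_flawed("alice", "@acme/widgets", mismatched)

    fixed = Registry()
    try:
        fixed.publish_fixed("alice", "@acme/widgets", mismatched)
        refused = False
    except PublishError:
        refused = True
    return {
        "flawed_wrote": written,                # "left-pad": wrong package updated
        "fixed_refused": refused,               # True: mismatch caught
        "left_pad_versions_after_fix": fixed.versions.get("left-pad", []),
    }


if __name__ == "__main__":
    print(demo())
```

The check in publish_fixed is the whole fix: whatever field the upload carries, the write goes to the name that was authorized, so a request can no longer be authorized for one package and applied to another.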

BleepingComputer adds: Both announcements come not too long after popular npm libraries, 'ua-parser-js,' 'coa,' and 'rc' were hijacked in a series of attacks aimed at infecting open source software consumers with trojans and crypto-miners. These attacks were attributed to the compromise of npm accounts [1, 2] belonging to the maintainers behind these libraries.

None of the maintainers of these popular libraries had two-factor authentication (2FA) enabled on their accounts, according to GitHub. Attackers who can manage to hijack npm accounts of maintainers can trivially publish new versions of these legitimate packages, after contaminating them with malware. As such, to minimize the possibility of such compromises from recurring in near future, GitHub will start requiring npm maintainers to enable 2FA, sometime in the first quarter of 2022.

Programming

GitHub's Annual Developer Survey Finds Remote Developers Aren't Returning to the Office (zdnet.com) 28

GitHub's annual report on its user community "combined telemetry data from over four million repositories with direct survey from over 12,000 developers to identify current trends among software development companies and open-source projects," reports InfoQ.

ZDNet notes the data shows that remote developers "aren't planning to go back to the office." Before the pandemic, only 41% of developers worked at an office either full-time or part-time, but of the 12,000 surveyed in GitHub's 2021 State of the Octoverse report, just 10.7% expect to go back to the office after the pandemic ends... Pre-pandemic, 28.1% of developers had hybrid arrangements but after the pandemic, 47.8% expect some hybrid arrangements. Before the pandemic, 26.5% worked in places where all workers were remote. Now, 38.8% expect to be fully remote.
ZDNet also highlighted some other general statistics: GitHub says it now has 73 million developer users and that it gained 16 million new users in 2021. Users created 61 million new repositories and there were 170 million pull requests that got merged into projects... One of the biggest projects on GitHub is the container software Docker, which has a whopping 632,000 contributors from 215 countries and consists of 49,593 packages.
That's more than an order of magnitude larger than the estimated number of Linux contributors — and implies that for every 117 developers now on GitHub, there was one who contributed to Docker.

Meanwhile, 2021's most popular language rankings for GitHub are the same as 2020, with one exception: Shell has risen one position to become the 8th most popular language, edging out C (which now ranks as the 9th most popular language).

And InfoQ summarized some other interesting statistics from GitHub's report:
  • Good, reliable, and up-to-date documentation can boost productivity by 50%.
  • Documentation is often under-invested.
  • The number of pull requests merged within the workday goes down by 17% with each additional reviewer.

Bug

Rockstar Admits GTA Remasters 'Did Not Meet Our Own Standards of Quality' (arstechnica.com) 25

Rockstar has issued an apology for the "unexpected technical issues" that marred the release of Grand Theft Auto: The Trilogy - The Definitive Edition last week and led to the quick removal of the PC version from Rockstar's online store. From a report: Last week, Rockstar said that the PC version of the game was being taken down "as we remove files unintentionally included in these versions." That led to reports that the package included copies of original soundtrack songs that had not been re-licensed for the new release. Other reports suggested that the original package accidentally included uncompiled source code and revealed some interesting programmer comments, including references to the infamous "hot coffee" scene that caused the game so much controversy back in 2005. Today, though, the developer admitted in a blog post that "the updated versions of these classic games did not launch in a state that meets our own standards of quality, or the standards our fans have come to expect."

We noted some of the remaster's many issues in our initial impressions, which recommended that you skip the bundle for now. Since then, players have chronicled countless bugs and questionable "remastering" decisions. Those range from disturbing textures to eye-searing rainfall to hilariously broken cutscenes to car-inflating wiggles to odd-looking character models and plain old typos that weren't in the original game.

Firefox

Thousands of Firefox Users Accidentally Commit Login Cookies On GitHub (theregister.com) 52

Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions. The Register reports: These cookies.sqlite databases normally reside in the Firefox profiles folder. They're used to store cookies between browsing sessions. And they're findable by searching GitHub with specific query parameters, what's known as a search "dork." Aidan Marlin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "credentials exposed by our users are not in scope for our Bug Bounty program."

Marlin then asked whether he could make his findings public and was told he's free to do so. "I'm frustrated that GitHub isn't taking its users' security and privacy seriously," Marlin told The Register in an email. "The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they'd done, they'd s*** their pants."

Marlin acknowledges that affected GitHub users deserve some blame for failing to prevent their cookies.sqlite databases from being included when they committed code and pushed it to their public repositories. "But there are nearly 4.5k hits for this dork, so I think GitHub has a duty of care as well," he said, adding that he's alerted the UK Information Commissioner's Office because personal information is at stake. Marlin speculates that the oversight is a consequence of committing code from one's Linux home directory. "I imagine in most of the cases, the individuals aren't aware that they've uploaded their cookie databases," he explained. "A common reason users do this is for a common environment across multiple machines."
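A guard against the mistake described above, as an added example (constructed here, not a GitHub or Mozilla tool): a pre-commit hook that refuses the commit when any staged path is a Firefox profile file. cookies.sqlite is the file named in the story; the other basenames (key4.db, logins.json, places.sqlite and the SQLite -wal/-shm sidecars) and the profile directory markers are assumptions added for completeness. The staged file list is a constructed sample.

```python
"""Pre-commit guard against staging browser profile databases.

Constructed example. Install as .git/hooks/pre-commit (executable); the core
check, flag_sensitive(), takes a plain list of paths so it can be tested
without a repository.
"""
import posixpath
import subprocess
import sys

# Basenames that should never leave a workstation in a git commit.
SENSITIVE_BASENAMES = {
    "cookies.sqlite", "cookies.sqlite-wal", "cookies.sqlite-shm",
    "key4.db", "logins.json", "places.sqlite",
}
# Directory fragments that identify a Firefox profile tree, whatever the file.
PROFILE_DIR_MARKERS = (".mozilla/firefox/", "Mozilla/Firefox/Profiles/")


def is_sensitive(path: str) -> bool:
    """True if a path is a known-sensitive file or lives in a profile directory."""
    norm = path.replace("\\", "/")
    if posixpath.basename(norm) in SENSITIVE_BASENAMES:
        return True
    return any(marker in norm for marker in PROFILE_DIR_MARKERS)


def flag_sensitive(paths) -> list:
    """Return the subset of paths that must not be committed."""
    return [p for p in paths if is_sensitive(p)]


def staged_paths() -> list:
    """Ask git for the files staged in the index (NUL-separated output)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "-z"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.split("\0") if p]


# Constructed sample of what `git diff --cached --name-only` might list when
# someone commits from their home directory.
SAMPLE_STAGED = [
    "src/app.py",
    ".mozilla/firefox/abcd1234.default-release/cookies.sqlite",
    "dotfiles/cookies.sqlite-wal",
    "README.md",
]


def main() -> int:
    bad = flag_sensitive(staged_paths())
    if bad:
        print("refusing commit; remove these from the index:", file=sys.stderr)
        for p in bad:
            print("  " + p, file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A hook only protects the machine it is installed on; the same basenames belong in a global gitignore as well, and anyone who has already pushed such a file should treat the sessions in it as exposed and log them out, since removing the file from history does not recall copies others may have cloned.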

Security

Russian Ransomware Gangs Start Collaborating With Chinese Hackers (bleepingcomputer.com) 11

There's some unusual activity brewing on Russian-speaking cybercrime forums, where hackers appear to be reaching out to Chinese counterparts for collaboration. BleepingComputer reports: These attempts to enlist Chinese threat actors are mainly seen on the RAMP hacking forum, which is encouraging Mandarin-speaking actors to participate in conversations, share tips, and collaborate on attacks. The forum has reportedly had at least thirty new user registrations that appear to come from China, so this could be the beginning of something notable. The researchers suggest that the most probable cause is that Russian ransomware gangs seek to build alliances with Chinese actors to launch cyber-attacks against U.S. targets, trade vulnerabilities, or even recruit new talent for their Ransomware-as-a-Service (RaaS) operations.

A threat analyst told BleepingComputer earlier this month that this initiative was started by a RAMP admin known as Kajit, who claims to have recently spent some time in China and can speak the language. In the prior version of RAMP, he had intimated that he would be inviting Chinese threat actors to the forum, which appears to now be taking place. However, Russian hackers attempting to collaborate with Chinese threat actors is not limited to the RAMP hacking forum as Flashpoint has also seen similar collaboration on the XSS hacking forum. [...] RAMP was set up last summer by a core member of the original Babuk ransomware gang, aiming to serve as a new place to leak valuable data stolen from cyberattacks and recruit ransomware affiliates.
Further reading: US Says Iran-backed Hackers Are Now Targeting Organizations With Ransomware
Microsoft

Is Microsoft Stealing People's Bookmarks? (schneier.com) 99

Z00L00K writes: From Schneier on Security

I received email from two people who told me that Microsoft Edge enabled synching without warning or consent, which means that Microsoft sucked up all of their bookmarks. Of course they can turn synching off, but it's too late. Has this happened to anyone else, or was this user error of some sort? If this is real, can some reporter write about it? (Not that "user error" is a good justification. Any system where making a simple mistake means that you've forever lost your privacy isn't a good one. We see this same situation with sharing contact lists with apps on smartphones. Apps will repeatedly ask, and only need you to accidentally click "okay" once.) EDITED TO ADD: It's actually worse than I thought. Edge urges users to store passwords, ID numbers, and even passport numbers, all of which get uploaded to Microsoft by default when synch is enabled.

Also from one comment:

Ted November 17, 2021 8:29 AM It looks like Microsoft released some documentation on "Microsoft Edge -- Policies" for Enterprise on 11-9-21. It is only a 472 minute read, but there is some info on Forced Synching, for example: ForceSync Force synchronization of browser data and do not show the sync consent prompt https://docs.microsoft.com/en-...


Security

Linux Has a Serious Security Problem That Once Again Enables DNS Cache Poisoning (arstechnica.com) 66

shoor writes: As much as 38 percent of the Internet's domain name lookup servers are vulnerable to a new attack that allows hackers to send victims to maliciously spoofed addresses masquerading as legitimate domains, like bankofamerica.com or gmail.com. The exploit, unveiled in research presented today, revives the DNS cache-poisoning attack that researcher Dan Kaminsky disclosed in 2008. He showed that, by masquerading as an authoritative DNS server and using it to flood a DNS resolver with fake lookup results for a trusted domain, an attacker could poison the resolver cache with the spoofed IP address. From then on, anyone relying on the same resolver would be diverted to the same imposter site.

The sleight of hand worked because DNS at the time relied on a transaction ID to prove the IP number returned came from an authoritative server rather than an imposter server attempting to send people to a malicious site. The transaction number had only 16 bits, which meant that there were only 65,536 possible transaction IDs. Kaminsky realized that hackers could exploit the lack of entropy by bombarding a DNS resolver with off-path responses that included each possible ID. Once the resolver received a response with the correct ID, the server would accept the malicious IP and store the result in cache so that everyone else using the same resolver -- which typically belongs to a corporation, organization, or ISP -- would also be sent to the same malicious server.
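The matching step the excerpt describes, as an added example (constructed here, not code from the research the story covers): a toy resolver keys its pending queries on the 16-bit transaction ID and, when source-port randomization is on, also on the UDP port the answer arrives at. forgery_space() gives the number of (ID, port) combinations an off-path answer would have to hit in each configuration; the port pool size and the query name are assumptions.

```python
"""Toy resolver showing why a 16-bit transaction ID alone is too little entropy.

Constructed example. A pending query is matched to an inbound answer on the
transaction ID and on the UDP port the answer is addressed to; an answer that
matches no pending (ID, port, name) triple is dropped and never cached.
"""
import secrets
from dataclasses import dataclass

TXID_SPACE = 1 << 16            # 65,536 possible transaction IDs
EPHEMERAL_PORTS = 65536 - 1024  # assumed pool of randomized source ports


@dataclass(frozen=True)
class Query:
    txid: int
    sport: int   # UDP source port the query left from
    qname: str


@dataclass(frozen=True)
class Answer:
    txid: int
    dport: int   # UDP port the answer is addressed to
    qname: str
    rdata: str   # IP address the answer claims for qname


class Resolver:
    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.pending = {}   # (txid, sport) -> Query
        self.cache = {}     # qname -> rdata

    def send_query(self, qname: str) -> Query:
        txid = secrets.randbelow(TXID_SPACE)
        # 2008-era behaviour: every query leaves from one fixed port;
        # hardened behaviour: a fresh random ephemeral port per query.
        if self.randomize_port:
            sport = 1024 + secrets.randbelow(EPHEMERAL_PORTS)
        else:
            sport = 53
        q = Query(txid, sport, qname)
        self.pending[(txid, sport)] = q
        return q

    def receive(self, ans: Answer) -> bool:
        """Accept the answer only if it matches a pending query exactly."""
        q = self.pending.get((ans.txid, ans.dport))
        if q is None or q.qname != ans.qname:
            return False          # no pending query matches: drop it
        del self.pending[(ans.txid, ans.dport)]
        self.cache[q.qname] = ans.rdata
        return True


def forgery_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations an off-path answer must hit."""
    return TXID_SPACE * (EPHEMERAL_PORTS if randomize_port else 1)


def legitimate_answer_accepted() -> bool:
    """The authoritative answer echoes ID, port and name, so it is cached."""
    r = Resolver(randomize_port=True)
    q = r.send_query("example.com")
    r.receive(Answer(q.txid, q.sport, q.qname, "192.0.2.1"))  # constructed IP
    return r.cache.get("example.com") == "192.0.2.1"


def wrong_port_answer_accepted(randomize_port: bool) -> bool:
    """An answer with the right ID but addressed to port 53 only gets in
    when the resolver itself always used port 53."""
    r = Resolver(randomize_port)
    q = r.send_query("example.com")
    return r.receive(Answer(q.txid, 53, "example.com", "192.0.2.1"))
```

With a fixed port the whole secret is the 65,536-value ID the excerpt describes; with a random ephemeral port the combined space is roughly 2^32, which is why port randomization became the standard response to the 2008 attack. The new research the story covers concerns a different weakness, and this example says nothing about it.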

Security

US Says Iran-backed Hackers Are Now Targeting Organizations With Ransomware (techcrunch.com) 18

The U.S. government, along with counterparts in Australia and the U.K., has warned that Iranian state-backed hackers are targeting U.S. organizations in critical infrastructure sectors -- in some cases with ransomware. From a report: The rare warning linking Iran with ransomware landed in a joint advisory Wednesday, issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC). The advisory said that Iran-backed attackers have been exploiting Fortinet vulnerabilities since at least March and a Microsoft Exchange ProxyShell vulnerability since October to gain access to U.S. critical infrastructure organizations in the transport and public health sectors, as well as organizations in Australia. The aim of the hackers is ultimately to leverage this access for follow-on operations such as data exfiltration, extortion and ransomware deployment. In May this year, for example, the hackers abused Fortigate gear to access a web server hosting the domain for a U.S. municipal government. The following month, CISA and the FBI observed the hackers exploiting Fortinet vulnerabilities to access the networks of a U.S.-based hospital specializing in healthcare for children. The joint advisory has been released alongside a separate report from Microsoft on the evolution of Iranian APTs, which are "increasingly utilizing ransomware to either collect funds or disrupt their targets." In the report, Microsoft said it has been tracking six Iranian threat groups that have been deploying ransomware and exfiltrating data in attacks that started in September 2020.
Security

Robinhood Hack Also Included Thousands of Phone Numbers (vice.com) 6

The recent hack at app-based investment platform Robinhood also impacted thousands of phone numbers, Motherboard has learned. From the report: Originally, Robinhood said that the breach included the email addresses of 5 million customers, the full names of 2 million customers, and other data from a smaller group of users. Motherboard obtained a copy of the stolen phone numbers from a source who presented themselves as a proxy for the hackers. The file includes around 4,400 phone numbers.

When asked if the numbers belonged to Robinhood customers, the company told Motherboard in a statement that "We've determined that several thousand entries in the list contain phone numbers, and the list also contains other text entries that we're continuing to analyze." "We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident. We'll continue making appropriate disclosures to affected people," the statement added. Robinhood said it plans to update its blog post about the breach with the new information about the phone numbers.

Chrome

Google Chrome 96 Breaks Twitter, Discord, Video Rendering and More (bleepingcomputer.com) 19

Google Chrome 96 was released yesterday, and users are reporting problems with Twitter, Discord, and Instagram caused by the new version. BleepingComputer reports: The issues have been reported to Google in a Chromium bug post where Google employees have started to investigate the problems. "We're continuing to see user reports about this behavior, including reports from our social team," notes Google product manager Craig Tumblison. "One user has shared that disabling the "chrome://flags/#cross-origin-embedder-policy-credentialless" flag resolves the behavior. Another report shares a specific error message: "The connection was rejected at https://cards-frame.twitter.com". Test team, would you be able to try enabling that flag to see if the behavior appears?"

The 'chrome://flags/#cross-origin-embedder-policy-credentialless' flag is related to a new Cross-Origin-Embedder-Policy feature released with Chrome 96. Google states that you can fix these bugs in some cases by setting the "chrome://flags/#cross-origin-embedder-policy-credentialless" flag to disabled. If you are affected by these issues, you can copy and paste the above chrome:// address into the Google Chrome address bar and press Enter. When the experimental flag appears, set it to Disabled and relaunch the browser when prompted.

Security

Cloudflare Blocked a Massive 2 Tbps DDoS Attack (techcrunch.com) 18

Cloudflare says it has blocked a distributed denial-of-service (DDoS) attack that peaked at just under 2 Tbps, making it one of the largest ever recorded. From a report: The internet company said in a blog post that the attack was launched from approximately 15,000 bots running a variant of the original Mirai code on exploited Internet of Things (IoT) devices and unpatched GitLab instances. The DDoS attack comes just two weeks after Rapid7 warned of a GitLab vulnerability -- rated a full 10.0 on the CVSS severity scale -- that could be exploited to allow an attacker to remotely run code, like botnet malware, on an affected server. Rapid7 found that at least half of the 60,000 internet-facing GitLab instances remain unpatched, and warned that it expected "exploitation to increase" as details of the bug became public. The company wasn't wrong; Cloudflare said it blocked the massive DDoS attack just one week later. From its analysis of the attack, Cloudflare believes that it was a multi-vector attack that combined both DNS amplification attacks along with UDP floods.
Firefox

Firefox Relay Offers Unlimited Email Aliases as Part of its New Premium Plan (engadget.com) 55

Mozilla launched Firefox Relay as a free product that gives you five email aliases you can use every time you need to sign up for a random account online. From a report: Now, the organization has introduced a paid Premium tier for the service that will give you access to even more aliases. You'll get your own subdomain (yourdomain.mozmail.com) when you subscribe, and you'll be able to create an unlimited number of emails. The tier will also give you access to a summary dashboard with the emails you make, the option to use your aliases when you reply to messages and a 150 kb attachment allowance. After you sign up for Relay, you'll have to install its Firefox extension to be able to take advantage of its features. Every time you visit a website that asks for an email address, the Relay icon will appear on your browser, and you can click it to generate a random address. The service will forward messages you get using your aliases to your primary email account, and you can block all messages from coming in or even delete the alias when it starts getting spam. Mozilla didn't say how much a Premium subscription will cost in the future, but it's offering the tier at an introductory price of $1/EUR1 per month for a limited time.
Botnet

Emotet Botnet Returns After Law Enforcement Mass-Uninstall Operation (therecord.media) 6

An anonymous reader quotes a report from The Record: The Emotet malware botnet is back up and running once again almost ten months after an international law enforcement operation took down its command and control servers earlier this year in January. The comeback is surprising because after taking over Emotet's server infrastructure, law enforcement officials also orchestrated a mass-uninstall of the malware from all infected computers on April 25, effectively wiping out the entire botnet across the internet.

[O]ver the weekend, security researcher Luca Ebach said he spotted that another malware botnet named TrickBot was helping the Emotet gang get back on its feet by installing the Emotet malware on systems that had been previously infected with TrickBot. "We used to call this Operation ReachAround back when Emotet was dropped by Trickbot in the past," a spokesperson for Cryptolaemus, a group of security researchers who tracked Emotet in the past, told The Record today. [...]

Cryptolaemus said that right now, the Emotet gang is not sending out any new email spam but relying on the TrickBot gang to help them create an initial footprint of their new botnet incarnation before ramping up spam operations again. But if Emotet's comeback will succeed remains to be seen. It would be very hard for Emotet to reach its previous size any time in the coming months; however, the malware strain itself remains a very sophisticated and capable threat that shouldn't be ignored.

Security

High Severity BIOS Flaws Affect Numerous Intel Processors (bleepingcomputer.com) 43

Intel has disclosed two high-severity vulnerabilities that affect a wide range of Intel processor families, allowing threat actors and malware to gain higher privilege levels on the device. BleepingComputer reports: The flaws were discovered by SentinelOne and are tracked as CVE-2021-0157 and CVE-2021-0158, and both have a CVSS v3 score of 8.2 (high). The former concerns the insufficient control flow management in the BIOS firmware for some Intel processors, while the latter relies on the improper input validation on the same component. These vulnerabilities could lead to escalation of privilege on the machine, but only if the attacker had physical access to vulnerable devices.

Intel hasn't shared many technical details around these two flaws, but they advise users to patch the vulnerabilities by applying the available BIOS updates. This is particularly problematic because motherboard vendors do not release BIOS updates often and don't support their products with security updates for long. Considering that 7th gen Intel Core processors came out five years ago, it's doubtful that MB vendors are still releasing security BIOS updates for them. As such, some users will be left with no practical way to fix the above flaws. In these cases, we would suggest that you set up a strong password for accessing the BIOS settings.
Intel also released a separate advisory for a high-severity elevation of privilege flaw (CVE-2021-0146) that affects several car models that use the Intel Atom E3900. "Intel has released a firmware update to mitigate this flaw, and users will get it through patches supplied by the system manufacturer," the report says.
Security

HPE Says Aruba Customer Data Compromised After Data Breach (techcrunch.com) 2

HPE has confirmed that a "limited subset" of customer data was taken in a data breach involving its subsidiary Aruba Networks, a maker of networking equipment. From a report: The enterprise technology giant said in a statement that an unauthorized person used a private key to gain access to customer data stored in its Aruba Central cloud. HPE did not say how the hacker obtained the private key, but said the key allowed access to cloud servers in multiple regions where customer data was stored. HPE bought Aruba Networks in 2015 for $3 billion in cash. Aruba provides networking gear, like wireless access points, and network security for companies. Through its dashboard, Aruba Central, companies can centrally monitor and manage their Wi-Fi networks. It's the Wi-Fi data collected in Aruba Central that HPE said was compromised. HPE said two datasets were exposed: one for network analytics containing information about devices accessing a customer's Wi-Fi network, and a second dataset containing location data about devices on the network.
Encryption

Will Cryptocurrency Face a Quantum Computing Problem? (cnet.com) 68

"If current progress continues, quantum computers will be able to crack public key cryptography," writes CNET, "potentially creating a serious threat to the crypto world, where some currencies are valued at hundreds of billions of dollars." If encryption is broken, attackers can impersonate the legitimate owners of cryptocurrency, NFTs or other such digital assets. "Once quantum computing becomes powerful enough, then essentially all the security guarantees will go out of the window," Dawn Song, a computer security entrepreneur and professor at the University of California, Berkeley, told the Collective[i] Forecast forum in October. "When public key cryptography is broken, users could be losing their funds and the whole system will break...."

"We expect that within a few years, sufficiently powerful computers will be available" for cracking blockchains open, said Nir Minerbi, CEO of quantum software maker Classiq Technologies.

The good news for cryptocurrency fans is the quantum computing problem can be fixed by adopting the same post-quantum cryptography technology that the computing industry already has begun developing. The U.S. government's National Institute of Standards and Technology, trying to get ahead of the problem, is several years into a careful process to find quantum-proof cryptography algorithms with involvement from researchers around the globe. Indeed, several cryptocurrency and blockchain efforts are actively working on quantum resistant software...

A problem with the post-quantum cryptography algorithms under consideration so far, though, is that they generally need longer numeric encryption keys and longer processing times, says Peter Chapman, CEO of quantum computer maker IonQ. That could substantially increase the amount of computing horsepower needed to house blockchains...

The real quantum test for cryptocurrencies will be governance structures, not technologies, says Hunter Jensen, chief technology officer of Permission.io, a company using cryptocurrency for a targeted advertising system... "It will be the truly decentralized currencies which will get hit if their communities are too slow and disorganized to act," said Andersen Cheng, chief executive at Post Quantum, a London-based company that sells post-quantum encryption technology.

Government

FBI Website Exploit Leads To Spam-Blast 'From' FBI.gov (krebsonsecurity.com) 14

Long-time Slashdot reader davidwr brings news of "an exploit in the FBI's Law Enforcement Enterprise Portal web site that would let anyone send an email to any arbitrary recipient..."

Security researcher Brian Krebs reports: Late in the evening of November 12 ET, tens of thousands of emails began flooding out from the FBI address eims@ic.fbi.gov, warning about fake cyberattacks.

Around that time, KrebsOnSecurity received an email from the same email address. "Hi its pompompurin," read the message. "Check headers of this email it's actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks." A review of the email's message headers indicated it had indeed been sent by the FBI, and from the agency's own Internet address. The domain in the "from:" portion of the email I received — eims@ic.fbi.gov — corresponds to the FBI's Criminal Justice Information Services division (CJIS).

According to the Department of Justice... "CJIS systems are available to the criminal justice community, including law enforcement, jails, prosecutors, courts, as well as probation and pretrial services..."

In an interview with KrebsOnSecurity, Pompompurin said the hack was done to point out a glaring vulnerability in the FBI's system. "I could've 1000% used this to send more legit looking emails, trick companies into handing over data etc.," Pompompurin said.

Instead Pompompurin apparently sent emails with the subject line, "Urgent: Threat actor in systems," with the body (apparently from eims@ic.fbi.gov) warning that "Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack...." The email then blames the real-world founder of two dark web intelligence companies (apparently the subject of a long standing feud with Pompompurin's community), and ultimately closes with the words "Stay safe, U.S. Department of Homeland Security — Cyber Threat Detection and Analysis — Network Analysis Group."

The FBI issued a statement in response to the incident — saying "The impacted hardware was taken offline quickly upon discovery of the issue."
Businesses

Costco Disclosed Data Breach After Finding Credit Card Skimmer (bleepingcomputer.com) 17

Costco Wholesale Corporation has warned customers in notification letters sent this month that their payment card information might have been stolen while recently shopping at one of its stores. BleepingComputer reports: Costco discovered the breach after finding a payment card skimming device in one of its warehouses during a routine check conducted by Costco personnel. The company removed the device, notified the authorities, and is now working with law enforcement agents who are investigating the incident. "We recently discovered a payment card skimming device at a Costco warehouse you recently visited," Costco told potentially impacted customers in breach notification letters. "Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating."

Costco added that individuals impacted by this incident might have had their payment information stolen if those who planted the card theft device were able to gain access to the info before the skimmer was found and removed. "If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date, and CVV," Costco revealed. The retailer advised the customers to monitor their bank and credit card statements for fraudulent charges and report suspicious transactions to relevant financial institutions. Data breach notification letters sent to affected individuals did not disclose the total number of impacted customers or the warehouse location where the skimmer device was found.
