{"id":22776,"date":"2021-01-03T13:56:33","date_gmt":"2021-01-03T21:56:33","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=22776"},"modified":"2021-01-03T13:56:33","modified_gmt":"2021-01-03T21:56:33","slug":"sb-2021-01-03","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/01\/sb-2021-01-03\/","title":{"rendered":"Security Bits \u2014 3 Jan 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>More Details Emerge on the SolarWinds Attack\n<ul>\n<li>As expected, the private sector was targeted too:\n<ul>\n<li><a href=\"https:\/\/www.theverge.com\/2020\/12\/21\/22194183\/intel-nvidia-cisco-government-infected-solarwinds-hack\">Big tech companies including Intel, Nvidia, and Cisco were all infected during\u00a0the SolarWinds hack \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.nytimes.com\/2020\/12\/31\/technology\/microsoft-russia-hack.html?searchResultPosition=1\">Microsoft Says Russian Hackers Viewed Some of Its Source Code \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/a-second-hacking-group-has-targeted-solarwinds-systems\/\">A second hacking group has targeted SolarWinds systems \u2014 www.zdnet.com\/\u2026<\/a><\/li>\n<li>A second vulnerability has been found in SolarWinds Orion, so US CISA has ordered government agencies to update again before the end of the year or shut down their Orion systems \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/cisa-says-update-software\/\">www.macobserver.com\/\u2026<\/a> <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Steve asked a question for Bart in our Slack <a href=\"https:\/\/podfeet.com\/slack\" rel=\"noopener\" target=\"_blank\">podfeet.com\/slack<\/a>:<\/p>\n<blockquote><p>\n  In your discussion of 
the SolarWinds attack in the latest Security Bits, you mentioned the attack only affected Windows domain networks, albeit that probably impacts a high percentage of businesses out there. I infer this means that the few organizations that are not using a Windows domain network are definitely not impacted by this attack, correct?\n<\/p><\/blockquote>\n<p>Bart answered:<\/p>\n<blockquote><p>\n  Not quite; remember SolarWinds Orion is just one vector being used by this specific Advanced Persistent Threat (Fancy Bear), albeit the most prominent one. If you\u2019re a valuable enough target to this APT you can\u2019t assume all is grand just because you don\u2019t run Orion\/Windows. CISA would have told you what to look for in the Indicators of Compromise. Secondly, while SolarWinds can be tightly integrated into Windows, it doesn&#8217;t only manage Windows.\n<\/p><\/blockquote>\n<p>Bruce Wilson also answered in our Slack:<\/p>\n<blockquote><p>\n  SolarWinds Orion often has high-level credentials, including Windows domain credentials, as well as SSH keys to log into privileged accounts on both Linux and network hardware. Orion runs on Windows but is used to monitor and manage servers (Windows and Linux), applications, and network gear. A lot depends on what accounts are given to Orion and what privileges are given to those accounts. Tailoring that access to give those accounts what&#8217;s needed and no more can be time-consuming. I&#8217;ve definitely seen people decide to just give the Orion accounts unrestricted sudo, rather than sort out exactly what commands it does need to run. And it matters a lot if someone is using Orion to just monitor or if they (were) using it to monitor and manage. 
So, the point here is that multiple adversaries compromised Orion and got the ability to run code as the Orion process, and (thereby) to use any credential to which Orion had access.\n<\/p><\/blockquote>\n<ul>\n<li>Discussion of Kernel Extensions (KEXTs)\n<ul>\n<li>Audio Capture Engine (ACE) from Rogue Amoeba is being treated like a KEXT (even though it is not a KEXT), so on macOS Big Sur we have to do the extreme dance where you boot into Recovery and reduce your security level to where you would have been in Catalina. But Paul Kafasis says you can put it back up after the installation.\n<ul>\n<li>Is this true for other extensions?<\/li>\n<li>Can you delete KEXTs? Steve&#8217;s example: needing a driver for a DJI Phantom.<\/li>\n<li>See <a href=\"https:\/\/www.maketecheasier.com\/add-remove-kexts-from-macos\/\">www.maketecheasier.com\/&#8230;<\/a>, but note that these instructions predate the new Big Sur security levels.<\/li>\n<li>Apple&#8217;s own kernel extensions live in \/System\/Library\/Extensions, which on Big Sur sits on the sealed, read-only system volume and cannot be edited; third-party kernel extensions are installed in \/Library\/Extensions. In either case, look for bundles ending in <code>.kext<\/code>.<\/li>\n<li>You may need to boot into Recovery to delete a bundle, but unloading is done from the running system: <code>kextstat<\/code> lists the loaded kernel extensions, and <code>sudo kextunload [full path to the kext]<\/code> (one word, not <code>kext unload<\/code>) unloads one. Unloading alone is not enough: unless the bundle is also removed, it will load again on the next boot.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/welpmagazine.com\/bill-melinda-gates-foundations-charity-getschooled-breaches-900k-childrens-details\/\">Bill &amp; Melinda Gates Foundation\u2019s Charity GetSchooled Breaches 900k Children\u2019s Details \u2014 welpmagazine.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/20201231-t-mobile-breach\/\">Latest T-Mobile Data Breach Exposes Customer Data \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>From Listener Lynda: <a href=\"https:\/\/www.msn.com\/en-us\/news\/crime\/fbi-warns-smart-devices-are-being-hacked-to-live-stream-swatting-incidents\/ar-BB1cnYTV\">FBI Warns 
Smart Devices Are Being Hacked to Live-Stream &#8216;Swatting&#8217; Incidents \u2014 www.msn.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/apple-hearing-study-unintentionally-collected-historical-data-users\">Apple Hearing Study unintentionally collected historical data from users \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1732395\">Corellium notches partial victory in Apple iOS copyright case \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/apple-shares-how-protect-your-device-and-data-abusers-and-stalkers\">Apple shares how to protect your device and data from abusers and stalkers \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>The physics of cameras and lenses like you&#8217;ve never seen it before \u2014 it&#8217;s a long read, but the article is peppered with interactive &#8216;diagrams&#8217; that really help you see what&#8217;s going on \u2014 <a href=\"https:\/\/ciechanow.ski\/cameras-and-lenses\/\">ciechanow.ski\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td 
align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
More Details Emerge on the SolarWinds Attack As expected, the private sector was targeted too: Big tech companies including Intel, Nvidia, and Cisco were all infected during\u00a0the SolarWinds hack \u2014 www.theverge.com\/\u2026 Microsoft Says [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4445,50,569],"class_list":["post-22776","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-kext","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22776","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=22776"}],"version-history":[{"count":8,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22776\/revisions"}],"predecessor-version":[{"id":22784,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22776\/revisions\/22784"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.p
odfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=22776"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=22776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=22776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
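The kernel-extension notes in the Feedback &amp; Followups section above say to look for .kext bundles and unload them from Terminal. The shell script below is an added example, not code from the Security Bits notes, from Rogue Amoeba or from Apple: it takes `kextstat` output, picks out every loaded extension that is not Apple's own (anything outside `com.apple.*`), and prints the matching `kextunload` commands in an order that respects dependencies, so you can review what would be unloaded before running anything. The `kextstat` sample embedded in it is constructed, not captured from a real Mac, and the `com.example.*` bundle identifiers are hypothetical.

```shell
#!/bin/sh
# Added example: list third-party kernel extensions from `kextstat` output
# and print the commands that would unload them. Not code from the
# Security Bits notes, Rogue Amoeba or Apple.
#
# SAMPLE_KEXTSTAT is a constructed sample in kextstat's column layout
# (Index Refs Address Size Wired Name (Version) UUID <Linked Against>);
# the com.example.* bundle identifiers are hypothetical.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  142 0xffffff7f80d2a000 0x8000     0x8000     com.apple.kpi.bsd (20.2.0) 11111111-1111-1111-1111-111111111111
   10    0 0xffffff7f80f00000 0x3000     0x3000     com.apple.driver.AppleHIDKeyboard (2.0) 22222222-2222-2222-2222-222222222222 <1>
  170    1 0xffffff7f83c1d000 0x5000     0x5000     com.example.usbdriver (2.3.1) 33333333-3333-3333-3333-333333333333 <1>
  171    0 0xffffff7f83c22000 0x9000     0x9000     com.example.usbdriver.helper (2.3.1) 44444444-4444-4444-4444-444444444444 <170 1>'

# Print "refs bundle-id" for every loaded kext whose bundle id is not
# Apple's own. Column 6 of kextstat is the bundle id; NR > 1 skips the
# header line.
third_party_kexts() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $2, $6 }'
}

# Emit the unload commands. kextunload refuses to unload a kext that other
# loaded kexts still link against (Refs > 0), so kexts with Refs == 0 are
# listed first and the ones they depend on come after them. Review the
# output before piping it to sh.
unload_commands() {
    third_party_kexts "$1" | sort -n | awk '{ print "sudo kextunload -b " $2 }'
}

# Stand-alone run against the constructed sample.
unload_commands "$SAMPLE_KEXTSTAT"
```

On a real Mac you would feed it live output, for example `unload_commands "$(kextstat)"`. Unloading removes a kext only from the running kernel; the bundle in /Library/Extensions has to be deleted as well, or it loads again at the next boot. On Big Sur, `kmutil showloaded` and `kmutil unload -b <bundle id>` supersede `kextstat` and `kextunload`, which still work but are deprecated.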