Tech News - Security

We have been humbled by the amazing response to our recent launch of Win-KeX. After its initial release, we asked ourselves if that is truly the limit of what we can achieve or could we pull off something incredible to mark the 25th anniversary of Hackers? What about “a second concurrent session as root”, “seamless desktop integration with Windows”, or – dare we dream – “sound”? With no further further ado, we are thrilled to present to you Win-KeX v2.0 with the following features: Win-KeX SL (Seamless Edition) – bye bye borders Sound support Multi-session support KeX sessions can be run as root Able to launch “kex” from anywhere – no more cd-ing into the Kali filesystem required Shared clipboard – cut and paste content between Kali and Windows apps The installation of Win-KeX is as easy as always: sudo apt upgrade && sudo apt install -y kali-win-kex (in a Kali WSL installation) Win-KeX now supports two dedicated modes: Win-KeX Window mode is the classic Win-KeX look and feel with one dedicated window for the Kali Linux desktop. To launch Win-KeX in Window mode with sound support, type: kex --win -s Win-KeX SL mode provides a seamless integration of Kali Linux into the Windows desktop with the Windows Start menu at the bottom and the Kali panel at the top of the screen. All applications are launched in their own windows sharing the same desktop as Windows applications. kex --sl --s To enable sound: Start Win-KeX with the --sound or -s command line parameter. We’ve been watching Blu-rays in Win-KeX SL without problems. Why you ask? Because – now we can ;-) Win-KeX now supports concurrent sessions Win-KeX as unprivileged user Win-KeX as root user Win-KeX SL Windows Firewall Both SL mode and sound support require access through the Windows Defender firewall. When prompted, tick “Public networks”. You can later go to the firewall settings and restrict the scope to the WSL network (usually 172.3x.xxx.0/20) Manpage Forgotten that lifesaving parameter? Try: kex --help for a quick overview, or consult the manual page for a detailed manual: man kex Big shout-out to the authors of the following components without which there would be no Win-KeX: Win-KeX Win is brought to you by TigerVNC Win-KeX SL utilizes VcXsr Windows X Server Sound support is achieved through the integration of PulseAudio. Further Information: More information can be found on our documentation site. We hope you enjoy Win-KeX as much as we do and we’d love to see you around in the Kali Forums

Its that time of year again, time for another Kali Linux release! Quarter #3 – Kali Linux 20202.3. This release has various impressive updates, all of which are ready for immediate download or updating. A quick overview of what’s new since the last release in May 2020: New Shell – Starting the process to switch from “Bash” to “ZSH“ The release of “Win-Kex” – Get ready WSL2 Automating HiDPI support – Easy switching mode Tool Icons – Every default tool now has its own unique icon Bluetooth Arsenal – New set of tools for Kali NetHunter Nokia Support – New devices for Kali NetHunter Setup Process – No more missing network repositories and quicker installs New Shell (Is Coming) Most people who use Kali Linux, (we hope), are very experienced Linux users. As a result, they feel very comfortable around the command line. We understand that “shells” are a very personal and precious thing to everyone (local or remote!), as that is how most people interact with Kali Linux. To the point where lots of experienced users only use a “GUI” to spin up multiple terminals. By default, Kali Linux has always used “bash” (aka “Bourne-Again SHell”) as the default shell, when you open up a terminal or console. Any seasoned Kali user would know the prompt kali@kali:~$ (or root@kali:~# for the older users!) very well! Today, we are announcing the plan to switch over to ZSH shell. This is currently scheduled to be the default shell in 2020.4 (for this 2020.3 release, bash will still be the default). If you have a fresh default install of Kali Linux 2020.3, you should have ZSH already installed (if not, do sudo apt install -y zsh zsh-syntax-highlighting zsh-autosuggestions), ready for a try. However if you installed an earlier version of Kali Linux and have upgraded to 2020.3, your user will be lacking the default ZSH configuration that we cooked with lots of love. So for upgrade users only, make sure to copy the configuration file: kali@kali:~$ cp /etc/skel/.zshrc ~/ kali@kali:~$ Then all you need to do is switch to ZSH: kali@kali:~$ zsh ┌──(kali㉿kali)-[~] └─$ If you like what you see, you can set ZSH as your default (replacing bash) by doing chsh -s /bin/zsh. Which is what we will be doing in 2020.4. We wanted to give the community a notice before this switch happens. This is a very large change (some may argue larger than the Gnome to Xfce switch last year). We are also looking for feedback. We hope we have the right balance of design and functionality, but we know these typically don’t get done perfect the first time. And, we don’t want to overload the default shell with too many features, as lower powered devices will then struggle or it may be hard to on the eyes to read. ZSH has been something we have wanted to do for a long time (even before the switch over to Xfce!). We will be doing extensive testing during this next cycle so we reserve the right to delay the default change, or change direction all together. Again, we encourage you to provide feedback on this process. There is no way we can cover every use case on our own, so your help is important. Q.) Why did you make the switch? What’s wrong with bash? A.) You can do a lot of advanced things with bash, and customize it to do even more, but ZSH allows you to do even more. This was one really large selling point. Q.) Why did you pick ZSH and not fish? A.) In the discussion of switching shells, one of the options that came up is Fish (Friendly Interactive SHell). Fish is a nice shell (probably nicer than ZSH), but realistically it was not a real consideration due to the fact that it is not POSIX compatible. This would cause a lot of issues, as common one-liners just won’t work. Q.) Are you going to use any ZSH frameworks (e.g. Oh-My-ZSH or Prezto)? A.) At this point in time, by default, no. The weight of these would not be workable for lower powered devices. You can still install them yourself afterwards (as many of our team do). Win-KeX Having Kali Linux on “Windows Subsystem for Linux” (WSL) is something we have been taking advantage of since it came out. With the release of WSLv2, the overall functionality and user experience improved dramatically. Today, the experience is improving once more with the introduction of Win-KeX (Windows + Kali Desktop EXperience). After installing it, typing in kex, or clicking on the button, Win-KeX will give you a persistent-session GUI. After getting WSL installed (there’s countless guides online, or you can follow ours), you can install Win-KeX by doing the following: sudo apt update && sudo apt install -y kali-win-kex Afterwards, if you want to make a shortcut, follow our guide, or you can just type in kex! On the subject of WSL (and this is true for Docker and AWS EC2) something we have seen a bit is after getting a desktop environment, people have noticed the tools are not “there”. This is because they are not included by default, to keep the image as small as possible. You either need to manually install them one by one, or grab the default metapackage to get all the tools from out-of-the-box: sudo apt install -y kali-linux-default Please note, Win-KeX does require WSL v2 on x64 as it’s not compatible with WSL v1, or arm64. For more information, please see our documentation page Automating HiDPI HiDPI displays are getting more and more common. Unfortunately, Linux support, out of the box, hasn’t been great (older Linux users may remember a time where this was very common for a lot of hardware changes.). Which means after doing a fresh install, there is a bit of tweaking required to get it working, otherwise the font/text/display may be very small to read. We have had a guide out explaining the process required to get it working, but the process before was a little “fiddly”. We wanted to do better. So we made kali-hidpi-mode. Now, either typing in kali-hidpi-mode or selecting it from the menu (as shown below), should automate switching between HiDPI modes. Tool Icons Over the last few releases, we have been showing the progress on getting more themed icons for tools. We can now say, if you use the default tool listing (kali-linux-default), every tool in the menu (and then a few extra ones!), should have their own icon now. We will be working on adding missing tools to the menu (and creating icons for them) over the next few releases of Kali, as well as expanding into the kali-linux-large metapackage (then kali-tools-everything). We also have plans for these icons, outside of the menu – more information in an upcoming release! Kali NetHunter Bluetooth Arsenal We are proud to introduce Bluetooth Arsenal by yesimxev from the Kali NetHunter team. It combines a set of bluetooth tools in the Kali NetHunter app with some pre-configured workflows and exciting use cases. You can use your external adapter for reconnaissance, spoofing, listening to and injecting audio into various devices, including speakers, headsets, watches, or even cars. Please note that RFCOMM and RFCOMM tty will need to be enabled in kernels from now on to support some of the tools. Kali NetHunter for Nokia Phones Kali NetHunter now supports the Nokia 3.1 and Nokia 6.1 phones, thanks to yesimxev. Images are available on our download site. Please note that those images contain a “minimal Kali rootfs” due to technical reasons but you can easily install all the default tools via sudo apt install -y kali-linux-default. Setup Process The full installer image always had all the packages required for an offline installation but if you installed a Kali Linux system with this image and without disabling the network, the installer would automatically run dist-upgrade during the install. This is done to make sure that you have the latest packages on first boot. And that step can take a very long time, especially after a few months after a release when lots of updates have accumulated. Starting with 2020.3, we disabled the network mirror in the full installer so that you always get the same installation speed, and the same packages and versions for that release – just make sure to update after installing! Whilst we were at it, we fixed another related issue. If you didn’t have network access (either voluntarily or otherwise) during installation, you would get an empty network repository (/etc/apt/sources.list). This means, you would not be able to use apt to install additional packages. While there might be some users who will never have network, we believe that it’s best to actually configure that file in all cases. So that’s what we did. By default, any fresh installs going forward after 2020.3 will have network repositories pre-defined. ARM Device Updates We have (along with the work of Francisco Jose Rodríguez Martos who did a lot of the back end changes) refreshed our build-scripts for our ARM devices. We pre-generated various different ARM images (as of 2020.3 – 19 images) to allow for quick download and deployment, but we have build scripts for more (as of 2020.3 – 39 images). If your device is not one of ones that we release images for, you’ll need to use the scripts to self generate the image. Notable changes in ARM’s 2020.3 release: All of the ARM images come with kali-linux-default metapackage installed, bringing them in line with the rest of our releases, so more tools are available when you first boot We have reduced the size of all our ARM images that are created, so downloads should be smaller. However, you will still need to use at least a 16GB sdcard/USB drive/eMMC Pinebook and Pinebook Pro images can now be used on either sdcard or eMMC The Pinebook image now has the WiFi driver built during image creation, instead of on first boot, this should speed up first boot time massively The Pinebook Pro has a change from the upstream firmware, which changes ccode=DE to ccode=all – this allows access to more 2.4GHz and 5GHz channels The 64-bit RaspberryPi images now have the RaspberryPi userland utilities built during image creation, so vcgencmd and various other utilities that were previously only available on the 32-bit image are now usable on 64-bit as well The ODROID-C2 image now uses the Kali kernel, instead of a vendor provided one. This means in the future, an apt dist-upgrade will get you kernel updates instead of waiting for a new Kali release The /etc/fstab file now includes the root partition via UUID, this should make it easier when trying to use a USB drive instead of sdcard on devices that support it A few things which are work in progress: RaspberryPi images are using 4.19 kernels. We would like to move to 5.4 however, nexmon isn’t working properly with it (as the new kernel requires firmware version => 7.45.202) for which no nexmon patch exists yet There is a new USBArmory Mk2 build script. We don’t have the hardware to test it however, so we are looking for community feedback who is able to test it out Veyron image will be released at a later date to kernel issues that haven’t yet been tracked down Desktop Environment As there has been minor update to Gnome, we have been taking some advantages of the new settings: GNOME’s file manager nautilus has a new theme GNOME’s system-monitor now matches the colors and also has stacked CPU charts Improved the design for “nested headerbars” (example, in the Settings Window, where the left headerbar is joined with the side-navbar) Community Shoutouts A new section in the release notes, community shoutouts. These are people from the public who have helped Kali and the team for the last release. And we want to praise them for their work (we like to give credit where due!): Crash who has been helping the community for some time now, thank you! FrangaL who has been doing some great work with Kali Linux ARM, thank you! Anyone can help out, anyone can get involved! Download Kali Linux 2020.3 Fresh Images So what are you waiting for? Start downloading already! Seasoned Kali Linux users are already aware of this, but for the ones who are not, we do also produce weekly builds that you can use as well. If you can’t wait for our next release and you want the latest packages when you download the image, you can just use the weekly image instead. This way you’ll have fewer updates to do. Just know these are automated builds that we don’t QA like we do our standard release images. But we gladly take bug reports about those images because we want any issues to be fixed before our next release. Existing Upgrades If you already have an existing Kali Linux installation, remember you can always do a quick update: kali@kali:~$ echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" | sudo tee /etc/apt/sources.list kali@kali:~$ kali@kali:~$ sudo apt update && sudo apt -y full-upgrade kali@kali:~$ kali@kali:~$ [ -f /var/run/reboot-required ] && sudo reboot -f kali@kali:~$ You should now be on Kali Linux 2020.3. We can do a quick check by doing: kali@kali:~$ grep VERSION /etc/os-release VERSION="2020.3" VERSION_ID="2020.3" VERSION_CODENAME="kali-rolling" kali@kali:~$ kali@kali:~$ uname -v #1 SMP Debian 5.7.6-1kali2 (2020-07-01) kali@kali:~$ kali@kali:~$ uname -r 5.7.0-kali1-amd64 kali@kali:~$ NOTE: The output of uname -r may be different depending on the system architecture. As always, should you come across any bugs in Kali, please submit a report on our bug tracker. We’ll never be able to fix what we don’t know is broken! And Twitter is not a Bug Tracker!

On Wednesday, security researchers from the University of New Mexico disclosed a vulnerability impacting most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. This Linux vulnerability can be exploited by an attacker to determine if a user is connected to a VPN and to hijack VPN connections. The researchers shared that this security flaw tracked as CVE-2019-14899, “allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website." Additionally, attackers can determine the exact sequence and acknowledgment numbers by counting encrypted packets or by examining their size. With this information in hand, they can inject arbitrary data payloads into IPv4 and IPv6 TCP streams. What systems are affected by this Linux vulnerability While testing for this vulnerability, the researchers found that it did not affect any Linux distribution prior to Ubuntu 19.10. They further noted that all distributions that use 'systemd' versions released after November 28, 2018, that have their rp_filter (reverse path filtering) set to “loose” by default are vulnerable. Here’s a non-exhaustive list of systems that the researchers found vulnerable: Ubuntu 19.10 (systemd) Fedora (systemd) Debian 10.2 (systemd) Arch 2019.05 (systemd) Manjaro 18.1.1 (systemd) Devuan (sysV init) MX Linux 19 (Mepis+antiX) Void Linux (runit) Slackware 14.2 (rc.d) Deepin (rc.d) FreeBSD (rc.d) OpenBSD (rc.d) Attacks exploiting this Linux vulnerability works against OpenVPN, WireGuard, and IKEv2/IPSec. However, the team noted they were able to make all the inferences even when the responses from the victim were encrypted. Regardless of what VPN technology you are using, the size and number of packets sent were enough to find the kind of packets are being sent through the encrypted VPN tunnel. In response to the public disclosure, Jason A. Donenfeld, the creator of the WireGuard, clarified that "this isn't a WireGuard vulnerability, but rather something in the routing table code and/or TCP code on affected operating systems." He added, “However, it does affect us, since WireGuard exists on those affected OSes.” A network security consultant Noel Kuntze also said in a reply to the disclosure report that only route-based VPN implementations are impacted by this Linux vulnerability. The researchers have also shared a few mitigation strategies including turning reverse path filtering on, using bogon filtering, and encrypting packet size and timing. You can check out the full disclosure report of this Linux vulnerability for further details. StackRox Kubernetes Security Platform 3.0 releases with advanced configuration and vulnerability management capabilities An unpatched vulnerability in NSA’s Ghidra allows a remote attacker to compromise exposed systems 10 times ethical hackers spotted a software vulnerability and averted a crisis

Yesterday, ZDNet reported that the Python security team removed two fake Python libraries from PyPI (Python Package Index). These libraries were caught stealing SSH and GPG keys from the Python projects. As per ZDNet, the two malicious clones were discovered by a German software developer Lukas Martini on 1st Dec. Both libraries were removed on the same day after Martini notified the developers and the PyPI security team. The two libraries were created by the same developer and mimicked as other more popular libraries -- using a technique called typosquatting, to register similar-looking names. The first is "python3-dateutil," which imitated the popular "dateutil" library. The second is "jeIlyfish" (here the first L is an I), which mimicked the "jellyfish" library. One of them was uploaded on Pypi two days before while the other one was live for more than a year. Purpose of stealing SSH and GPG keys According to Martini, the malicious code was present only in the jeIlyfish library. The python3-dateutil package didn't contain malicious code of its own, but it did import the jeIlyfish library, meaning it was malicious by association. The malicious code read a list of hashes stored in a GitLab repository. The nature and purpose of these hashes is unknown, as neither Martini or the PyPI team detailed the behavior of stealing the keys before the library was removed. ZDNet spoke to Paul Ganssle from the dateutil dev team, "The code directly in the `jeIlyfish` library downloads a file called 'hashsum' that looks like nonsense from a gitlab repo, then decodes that into a Python file and executes it," Ganssle states. "It looks like [this file] tries to exfiltrate SSH and GPG keys from a user's computer and sends them to this IP address: http://68.183.212.246:32258. It also lists a bunch of directories, home directory, PyCharm Projects directory," Ganssle added. "If I had to guess what the purpose of that is, I would say it's to figure out what projects the credentials work for so that the attacker can compromise that person's projects." Python developers advised to review projects Excluding the malicious code, both typosquatted packages were identical copies of the original libraries, meaning they would have worked as the originals. Developers who didn't pay attention to the libraries they downloaded or imported into their projects are advised to check if they've used the correct package names and did not accidentally use the typosquatted versions. If they accidentally used any of the two, developers must change all SSH and GPG keys which they've used over the past year. This is the third time the PyPI team intervenes to remove typo-squatted malicious Python libraries from the official repository. Similar incidents took place recently in July 2019 and another in October 2018 and September 2017. On this news, developers on Hacker News discuss about this as an OS issue. One of the user comments, “I don't know what the solution is but it feels like this is a much bigger issue and we need some rethinking of how OSes work by default. Apple has taken some steps it seems the last 2 MacOS updates where they block access to certain folders for lots of executables until the user specifically gives that permission. Unfortunately for things like python the permission is granted to the Terminal app so once given, all programs running under the terminal inherit the permissions. Microsoft has started adding short life VMs. No idea if that's good. Both MS and Apple offer their App stores with more locked down experiences though I'm sad they conflate app security and app markets. Basically anytime I run any software, everytime I run "make" or "npm install" or "pip install" or download a game on Steam etc I'm having to trust 1000s of strangers they aren't downloading my keys, my photos, my docs, etc...I think you should be in control of your machine but IMO it's time to default to locked down instead of defaulting to open.” Introducing Spleeter, a Tensorflow based python library that extracts voice and sound from any music track SatPy 0.10.0, python library for manipulating meteorological remote sensing data, released Meet Pypeline, a simple python library for building concurrent data pipelines

Yesterday Wladimir Palant, the creator of AdBlock Plus, reported that Mozilla removed four Firefox extensions made by Avast and its subsidiary AVG. Palant also found credible reports about the extensions harvesting user data and browsing histories. The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. The first two are extensions that show warnings when navigating to known malicious or suspicious sites, while the last two are extensions for online shoppers, showing price comparisons, deals, and available coupons. Avast and AVG extensions were caught in October Mozilla removed the four extensions from its add-ons portal after receiving a report from Palant. Palant analyzed the Avast Online Security and AVG Online Security extensions in late October and found that the two were collecting much more data than they needed to work -- including detailed user browsing history, a practice prohibited by both Mozilla and Google. He published a blog post on October 28, detailing his findings, but in a blog post dated today, he says he found the same behavior in the Avast and AVG SafePrice extensions as well. On his original blog post Mozilla did not intervene to take down the extensions. Palant reported about it again to Mozilla developers yesterday and they removed all four add-ons within 24 hours. “The Avast Online Security extension is a security tool that protects users online, including from infected websites and phishing attacks,” an Avast spokesperson told ZDNet. “It is necessary for this service to collect the URL history to deliver its expected functionality. Avast does this without collecting or storing a user's identification.” “We have already implemented some of Mozilla's new requirements and will release further updated versions that are fully compliant and transparent per the new requirements,” the Avast spokesperson said. “These will be available as usual on the Mozilla store in the near future.” Extensions still available on Chrome browser The four extensions are still available on the Chrome Web Store according to Palant. "The only official way to report an extension here is the 'report abuse' link," he writes. "I used that one of course, but previous experience shows that it never has any effect. "Extensions have only ever been removed from the Chrome Web Store after considerable news coverage," he added. On Hacker News, users discussed Avast extensions creepily trick browsers to inspect tls/ssl packets. One on the users commented, “Avast even does some browser trickery to then be able to inspect tls/ssl packets. Not sure how I noticed that on a windows machine, but the owner was glad to uninstall it. As said on other comments, the built-in windows 10 defender AV is the least evil software to have enabled for somewhat a protected endpoint. The situation is desperate for AV publishers, they treat customers like sheep, the parallel with mafia ain't too far possible to make. It sorts of reminds me 20 years back when it was common discussion to have on how AV publishers first deployed a number of viruses to create a market. The war for a decent form of cyber security and privacy is being lost. It's getting worse every year. More money (billions) is poured into it. To no avail. I think we got to seriously show the example and reject closed source solutions all together, stay away from centralized providers, question everything we consume. The crowd will eventually follow.” Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2 Mozilla Thunderbird 78 will include OpenPGP support, expected to be released by Summer 2020 Mozilla introduces Neqo, Rust implementation for QUIC, new http protocol

Last month, two security researchers, Noam Rotem and Ran Locar found an unprotected database managed by TrueDialog. The database exposed tens of millions of SMS text messages exchanged between businesses and their customers. TrueDialog is a US-based SMS text service provider for enterprise businesses and higher education. Its cloud-based texting platform enables users to send both one-to-one as well as bulk messages to customers. What data TrueDialog’s database exposed Along with millions of sent and received text messages, this database included phone numbers, marketing messages from businesses with discount codes, job alerts, and more. Some of the two-way messages had a unique conversation code using which anyone would be able to read the entire thread of conversations. What concerning is that there were also text messages with sensitive information. As per TechCrunch, the database included “two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts.” TechCrunch further shared that the database also included messages containing codes to access online medical services, password reset and login codes for sites including Facebook and Google, and usernames and passwords of TrueDialog’s customers. TrueDialog took the database offline shortly after being contacted by TechCrunch. However, the company’s chief executive John Wright did not acknowledge the breach or gave any clarity on whether TrueDialog will be informing this to its customers. This is another case of companies being negligent towards their customers’ data. In October this year, an Elasticsearch server, allegedly belonging to two data enrichment companies exposed the personal information of nearly 1.2 billion users. In another case, security researcher Oliver Hough discovered that printing company Vistaprint left an online database containing customer interactions unencrypted. Check out the report by Noam Rotem and Ran Locar to know more about TrueDialog data leak in detail. GDPR complaint in EU claim billions of personal data leaked via online advertising bids How to protect your VPN from Data Leaks DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants  

On November 26, the Kali Linux team announced its fourth and final release of 2019, Kali Linux 2019.4, which is readily available for download. A few features of Kali Linux 2019.4 include a new default desktop environment, Xfce; a new GTK3 theme (for Gnome and Xfce); Kali Undercover” mode, the kernel has been upgraded to version 5.3.9, and much more. Talking about ARM the team highlighted, “2019.4 is the last release that will support 8GB sdcards on ARM. Starting in 2020.1, a 16GB sdcard will be the minimum we support.” What’s new in Kali Linux 2019.4? New desktop environment, Xfce and GTK3 theme The much-awaited desktop environment update is here. The older versions had certain performance issues resulting in fractured user experience. To address this, they developed a new theme running on Xfce. Its lightweight design can run on all levels of Kali installs. The new theme can handle various needs of the average user with no changes. It uses standard UI concepts and there is no learning curve to it. It looks great with modern UI elements that make efficient use of screen space. Kali Undercover mode For pentesters doing their work in a public environment, the team has made a little script that will change the user’s Kali theme to look like a default Windows installation. This way, users can work a bit more incognito. “After you are done and in a more private place, run the script again and you switch back to your Kali theme. Like magic!”, the official blog post reads. BTRFS during setup Another significant new addition to the documentation is the use of BTRFS as a root file system. This gives users the ability to do file system rollbacks after upgrades. In cases when users are in a VM and about to try something new, they will often take a snapshot in case things go wrong. However, running Kali bare metal is not easy. There is also a manual clean up included. With BTRFS, users can have a similar snapshot capability on a bare metal install! NetHunter Kex – Full Kali Desktop on Android phones With NetHunter Kex, users can attach their Android devices to an HDMI output along with Bluetooth keyboard and mouse and get a full, no compromise, Kali desktop from their phones. To get a full breakdown on how to use NetHunter Kex, check out its official documents on the Kali Linux website. Kali Linux users are excited about this release and look forward to trying the newly added features. https://twitter.com/firefart/status/1199372224026861568 https://twitter.com/azelhajjar/status/1199648846470615040 To know more about other features in detail, read the Kali Linux 2019.4  official release on Kali Linux website. Glen Singh on why Kali Linux is an arsenal for any cybersecurity professional [Interview] Kali Linux 2019.1 released with support for Metasploit 5.0 Kali Linux 2018 for testing and maintaining Windows security – Wolf Halton and Bo Weaver [Interview]

Last month, Vinny Troia, the founder of Data Viper and Bob Diachenko, an independent cybersecurity consultant discovered a “wide-open” Elasticsearch server. The server exposed the personal information of about 1.2 billion unique users including their names, email addresses, phone numbers, LinkedIn and Facebook profile information. The Elasticsearch server did not have any kind of authentication whatsoever and was accessible via a web browser. "No password or authentication of any kind was needed to access or download all of the data," the report adds. What the investigation on the Elasticsearch server revealed Troia and Diachenko came across the Elasticsearch server while looking for exposures on the web scanning services BinaryEdge and Shodan. Upon further investigation, the researchers speculated that the data originated from two different data enrichment companies: People Data Labs and  OxyData.io. Data enrichment, as the name suggests, is a process of enhancing the existing raw data to make it useful for businesses. Data enrichment companies can provide access to large stores of data merged from multiple third-party sources, which enables businesses to gain deeper insights into their current and potential customers. Elasticsearch stores its data in an index, which is similar to a ‘database’ in a relational database. The researchers found that the majority of the data spanned four separate data indexes, labeled “PDL” and “OXY”. Also, each user record was labeled with a “source” field that matched either PDL or Oxy, respectively. After the researchers de-duplicated the nearly 3 billion user records with the PDL index, they found roughly 1.2 billion unique people and 650 million unique email addresses. These numbers matched with the statistics provided by the company on their website. The data within the three PDL indexes included slightly varied information. While some focused on scraped LinkedIn information, email addresses and phone numbers, others included information on individual social media profiles such as a person’s Facebook, Twitter, and Github URLs. After analyzing the data under the OXY index, the researchers found scrape of LinkedIn data, including recruiter information. What made the case confusing was that the Elasticsearch server was hosted on Google Cloud Services, while People Data Labs appears to be using Amazon Web Services. When contacted about the Elasticsearch server, both the companies denied that the server belonged to them. In an interview with Wired, PDL co-founder Sean Thorne said, “The owner of this server likely used one of our enrichment products, along with a number of other data-enrichment or licensing services. Once a customer receives data from us, or any other data providers, the data is on their servers and the security is their responsibility. We perform free security audits, consultations, and workshops with the majority of our customers." This news sparked a discussion on Hacker News. While some users were stunned by the sheer negligence of leaving the Elasticsearch server wide-open, others were questioning the core business model of these companies. A user commented, “It has to exist on a private network behind a firewall with ports open to application servers and other es nodes only. Running things on a public IP address is a choice that should not be taken lightly. Clustering over the public internet is not a thing with Elasticsearch (or similar products).” “It's a tragedy that all of this data was available to anyone in a public database instead of.... checks notes... available to anyone who was willing to sign up for a free account that allowed them 1,000 queries. It seems like PDL's core business model is irresponsible regarding their stewardship of the data they've harvested,” another user added. Read the full report on Data Viper’s official website. Adobe confirms security vulnerability in one of their Elasticsearch servers that exposed 7.5 million Creative Cloud accounts Following Capital One data breach, GitHub gets sued and AWS security questioned by a U.S. Senator US Customs and Border Protection reveal data breach that exposed thousands of traveler photos and license plate images

Yesterday, Maddie Stone, a Security Researcher in the Google Project Zero team shared a detailed analysis of the use-after-free Android Binder vulnerability. The vulnerability, tracked under CVE-2019-2215 was being exploited in-the-wild affecting most Android devices manufactured before fall last year. Stone's post goes into detail about how they discovered this Android Binder vulnerability, its technical details, how it can be exploited, and its fix. Along with these details, she also shared that the Project Zero team is working on improving their approach of handling "in-the-wild" zero-day exploits under the mission "make zero-day hard." Their current approach is to hunt for bugs based on rumors or leads and patch the bug, perform variant analysis to find similar vulnerabilities and patch them. Finally, sharing the complete detailed analysis of the exploit with the community. The use-after-free Android Binder vulnerability The use-after-free Android Binder vulnerability is a local privilege escalation vulnerability that gives the attacker full read and write access to a vulnerable device. It is not new though. Back in 2017, Szybot, a syzkaller system reported it to both the Linux kernel and syzkaller-bugs mailing lists. In February 2018, it was patched in the Linux 4.14, Android 3.18, Android 4.4, and Android 4.9 kernels. The patch, however, never made it to the Android monthly security bulletin leaving many already released devices such as Pixel and Pixel 2 vulnerable to an exploit. Then in late summer 2019, the NSO Group, an Israel-based technology firm known for its Pegasus spyware, informed Project Zero about an Android zero-day exploit that was part of an attack chain that installed Pegasus spyware on target devices. Based on the details shared by the NSO Group Stone was able to track down the bug in Android Binder. Project Zero reported the Android Binder vulnerability to Android on September 27. In the report Stone has shared a list of devices that appear to be vulnerable: “Other devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated): 1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/) 2) Huawei P20 3) Xiaomi Redmi 5A 4) Xiaomi Redmi Note 5 5) Xiaomi A1 6) Oppo A3 7) Moto Z3 8) Oreo LG phones (run the same kernel according to the website) 9) Samsung S7, S8, S9 “ After reporting the Android Binder vulnerability to Android, the team publicly disclosed it on October 3 and three days later Android added updates to the October Android Security Bulletin. In a statement to the Project Zero team, Android shared, "Android partners were notified of the bug and provided updates to address it within 24 hours. Android also assigned CVE-2019-2215 to explicitly indicate that it represents a security vulnerability as the original report from syzkaller and the corresponding Linux 4.14 patch did not highlight any security implications.” The statement further reads, “Pixel 3 and 3a were already protected against these issues. Updates for affected Pixel devices were available to users as early as October 7th, 2019.” To read more about the exploit, check out Stone’s blog post: Bad Binder: Android In-The-Wild Exploit. Also, check out the proof-of-concept exploit that Stone wrote together with Jann Horn, a fellow team member. The PoC demonstrates how this vulnerability can be used to gain arbitrary read and write permissions when run locally. StackRox Kubernetes Security Platform 3.0 releases with advanced configuration and vulnerability management capabilities An unpatched vulnerability in NSA’s Ghidra allows a remote attacker to compromise exposed systems 10 times ethical hackers spotted a software vulnerability and averted a crisis  

On Tuesday, SaltStack, the creators of intelligent automation for IT operations and security teams, announced the general availability of SaltStack Protect. SaltStack Protect is for automated discovery and remediation of security vulnerabilities across web-scale infrastructure. It is a new product available in the SaltStack SecOps family of products and is an addition to SaltStack Comply. SaltStack Comply automates the work of continuous compliance and has been updated with new CIS Benchmark content and a new SDK for the creation of custom security checks. The SaltStack SecOps products provides a collaborative platform for both security and IT operations teams to help customers break down organizational silos, offset security and IT skills gaps and talent shortages. “The massive amount of coordination and work required to actually fix thousands of infrastructure security vulnerabilities as quickly as possible is daunting. Vulnerability assessment and management tools require integrated and automated remediation to close the loop on IT security. SaltStack Protect gives security operations teams the power to control, optimize, and secure the entirety of their IT infrastructure while helping teams collaborate to mitigate risk.” said Marc Chenn, SaltStack CEO. Key features in SaltStack Protect As per the team, SaltStack Protect automates the remediation of vulnerabilities by delivering closed-loop workflows to scan, detect, prioritize, and fix critical security threats. Other capabilities include: Native CVE scanning – SaltStack Protect scans for both on-premise and cloud systems to detect threats based on more than 12,000 CVEs across operating systems and infrastructure. Intelligent vulnerability prioritization – To assess and prioritize threats for remediation, SaltStack collects real-time data on the configuration state of every asset in an environment and combines it with vulnerability information from SaltStack Protect to accurately differentiate vulnerabilities that are exploitable from those that are not. Automated remediation – SaltStack Protect brings the power of automation to SecOps teams with an API-first solution that scans IT systems for vulnerabilities and then provides out-of-the-box automation workflows to remediate them. As per the company, SaltStack SecOps products are built on SaltStack enterprise delivering a single platform for frictionless collaboration between security and IT teams. This resulted in users having a 95% decrease in the time required to find and fix critical vulnerabilities. While traditional security scanning tools report vulnerabilities that operations teams must investigate, prioritize, test, fix, and then report back to security. SaltStack eliminates nearly all the manual steps associated with vulnerability remediation, potentially saving time, resources, and redundant tools to protect against critical vulnerabilities. SaltStack is used by many IT operations, DevOps and site reliability engineering organizations around the world such as IBM Cloud, eBay, and TD Bank. If you are interested to know more about this news, check out their official blog post. Additionally SaltStack Comply and SaltStack Protect are also available via subscription and you can schedule a trial demo too. DevSecOps and the shift left in security: how Semmle is supporting software developers [Podcast] Why do IT teams need to transition from DevOps to DevSecOps? 5 reasons poor communication can sink DevSecOps 2019 Deloitte tech trends predictions: AI-fueled firms, NoOps, DevSecOps, intelligent interfaces, and more Can DevOps promote empathy in software engineering?

Israel-based open source security and license compliance management company, WhiteSource, today announced its acquisition of Renovate, an open-source project for dependency updates. Renovate’s offerings will now be available for free under its new name, WhiteSource Renovate. WhiteSource Renovate will be integrated into the WhiteSource product portfolio, which includes WhiteSource Core and WhiteSource for Developers. More importantly, WhiteSource will now offer the existing paid offerings of Renovate for free: a GitHub app, a GitLab app, and a self-hosted solution, all under the WhiteSource Renovate umbrella. Why WhiteSource collaborated with Renovate? Renovate basically provides automatic dependency updates. Many third-party modules can introduce bugs and vulnerabilities in a product.  The only reliable risk mitigation strategy is to keep dependencies continuously patched. In such scenarios, Renovate runs continuously to detect the latest available versions. You receive automated Pull Requests whenever dependencies need updating. It can also define schedules to avoid unnecessary noise in projects (e.g. for weekends or outside of working hours, or weekly updates, etc). Multiple languages and file types are supported in order to detect dependencies wherever you use them. Acquiring a company like Renovate makes sense as it resonates with what WhiteSource already does. WhiteSource basically tracks vulnerabilities in open source packages. With Whitesource, organizations can track open source components in their code, identifying when there are vulnerabilities, and provide routes to fix them. Last month, WhiteSource announced that it has raised $35 million to expand the scope of its work. “We’re excited to add Renovate’s technology to the WhiteSource product line, and we’re looking forward to getting it into the hands of as many developers as possible,” said Rami Sass, CEO of WhiteSource. “ We’re proud that a tool for updating dependencies is itself open source and will ensure the project continues to extend its leadership in multi-platform and language support. Developers can now hopefully spend more time innovating and less time manually resolving security vulnerabilities or dependency updates.” GitHub acquires Semmle to secure open-source supply chain; attains CVE Numbering Authority status VMware signs definitive agreement to acquire Pivotal Software and Carbon Black MongoDB is going to acquire Realm, the mobile database management system, for $39 million

On Tuesday, at the ongoing Microsoft Ignite, Yubico, the leading provider of authentication and encryption hardware, announced the long-awaited YubiKey Bio. YubiKey Bio is the first YubiKey to support fingerprint recognition for secure and seamless passwordless logins. As per the team this feature has been a top requested feature from many of their YubiKey users. Key features in YubiKey Bio The YubiKey Bio delivers the convenience of biometric login with the added benefits of Yubico’s hallmark security, reliability and durability assurances. Biometric fingerprint credentials are stored in the secure element that helps protect them against physical attacks. As a result, a single, trusted hardware-backed root of trust delivers a seamless login experience across different devices, operating systems, and applications. With support for both biometric- and PIN-based login, the YubiKey Bio leverages the full range of multi-factor authentication (MFA) capabilities outlined in the FIDO2 and WebAuthn standard specifications. In keeping with Yubico’s design philosophy, the YubiKey Bio will not require any batteries, drivers, or associated software. The key seamlessly integrates with the native biometric enrollment and management features supported in the latest versions of Windows 10 and Azure Active Directory, making it quick and convenient for users to adopt a phishing-resistant passwordless login flow. “As a result of close collaboration between our engineering teams, Yubico is bringing strong hardware-backed biometric authentication to market to provide a seamless experience for our customers,” said Joy Chik, Corporate VP of Identity, Microsoft. “This new innovation will help drive adoption of safer passwordless sign-in so everyone can be more secure and productive.” The Yubico team has worked with Microsoft in the past few years to help drive the future of passwordless authentication through the creation of the FIDO2 and WebAuthn open authentication standards. Additionally they have built YubiKey integrations with the full suite of Microsoft products including Windows 10 with Azure Active Directory and Microsoft Edge with Microsoft Accounts. Microsoft Ignite attendees saw a live demo of passwordless sign-in to Microsoft Azure Active Directory accounts using the YubiKey Bio. The team also promises that by early next year, enterprise users will be able to authenticate to on-premises Active Directory integrated applications and resources. And provide seamless Single Sign-On (SSO) to cloud- and SAML-based applications. To take advantage of strong YubiKey authentication in Azure Active Directory environments, users can refer to this page for more information. On Hacker News, this news has received mixed reactions while some are in favour of the biometric authentication, others believe that keeping stronger passwords is still a better choice. One of them commented, “1) This is an upgrade to the touch sensitive button that's on all YubiKeys today. The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence). Now that touch sensitive button becomes a fingerprint reader, so it can't be activated by just anyone. 2) The computer/OS doesn't have to support anything for this added feature.” Another user responds, “A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else. I don't think this product is as useful as it seems at first glance. Using stronger passwords is probably just as safe.” Google updates biometric authentication for Android P, introduces BiometricPrompt API GitHub now supports two-factor authentication with security keys using the WebAuthn API You can now use fingerprint or screen lock instead of passwords when visiting certain Google services thanks to FIDO2 based authentication Microsoft and Cisco propose ideas for a Biometric privacy law after the state of Illinois passed one SafeMessage: An AI-based biometric authentication solution for messaging platforms

Researchers from the University of Electro-Communications in Tokyo and the University of Michigan released a paper on Monday, that gives alarming cues about the security of voice-control devices. In the research paper the researchers presented ways in which they were able to manipulate Siri, Alexa, and other devices using “Light Commands”, a vulnerability in in MEMS (microelectro-mechanical systems) microphones. Light Commands was discovered this year in May. It allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light. This vulnerability can become more dangerous as voice-control devices gain more popularity. How Light Commands work Consumers use voice-control devices for many applications, for example to unlock doors, make online purchases, and more with simple voice commands. The research team tested a handful of such devices, and found that Light Commands can work on any smart speaker or phone that uses MEMS. These systems contain tiny components that convert audio signals into electrical signals. By shining a laser through the window at microphones inside smart speakers, tablets, or phones, a far away attacker can remotely send inaudible and potentially invisible commands which are then acted upon by Alexa, Portal, Google assistant or Siri. Many users do not enable voice authentication or passwords to protect devices from unauthorized use. Hence, an attacker can use light-injected voice commands to unlock the victim's smart-lock protected home doors, or even locate, unlock and start various vehicles. Further researchers also mentioned that Light Commands can be executed at long distances as well. To prove this they demonstrated the attack in a 110 meter hallway, the longest hallway available in the research phase. Below is the reference image where team demonstrates the attack, additionally they have captured few videos of the demonstration as well. Source: Light Commands research paper. Experimental setup for exploring attack range at the 110 m long corridor The Light Commands attack can be executed using a simple laser pointer, a laser driver, and a sound amplifier. A telephoto lens can be used to focus the laser for long range attacks. Detecting the Light Commands attacks Researchers also wrote how one can detect if the devices are attacked by Light Commands. They believe that command injection via light makes no sound, an attentive user can notice the attacker's light beam reflected on the target device. Alternatively, one can attempt to monitor the device's verbal response and light pattern changes, both of which serve as command confirmation. Additionally they also mention that so far they have not seen any such cases where the Light Command attack has been maliciously exploited. Limitations in executing the attack Light Commands do have some limitations in execution: Lasers must point directly at a specific component within the microphone to transmit audio information. Attackers need a direct line of sight and a clear pathway for lasers to travel. Most light signals are visible to the naked eye and would expose attackers. Also, voice-control devices respond out loud when activated, which could alert nearby people of foul play. Controlling advanced lasers with precision requires a certain degree of experience and equipment. There is a high barrier to entry when it comes to long-range attacks. How to mitigate such attacks Researchers in the paper suggested to add an additional layer of authentication in voice assistants to mitigate the attack. They also suggest that manufacturers can attempt to use sensor fusion techniques, such as acquiring audio from multiple microphones. When the attacker uses a single laser, only a single microphone receives a signal while the others receive nothing. Thus, manufacturers can attempt to detect such anomalies, ignoring the injected commands. Another approach proposed is reducing the amount of light reaching the microphone's diaphragm. This can be possible by using a barrier that physically blocks straight light beams to eliminate the line of sight to the diaphragm, or by implementing a non-transparent cover on top of the microphone hole to reduce the amount of light hitting the microphone. However, researchers also agreed that such physical barriers are only effective to a certain point, as an attacker can always increase the laser power in an attempt to pass through the barriers and create a new light path. Users discuss photoacoustic effect at play On Hacker News, this research has gained much attention as users find this interesting and applaud researchers for the demonstration. Some discuss the laser pointers and laser drivers price and features available to hack the voice assistants. Others discuss how such techniques come to play, one of them says, “I think the photoacoustic effect is at play here. Discovered by Alexander Graham Bell has a variety of applications. It can be used to detect trace gases in gas mixtures at the parts-per-trillion level among other things. An optical beam chopped at an audio frequency goes through a gas cell. If it is absorbed, there's a pressure wave at the chopping frequency proportional to the absorption. If not, there isn't. Synchronous detection (e.g. lock in amplifiers) knock out any signal not at the chopping frequency. You can see even tiny signals when there is no background. Hearing aid microphones make excellent and inexpensive detectors so I think that the mics in modern phones would be comparable. Contrast this with standard methods where one passes a light beam through a cell into a detector, looking for a small change in a large signal. https://chem.libretexts.org/Bookshelves/Physical_and_Theoret... Hats off to the Michigan team for this very clever (and unnerving) demonstration.” Smart Spies attack: Alexa and Google Assistant can eavesdrop or vish (voice phish) unsuspecting users, disclose researchers from SRLabs How Chaos Engineering can help predict and prevent cyber-attacks preemptively An unpatched security issue in the Kubernetes API is vulnerable to a “billion laughs” attack Intel’s DDIO and RDMA enabled microprocessors vulnerable to new NetCAT attack Wikipedia hit by massive DDoS (Distributed Denial of Service) attack; goes offline in many countries

Last week, Google notified its users that the ‘stable channel’ desktop Chrome browser is being updated to version 78.0.3904.87 for Windows, Mac, and Linux and will be rolled out in the coming weeks. This comes after some external researchers found two high severity vulnerabilities in the Chrome web browser. The first zero-day vulnerability, assigned CVE-2019-13720, was found by two malware researchers Anton Ivanov and Alexey Kulaev from Kaspersky, a private internet security solutions company. This vulnerability is present in Chrome’s PDFium library. Google has confirmed that this vulnerability still “exists in the wild.” The other vulnerability CVE-2019-13721 was found by banananapenguin and affects Chrome's audio component. No exploitation of this vulnerability has been reported so far. Google has not revealed the technical details of both vulnerabilities. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” Both vulnerabilities are use-after-free vulnerabilities, which means that they have a type of memory flaw that can be leveraged by hackers to execute arbitrary code.  The Kaspersky researchers have named the CVE-2019-13720 vulnerability as Operation WizardOpium, as they have not been able to establish a definitive link of this vulnerability with any known threat actors.  According to Kaspersky, this vulnerability leverages a waterhole-style injection on a Korean-language news portal. This enabled a malicious JavaScript code to be inserted on the main page, which in turn, loads a profiling script from a remote site. The main index page then hosts a small JavaScript tag that loads the remote script. This JavaScript tag checks if the victim’s system can be infected by performing a comparison with the browser’s user agent.  The Kaspersky researchers say, “The exploit used a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker a Use-After-Free (UaF) condition that is very dangerous because it can lead to code execution scenarios, which is exactly what happens in our case.” The attacker can use this vulnerability to perform numerous operations to allocate/free memory along with other techniques that eventually give the attackers an arbitrary read/write primitive. This technique is used by attackers to create a “special object that can be used with WebAssembly and FileReader together to perform code execution for the embedded shellcode payload.” You can read Kaspersky detailed report for more information on the zero-day vulnerability. Adobe confirms security vulnerability in one of their Elasticsearch servers that exposed 7.5 million Creative Cloud accounts Mobile-aware phishing campaign targets UNICEF, the UN, and many other humanitarian organizations NordVPN reveals it was affected by a data breach in 2018

Last week, Adobe admitted of being the victim of a serious security incident exposing the personal information of nearly 7.5 million users. The information belonged to the company’s popular Creative Cloud service. Adobe Creative Cloud service has approximately 15 million subscribers, providing them access to a suite of popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects, and many others. The news was initially reported by security firm Comparitech. Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. They discovered that Adobe left an Elasticsearch server unsecured accessible on the web without any password or authentication required. The leak was plugged by Adobe after being alerted. The official statement from Adobe reads, “Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability”. The exposed database included details like: Email addresses Account creation date Which Adobe products they use Subscription status Whether the user is an Adobe employee Member IDs Country Time since last login Payment status Adobe also admitted that the data did not include passwords, payment or financial information. Although there were no such sensitive information in the database, the consequence of such exposure can be increased possibility of targeted phishing email and scams. “Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” Comparitech said. It’s therefore crucial that users turn on two-factor authentication to add a second layer of account protection. Adobe is no stranger to data privacy problems; in October 2013, company suffered a similar kind of data breach that impacted 38 million users. Additionally, 3 million encrypted customer credit cards and login credentials for an unknown number of users were exposed. The incident is not the only time instances of data breach headlines. In recent months, Ecuadorian, NordVPN, a popular Virtual Private Network and StockX, an online marketplace for buying and selling sneakers have had their users personal information left unprotected and exposed on the web. This clearly shows that tech companies still have a long way to go in order to achieve end to end secure networks and servers. Following Capital One data breach, GitHub gets sued and AWS security questioned by a U.S. Senator British Airways set to face a record-breaking fine of £183m by the ICO over customer data breach US Customs and Border Protection reveal data breach that exposed thousands of traveler photos and license plate images