Google Pays the Hackers, Facebook Shutting Down Facial Recognition, and Pegasus Banned
Friday, November 5th, 2021
Welcome to another edition of HN (Hacker News) Notes. Below you will find this week’s list of top articles that we felt needed to be shared.
There are no tools in this post for today… BUT next week we will be back at it!
Cheers!
William from Hacker News
General News for the Week
Google to Pay Hackers $31,337 for Exploiting Patched Linux Kernel Flaws
Google on Monday announced that it will pay security researchers to find exploits using vulnerabilities, previously remediated or otherwise, over the next three months as part of a new bug bounty program to improve the security of the Linux kernel.
To that end, the company is expected to issue rewards of $31,337 for a working privilege-escalation exploit of a patched vulnerability in a lab environment, an amount that can climb to $50,337 for exploits that use zero-day flaws in the kernel or other undocumented attack techniques.
Specifically, the program aims to uncover attacks that could be launched against Kubernetes-based infrastructure to defeat process isolation barriers (via NSJail) and break out of the sandbox to leak secret information.
The program is expected to last until January 31, 2022.
Facebook to Shut Down Facial Recognition System and Delete Billions of Records
Facebook's newly-rebranded parent company Meta on Tuesday announced plans to discontinue its decade-old "Face Recognition" system and delete a massive trove of more than a billion users' facial recognition templates as part of a wider initiative to limit the use of the technology across its products.
The Menlo Park tech giant described the about-face as "one of the largest shifts in facial recognition usage in the technology's history."
The shutdown, which is expected to take place over the coming weeks, will mean users who have previously opted into the setting will no longer be automatically recognized in Memories, photos and videos or see suggested tags with their name in photos and videos they may appear in. Furthermore, the company's Automatic Alt Text (AAT) tool, which creates image descriptions for visually impaired people, will no longer include the names of people identified in photos.
Facebook's discontinuing of the program comes in the wake of sustained privacy and ethical concerns raised by the use of facial recognition that it could be abused to target marginalized communities, further racial bias, and normalize intrusive surveillance, leading to government bans across a number of cities in the U.S. such as Boston, San Francisco, New Orleans, and Minneapolis, among others. In May 2021, Amazon announced it would indefinitely extend a moratorium on law enforcement's use of its facial recognition systems.
US Blacklists Pegasus Spyware Maker
NSO Group plans to fight the trade ban, saying it’s “dismayed” and clinging to the mantra that its tools actually help to prevent terrorism and crime.
NSO Group – the Israeli-based maker of the notorious, military-grade Pegasus spyware that’s been linked to cyberattacks against dissidents, activists and NGOs (and murders of journalists) at the hands of repressive regimes – has been blacklisted by the United States.
NSO Group is one of four spyware developers or traffickers that the U.S. Commerce Department added to its “Entity List” on Wednesday, effectively banning trade with the company. The list is used to restrict those deemed to pose a risk to the country’s national security or foreign policy.
Breaches and Leaks of the Week
Squid Game Crypto Scammers Rip Off Investors for Millions
Anti-dumping code kept investors from selling SQUID while scammers cashed out with millions.
Players in the Squid Game cryptocurrency market have been eliminated — at least their investment has — by what cryptocurrency watchers have called a classic “rug-pull” scam.
When SQUID tokens were first released last week, they were valued at a paltry $0.01 but promised entry into a game with the same premise as the Squid Game series from Netflix — players in desperate financial straits compete in a ruthless, deadly series of games for a shot at winning millions.
On Nov. 1 the price started escalating dramatically, but investors were blocked from selling SQUID by a so-called “anti-dumping mechanism.” Meanwhile, scammers cashed out, according to complaints received by CoinMarketCap. SQUID’s value peaked at $2,861.80 and dropped to zero within hours.
The intoxicating combination of a get-rich-quick cryptocurrency investment and Netflix's smash-hit show Squid Game was just too much for some investors to resist, and estimates from Gizmodo peg potential losses from the scam at around $3.38 million.
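The mechanism described above is easier to see in code than in prose. The following is an added example, not code from the original post or from the SQUID token itself: a toy token whose transfer hook rejects transfers into the liquidity pool (that is, sells) unless the sender is on an exemption list the deployer controls, paired with a constant-product swap pool. Every name, balance and trade below is constructed for illustration; the point is that buyers push the price up, cannot get out, and the one exempt address drains the pool.

```python
"""Toy simulation of a 'rug pull' built on an anti-dump transfer rule (constructed example)."""
from dataclasses import dataclass, field
from fractions import Fraction

POOL = "pool"  # label for the liquidity pool address


class SellBlocked(Exception):
    """Raised by the token's transfer hook when a non-exempt holder tries to sell."""


@dataclass
class AntiDumpToken:
    """ERC-20-like balances plus a 'before transfer' check that implements the trap."""
    balances: dict = field(default_factory=dict)
    exempt: set = field(default_factory=set)

    def balance_of(self, who):
        return self.balances.get(who, Fraction(0))

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + Fraction(amount)

    def transfer(self, sender, recipient, amount):
        amount = Fraction(amount)
        if self.balance_of(sender) < amount:
            raise ValueError(f"{sender}: insufficient balance")
        # The "anti-dumping mechanism": a transfer to the pool is a sell, and only
        # addresses the deployer exempted may sell. Buys never trip this check.
        if recipient == POOL and sender not in self.exempt:
            raise SellBlocked(f"{sender} may not transfer to the pool")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount


@dataclass
class ConstantProductPool:
    """x*y=k pool pairing the token against a quote asset (called ETH here)."""
    token: AntiDumpToken
    token_reserve: Fraction
    eth_reserve: Fraction

    def price(self):
        """Spot price in ETH per token."""
        return self.eth_reserve / self.token_reserve

    def buy(self, buyer, eth_in):
        """Swap ETH for tokens; tokens leave the pool, so the hook never fires."""
        eth_in = Fraction(eth_in)
        k = self.token_reserve * self.eth_reserve
        new_eth = self.eth_reserve + eth_in
        token_out = self.token_reserve - k / new_eth
        self.token.transfer(POOL, buyer, token_out)
        self.eth_reserve, self.token_reserve = new_eth, self.token_reserve - token_out
        return token_out

    def sell(self, seller, token_in):
        """Swap tokens for ETH; the transfer into the pool is where sells get blocked."""
        token_in = Fraction(token_in)
        k = self.token_reserve * self.eth_reserve
        self.token.transfer(seller, POOL, token_in)  # raises SellBlocked for non-exempt sellers
        new_tokens = self.token_reserve + token_in
        eth_out = self.eth_reserve - k / new_tokens
        self.token_reserve, self.eth_reserve = new_tokens, self.eth_reserve - eth_out
        return eth_out


def run_rug_pull():
    """Play the scenario through and return the numbers that matter."""
    token = AntiDumpToken()
    token.mint("deployer", 1_000_000)
    token.exempt.add("deployer")                 # deployer whitelists itself
    token.transfer("deployer", POOL, 500_000)    # seed the pool (allowed: exempt)
    pool = ConstantProductPool(token, Fraction(500_000), Fraction(10))
    start_price = pool.price()

    buys = [5, 20, 50, 100]                      # constructed retail inflows, in ETH
    for i, eth in enumerate(buys):
        pool.buy(f"investor{i}", eth)
    peak_price = pool.price()

    investor_blocked = False
    try:
        pool.sell("investor0", token.balance_of("investor0"))
    except SellBlocked:
        investor_blocked = True                  # state untouched: the hook ran first

    deployer_eth_out = pool.sell("deployer", token.balance_of("deployer"))
    return {
        "start_price": start_price,
        "peak_price": peak_price,
        "investor_sell_blocked": investor_blocked,
        "eth_paid_in": Fraction(sum(buys)),
        "deployer_eth_out": deployer_eth_out,
        "eth_left_in_pool": pool.eth_reserve,
        "final_price": pool.price(),
    }


if __name__ == "__main__":
    for name, value in run_rug_pull().items():
        print(f"{name:>22}: {float(value) if isinstance(value, Fraction) else value}")
```

The check a buyer could have made is the same one the simulation exposes: read the token's transfer function (or simply attempt a tiny sell) before buying. A transfer hook that treats the pool address specially, or an owner-controlled exemption list, is the tell.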
Pirate Sports Streamer Gets Busted, Pivots to MLB Extortion
An alleged sports content pirate is accused of not only hijacking leagues’ streams but also threatening to tell reporters how he accessed their systems.
Demanding payment in exchange for not publicly disclosing a vulnerability isn’t the same as a bug bounty program; it’s extortion.
A 30-year-old alleged sports content pirate in Minneapolis, Minn., is the subject of a criminal complaint alleging that he stole user account credentials and sold access to pirated sports content. According to the U.S. Department of Justice, once his site was shuttered, he went on to demand $150,000 from Major League Baseball in exchange for not telling reporters how he had accessed its systems.
The defendant, identified in a newly unsealed complaint (PDF) as Joshua Streit, allegedly operated a site called HeHeStreams that sold subscribers access to hijacked user accounts for Major League Baseball (MLB), the National Basketball Association (NBA), the National Football League (NFL) and National Hockey League (NHL) for about $129 a year, undercutting prices of legitimate sources.
FBI agent Joshua Williams said in the complaint that the pirate site operated from about 2017 to July 2021, drawing charges on two counts of computer intrusion, one count of wire fraud, and one count of illicit digital transmission.
Attacks of the Week
Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access
Cisco Systems has released security updates to address vulnerabilities in multiple Cisco products, including one in Cisco Policy Suite that could be exploited by an attacker to log in as the root user and take control of vulnerable systems.
Tracked as CVE-2021-40119, the vulnerability has been rated 9.8 in severity out of a maximum of 10 on the CVSS scoring system and stems from a hardcoded SSH key used by the key-based SSH authentication mechanism of Cisco Policy Suite.
"An attacker could exploit this vulnerability by connecting to an affected device through SSH," the networking major explained in an advisory, adding "A successful exploit could allow the attacker to log in to an affected system as the root user." Cisco said the bug was discovered during internal security testing.
A separate set of three vulnerabilities, patched in the same round of advisories, impacts the following Catalyst PON switches —
Catalyst PON Switch CGP-ONT-1P
Catalyst PON Switch CGP-ONT-4P
Catalyst PON Switch CGP-ONT-4PV
Catalyst PON Switch CGP-ONT-4PVC
Catalyst PON Switch CGP-ONT-4TVCW
Marco Wiorek of Hotzone GmbH has been credited with reporting these three PON switch vulnerabilities, which have been assigned the identifiers CVE-2021-34795 (CVSS score: 10.0), CVE-2021-40113 (CVSS score: 10.0), and CVE-2021-40112 (CVSS score: 8.6).
Also listed under this round of Cisco advisories:
CVE-2021-34739 (CVSS score: 8.1) - Cisco Small Business Series Switches session credentials replay vulnerability
CVE-2021-34741 (CVSS score: 7.5) - Cisco Email Security Appliance (ESA) denial of service vulnerability
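A hardcoded key of the kind behind the Policy Suite advisory has one observable symptom a fleet owner can hunt for without vendor help: the same key turns up on more than one installation. The script below is an added example, not Cisco's code or anything from the advisory; it groups hosts by the SHA256 fingerprint of the keys they present (host keys, as printed by `ssh-keyscan`) or accept (`authorized_keys` entries) and reports any key seen on more than one device. The hostnames and key blobs are constructed for the example and are not real keys.

```python
"""Fleet check for SSH keys shared across installations (constructed example)."""
import base64
import hashlib
import struct
from collections import defaultdict

# Prefixes of OpenSSH public key type names, used to locate the key blob in a line.
KEY_TYPE_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")


def ssh_fingerprint(key_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64 of the hash)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def extract_key(line):
    """Return (key_type, base64_blob) from a keyscan, known_hosts or authorized_keys
    line, skipping comments; options in front of the key type are tolerated."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#"):
        return None
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            return tok, parts[i + 1]
    return None


def keyscan_records(text):
    """`ssh-keyscan` lines are 'host keytype blob'; yield (host, kind, type, blob)."""
    for line in text.splitlines():
        key = extract_key(line)
        if key:
            yield (line.split()[0], "hostkey") + key


def authorized_keys_records(host, text):
    """authorized_keys lines carry no host, so the caller supplies it."""
    for line in text.splitlines():
        key = extract_key(line)
        if key:
            yield (host, "authorized") + key


def find_shared_keys(records):
    """Map (kind, key_type, fingerprint) -> sorted hosts, for keys seen on more than one host."""
    hosts = defaultdict(set)
    for host, kind, key_type, blob in records:
        hosts[(kind, key_type, ssh_fingerprint(blob))].add(host)
    return {k: sorted(v) for k, v in hosts.items() if len(v) > 1}


def fake_ed25519_blob(tag):
    """Constructed wire-format blob (string 'ssh-ed25519' + 32 bytes); NOT a real key."""
    name = b"ssh-ed25519"
    wire = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([tag]) * 32
    return base64.b64encode(wire).decode()


# Constructed inputs: three appliances present the same host key, a fourth has its own,
# and two of them also accept the same baked-in root key.
SAMPLE_KEYSCAN = "\n".join([
    "# cps-01.example:22 SSH-2.0-OpenSSH_7.4",
    f"cps-01.example ssh-ed25519 {fake_ed25519_blob(1)}",
    f"cps-02.example ssh-ed25519 {fake_ed25519_blob(1)}",
    f"cps-03.example ssh-ed25519 {fake_ed25519_blob(1)}",
    f"cps-04.example ssh-ed25519 {fake_ed25519_blob(2)}",
])
SAMPLE_AUTHORIZED_KEYS = {
    "cps-01.example": f"ssh-ed25519 {fake_ed25519_blob(3)} root@build-image",
    "cps-02.example": f'command="/bin/false" ssh-ed25519 {fake_ed25519_blob(3)} root@build-image',
    "cps-04.example": f"ssh-ed25519 {fake_ed25519_blob(4)} admin@laptop",
}


def demo():
    """Run the check over the constructed fleet and return the shared keys."""
    records = list(keyscan_records(SAMPLE_KEYSCAN))
    for host, text in SAMPLE_AUTHORIZED_KEYS.items():
        records.extend(authorized_keys_records(host, text))
    return find_shared_keys(records)


if __name__ == "__main__":
    for (kind, key_type, fp), hosts in demo().items():
        print(f"{kind:<10} {key_type} {fp} shared by {', '.join(hosts)}")
```

In practice, feed `keyscan_records` the output of `ssh-keyscan` over the appliance inventory and `authorized_keys_records` the files pulled from each device. A host key shared by several devices points at a key baked into the image; a shared `authorized_keys` entry means whoever holds that private key can log in everywhere it appears, which is the shape of the Policy Suite issue.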
Researchers Uncover 'Pink' Botnet Malware That Infected Over 1.6 Million Devices
Cybersecurity researchers disclosed details of what they say is the "largest botnet" observed in the wild in the last six years, infecting over 1.6 million devices primarily located in China, with the goal of launching distributed denial-of-service (DDoS) attacks and inserting advertisements into HTTP websites visited by unsuspecting users.
Qihoo 360's Netlab security team dubbed the botnet "Pink" based on a sample obtained on November 21, 2019, owing to a large number of function names starting with "pink."
Mainly targeting MIPS-based fiber routers, the botnet uses a combination of third-party services such as GitHub, peer-to-peer (P2P) networks, and central command-and-control (C2) servers for bot-to-controller communication, and encrypts those channels end to end so that the infected devices cannot be taken over by anyone else.
"Pink raced with the vendor to retain control over the infected devices, while vendor made repeated attempts to fix the problem, the bot master noticed the vendor's action also in real time, and made multiple firmware updates on the fiber routers correspondingly," the researchers said in an analysis published last week following coordinated action taken by the unspecified vendor and China's Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC).
More than 96% of the zombie nodes part of the "super-large-scale bot network" were located in China, Beijing-based cybersecurity company NSFOCUS noted in an independent report, with the threat actor breaking into the devices to install malicious programs by taking advantage of zero-day vulnerabilities in the network gateway devices. Although a significant chunk of the infected devices has since been repaired and restored to their previous state as of July 2020, the botnet is still said to be active, comprising about 100,000 nodes.
Critical Flaws Uncovered in Pentaho Business Analytics Software
Multiple vulnerabilities have been disclosed in Hitachi Vantara's Pentaho Business Analytics software that could be abused by malicious actors to upload arbitrary data files and even execute arbitrary code on the underlying host system of the application.
The security weaknesses were reported by researchers Alberto Favero from German cybersecurity firm Hawsec and Altion Malka from Census Labs earlier this year, prompting the company to issue necessary patches to address the issues.
The list of flaws, which affect Pentaho Business Analytics versions 9.1 and lower, is as follows -
CVE-2021-31599 (CVSS score: 9.9) - Remote Code Execution through Pentaho Report Bundles
CVE-2021-31600 (CVSS score: 4.3) - Jackrabbit User Enumeration
CVE-2021-31601 (CVSS score: 7.1) - Insufficient Access Control of Data Source Management
CVE-2021-31602 (CVSS score: 5.3) - Authentication Bypass of Spring APIs
CVE-2021-34684 (CVSS score: 9.8) - Unauthenticated SQL Injection
CVE-2021-34685 (CVSS score: 2.7) - Bypass of Filename Extension Restrictions
Successful exploitation of the flaws could allow authenticated users with sufficient role permissions to upload and run Pentaho Report Bundles that execute malicious code on the host server and exfiltrate sensitive application data, and to circumvent the filename extension restrictions enforced by the application and upload files of any type.
What's more, they could also be leveraged by a low-privilege authenticated attacker to retrieve credentials and connection details of all Pentaho data sources, permitting the party to harvest and transmit data, in addition to enabling an unauthenticated user to execute arbitrary SQL queries on the backend database and retrieve data.
Hackers Exploiting GitLab Unauthenticated RCE Flaw in the Wild
A now-patched critical remote code execution (RCE) vulnerability in GitLab's web interface has been detected as actively exploited in the wild, cybersecurity researchers warn, rendering a large number of internet-facing GitLab instances susceptible to attacks.
Threat actors are now actively exploiting the security flaw to co-opt unpatched GitLab servers into a botnet and launch distributed denial of service (DDoS) attacks, with some in excess of 1 terabits per second (Tbps), according to Google security reliability engineer Damian Menscher.
Tracked as CVE-2021-22205, the issue relates to an improper validation of user-provided images that results in arbitrary code execution. The vulnerability, which affects all versions starting from 11.9, has since been addressed by GitLab on April 14, 2021 in versions 13.8.8, 13.9.6, and 13.10.3.
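Both the Pentaho item and the GitLab item above reduce, for a defender, to the same question: which of my instances sit inside the affected version ranges? The script below is an added example (not from the vendors or the articles) that encodes the ranges exactly as the text gives them: GitLab from 11.9 up to the fixes in 13.8.8, 13.9.6 and 13.10.3, and Pentaho "versions 9.1 and lower". The inventory and hostnames are constructed, and the reading of "9.1 and lower" as everything below 9.2 is an assumption noted in the code.

```python
"""Affected-version check for the GitLab and Pentaho advisories above (added example)."""
import re

_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """'13.10.3-ee' -> (13, 10, 3); missing components are treated as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


# Half-open ranges [introduced, fixed); None means unbounded on that side.
AFFECTED_RANGES = {
    "gitlab": [
        ((11, 9, 0), (13, 8, 8)),    # 11.9 through 13.8.x, fixed in 13.8.8
        ((13, 9, 0), (13, 9, 6)),    # 13.9.x, fixed in 13.9.6
        ((13, 10, 0), (13, 10, 3)),  # 13.10.x, fixed in 13.10.3; 13.11+ shipped fixed
    ],
    # "9.1 and lower" is read here as every release below 9.2. Assumption: the article
    # gives no fixed build number, so 9.1.x patch levels are not distinguished.
    "pentaho": [(None, (9, 2, 0))],
}


def is_affected(product, version):
    """True when the version string falls inside any affected range for the product."""
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES[product]:
        if (introduced is None or v >= introduced) and (fixed is None or v < fixed):
            return True
    return False


def triage(inventory):
    """inventory: iterable of (host, product, version); returns hosts needing action."""
    return sorted(host for host, product, version in inventory if is_affected(product, version))


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("git-prod", "gitlab", "13.10.2-ee"),
    ("git-staging", "gitlab", "13.10.3-ee"),
    ("git-legacy", "gitlab", "12.6.4"),
    ("git-old", "gitlab", "11.8.9"),
    ("bi-prod", "pentaho", "9.1"),
    ("bi-new", "pentaho", "9.2.0"),
]

if __name__ == "__main__":
    print("needs patching:", ", ".join(triage(SAMPLE_INVENTORY)))
```

The ranges are half-open on purpose: a fixed release is excluded, the release before it is included, and a version such as 13.8.8 that is the fix for its own line falls into none of the GitLab ranges even though it is below the 13.9.x and 13.10.x fixes. Version strings can come from whatever your inventory already records (package version, admin page, or API); the parser ignores suffixes such as `-ee`.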
** Please keep in mind that this is a curated list of links to articles, not posts created by HN. We claim no ownership to any article discussed above.