The Truth: Malicious Python Packages, Boeing Chief Engineer Steps Down, Elementary OS 5.1

Hi there and welcome to The Truth for Thursday, 5 December 2019! This will be the last newsletter for this week as I’m on the road all day tomorrow. You can expect the next issue on Monday. But let’s get into what we have for today:

There’s a new fileless trojan for macOS flying around out there. The Register ties it to a state-sponsored hacking group called Lazarus from North Korea.

As with other infections from the Lazarus group, the attack begins as a fake cryptocurrency application that uses social engineering to trick the user into installing and running what they think is a legitimate app. After the trojan is launched, however, the malware shows off its new trick: the secondary payload, the one where the actual spying or data theft would occur, can be performed in-memory without having to install further files on the hard drive.

Atlassian and IBM are working to fix a security vulnerability (CVE-2019-15006) that the well-known infosec Twitter account @SwiftOnSecurity disclosed by accident. The Confluence companion app relies on a TLS certificate whose private key can be downloaded from a URL, so anyone who fetches it can mount man-in-the-middle attacks against the app. IBM’s Aspera plugin client was subsequently found to have a very similar issue.

Bug bounty platform HackerOne was notified about a security vulnerability in its website through its own bug bounty program. Very meta. HackerOne has now fixed the problem ("Account Takeover via Disclosed Session Cookie") and paid out a bounty of $20,000 to the researcher who discovered it.

ZDNet is reporting on two malware packages that have been removed from the PyPI software library for the programming language Python.

The Python security team removed two trojanized Python libraries that were caught stealing SSH and GPG keys from the projects of infected developers. The two libraries were created by the same developer and mimicked more popular libraries, using a technique called typosquatting to register similar-looking names. The first is python3-dateutil, which imitated the popular dateutil library. The second is jeIlyfish (the first L is an I), which mimicked the jellyfish library.
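Both fake names work the same way: one is the real name with a plausible affix bolted on, the other swaps a letter for a glyph that looks identical in most fonts. As an added example (not code from the page, from the affected projects or from PyPI's own tooling), the following Python check folds look-alike glyphs and common affixes before comparing a candidate name against a list of well-known packages. The popular-name list and the confusable table are constructed for illustration; a real deployment would load the top-N names from PyPI download statistics and the Unicode confusables data (UTS #39).

```python
import re
import unicodedata

# Constructed stand-in for "well-known packages"; a real check would load the
# top-N names from PyPI download statistics.
POPULAR = {"python-dateutil", "jellyfish", "requests", "urllib3", "numpy"}

# Hand-picked ASCII look-alikes mapped to the letter they are mistaken for.
# Assumption: small illustrative table; production code would use Unicode
# confusables data (UTS #39) instead.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})

# Affixes that people add or drop when recalling a package name.
PREFIXES = ("python3-", "python-", "py3-", "py-")
SUFFIXES = ("-python3", "-python", "-py")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name: str) -> str:
    """Reduce a name to the form a hurried reader perceives.

    Unicode compatibility forms and look-alike glyphs are folded first, while
    case is still available ('I' must become 'l' before lower-casing turns it
    into 'i'); then the name is normalized and one common affix is removed.
    """
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLES)
    s = normalize(folded)
    for p in PREFIXES:
        if s.startswith(p) and len(s) > len(p):
            s = s[len(p):]
            break
    for suf in SUFFIXES:
        if s.endswith(suf) and len(s) > len(suf):
            s = s[: -len(suf)]
            break
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(candidate: str, popular=POPULAR):
    """Classify a package name against the well-known set.

    Returns (reason, popular_name) or None. 'exact' means the candidate *is*
    the well-known package; 'lookalike' and 'near-miss' should block or warn.
    """
    by_norm = {normalize(p): p for p in popular}
    norm = normalize(candidate)
    if norm in by_norm:
        return ("exact", by_norm[norm])
    skel = skeleton(candidate)
    skels = {p: skeleton(p) for p in popular}
    # Same skeleton: homoglyph swap or affix variant of a known name.
    for p, ps in skels.items():
        if skel == ps:
            return ("lookalike", p)
    # One-character slip; only meaningful for names long enough to be distinctive.
    for p, ps in skels.items():
        if len(ps) >= 5 and edit_distance(skel, ps) == 1:
            return ("near-miss", p)
    return None


if __name__ == "__main__":
    for name in ["jeIlyfish", "python3-dateutil", "python-dateutil", "request", "flask"]:
        print(f"{name:18} -> {check_name(name)}")
```

Run it as a pre-install hook or a registry-side check at upload time: `jeIlyfish` and `python3-dateutil` both come back as look-alikes of their genuine counterparts, a simple one-letter slip is reported separately, and an unrelated name passes. Folding uppercase `I` to `l` deliberately trades a little precision for recall; the exact-name check runs first, so a legitimate package whose real name contains a capital I is still recognized as itself.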

The chief engineer for Boeing’s Commercial Airplanes group is stepping down. John Hamilton was, among other things, chief project engineer for the 757, 737 NG and P-8A projects. In March he was appointed to lead Boeing’s response to the two disastrous 737 MAX crashes (the 737 NG is the direct predecessor to the 737 MAX). “From April 2016 through March, Hamilton was vice president of engineering for Boeing Commercial Airplanes, responsible for all the company’s engineering design and airplane-certification work, including the final certification of the 737 MAX”, the Seattle Times is reporting.

The news was conveyed in an internal memo from the new head of Boeing Commercial Airplanes, Stan Deal, and Boeing’s chief engineer, Greg Hyslop. “John had planned to retire last year, but we asked him to stay on to help us with the 737 MAX investigations and return to service efforts,” they wrote. “We are immensely grateful to John for lending his expertise and leadership during a very challenging time.”

The latest version of the Linux distribution Elementary OS, version 5.1 “Hera”, now includes support for the packaging format Flatpak. They also tout “a brand new first-run experience” with a new greeter application.

Microsoft is financially doing very well lately, mostly driven by cloud and software subscriptions. But it is having some trouble with workers complaining about not getting paid enough and those pesky government contracts with agencies like Immigration and Customs Enforcement (ICE) and the Department of Defense (DoD). At the recent shareholder meeting, proposals aiming to put employee representation on the Microsoft board got very thoroughly squashed.

The proposal to prepare a report on employee representation on the board of directors – put forward by NorthStar Asset Management – received just 4.42 per cent of votes “For”. Besides the overwhelming “No”, there were more abstentions than “For” votes.

Pension fund manager NorthStar, as it turns out, has form at rousing rabble at the odd tech titan’s AGM. It treated Facebook to a grilling on privacy in 2018 and has asked Google to open up membership of the management insiders' share class to the rest of the (cash-flush) plebs. Spoiler alert: They said no.

Meanwhile, Carl Icahn is further threatening HP to accept an acquisition by Xerox. The Register has a recap of recent developments in the story.

And a former Oracle product manager is suing his old employer, saying “he was forced out for refusing to lie about the functionality of the company’s software.” The civil complaint alleges Oracle forced the manager to sell vaporware, i.e. software the company could not deliver on. He says that, in firing him after he reported this to the US Securities and Exchange Commission (SEC), “Oracle violated whistleblower protections under the Sarbanes-Oxley Act and the Dodd-Frank Act, the RICO Act, and the California Labor Code.”

Surprise! “Two months after promising customers that its past practices of automatically registering, and charging, customers for .uk domains was all a big misunderstanding, pushy registrar 123-Reg is at it again”.

A Register reader noticed last month that he was now the unhappy owner of no less than five .uk domains that he never ordered and for which he had been charged £71.93. That is despite 123-Reg assuring The Register that it does not charge customers for domains they do not explicitly request.

More like 123-Ripoff.

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.