FOXTROT/ALFA: GoDaddy Breached, Inkscape 1.0 Released, The Old Russian Hacker Story Again

Good day to you! On this fine* Tuesday, I’m here, once again, delivering the tech news. Today is **Tuesday, 5 May 2020** and this is issue 114 of the _FOXTROT/ALFA_ newsletter.

*for any currently acceptable value of “fine”

Before I get into what’s been happening, there’s something I need to address. I had a reader contact me about the URLs in this newsletter. They are being rewritten by the provider I use to send the emails out, which is TinyLetter. I do not have any control over this. They’re doing it to provide info on how many people are actually clicking those links, but I don’t need that information. Moreover, this rewriting of the links is apparently causing some issues when the mails are read in a web mail client in a browser. It looks like some browsers aren’t happy with how TinyLetter handles TLS encryption of those connections. There is nothing I can do about this right away, but I was looking to switch to another provider anyway and might have found an alternative that works for me now. I will try to switch over and thereby get this link issue resolved as soon as possible. Until then, you can always get straight links in my newsletter archives a bit after the fact.

With that out of the way, let’s talk tech news.

Security Alerts

WordPress 5.4.1 is out and if you’re running WordPress sites, you should probably make sure they are updated.

Props to Muaz Bin Abdus Sattar and Jannes who both independently reported an issue where password reset tokens were not properly invalidated.

Props to ka1n4t for finding an issue where certain private posts can be viewed unauthenticated.

Additionally, there’s a bunch of XSS holes that got plugged. Hey, that sounds dirty…

That Salt vulnerability I keep mentioning also keeps getting exploited.

DigiCert, slinger of SSL/TLS certificates, has warned that it too has suffered at the hands of Salty miscreants as a key used for Signed Certificate Timestamps (SCT) was potentially compromised. The company joins and LineageOS in being the target of ne’er do wells as attackers exploited a disclosed (and patched) vulnerability in the Salt configuration tool over the weekend, spraying exposed infrastructure with cryptocurrency mining software.

Salt, which as we reported, disclosed the bugs (CVE-2020-11651 and CVE-2020-11652) on Friday, is a system that allows a single host server to manage a cluster of other client servers, such as within a database or, in this case, a distributed log system.

In the case of DigiCert, it appears that attackers using the exploits could have gained access to a Certificate Transparency (CT) server’s signing key – had they not been so concerned with getting the mining software running. However, since the DigiCert team could not prove that keys had not been requested, the prudent decision was taken to assume that nefarious activities had occurred and act accordingly.

DigiCert told The Reg it was deactivating the Certificate Transparency (CT) 2 log server “after determining that the key used to sign SCTs may have been exposed via critical SALT vulnerabilities.”

“We do not believe the key was used to sign SCTs outside of the CT log’s normal operation, though as a precaution, CAs that received SCTs from the CT2 log after May 2 at 5 p.m. U.S. Mountain Daylight Time (MDT) should receive an SCT from another trusted log.” Three other DigiCert CT logs – CT1, Yeti and Nessie – run on different infrastructures and were not affected, the company said.

For its part, SaltStack SVP Alex Peay was keen to remind users that: “We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security.” The company added: “Clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability.”


Ouch indeed.
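The check DigiCert asks CAs to make comes down to reading the SCTs attached to a certificate and flagging any issued by the affected log after the stated cutoff. The following is an added example, not code from this newsletter, The Register or DigiCert. It parses the RFC 6962 SCT list encoding in plain Python. The log IDs are placeholders, the sample SCTs are constructed with dummy signatures, and the function names are this example's own.

```python
import struct
from datetime import datetime, timezone

# From DigiCert's statement: May 2, 2020, 5 p.m. MDT (UTC-6) is 23:00 UTC.
CUTOFF = datetime(2020, 5, 2, 23, 0, tzinfo=timezone.utc)
# Placeholder value: substitute the affected log's real 32-byte log ID.
AFFECTED_LOG_ID = bytes.fromhex("aa" * 32)
OTHER_LOG_ID = bytes.fromhex("bb" * 32)  # constructed stand-in for another log

def parse_sct_list(blob):
    """Parse an RFC 6962 SignedCertificateTimestampList into (log_id, time) pairs."""
    if len(blob) < 2 or struct.unpack_from(">H", blob)[0] != len(blob) - 2:
        raise ValueError("SCT list length does not match buffer")
    entries, pos = [], 2
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated SCT")
        (sct_len,) = struct.unpack_from(">H", blob, pos)
        sct = blob[pos + 2 : pos + 2 + sct_len]
        # v1 SCT: version(1) log_id(32) timestamp(8) ext_len(2) algs(2) sig_len(2)
        if len(sct) != sct_len or sct_len < 47 or sct[0] != 0:
            raise ValueError("truncated or unsupported SCT")
        (millis,) = struct.unpack_from(">Q", sct, 33)
        when = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
        entries.append((sct[1:33], when))
        pos += 2 + sct_len
    return entries

def scts_to_replace(blob):
    """Timestamps of SCTs issued by the affected log after the cutoff."""
    return [t for log, t in parse_sct_list(blob)
            if log == AFFECTED_LOG_ID and t > CUTOFF]

def build_sct(log_id, when):
    """Constructed sample SCT with a dummy signature; it will not verify."""
    body = b"\x00" + log_id + struct.pack(">Q", int(when.timestamp()) * 1000)
    body += b"\x00\x00" + b"\x04\x03" + struct.pack(">H", 4) + b"\x00" * 4
    return struct.pack(">H", len(body)) + body

BEFORE = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)
AFTER = datetime(2020, 5, 3, 12, 0, tzinfo=timezone.utc)
_scts = (build_sct(AFFECTED_LOG_ID, BEFORE) + build_sct(AFFECTED_LOG_ID, AFTER)
         + build_sct(OTHER_LOG_ID, AFTER))
SAMPLE = struct.pack(">H", len(_scts)) + _scts

if __name__ == "__main__":
    for when in scts_to_replace(SAMPLE):
        print("replace SCT issued", when.isoformat())
```

Only the second SCT in the constructed sample is flagged: it comes from the placeholder affected log and postdates the cutoff, while the earlier SCT from the same log and the SCT from the other log pass.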

And then there’s the GoDaddy hack. More ouch.

Hosting biz GoDaddy has admitted a hacker tampered with an SSH file on its servers, leading to the theft of 28,000 users' SSH credentials. The intrusion, which took place last month, involved one or more malicious persons altering an SSH file on GoDaddy’s infrastructure, the US giant told The Register.

GoDaddy spokesman Nick Fuller sent us a statement: “On April 23, 2020, we identified SSH usernames and passwords had been compromised through an altered SSH file in our hosting environment. This affected approximately 28,000 customers.” He continued: “We immediately reset these usernames and passwords, removed the offending SSH file from our platform, and have no indication the threat actor used our customers' credentials or modified any customer hosting accounts.”

The security breach was reported widely on other news websites as affecting 19 million customers, which appears to be the global total of GoDaddy’s customer base. Other reports also wrongly linked the break-in to an October 2019 incident that was reported to authorities in the US state of California in March. “To be clear,” said GoDaddy’s Fuller, “the threat actor did not have access to customers' main GoDaddy accounts.”

Nonetheless, a good thing for customers to do now would be to change the login credentials for their GoDaddy SSH accounts. A look at their main account to ensure all is as it should be wouldn’t hurt, either.

Man. High time I got off their infrastructure.

Inkscape 1.0

After what feels like decades, Inkscape 1.0 is finally out.

Beginning with version 1.0, Inkscape is offered as a native macOS application, which means you should notice better performance and increased reliability.

As for what’s new in this update, Inkscape introduces a new PowerPencil mode which allows the Pencil tool to be used with pressure-dependent width. You can also create closed paths and vectorize line drawings. The PDF export tool has been improved with support for clickable links and metadata, while other notable improvements include variable font support, new templates, mesh gradients that work in the browser, and new line-height settings.

Inkscape version 1.0 comes with important changes to the extension system, as explained in the changelog. “Over the years, Inkscape users have become used to working with third-party extensions, such as various ones used for laser cutting and exporting to file formats which are not a native part of Inkscape. While outreach to extension developers was undertaken as Inkscape migrates towards Python 3 and a more logical and fully tested extensions API (now hosted in a separate repository), not all third-party extensions have been brought forward to be compatible yet. This will mean that 1.0 may not allow some users to continue with their normal extensions workflow.”

Good for them to finally reach that milestone, man. I bloody love Inkscape. Over the last 15 years, I have created so much art with it. I’ve used it to make logos and illustrations that got printed on t-shirts, banners and mugs. The Linux Outlaws art, OggCamp’s logos, the fox …all of that was made in Inkscape. I even designed two tattoos for my wife in it. I also made this Fallout-style avatar from scratch in Inkscape. It might actually be one of my favourite pieces of software.

Security Researchers Can Make Planes Go Up and Down at Will

Oh, good. More TCAS spoofing. At least nobody is flying right now.

Not only can malicious people make airliners climb and dive without pilot input – they can also control where and when they do so, research from Pen Test Partners (PTP) has found. TCAS spoofing, the practice of fooling collision detection systems aboard airliners, can be controlled to precisely determine whether an airliner fitted with TCAS climbs or descends – and even to produce climb rates of up to 3,000ft/min.

Building on earlier research into the bare-bones concept, PTP said it had figured out how to shape and control airliners' automatic TCAS responses so they moved up or down at precisely known points. In a blog post the firm said: “We rationalised this to the point where we only needed three fake aircraft to provide [a Resolution Advisory] that caused a climb of over 3,000 ft/min.”

The prospect of a rollercoaster ride is less scary (or realistic) than it might seem; a recent Oxford University study showed that when airliner pilots are presented with too many spoof warnings, they simply disable the system responsible – and look out of the window so they keep flying safely.

Still. We know what happens when a normally non-fatal problem like this gets paired with a crew that’s ill informed and stressed or distracted. Air France Flight 447, Lion Air Flight 610 and Ethiopian Airlines Flight 302 are just some recent examples.

Exfiltrating Data from a PC via the Power Supply’s Hum

Ok, here’s something you probably don’t know about me: I love the Israelis and their side channel attacks. They come up with a new one every couple of months. I must have written a dozen stories about stuff like this for heise online back in the day. It’s always Ben-Gurion, too. They’re a hotbed for this stuff. Here’s the latest one:

In previous work, Guri and colleagues have explored various ways to attack air-gapped systems. Two years ago, for example, he and several other researchers developed a technique dubbed MOSQUITO to exfiltrate data from air-gapped systems using ultrasonic transmissions between speakers.

An obvious defense against acoustic data transmission is to disable any speakers on the protected device, a practice known as audio-gapping. But Guri’s latest research shows that’s not enough. He and his team have found a way to turn the power supply in an isolated, muted machine into a speaker of sorts, one capable of transmitting data at a rate of 50 bits/sec.

He calls the attack POWER-SUPPLaY. The technique has the potential to be used against PC workstations and servers, as well as embedded systems and IoT devices that have no addressable audio hardware.

“We show that malware running on a PC can exploit its power supply unit (PSU) and use it as an out-of-band speaker with limited capabilities,” a paper detailing the technique explained. “The malicious code intentionally manipulates the internal switching frequency of the power supply and hence controls the waveform generated from its capacitors and transformers.”

An evil maid attack is required to make the attack feasible. The attacker also needs a nearby receiver, which in this scenario would be a smartphone, compromised with malware to listen for data or knowingly operated by an insider. POWER-SUPPLaY alters power consumption by regulating the CPU workload, which causes the switch-mode power supplies (SMPS) in modern electronic devices to alter the switching frequency at which they operate, which is generally between 20 kHz and 20 MHz. Such shifts produce detectable noise in transformers and capacitors. Though most people cannot hear sounds in that frequency range, microphones can detect them.

I love this stuff. It’s so cool!

Germany’s Chief Prosecutor Indicts Bundestag Hacker – Guess What? Of Course It’s a Russian

Russian hackers. They are responsible for everything. They are. It’s a fact. Remember the hacker attack on the German parliament in 2015? The Chief Federal Prosecutor of Germany has just announced an indictment in the case. And, of course, they say it was a Russian national. Working for the GRU, no less.

I remember researching this and writing stories about it for Heise. Government officials announced the day after the hack that Putin personally had ordered the attack. At a time when there is no way they possibly could have known that from the technical evidence. They probably weren’t even close to finishing collecting it at that point. I didn’t buy it then and I’m not buying it now.

I remember I was on national TV a few days later and the anchor asked me who I thought did it. I said it’s impossible to say that for certain so soon and I tried to explain how attribution is hard. She then said “but the Home Secretary said it was the Russians…” I answered without thinking: “Then the Home Secretary is wrong.” I remember calling my mum after the interview and she laughed and said “well, you just pissed off the Home Secretary on national TV” and I was like “what did I do?” I couldn’t remember. Having been on live national TV over satellite link for the first time actually made me a bit excited and nervous for the cameras for the first time in years. You can see how pissed off the host was in this screenshot:

Ah, those were the good old times!

Still not buying that Russian malarky, though. I’ve been on this story literally for years. I’ve asked the police, the government and various intelligence services for technical data and hard evidence from this hack for years. They usually don’t even reply. Give us some fucking evidence or shut the fuck up. It’s been five years. There can’t possibly be a reason not to release this (redact sensitive stuff if you must) unless it shows that you’re full of crap.

Boots on the Moon!

Before I sign off for today, here’s another thing you might want to look at. There’s a new series coming to Netflix about Trump’s Space Force. It looks great and has Steve Carell and John Malkovich in it.

A decorated pilot with dreams of running the Air Force, four-star general Mark R. Naird (Steve Carell) is thrown for a loop when he finds himself tapped to lead the newly formed sixth branch of the US Armed Forces: Space Force. Skeptical but dedicated, Mark uproots his family and moves to a remote base in Colorado where he and a colorful team of scientists and “Spacemen” are tasked by the White House with getting American boots on the moon (again) in a hurry and achieving total space dominance.

Also Noteworthy

Some other stories I read today:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.