AusCERT Week in Review for 6th July 2018


This week’s events have reminded us to be careful of the software we install. Between browser extensions gone rogue and a major software foundation’s GitHub account serving compromised content, consider whose code you might have run without knowing it.

The AusCERT bulletins service is nearly at number 2,000 by early July, making this the busiest year on record. If you want to change your subscription settings, your inbox may thank you. Log in to the member portal at https://www.auscert.org.au to make the change. If you get stuck or have any questions, contact us at auscert@auscert.org.au!

In the news this week:

‘Stylish’ browser extension steals all your internet history
Date: 02 July 2018
Author: Robert Heaton

Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit (EDIT – I am told that the Chrome version has had tracking since January 2017, but the Firefox version has only had it since March 2018).

Stylish sends our complete browsing activity back to its servers, together with a unique identifier. This allows its new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie.

Stylish’s transition from visual Valhalla to privacy Chernobyl began when the original owner and creator of Stylish sold it in August 2016. In January 2017 the new owner sold it again, announcing that “Stylish is now part of the SimilarWeb family”. The SimilarWeb family’s promotional literature lists “Market Solutions To See All Your Competitors’ Traffic” amongst its interests.

[AusCERT adds: Recall also https://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ from last year.]

Gentoo GitHub Organization hacked
Date: 01 July 2018

An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make various changes to content. Gentoo Developers & Infrastructure escalated to GitHub support and the Gentoo Organization was frozen by GitHub staff. Gentoo has regained control of the Gentoo GitHub Organization and has reverted the bad commits and defaced content.

The entity attempted to wipe user content by adding “rm -rf” to various repositories; however, this code was unlikely to be executed by end users due to various technical guards in place.

Iranian APT Poses As Israeli Cyber-Security Firm That Exposed Its Operations
Author: Catalin Cimpanu
Date: 03 July 2018

According to Israeli cyber-security firm ClearSky Security, the Iranian APT copied its official website and hosted it on a lookalike domain at clearskysecurity.net (the official ClearSky website is located at ClearSkySec.com).

“Charming Kitten built a phishing website impersonating our company,” ClearSky said yesterday. “They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services.”

“These sign-in options are all phishing pages that would send the victim’s credentials to the attackers,” ClearSky said. “Our legitimate website does not have any sign in option.”

Another day, another data breach. Do you even care any more?
Author: ABC News
Date: 05 July 2018

Dr Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack.

After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction.

In other words, Dr Chen said, “we can see that the public is gradually losing interest in reacting to this news”.

Here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2018.1949 – [Win][Linux] Drupal Universally Unique IDentifier: Create arbitrary files – Existing account

A major Drupal module had an arbitrary file upload vulnerability.

2. ESB-2018.1952 – [Debian] dokuwiki: Execute arbitrary code/commands – Remote with user interaction

Reflected file download vulnerability in DokuWiki allowed execution of arbitrary code.

3. ASB-2018.0145 – [Android] Google Android devices: Multiple vulnerabilities

Android’s July patch release fixed several critical bugs.

4. ESB-2018.1931 – [RedHat] python: Access confidential data – Remote/unauthenticated

Python 2.7 disables the insecure 3DES cipher suites by default.


Stay safe, stay patched and have a good weekend,