TLDR Information Security 2024-04-17

PuTTY flaw leaks private keys 😱, OpenJS discovers takeover attempt πŸ›‘, FTC Fines Cerebral 🧠

Attacks & Vulnerabilities

Ivanti warns of critical flaws in its Avalanche MDM solution (2 minute read)

Ivanti fixed 27 vulnerabilities in its Avalanche MDM solution, including critical flaws that allowed remote attackers to execute commands. These security updates are crucial for protecting over 100,000 mobile devices from potential attacks. It is recommended that customers update to the latest Avalanche 6.4.3 version to stay secure.

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt (2 minute read)

Security researchers discovered a takeover attempt targeting the OpenJS Foundation similar to a recent incident with the XZ Utils project. Suspicious emails urged OpenJS to update a JavaScript project and designate new maintainers without proper involvement. Maintainers of open-source projects should be cautious of social engineering attacks targeting their sense of duty and community.

PuTTY SSH Client Flaw Allows Recovery of Cryptographic Private Keys (3 minute read)

A vulnerability in PuTTY 0.68-0.80 could allow attackers with access to 60 cryptographic signatures from a user to compute the private keys offline. These signatures could come from an attacker-controlled SSH server or signed git commits. The vulnerability arises from the way that PuTTY generates ECDSA nonces, which lacks robust cryptographic random number generators on specific Windows versions.
Strategies & Tactics

β€œAll Your Secrets Are Belong To Us” - A Delinea Secret Server AuthN/AuthZ Bypass (7 minute read)

Delinea Secret Server is a PAM that helps organizations secure, manage, and monitor privileged accounts. This post delves through the process of hunting for an AuthN/AuthZ bypass, decompiling the relevant code sections, and crafting the exploit. It includes detailed reproduction steps and a proof of concept for obtaining admin access.

Deploying Tailscale For a Remote Only Company (8 minute read)

This post describes the reasoning and process followed to deploy Tailscale for a fully remote company. It goes over the motivation for this deployment, its advantages, and some tips and potential pitfalls in this setup. The post concludes with some features that were introduced since the original deployment that would have been helpful for future deployments.

Unraveling SIEM Correlation Techniques (5 minute read)

This post provides an overview of SIEM correlation techniques. It begins by defining correlation, introducing the MITRE ATT&CK framework, and presenting an example of a simple correlation rule. The post then continues to work through an example of detecting a Brute Force Okta Login, while combining multiple TTPs and log sources.
Launches & Tools

Awesome-Secure-Defaults (GitHub Repo)

A repository of libraries in different languages that provide secure-by-default functions to eliminate bug classes.

cloud-key-rotator (GitHub Repo)

Cloud-Key-Rotator is a program written in Golang that helps manage cloud service account key rotation. Not only does it support many different services, the tool also attempts to verify its actions as much as possible and aborts immediately if it encounters an error.

CVENotifier (GitHub Repo)

CVENotifier is a customizable notifier for CVEs based on keywords. This tool scrapes the CVE feed from, filters it based on keywords, and notifies via Slack about the latest CVEs only for the technology or the products you have listed as keywords.

A quick post on Chen's algorithm (3 minute read)

Cryptographer and Professor Matthew Green addresses the new e-print authored by Yilei Chen, β€œQuantum Algorithms for Lattice Problems," which could potentially threaten current lattice-based encryption schemes. Despite the significance of this discovery, it may not immediately affect widely used schemes like Kyber or Dilithium. The cryptography community is closely monitoring this development for potential implications for future encryption security.

FTC Fines Mental Health Startup Cerebral $7 Million for Major Privacy Violations (3 minute read)

The FTC fined Cerebral $7 million for sharing users' sensitive health data with third parties without consent. Cerebral misled consumers about its privacy practices and failed to protect their information. The company must now improve its privacy policies and delete unnecessary consumer data.

AWS Took 6 Months to Fix STS Bug - IAM Policy Inadequate (3 minute read)

Stedi discovered a vulnerability in AWS STS that arose from its usage of IAM role trust policies that relied upon resource tags and request tags. AWS first denied the issue, then found that the scope of the problem was larger than initially believed, but still took 6 months to deploy a fix. A major issue is that the AWS IAM Policy Simulator lacks many IAM features, which makes it difficult and time consuming to properly test IAM policies.
Quick Links

NSA Publishes Guidance for Strengthening AI System Security (2 minute read)

The NSA has released guidance aimed at national security and defense companies deploying AI systems for securing AI systems to prevent malicious activities.

Chirp Systems Vulnerability (3 minute read)

Chirp Systems' smart locks have a security flaw allowing remote access to 50,000 homes - the company hasn't fixed it despite being notified in 2021.

DDoS threat report for 2024 Q1 (11 minute read)

Cloudflare's DDOS Threat Report for 2024 Q1 contains interesting tidbits like how Sweden experienced a 466% surge in DDoS attacks following its acceptance to the NATO alliance.
Curated news πŸ“°, research πŸ§‘β€πŸ”¬, and tools πŸ”’ for information security professionals
Join 300,000 readers for