
Tainted, crypto-mining containers pulled from Docker Hub

Security companies Fortinet and Kromtech found seventeen tainted Docker images on Docker Hub, the public repository for user-contributed images, that had been built to mine cryptocurrency. The images had been pulled about 5 million times, a volume that points to automation: attackers were locating exposed Docker hosts and instructing them to download and run the miners alongside otherwise healthy workloads.

“Of course, we can safely assume that these had not been deployed manually. In fact, the attack seems to be fully automated. Attackers have most probably developed a script to find misconfigured Docker and Kubernetes installations. Docker works as a client/server architecture, meaning the service can be fully managed remotely via the REST API,” wrote researcher David Maciejak.

The images have since been removed from Docker Hub, but the attackers may have gotten away with up to $90,000 in cryptocurrency, a small but significant amount for such a hack.

“Today’s growing number of publicly accessible misconfigured orchestration platforms like Kubernetes allows hackers to create a fully automated tool that forces these platforms to mine Monero,” Kromtech wrote in its report. “By pushing malicious images to a Docker Hub registry and pulling it from the victim’s system, hackers were able to mine 544.74 Monero, which is equal to $90,000.”

“As with public repositories like GitHub, Docker Hub is there for the service of the community. When dealing with open public repositories and open source code, we recommend that you follow a few best practices including: know the content author, scan images before running and use curated official images in Docker Hub and certified content in Docker Store whenever possible,” said David Lawrence, Docker’s head of security, as quoted by Threatpost.

Interestingly, attackers have lately shifted from hijacking AWS EC2 instances to Docker and other container-based systems. Security tooling exists to manage Docker and Kubernetes deployments, but the basic checks still matter: the Docker Engine API should never be reachable over plain TCP without TLS client authentication, and every image running on a host should come from a source the operator has actually vetted. Users should assess their own exposure before attackers get more of an upper hand.
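The two conditions the researchers describe, an Engine API that can be driven remotely and containers started from images nobody vetted, are both easy to check for from the host. The script below is an added example written for this page; it is not code from Fortinet, Kromtech or Docker. It reads the daemon configuration (the same keys Docker accepts in daemon.json) and the container list that `GET /containers/json` returns, which is the data `docker ps` shows. The internal registry name, the miner indicator strings and all sample data are constructed for the example.

```python
"""Audit a Docker host for the two conditions behind the Docker Hub mining campaign:
an Engine API reachable over plain TCP, and running containers built from images
nobody vetted. Input is the daemon config (daemon.json keys) and the JSON returned by
`GET /containers/json` (the same data `docker ps` shows)."""
import json
from typing import Dict, List

# Assumption: this organisation trusts official library images (no namespace slash,
# e.g. "nginx:1.25") and its own internal registry. Everything else is flagged.
TRUSTED_PREFIXES = ("docker.io/library/", "registry.example.internal/")

# Strings that commonly appear in a miner's command line. Constructed for this
# example; a real deployment would maintain its own indicator list.
MINER_INDICATORS = ("stratum+tcp://", "stratum+ssl://", "xmrig", "minerd")


def audit_daemon_config(cfg: Dict) -> List[str]:
    """Flag Engine API listeners that an attacker's scanner could drive remotely."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets need local access
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: Engine API on TCP without tlsverify; "
                            "anyone who can reach it can pull and start images")
        elif not cfg.get("tlscacert"):
            findings.append(f"{host}: tlsverify set but no tlscacert to verify clients")
    return findings


def is_trusted_image(image: str) -> bool:
    repo = image.split("@", 1)[0]          # drop a digest suffix, if any
    if "/" not in repo:
        return True                        # official library image, e.g. "nginx:1.25"
    return repo.startswith(TRUSTED_PREFIXES)


def audit_containers(containers: List[Dict]) -> List[Dict]:
    """Return the containers that look like they were pulled in by the campaign."""
    suspicious = []
    for c in containers:
        reasons = []
        image, cmd = c.get("Image", ""), c.get("Command", "")
        if not is_trusted_image(image):
            reasons.append(f"image {image!r} is not from a trusted source")
        hits = [ind for ind in MINER_INDICATORS if ind in cmd.lower()]
        if hits:
            reasons.append(f"command contains miner indicator(s) {hits}")
        if reasons:
            suspicious.append({"name": c.get("Names", [c.get("Id", "?")])[0],
                               "image": image, "reasons": reasons})
    return suspicious


# Constructed inputs standing in for a real host; nothing here is from the reports.
DAEMON_EXPOSED = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
DAEMON_HARDENED = {"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": True,
                   "tlscacert": "/etc/docker/ca.pem",
                   "tlscert": "/etc/docker/server-cert.pem",
                   "tlskey": "/etc/docker/server-key.pem"}
SAMPLE_CONTAINERS = json.loads("""[
 {"Id": "a1b2c3", "Names": ["/web"], "Image": "nginx:1.25",
  "Command": "nginx -g 'daemon off;'", "State": "running"},
 {"Id": "d4e5f6", "Names": ["/api"], "Image": "registry.example.internal/shop/api:3.1",
  "Command": "/app/server", "State": "running"},
 {"Id": "0a1b2c", "Names": ["/zealous_curie"], "Image": "someuser/util:latest",
  "Command": "/bin/sh -c './xmrig -o stratum+tcp://pool.example.net:3333'",
  "State": "running"}
]""")

if __name__ == "__main__":
    for f in audit_daemon_config(DAEMON_EXPOSED):
        print("daemon:", f)
    for s in audit_containers(SAMPLE_CONTAINERS):
        print("container", s["name"], "->", "; ".join(s["reasons"]))
```

On a real host the container list comes from `curl --unix-socket /var/run/docker.sock http://localhost/containers/json` and the config from /etc/docker/daemon.json (or the `-H` flags on the dockerd command line). By default dockerd listens only on the Unix socket, so any `tcp://` listener is a deliberate choice and should carry `tlsverify` with a CA that only your own clients chain to; the unauthenticated port 2375 in the constructed config is exactly what an automated scanner looks for.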

A friendly reminder: Don’t put passwords in Trello

New research from David Shear at security firm Flashpoint found hundreds if not thousands of public Trello boards containing passwords, login credentials and other potentially sensitive material, including employee onboarding documents. He and Brian Krebs reported the boards to Trello, although some owners had already been notified by well-meaning hackers who wrote “Change your password” on the public boards.

“One particularly jarring misstep came from someone working for Seceon, a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time,” wrote Krebs. “But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPage domain hosting.”

Another Trello board made at Red Hat in 2017 offered passwords to a pair of online test servers.

Trello worked with the pair to take down the public boards they found and is working with Google to remove cached copies from search results.

“We have put many safeguards in place to make sure that public boards are being created intentionally and have clear language around each privacy setting, as well as persistent visibility settings at the top of each board,” said a Trello spokesperson.

Missteps like these are sadly common. GitHub, another rich trove of user data, has been mined for leaked passwords for years. Anecdotally, a project I was working on suffered a breach when the CTO put a Bitcoin private key into some public GitHub code. Yeah. Exactly.

So, again, keep your Trello boards private, don’t paste passwords willy-nilly, and maintain at least a basic level of operational security: a credential belongs in a password manager or a secrets store, never in a document that one privacy setting away from public. It’s hard but definitely worth the effort.
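Both leaks above, passwords on a board and a Bitcoin private key in a public repository, are the sort of thing a check run before a paste or a commit can catch. The scanner below is an added example written for this page, not code from Flashpoint, Krebs or Trello. It matches plain password assignments with a regular expression, and for Bitcoin keys in wallet import format (WIF) it does better than pattern-matching alone: WIF is base58check encoded, so a candidate is confirmed by recomputing its four-byte double-SHA256 checksum, which keeps random base58-looking strings out of the findings. The sample board text and the throwaway key (derived from the bytes 1..32) are constructed.

```python
"""Scan text bound for a public place for plain password assignments and for Bitcoin
private keys in wallet import format (WIF), validating the latter by checksum."""
import hashlib
import re
from typing import List, Tuple

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # leading zero bytes encode as '1'
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)                # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def wif_encode(priv32: bytes, compressed: bool = True) -> str:
    """Mainnet WIF: 0x80 || key || (0x01 if compressed) || checksum. Used here only
    to build a constructed sample; do not generate real keys this way."""
    payload = b"\x80" + priv32 + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def is_valid_wif(candidate: str) -> bool:
    try:
        raw = b58decode(candidate)
    except ValueError:
        return False
    if len(raw) not in (37, 38) or raw[0] != 0x80:   # 1 + 32 [+ 1] + 4 bytes
        return False
    return checksum(raw[:-4]) == raw[-4:]


# Uncompressed keys start with '5' (51 chars); compressed ones with 'K' or 'L' (52).
WIF_RE = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*(\S+)")


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every secret-looking token in `text`."""
    findings = [("password", m.group(1)) for m in PASSWORD_RE.finditer(text)]
    findings += [("bitcoin_wif", m.group(0)) for m in WIF_RE.finditer(text)
                 if is_valid_wif(m.group(0))]
    return findings


# Constructed sample: a throwaway key derived from bytes 1..32, not anyone's wallet.
SAMPLE_WIF = wif_encode(bytes(range(1, 33)))
SAMPLE_BOARD = f"""Onboarding checklist
- WordPress admin: user=editor password: Hunter2!
- hosting panel pwd = s3cret-Panel
- treasury wallet key {SAMPLE_WIF}
- build id 5x{'9' * 49}  (looks like a key, fails the checksum)
"""

if __name__ == "__main__":
    for kind, value in scan_text(SAMPLE_BOARD):
        print(f"{kind:12s} {value}")
```

The password regex is deliberately loose and will produce some noise; the key check is strict, because a 32-bit checksum makes an accidental match vanishingly unlikely, which is why the "build id" line in the sample is not reported. The same shape (cheap pattern first, cryptographic confirmation second) applies to other base58check or checksummed secret formats.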

The erosion of Web 2.0

How we lost our way… and found it again

It seems quaint to imagine now, but the original vision for the web was not an information superhighway. Instead, it was a newspaper that fed us only the news we wanted. This was the central thesis put forward in the late 1990s and prophesied by thinkers like Bill Gates, who expected a beautiful, customized “road ahead”, and Clifford Stoll, who saw only snake oil. At the time, it was the most compelling use of the Internet those thinkers could imagine. This concept, that we were to be coddled by a hive brain designed to show us exactly what we needed to know when we needed to know it, continued apace until it was supplanted by the concept of User Generated Content (UGC), a related movement that tore down gatekeepers and all but destroyed propriety in the online world.

That was the arc of Web 2.0: the move from one-to-one conversations on Usenet or IRC into the global newspaper. Further, this created a million one-to-many conversations targeted at tailor-made audiences of fans, supporters and, more often, trolls. This change gave us what we have today: a broken prism that refracts humanity into no colors except black and white. UGC, that once-great idea that anyone could be as popular as a rock star, fell away to an unmonetizable free-for-all that forced brands and advertisers to rethink how they reached audiences. After all, on a UGC site it’s not a lot of fun for Procter & Gamble to have Downy Fabric Softener advertised next to someone’s racist rant against Muslims in a Starbucks.

Still the Valley took these concepts and built monetized cesspools of self-expression. Facebook, Instagram, YouTube, and Twitter are the biggest beneficiaries of outrage culture and the eyeballs brought in by its continuous refreshment feed their further growth. These sites are Web 2.0 at its darkest epitome, a quiver of arrows that strikes at our deepest, most cherished institutions and bleeds us of kindness and forethought.

So when advertisers faced a choice between directly monetizing random hate speech and eroding customer privacy, they chose the latter. Facebook created lookalike audiences that let advertisers sell to a certain subset of humanity on a deeply granular level, a move that delivered us the same shoe advertisement constantly, from site to site, until we were all sure we had gone mad. In the guise of saving our sanity we went further and invited always-on microphones into our homes that could log our listening and browsing habits and sell to us against them. We gave up our very DNA to companies like Ancestry and 23andMe, a decision that mankind may soon regret. We shared everything with everyone in the grand hope that our evolution into homo ligarus, the networked man, would lead us to become homo deus.

This didn’t happen.

And so the pendulum swings back. The GDPR, as toothless as it is, is a wake-up call to every spammer who ever slammed your inbox or followed you around the web. Further, Apple’s upcoming cookie controls in Safari should make those omnipresent ads disappear, forcing advertisers to sell to an undifferentiated mob rather than a single person. This is obviously cold comfort in an era defined both by the reification of the Internet as a font of all knowledge (correct or incorrect) and by the genesis of a web-based political cobra that whips back to bite its handlers with regularity. But it’s a start.

We are currently in an interstitial period of technology, a cake baked of the hearty camaraderie and “Fuck the system” punk rock of Gen X but frosted with millennial pragmatism and a desire for the artisanal. As we move out of the era of UGC and Web 2.0 we will see the old ways cast aside, the old models broken and the old invasions of privacy inverted. While I won’t go so far as to say that blockchain will save us all, pervasive encryption and full data control will pave the way toward true control of our personal lives as well as the beginnings of a research-based minimum income. We should be able to sell our opinions, our thoughts and even our DNA to the highest bidder, and once the rapacious Web 2.0 vultures are all shooed away, we will find ourselves in an interesting new world.

As a technoutopianist I’m sure that we are heading in the right direction. We are, however, taking turns that none of us could have imagined in the era of Clinton and the fax machine, and there are still more turns to come. Luckily, however, we are coming out of our last major skid.

Photo by George Fitzmaurice on Unsplash

Some low-cost Android phones shipped with malware built in

Avast has found that many low-cost, non-Google-certified Android phones shipped with a strain of malware built in that pushes users toward apps they never meant to install. The malware, called Cosiloon, overlays advertisements on top of the operating system to promote apps or even trick users into downloading them. Affected devices shipped from ZTE, Archos and myPhone.

The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,’” wrote Avast. The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. “The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK.”

The dropper is part of the system’s firmware and is not easily removed.

To summarize:

The dropper can install application packages defined by the manifest downloaded via an unencrypted HTTP connection without the user’s consent or knowledge.
The dropper is preinstalled somewhere in the supply chain, by the manufacturer, OEM or carrier.
The user cannot remove the dropper, because it is a system application, part of the device’s firmware.

Avast can detect and remove the payloads and recommends following its instructions to disable the dropper. If the dropper spots antivirus software on the phone it stops showing notifications, but it still pushes downloads as you browse in the default browser, a gateway to more (and worse) malware. Engadget notes that this vector resembles Lenovo’s “Superfish” incident, in which thousands of laptops shipped with adware preinstalled at the factory.
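Because the dropper is a plain system application on the /system partition, the practical first step on a suspect device is to list what is preinstalled and compare it against what that model is supposed to carry. The script below is an added example written for this page; it is not Avast’s tooling and the package names in the sample are invented, not Cosiloon’s real ones. It parses the output of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per app), reports packages on a read-only partition that are not on a constructed allowlist, and emits the `pm disable-user --user 0` commands that disable them for the primary user, which is the usual way to neutralise a system app without root.

```python
"""Triage a device's read-only partitions for preinstalled packages that are not on an
expected list, and print the adb commands that disable them for the primary user.
Input is the text printed by `adb shell pm list packages -f`."""
import re
from typing import Dict, List

LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")

# Read-only partitions where a preinstalled dropper would live. /system is the one
# Avast names; the others are included because OEM and carrier apps also ship there.
SYSTEM_PARTITIONS = ("/system/", "/vendor/", "/product/", "/oem/", "/odm/")

# Constructed allowlist for a hypothetical device: AOSP/Google packages plus the OEM
# packages the owner recognises. Build it from a known-clean unit of the same model.
EXPECTED = {"prefixes": ("com.android.", "com.google.android.", "android"),
            "packages": {"com.vendor.camera", "com.vendor.launcher"}}


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path, ignoring lines that are not package entries."""
    entries = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group("pkg")] = m.group("path")
    return entries


def unexpected_system_packages(entries: Dict[str, str], expected=EXPECTED) -> List[str]:
    """Packages on a read-only partition that match neither an expected prefix nor an
    explicitly expected package name. Apps under /data are user-installed and skipped."""
    out = []
    for pkg, path in sorted(entries.items()):
        if not path.startswith(SYSTEM_PARTITIONS):
            continue
        if pkg.startswith(expected["prefixes"]) or pkg in expected["packages"]:
            continue
        out.append(pkg)
    return out


def neutralise_commands(packages: List[str]) -> List[str]:
    """A system app cannot be deleted from the firmware without root, but disabling it
    for user 0 stops its components from being started for that user."""
    return [f"adb shell pm disable-user --user 0 {pkg}" for pkg in packages]


# Constructed sample output; the vendor package names are invented for the example.
SAMPLE_PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/CrashService/CrashService.apk=com.vendor.crashservice
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/vendor/app/Camera/Camera.apk=com.vendor.camera
package:/system/app/ImeMess/ImeMess.apk=com.vendor.imemess
package:/system/priv-app/Launcher/Launcher.apk=com.vendor.launcher
package:/data/app/com.example.game-1/base.apk=com.example.game
"""

if __name__ == "__main__":
    suspects = unexpected_system_packages(parse_pm_list(SAMPLE_PM_LIST))
    for cmd in neutralise_commands(suspects):
        print(cmd)
```

Run the generated commands only after looking at each flagged package (`adb shell dumpsys package <name>` shows its signing certificate, services and receivers); an allowlist built from one clean device will still produce a few false positives on another firmware build. If disabling is refused, `adb shell pm uninstall -k --user 0 <name>` removes the app for the primary user while leaving the firmware copy in place, and a clean OEM firmware image is the only way to remove the dropper itself.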