Buckle up folks, if you're looking for a fantastic example of the need for sound vulnerability management programs, read on (this is about more than Drupal):
The day before Thanksgiving, Drupal released a patch for a critical vulnerability for which exploit code is available. 1/n
Oh, BTW this is a serialization vulnerability. This is bad. It allows for a local file overwrite. In most cases, this means it will result in an RCE.
Did your team notice the vulnerability notification on Wednesday? The day before Thanksgiving? 2/n
I hear the choirs of "we don't use Drupal because CMS are all vulnerable" but that's dumb. Your corp website probably uses a CMS of some variety. "Custom developed" means that nobody else is looking at the code. In most cases, this is security through obscurity. 3/n
But let's address the "CMS are okay, but Drupal is scary so we don't use it" crowd. Is the vulnerability *REALLY* in Drupal?
Oh snap, it isn't. It's in a PHP PEAR library that involves the handling of tar files. Drupal uses the library, noticed the issue, and moved to patch. 4/n
Now we're on to an SCA/SBOM discussion. Do you have applications that use the PEAR Archive_Tar library? If so, it needs an update.
But here's the rub: your vulnerability scanner probably won't find this for you. You need to know what open source libraries are in your apps. 5/n
Because while some in the security community (the few people who noticed anyway) said "another Drupal vulnerability, those clowns" the reality is that maybe instead of calling them clowns we should be calling them heroes. They did the needful. 6/n
Good vulnerability management program managers have been fighting to get SCA and SBOM in place. They're most likely to be ready to respond to this.
They probably saw the vulnerability report a week ago because they knew Archive_Tar mattered to them. 7/n
So here's the situation: a lot of projects make use of PEAR, many of them use Archive_Tar. You're now in a race against attackers to find other places where it's used.
Have a happy Friday and a great weekend. Your adversaries certainly will. /FIN
• • •
Missing some Tweet in this thread? You can try to
force a refresh
After further reflection I think Twitter has made a mistake censoring the NY Post article. It's garbage journalism, but that's not why they censored it.
Twitter is claiming that it contains hacked content and linking to it violates its policies. 1/n
First, let's note that Twitter has consistently penalized accounts for linking to hacked content. Their actions are at least consistent when viewed at face value.
The question for me then is this: does this constitute "hacked content?" I really don't think it does. 2/
If you take the story at face value, this is data recovered from abandoned property. Imagine you see a computer in a public trash can. You take it and extract data from the drive. Is that hacked data? More importantly, would Twitter censor a story with that data? 3/
This is also several degrees of bad. It's not "swastika might mean something else" (what???) when you are putting someone wearing a Jewish symbol in an oven. I don't think this has any place on the platform, but that's up to the platform and advertisers who support it. 2/
On the broader question of censorship, content platforms have a choice for what they wish to allow.
But they have a responsibility to not push offensive and radicalizing content to those who don't ask to see it. Driving dangerous content because people engage is unacceptable. 3/
Garmin is in a unique position with their ransomware incident. They are both a manufacturer AND hold regulated data. The value of their devices is directly tied to the availability of their apps and the personal data they hold.
I don't see that Garmin has a choice but to pay. 1/
The fact that a single incident seems to have taken down their data service AND their manufacturing indicates very loose trusts or very flat networks. Neither is good from a security perspective, but I'm also confident that either will be quickly corrected, no big deal to me. 2/
What IS a big deal to me is my personal data. Many ransomware groups exfiltrate data before encrypting and demand extortion payments from victims, lest they release this data. That's almost certainly the case here.
If Garmin refuses to pay, I don't see things going well. 3/
All right stop
Just intubate and listen
Ice is back with misguided intention
COVID grabs a hold of me tightly
Shortness of breath both daily and nightly
Will it ever stop?
Yo, I don't know
Turn off the lights, put a tag on my toe
To the extreme, I rock ICU like I'm comatose
Light up a room, I'm a chump, experiencing new lows
Cough
Heck yeah, the ventilator goes woosh
Hypoxia killing my brain like a I'm a selfish douche
Deadly, the EKG beeps a dope melody
Performing this concert should have been a felony
Large groups in public?
That's not okay
You better wear a mask
'cause COVID don't play
I'm creating a problem
But I won't solve it
Check out my vent while the respiratory therapist resolves it
Facebook paid a third party firm to develop an 0-day exploit customized for Tails and then gave it to the FBI to target a cyber criminal operating on their platform. I've been thinking about this all morning and I think I support the action. 1/ vice.com/en_us/article/…
But this one is really thorny to be sure. A critical point is that Tails was removing the vulnerable feature in a not-yet-released version, so that limited the time the vuln could be used by the FBI. There's no question this monster was targeting children and had to be stopped 2/
If Facebook used an OPSEC mistake and turned that data over to the FBI, this would be a non-story. The only reason we care is that Facebook subsidized the exploitation of another platform. Critically, FB notes they wouldn't have introduced risk for all users to aid the FBI. 3/
24 hours later and I've heard lots of "leaders" say they want to start community review boards and the like. Review/advisory boards are not what's needed.
At a minimum, these are needed:
State level registries of officer violence/complaints
Citizen recertification boards 1/
Funds from abuse lawsuit awards come from pension or department discretionary funds
Residency requirements for at least the majority of the force
Body cameras worn by all and on at all times during interface with the public, video and audio
Review of current officer's records
2/
Should the registry of abuse be national? Sure, that would be better. But governors can't do that. They CAN each do it at the state level. They could even share that data...
What about body cameras? Yeah, not having privacy sucks. But lots of people give up privacy for a job. 3/