Authentic8 Blog Category: Threat Intelligence

JavaScript: How NPM Maintainer Accounts Amplify Risk

Twenty compromised JavaScript package maintainer accounts would be enough to push malicious code into more than half of the npm ecosystem, and from there into every browser that executes the affected pages.


Compromising just 20 specific maintainer accounts would give an attacker a path into more than half of all packages in the JavaScript npm ecosystem, security researchers warn, because those packages depend, directly or transitively, on code the 20 accounts control. With ordinary browsers on the receiving end, executing whatever JavaScript an affected web page ships, a single malicious release can trigger a disastrous chain reaction.

More than 800,000 free and reusable software packages are available through the npm (“node package manager”) registry. Should an attacker breach those at-risk accounts, a malicious package version published under them would flow down the dependency chains into applications worldwide, the findings of the Technical University of Darmstadt (TU Darmstadt) in Germany indicate.

In their paper for USENIX, Small World with High Risks: A Study of Security Threats in the npm Ecosystem, Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel shine a light on the widespread use of npm packages
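To make the "reach" idea concrete, here is an added example (not code from the TU Darmstadt study or from this blog): a tiny constructed registry of eight made-up packages, a function that computes how many packages would transitively pull in a poisoned version of a given package, the same for everything a single maintainer account controls, and a greedy pick of the accounts whose compromise covers the most packages. Package and maintainer names are placeholders; the dependency edges are invented for illustration.

```javascript
// Added example (not from the TU Darmstadt study or the Authentic8 post):
// a small constructed npm-style registry showing how transitive dependencies
// turn a handful of maintainer accounts into reach over most of an ecosystem.
// All package and maintainer names below are made up.
const REGISTRY = {
  "tiny-util":    { maintainers: ["alice"], deps: [] },
  "fast-parse":   { maintainers: ["bob"],   deps: ["tiny-util"] },
  "http-lib":     { maintainers: ["carol"], deps: ["fast-parse"] },
  "ui-kit":       { maintainers: ["dave"],  deps: ["http-lib", "tiny-util"] },
  "chart-widget": { maintainers: ["erin"],  deps: ["ui-kit"] },
  "auth-client":  { maintainers: ["frank"], deps: ["http-lib"] },
  "app-shell":    { maintainers: ["grace"], deps: ["chart-widget", "auth-client"] },
  "lonely-pkg":   { maintainers: ["heidi"], deps: [] },
};

// Reverse edges: package -> set of packages that depend on it directly.
function buildDependents(registry) {
  const dependents = {};
  for (const name of Object.keys(registry)) dependents[name] = new Set();
  for (const [name, meta] of Object.entries(registry)) {
    for (const dep of meta.deps) {
      if (!dependents[dep]) dependents[dep] = new Set();
      dependents[dep].add(name);
    }
  }
  return dependents;
}

// Transitive "package reach": every package that would pull in a malicious
// version of `pkg` through any chain of dependencies.
function packageReach(registry, pkg, dependents = buildDependents(registry)) {
  const reach = new Set();
  const stack = [pkg];
  while (stack.length) {
    const cur = stack.pop();
    for (const d of dependents[cur] || []) {
      if (!reach.has(d)) { reach.add(d); stack.push(d); }
    }
  }
  return reach;
}

// "Maintainer reach": what a compromised account can poison, i.e. the
// account's own packages plus everything that transitively depends on them.
function maintainerReach(registry, maintainer) {
  const dependents = buildDependents(registry);
  const reach = new Set();
  for (const [name, meta] of Object.entries(registry)) {
    if (!meta.maintainers.includes(maintainer)) continue;
    reach.add(name);
    for (const p of packageReach(registry, name, dependents)) reach.add(p);
  }
  return reach;
}

// Greedy set cover: pick k accounts that together reach the most packages.
// Greedy is not optimal, so the fraction it finds is a lower bound on what an
// attacker choosing accounts carefully could cover.
function topMaintainers(registry, k) {
  const all = new Set(Object.values(registry).flatMap(m => m.maintainers));
  const chosen = [];
  const covered = new Set();
  for (let i = 0; i < k && all.size; i++) {
    let best = null, bestGain = -1;
    for (const m of all) {
      const gain = [...maintainerReach(registry, m)].filter(p => !covered.has(p)).length;
      if (gain > bestGain) { best = m; bestGain = gain; }
    }
    if (bestGain <= 0) break;
    chosen.push(best);
    all.delete(best);
    for (const p of maintainerReach(registry, best)) covered.add(p);
  }
  return { chosen, coveredFraction: covered.size / Object.keys(registry).length };
}

console.log(topMaintainers(REGISTRY, 1)); // one low-level account already reaches 7 of 8 packages
```

In this constructed graph the account behind the leaf utility `tiny-util` reaches 7 of 8 packages on its own, even though it directly maintains only one; that is the amplification the study quantifies across the real registry.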

How to REALLY Browse Anonymously

When anonymous web access becomes business-critical, the web's favorite home remedies won't help. Worse, they can harm you and your organization.


A few weeks ago, I was speaking with a regional bank in the Southwestern United States, where the lack of anonymity online had jeopardized a recent investigation. The bank was doing online research necessary for them to comply with Bank Secrecy Act and Anti Money Laundering (BSA/AML) regulations.

A financial fraud analyst found incriminating evidence on the web page of a business she was investigating. Imagine her frustration when she went back the next day to collect that evidence, only to find it had been removed in the meantime. What happened?

The bank suspects that the subject of its investigation was tipped off to the analyst's research because web traffic from the bank was hitting the website of the investigated business.

This happens more often than one would think, as I've learned in conversations with other financial services firms before.

What’s the ROI of Threat Hunting?

How can IT security threat hunters measure success? That is one of the core questions raised by the new SANS 2019 Threat Hunting Survey, which was co-sponsored by Authentic8.


The answer may lie in a strategy and tool selection that avoids mission and cost creep, and results in measurable effects - and savings - to prove it.

That’s our main takeaway from this year’s Threat Hunting Survey. Co-authors Mathias Fuchs and Joshua Lemon capture the different needs and challenges within organizations that are just starting their cyber threat hunting program, versus those who are honing their skills and programs.

Definitions of Threat Hunting

What is threat hunting? The SANS survey results document a wide variety of methodologies, spending priorities, tools deployed, training needs - and opinions about what constitutes effective threat hunting practices.

"Many organizations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts," says Mathias Fuchs, a SANS instructor and threat

Interview: HTTPS Interception, TLS Fingerprinting, and the Browser

Use HTTPS, they said. Make sure your browser shows that green padlock, they said. You’ll be safe, nobody can eavesdrop, they said.

IT security teams and threat hunters, who are familiar with the inherent security weakness of the web’s underlying protocols, know better.

The problem with HTTPS internet connections is similar to the problem with VPN. Or, as Larry Loeb put it in his post HTTPS: Beware the False Sense of Security on this blog: “[U]sers think that it does more than it actually does.”

For starters, a basic HTTPS connection is established when the browser (client) connects directly to an origin server and exchanges requests and content protected by TLS encryption. Even then, this communication is vulnerable to interception.

The reason is simple. Often, the browser doesn’t connect directly with the web server serving the website. Instead, data gets routed through a proxy or middlebox, a.k.a. "monster-in-the-middle" (MITM), which terminates the browser's TLS session and opens its own TLS connection to the origin, so the padlock only vouches for the hop between browser and middlebox. HTTPS interception, for benign or malign reasons,

Interview: James Kettle Explains HTTP Desync Attacks (In Under 3 Minutes)

$70k - how's that for a bug bounty total netted from an almost forgotten web exploit?

At Black Hat USA 2019 in Las Vegas, James Kettle of PortSwigger Web Security demonstrated how he pulled it off. The security researcher used an old (by internet standards) technique called HTTP Request Smuggling, which was first documented back in 2005.

It still works. Kettle's exploit schemes, dubbed Desync Attacks, leverage HTTP's support for sending multiple requests over a single underlying TCP or SSL/TLS connection: when a front-end server and the back-end behind it disagree on where one request ends and the next begins (for example, one honouring Content-Length and the other Transfer-Encoding), part of one request is read by the back-end as the start of another.

HTTP requests are traditionally understood as isolated entities that are placed back to back. In his presentation of request smuggling attacks for cybersecurity researchers, Kettle showed how he was able to overcome this compartmentalization.

The British threat hunter's approach enabled him to splice requests into others, as he said, to "gain maximum privilege access to internal APIs, poison web caches, and compromise what's possibly your most trusted login page."

How did he do it? And what does
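The mechanism behind "splicing requests into others" is easier to see than to describe, so here is an added example that is not code from Kettle's talk or from this interview: two toy HTTP parsers fed the same byte stream, one behaving like a front-end that trusts Content-Length and one like a back-end that trusts Transfer-Encoding: chunked (the classic CL.TE disagreement). The attacker request, the victim request, the host names and the /admin path are all constructed for illustration; the Content-Length is computed from the body so the sample stays consistent.

```javascript
// Added example (not from James Kettle's research or the Authentic8 interview):
// how a front-end and a back-end can split one TCP byte stream into different
// HTTP requests when they disagree on Content-Length vs Transfer-Encoding.
// All requests, hosts and paths below are constructed placeholders.
const CRLF = "\r\n";

// Parse a request head starting at `start`; header names are lowercased.
function parseHead(stream, start) {
  const end = stream.indexOf(CRLF + CRLF, start);
  if (end === -1) return null;
  const lines = stream.slice(start, end).split(CRLF);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { requestLine: lines[0], headers, bodyStart: end + 4 };
}

// Server model A (front-end): honours Content-Length, ignores Transfer-Encoding.
function splitByContentLength(stream) {
  const reqs = [];
  let pos = 0;
  while (pos < stream.length) {
    const head = parseHead(stream, pos);
    if (!head) { reqs.push({ requestLine: stream.slice(pos), headers: {}, incomplete: true }); break; }
    const len = parseInt(head.headers["content-length"] || "0", 10);
    reqs.push({ requestLine: head.requestLine, headers: head.headers,
                body: stream.slice(head.bodyStart, head.bodyStart + len) });
    pos = head.bodyStart + len;
  }
  return reqs;
}

// Read a chunked body; returns the decoded body and the offset just past the
// terminating "0\r\n\r\n".
function readChunked(stream, pos) {
  let body = "";
  for (;;) {
    const lineEnd = stream.indexOf(CRLF, pos);
    const size = parseInt(stream.slice(pos, lineEnd), 16);
    pos = lineEnd + 2;
    if (size === 0) return { body, end: pos + 2 };
    body += stream.slice(pos, pos + size);
    pos += size + 2;
  }
}

// Server model B (back-end): honours Transfer-Encoding: chunked when present,
// otherwise falls back to Content-Length.
function splitByChunked(stream) {
  const reqs = [];
  let pos = 0;
  while (pos < stream.length) {
    const head = parseHead(stream, pos);
    if (!head) { reqs.push({ requestLine: stream.slice(pos), headers: {}, incomplete: true }); break; }
    const te = (head.headers["transfer-encoding"] || "").toLowerCase();
    if (te === "chunked") {
      const { body, end } = readChunked(stream, head.bodyStart);
      reqs.push({ requestLine: head.requestLine, headers: head.headers, body });
      pos = end;
    } else {
      const len = parseInt(head.headers["content-length"] || "0", 10);
      reqs.push({ requestLine: head.requestLine, headers: head.headers,
                  body: stream.slice(head.bodyStart, head.bodyStart + len) });
      pos = head.bodyStart + len;
    }
  }
  return reqs;
}

// Constructed attacker request carrying both headers. The front-end forwards
// exactly Content-Length bytes; the back-end stops at the zero-length chunk and
// keeps the leftover "GET /admin ... X-Ignore: " as the prefix of the NEXT
// request on the connection, which is the victim's.
const SMUGGLED = "GET /admin HTTP/1.1" + CRLF + "X-Ignore: ";
const ATTACKER_BODY = "0" + CRLF + CRLF + SMUGGLED;
const ATTACKER = "POST / HTTP/1.1" + CRLF + "Host: target.example" + CRLF +
  "Content-Length: " + ATTACKER_BODY.length + CRLF +
  "Transfer-Encoding: chunked" + CRLF + CRLF + ATTACKER_BODY;
const VICTIM = "GET /home HTTP/1.1" + CRLF + "Host: target.example" + CRLF + CRLF;
const STREAM = ATTACKER + VICTIM;

// Request lines as seen by each side of the chain.
function desyncView(stream) {
  return {
    frontEnd: splitByContentLength(stream).map(r => r.requestLine),
    backEnd: splitByChunked(stream).map(r => r.requestLine),
  };
}
```

`desyncView(STREAM)` shows the front-end seeing `POST /` followed by `GET /home`, while the back-end sees `POST /` followed by `GET /admin`, with the victim's entire request line swallowed into the smuggled `X-Ignore` header. The defence Kettle's write-ups point to is the same one this model implies: make every hop in the chain parse request boundaries identically, reject requests that carry both headers, or avoid reusing back-end connections across different clients.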