#AxisOfEasy 174: Drupal Deploys Emergency Fix For Critical Vulnerability

Weekly Axis Of Easy #174

Last Week’s Quote was “The best cure for overconfidence in your beliefs is to constantly remind yourself that you have experienced less than a tiny fraction of a percent of what has happened in the world. This experience, however, ends up representing nearly 100 percent of how you believe the world works.” It was Gautam Baid. Nobody got it, but he’s the author of The Joys of Compounding, one of the best books on investing I’ve read in a while.

This Week’s Quote: “The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.” By….???

THE RULES: No searching up the answer, must be posted to the blog. The place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


In this issue:
  • Drupal deploys emergency fix for critical vulnerability
  • PHP8 is here already
  • Qantas to require vaccinations as IATA forms industry response
  • Hacker posts exploit for over 49K vulnerable Fortinet VPNs
  • Biden’s tech czar is a zealous tech regulator
  • FBI is latest victim of domain spoofing attacks
  • Ransomware attacks this week: Canon, Sopra Steria
  • Amazon AWS outage affects huge chunk of internet
  • Microsoft to deploy “productivity score” on workers using office suite
  • PowerDNS founder departs for even more interesting gig in civilian oversight
  • Second Swiss firm discovered selling encrypted devices with back doors
  • In Xi’s China there is no room for dissent
  • AxisOfEasy Salon #32: Demetri Kofinas of Hidden Forces

Drupal deploys emergency fix for critical vulnerability


A critical vulnerability in the Drupal Content Management System (CMS) has prompted an emergency update from the vendor. The fixes address CVE-2020-28948 and CVE-2020-28949, which affect the PEAR Archive_Tar library. Any affected Drupal installation configured to allow uploading of .tar, .tar.gz, .bz2, or .tlz files is vulnerable to remote code execution.


Affected versions should be upgraded as follows:


  • Drupal 9.0 users should update to Drupal 9.0.9
  • Drupal 8.9 users should update to Drupal 8.9.10
  • Drupal 8.8 or earlier users should update to Drupal 8.8.12
  • Drupal 7 users should update to Drupal 7.75


Drupal is the fourth largest CMS in terms of number of deployments across the internet.


Read: https://www.bleepingcomputer.com/news/security/drupal-issues-emergency-fix-for-critical-bug-with-known-exploits/


PHP8 is here already


It feels like it was only just yesterday when we finally finished porting the last vestiges of our edge case PHP5 stuff to PHP7 (fortunately we made sure to finish our server automations at the same time so we’ll never have to deal with that again).


Well now PHP7.1 is end-of-life and it’s time to get ready for PHP8.


The folks over at WordFence put out a primer of sorts describing the kinds of changes that are coming down the pipe:


“PHP 8 uses much stricter typing than previous versions. Many built-in functions are now pickier about the input they accept, and PHP 8 itself is more stringent about how input is passed to functions. Issues that previously resulted in notices now result in warnings, and issues that previously resulted in warnings now result in errors.”


Two places where this will make a difference are WordPress and the aforementioned Drupal, both of which are written in PHP. Wordfence estimates that at least 5,500 WordPress plugins use create_function, which is removed in version 8.


Read: https://www.wordfence.com/blog/2020/11/php-8-what-wordpress-users-need-to-know/


Qantas to require vaccinations as IATA forms industry response


This follows what now appears to be an emerging theme: forthcoming COVID-19 vaccines will not be made mandatory by national governments, but will be made de facto mandatory by quasi-monopolies operating within the private sector.


We reported on how Ticketmaster plans to make vaccinations mandatory for event attendance; now the CEO of Australia’s Qantas airline has made a similar declaration. Qantas CEO Alan Joyce told CNN in an interview that, once the vaccines are available, all international travellers will be required to be vaccinated before being permitted to fly.


Read: https://www.cnn.com/travel/article/qantas-coronavirus-vaccination-intl-hnk-scli/index.html


The International Air Transport Association has unveiled their plans for a digital platform that they say will enable international borders to re-open. The body says they are in the final testing phase for their IATA Travel Pass app which will incorporate four open-sourced modules which will:


“include a global registry that would enable airline passengers to find accurate information about travel, testing, and eventually vaccine requirements for their journey, as well as the location of testing and vaccination centres at their departure location, which meet the standards for vaccination requirements of their destination.


The pass would also feature a lab app to enable authorised labs and test centres to share and test vaccination certificates with passengers, and a contactless travel app so passengers are able to create a digital passport that would allow them to receive test and vaccination certificates to verify they can travel, which could then be shared with airlines and authorities.”


…and of course this app will also be used to digitally manage all of the documentation for the above. Digital immunity passports are on the way folks.


Read: https://www.zdnet.com/article/global-airline-body-claims-it-has-the-solution-that-will-allow-international-travel-to-resume/


Meanwhile, Delta recently announced a program offering quarantine-free flights from the USA to Europe. Passengers will be tested three times over the course of the trip and will not be required to quarantine upon testing negative all three times.


Read: https://www.washingtonpost.com/world/2020/11/27/quarantine-free-flights-between-europe-and-us/


Hacker posts exploit for over 49K vulnerable Fortinet VPNs


A hacker nicknamed “Pumpedkicks” posted details of a path traversal flaw in Fortinet VPN devices which enables attackers to grab system files and authentication details remotely over the web.


The hack exploits CVE-2018-13379, and login credentials for 49,000 affected devices are now circulating on the Dark Web. Armed with the login details for the VPN devices, attackers can breach the networks behind them and compromise those networks further, including by launching ransomware attacks.


One security researcher did some DNS analysis on the listed names and found among them banks and government agencies.


Biden’s tech czar is a zealous tech regulator


The presumptive president Joe Biden looks to be tapping his top tech advisor Bruce Reed for a key role within his administration. Reed is an avid tech regulator who was behind new privacy regulations in California. This could have an effect on what happens around Section 230 of the US Communications Decency Act. Section 230 is what shields ISPs and tech platforms from liability arising from content posted, hosted or traversing their networks.


Reed has been a vocal critic of Section 230. He co-authored a chapter in Which Side of History? How Technology Is Reshaping Democracy and Our Lives, in which he called it “an enemy of children.”


The Trump administration threatened to rescind section 230 exemptions of the Big Tech platforms over their relentless alleged anti-Conservative bias, so a switch in regimes may not give them any relief from pressure on this front.


We’ll keep an eye on developments.


FBI is latest victim of domain spoofing attacks


The latest organization to come under attack via fake or spoofed domain names is none other than the US FBI. The agency issued a warning via its Internet Crime Complaint Center (IC3) that recently registered look-alike domain names are spoofing some of the FBI’s official web properties.


The domains have names like fbisusagov{.}online, fbireport{.}us, fbi-fraud{.}com, even fbigov{.}art and myriad others (the curly braces are inserted to defang the URLs from your mail readers).


The IC3 warning: https://www.ic3.gov/Media/Y2020/PSA201123


Remember, Domainsure detects these variants across all delegated TLDs in near-real-time. If your organization is or could be a target of this kind of attack, reply to this email or visit Domainsure.com and take the free domain assessment.
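A minimal look-alike screen of the kind this item describes, added here as an example (it is not Domainsure’s or the IC3’s code): it refangs names written newsletter-style with {.}, flags registrations whose second-level label carries the brand token plus an agency-service keyword, and re-defangs the hits for reporting. The feed, the keyword list and the allow-list below are constructed for the example.

```python
import re

# Constructed sample feed of newly registered domains (not a real zone file),
# defanged the way the newsletter writes them, with {.} in place of dots.
NEW_REGISTRATIONS = [
    "fbisusagov{.}online",
    "fbireport{.}us",
    "fbi-fraud{.}com",
    "fbigov{.}art",
    "fbi{.}gov",          # the legitimate site, must not be flagged
    "rugbyfbi{.}club",    # contains "fbi" but no impersonation keyword
    "cbi-fraud{.}com",    # different brand, no match
    "example{.}com",
]

BRAND = "fbi"
LEGIT = {"fbi.gov", "ic3.gov"}          # assumed allow-list of genuine hostnames
# Tokens that, combined with the brand, suggest impersonation of an agency service.
SUSPECT_TOKENS = ("gov", "usa", "report", "fraud", "complaint", "alert", "tips")

def refang(domain):
    """Turn 'fbi-fraud{.}com' or 'fbi-fraud[.]com' back into a real hostname."""
    return re.sub(r"[\{\[]\.[\}\]]", ".", domain).lower().strip()

def defang(domain):
    """Make a hostname safe to paste into mail or a ticket without it becoming a link."""
    return domain.replace(".", "{.}")

def registrable_label(domain):
    """Second-level label; sufficient here, no public-suffix list needed for this feed."""
    return domain.split(".")[-2] if "." in domain else domain

def is_lookalike(domain):
    d = refang(domain)
    if d in LEGIT:
        return False
    label = registrable_label(d)
    if BRAND not in label:
        return False
    rest = label.replace(BRAND, "").strip("-")
    if rest == "":
        return True   # brand as the whole label on a foreign TLD, e.g. fbi.art
    # "fbi" buried in an unrelated word (rugbyfbi) is weak evidence on its own;
    # require an agency-service keyword alongside it to reduce false positives.
    return any(tok in rest for tok in SUSPECT_TOKENS)

def flag_lookalikes(feed):
    """Return the suspicious names from a feed, defanged for reporting."""
    return [defang(refang(d)) for d in feed if is_lookalike(d)]

if __name__ == "__main__":
    for hit in flag_lookalikes(NEW_REGISTRATIONS):
        print("suspect look-alike:", hit)
```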


Ransomware attacks this week: Canon, Sopra Steria


No shortage of ransomware attacks over the last week or so:


Canon disclosed that the data breach it suffered in August was, in fact, the result of a ransomware attack.


Read: https://www.bleepingcomputer.com/news/security/canon-publicly-confirms-august-ransomware-attack-data-theft/


French IT firm Sopra Steria, with 46,000 employees across Europe, was hit by the Ryuk ransomware strain and estimates that its losses will run to the 40 to 50 million euro range.


Read: https://www.bleepingcomputer.com/news/security/sopra-steria-expects-50-million-loss-after-ryuk-ransomware-attack/


A relatively recently formed fertility clinic, which became one of the largest in the US after a merger earlier this year, revealed that the ransomware attackers who were inside its systems for a month also stole patient data:


Read: https://techcrunch.com/2020/11/26/us-fertility-ransomware-attack/


And just as I was writing up this item I saw the news that schools in Baltimore County, Maryland will be closed Monday and Tuesday (I suppose that’s “were closed”, by the time you read this) after their computer systems had been hit with a ransomware attack:


Read: https://www.wbaltv.com/article/baltimore-county-public-schools-closed-monday-tuesday-ransomware-attack/34811334


Delaware County in Pennsylvania paid $500,000 USD to attackers after their systems were hit with Doppelpaymer ransomware last weekend:


Read: https://www.bleepingcomputer.com/news/security/pennsylvania-county-pays-500k-ransom-to-doppelpaymer-ransomware/


Amazon AWS outage affects huge chunk of internet


Earlier in the year, the internet saw how the larger Infrastructure-as-a-Service (IaaS) platforms are becoming single points of failure unto themselves when a major Cloudflare outage seriously impacted the internet (we also use Cloudflare for DDoS mitigation but were not impacted, and we wrote up the details here). It was not the first Cloudflare outage, and it won’t be the last.


Last week it was Amazon’s turn, with AWS suffering a significant outage that had far-reaching effects as well. The issue was with Kinesis Data Streams, which, I will admit, I didn’t know what those were until this very moment when I looked it up. It’s a sub-system of AWS that facilitates the capture of metrics from within huge data streams. According to Amazon it only affected 1 of their 23 geographical zones, but it caused enough problems to cascade through such services as 1Password, Adobe Spark, Coinbase, Flickr, Vonage and the Washington Post; the list goes on.


Microsoft to deploy “productivity score” on drone workers using office suite


With the remote work movement looking more secular than cyclical it will be no surprise to see workplace analytics taking a more prominent role in office collaboration suites. Microsoft introduced Workplace Analytics for its O365 suite over the summer. The system will make use of various metadata from your email and calendar (to/from and subject lines, timestamps, etc.) in order to “create a set of behavioural metrics” managers can use to figure out who’s doing (or not doing) what within the organization.


Out of all that, the system will compute and assign you a “productivity score” between 1 and 800.


“Their particular concern is that Microsoft will make the micro-surveillance of employees mainstream and an accepted part of the work-life, on the basis of unproven and dubious benefits, which are likely to be hacked by workers doing nonsense “grinding” in place of real productive work, simply to increase their score.”


What is being referred to here is a phenomenon called Goodhart’s Law, which we once wrote about in the context of customer feedback surveys. The TL;DR is this: “when a measure becomes a target, it becomes useless.” Meaning: it is ok to have data in order to garner insight into what’s going on. However, the moment you try to modify outcomes by specifically targeting the measure (like customer response performance quotas), behaviour shifts to target the score, not the underlying work from which the score would ostensibly be derived.


Read: https://newrepublic.com/article/160388/microsoft-productivity-score-workplace-analytics-employee-surveillance


For those keeping score at home, so far in this week’s issue we are getting inklings that:

  • Immunity passports are coming soon
  • Social credit scores for your job are coming soon thereafter

PowerDNS founder departs for even more interesting gig in civilian oversight


The original creator of the PowerDNS name server is calling it a career in the DNS biz and moving on to a new gig in civilian oversight. Bert Hubert posted to his blog that he will still keep a hand in PowerDNS as a minority shareholder but will be ending his role there.


Read: https://blog.powerdns.com/2020/11/27/goodbye-dns-goodbye-powerdns/


What he’ll be doing instead is the reason I wanted to include it here. Bert will be moving to a full time position as one of three members of the Netherlands’ Toetsingscommissie Inzet Bevoegdheden or TIB. It’s a citizen panel that oversees warrants of the Dutch intelligence and security services.


“If either of the civil or the military intelligence and security services of The Netherlands want to use their lawful intercept, SIGINT or hacking (& some other) legal powers, they have to first convince their own jurists, then their ministry and finally the TIB. The TIB then studies if the warrant is legal, and that decision is binding.”


I love this governance model and from the personal dealings I’ve had with Bert over the years I know he will be a bastion of rationality and technical cluefulness (Bert gave me a lot of advice on my DNS book, and his colleague Peter van Dijk was instrumental in shaping same).


Second Swiss firm discovered selling encrypted devices with back doors


A second Swiss firm has been caught selling encryption devices with back door access for intelligence agencies. Back in AxisOfEasy #133 we reported how Crypto AG, whose encryption products were sold to governments worldwide, turned out to be an intelligence operation controlled by the CIA, which had access to those devices via software backdoors.


According to a report by Swiss public television, SRF, a second company, Omnisec, was reported by a whistleblower to have sold OC-500 series devices to the Swiss government and other agencies, as well as Swiss banks, during the mid-2000s. Turns out those devices were also not secure and were tappable by US intelligence agencies.


In Xi’s China there is no room for dissent


This chilling exposé by the Wall Street Journal follows the story of Lu Yuyu, who is not a Chinese political dissident per se. Or at least he wasn’t. His crime was that he started covering the activities of Chinese political dissidents and enumerating them online: how many protests, when, where, how many participants. Just doing that made him a target of government censors and eventually the secret police.


One day he was snatched off the street and renditioned into a van, to be imprisoned for four years. Since his release government security services have been pressuring his landlord to kick him out of his apartment and harassed anybody thinking of employing him.


“After Mr. Lu was snatched off the street, he spent four years in custody, his girlfriend left him, and, since his release in June, he said he has been kept under close watch by police. He struggles to find steady work, he said, and suffers from depression. His landlord recently asked him to move, he said, citing pressure from authorities.”


While he was in prison he lived in a cell with 11 other inmates and worked 10 hour days sewing garments. Before his eventual release he was served “a judicial notice forbidding him from setting foot in Beijing, Shanghai or Xinjiang”.


Read: https://www.wsj.com/articles/their-goal-is-to-make-you-feel-helpless-in-xis-china-little-room-for-dissent-11606496176 (paywall)

AxisOfEasy Salon #32: Demetri Kofinas of Hidden Forces


Last week on the AxisOfEasy Salon Charles was out of action but Jesse and I had the good fortune to welcome Demetri Kofinas on the show. He’s the host of the HiddenForces.io podcast/interview series, and it really is a first rate show with amazing guests and incredibly detailed rundowns. We talked to Demetri about his origins and his process and it was quite a privilege to be able to talk with him.


Watch: https://axisofeasy.com/podcast/salon-32-the-hidden-forces-that-shape-demetri-kofinas/
