Cyberweekly #164 - Investing in your staff for a better future
Published on Sunday, August 29, 2021
The last 18 months have been a particularly rough time for lots of people.
A global pandemic has changed working patterns and, as many commentators have pointed out, accelerated the shift to working from home, without the normal advantages of working from home: the ability to go out to coffee shops or restaurants, or to meet people in the middle of the day.
Meanwhile, many people in tech and government have had to turn their 5 year strategies upside down during this period, and deliver new remote-friendly capabilities at pace, with less budget and less support.
This is articulated well, if somewhat depressingly, here: https://twitter.com/Naii/status/1248395147529695244?s=20
It's no wonder that we're all feeling burnt out, down, or in a general malaise. The tyranny of video meetings means that I certainly tend to sit and do 4 or 5 meetings non-stop, going straight from one to the next, which makes work feel like a blur and makes it difficult to focus.
We need to take the time out to invest in ourselves, and those of us who manage others also need to take time to invest in them.
We need to be careful: taking time for career conversations, to discuss someone's 5 year plan or vision, might add to the burnout for some. For others, though, it will provide a valuable structured conversation and an opportunity to focus on goals and feel a sense of progress, and it gives them permission to take a break from endless video meetings and think about their career, the skills they want to learn, and their next steps.
Other than reminding people to take breaks, take holidays, and take time, the next best thing we can do to help people during this period is to give them a sense of progress, of tasks delivered and done, and a feeling that there is hope: a future they can care about.
- You’re annoying them. Maybe it’s your tone, words, timing, how they generally perceive you, how often you ask, etc. Regardless: you’re annoying them.
- They’re not experienced or adept at tackling this kind of issue. They’ve got expertise in other areas, but not this one.
- They’re overloaded. They’re burned out, they work 12-hour days, they’ve already got a pile of work they need to focus on.
- This isn’t a priority for them, the team, or the company.
- You’ve amygdala hijacked them. Beyond just annoying them, you’ve straight-up triggered their fight or flight response, and their logical/rational brain is on standby right now.
- What could we try?
- If you could wave a magic wand, what one thing would you change?
- What, deep-down, do you truly want?
- What do you need?
- What’s in the way?
- What’s holding you back?
- Execute my full exploit chain to take over Apple ID. This requires only one click from the user.
- Present the user with a ‘login with AppleID’ button by deleting all the content of the Apple ID login page and replacing it with the standard button
- Open a new window to the real, full Apple ID login page, same as apple would when the button is clicked
- With our control of idmsa.apple.com, take control over the real Apple ID login dialog and inject our own code which harvests the logins as they are typed
- Manipulate browser history to set the exploit page location to https://apple.com, and then delete the history record of being on the exploit page — if the user checks if they came from a legitimate Apple site, they’ll just see apple.com and be unable to go back.
I think I burnt out around November 2020.
Like everyone, I went through phases of the pandemic (and no, I have no desire to read another pandemic memoir, including my own. I’m sorry). I was thankfully employed - doing well at work, though adjusting to more loneliness and working from home, and keeping busy with exercise. I started really losing it around June 2020, drinking too much. I noticed, reined it in, and continued. But by November, I was tired. Tired of another monotone day. Tired of my inability to control basic choices that I knew would improve my lifestyle, like my volume of meetings. Tired of 7 hours of Zoom a day, only to try to cram more work in in the evening, to no avail. Tired of unnecessary drama at work - drama for the sake of drama. I was floundering.
I was working longer and longer hours, and getting less and less done. And being asked to continue doing that. Or worse, being told I’m doing a great job with one crisis, and to move onto the next fire. I didn’t think I was doing a great job. I was doing a terrible job.
And I definitely wasn’t fulfilled. I never got to finish anything. I barely got to start things. I was always tired. Always in another meeting. Always pretending everything was fine, to myself and to others.
I don’t think I noticed I was burnt out until early February 2021, almost six months later. Honestly, realizing it was kind of a relief. I hadn’t noticed how bad it had gotten. A few weeks later, I quit my job. And then a new, different kind of struggle started. Not knowing what to do with myself, or how to recover.
This burnout felt different from before. This experience was different from when I’ve burnt out in the past. A few jobs ago, I remember being really truly exhausted - going on weeks of working 80+ hours, staying up until 2am every night working to get back up at 7:30am - but I was still, shockingly, productive. (I blame my younger self, there’s no way I could sustain this for even days now.) One day, I was on a conference call (remember those? it’s like Zoom but you can mute to have side conversations with whoever is in the room!), and I just, uh, stopped. I couldn’t process what people were saying, I didn’t understand what was going on, I felt nothing. Like my brain shut down. I just stared off into space, looking outside at the sky. This lasted for a few minutes, and mellowed out over several hours, but it felt like something fundamental had just shifted. I could no longer will myself to work those long hours, or to go to the office, or to answer calls. And this feeling lasted for days. Each of those moments was a struggle. I took a month off work, and only returned for the time I needed to job hunt.
In retrospect, this might not have been a burnout. Or, it was on a vastly different scale, a 3 on a scale of 1 to pandemic (if you want an actual scale, check out the Buzzfeed-inspired Maslach Burnout Inventory). I guess I didn’t realize I was burnt out this time, because it was nothing like my prior experience - there was no singular event that felt like a step change. It was just the monotony of another exhausting day with 7 hours on Zoom, then trying to do real work, at 1am, with a glass of wine on the couch. It felt like I was making the best of a situation. I hated it. It hollowed me out. I had nothing to look forward to.
At the other end of the spectrum, is, uh, what I used to be like. “Oh, yeah, I hit a wall one time, I took a few weeks off and felt fine. You’ve been off for, what, two weeks now? You’ll feel fine next week. Let me introduce you to some people. Let’s have a call next week.” Other people did this to me; but the worst part is, I did this to myself. Just one more meeting to connect. Just read one more blog post. It’ll be fine. You’ll feel fine.
I didn’t. I needed to step back, and actually do nothing - or as close as I could possibly fathom. I needed to completely remove any feelings of pressure, or any external, and internal, obligations. “You decide what to watch on Netflix because I literally can’t.” I’ve eaten more takeout in the last few months, than the whole pandemic; I didn’t have the energy to shop for groceries, or cook. I desperately needed to enjoy things again - so I could remember what that was like - so I could get back to enjoying ‘productive’ things too. Remember that producing recovery, relaxation, or joy for yourself is still being productive.
Cyber security and systems administration jobs can be relentlessly harsh on us, and people working in this field burn out far too commonly.
This is worth reading if only to be able to sympathise and realise how important it is to take breaks, to get out and away from endless video meetings, and to feel like you have a purpose and a reason to keep going.
This Twitter thread has a good model for having regular career conversations with your staff. I particularly like the idea of identifying people you look up to and then working out what "super powers" you think they have, so you can then work out how to develop those powers yourself.
There are PLENTY of reasons why a leader can’t or won’t listen to you on this issue, or care about it. And the reasons can change for that leader, or overlap, at any given moment! For example:
What if you’re a leader and you desperately want to tell someone to “bring solutions, not problems”?
No matter the reason why you want to say this—you’re frustrated, you don’t care, you’re overloaded, you want them to change their approach—just ask an open question instead.
Steal one of these:
Any of these open questions will put the responsibility back on this person’s shoulders to do more work to address the issue. They also make it clear that you’re not shutting the conversation down; you’re open to listening, you just need them to actively participate in the work.
Our relationships in a work context, with our bosses and managers, can sometimes descend into a parent-child relationship, which can be exceedingly unhealthy. We need to remember that we are each real humans, who experience our own feelings of frustration, helplessness, overwork and burnout as well.
Working back to builder statements and other non-violent communication techniques can really help conversations to progress, moving from a transactional relationship that can be unbalanced to a clearer coworker relationship, where the request and the expected response are easier and less burdensome for everyone.
So you can imagine our surprise when we were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies. Wiz’s security research team (that’s us) constantly looks for new attack surfaces in the cloud, and two weeks ago we discovered an unprecedented breach that affects Azure’s flagship database service, Cosmos DB.
Some of the world’s biggest businesses (see their website) use Cosmos DB to manage massive amounts of data from around the world in near real-time. As one of the simplest and most flexible ways for developers to store data, it powers critical business functions like processing millions of prescription transactions or managing customer order flows on e-commerce sites.
Database exposures have become alarmingly common in recent years as more companies move to the cloud, and the culprit is usually a misconfiguration in the customer’s environment. In this case, customers were not at fault.
Rather, a series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB.
We named this vulnerability #ChaosDB. Exploiting it was trivial and required no other credentials.
Ouch, that's about as severe a vulnerability as you can get!
Reading between the lines, it looks like this is a form of confused deputy, where one cloud tenant's code can call another cloud tenant's code, and the called code assumes that the caller is a legitimate one within the victim's tenant. This is the worry with increasing numbers of SaaS tools: the attack surface for this sort of bug is huge, and tenancy issues are incredibly complex to fix.
Microsoft's response makes clear that their forensics indicated that this hasn't been exploited by any other actors.
Hole blasted in Guntrader: UK firearms sales website's CRM database breached, 111,000 users' info spilled online • The Register
The Guntrader breach earlier this week saw the theft of a SQL database powering both the Guntrader.uk buy-and-sell website and its electronic gun shop register product, comprising about 111,000 users and dating between 2016 and 17 July this year.
The database contains names, mobile phone numbers, email addresses, user geolocation data, and more including bcrypt-hashed passwords. It is a severe breach of privacy not only for Guntrader but for its users: members of the UK's licensed firearms community.
This has a lot of bad implications for these individuals. A typical breach, even a big one, poses only a low threat to the individuals whose data is breached. In a big complex breach, the worst likely case is fraudulent transactions on stored credit cards, which the user should be insured against, or potentially identity theft, for which the damage to an individual is difficult to quantify.
But this database is a list of personal data, including the addresses of customers, which is likely where their guns are kept within the UK. That information is almost certainly putting those individuals at risk. Guns are not common in the UK, and while they are required to be kept in a gun safe or otherwise locked container, those are designed to resist casual curious children, not a determined burglar or intruder.
On April 7 2021, Thijs Alkemade and Daan Keuper demonstrated a zero-click remote code execution exploit in the Zoom video client during Pwn2Own 2021. Now that related bugs have been fixed for all users (see ZDI-21-971 and ZSB-22003) we can safely detail the bugs we exploited and how we found them. In this blog post, we wanted to not only explain the bugs and our exploit, but provide a log of our entire process. We hope that detailing our process helps others with similar research in the future. While we had profound experience with exploiting memory corruption vulnerabilities on many platforms, both of us had zero experience with this on Windows. So during this project we had a lot to learn about the Windows internals.
The last week before the contest was focused on getting it to an acceptable reliability level. As we mentioned in the info leak, this phase was very tricky. It took a lot of time to get it to having even a tiny chance to succeed. We had to overwrite a lot of data here, but the application had to remain stable enough that we could still perform the second phase without crashing.
There were a lot of things we did to improve the reliability and many more we tried and gave up. These can be summarized in two categories: decreasing the chance that we overwrote something we shouldn’t and decreasing the chance that the client would crash when we had overwritten something we didn’t intend to.
In the end, we estimated that our exploit had about a 50% chance of success in the 5 minutes. If, on the other hand, we could leak the address of libcrypto-1_1.dll in one run and then skip the info leak in the next run (the locations of ASLR randomized dlls remain the same on Windows for some time), we could increase our reliability to around 75%. ZDI informed us during the contest that this would result in a partial win, but it never got to the point where we could do that. The first attempt failed in the first phase.
After we handed in our final exploit the nerve-wracking process of waiting started. Since we needed to hand in our final exploit two days before the event and the organizers would not run our exploit until our attempt, it was out of our hands. Even during the attempts we could not see the attacker’s screen, for example, so we had no idea if everything worked as planned. The enormous relief when calc.exe popped up made it worth it in the end.
In total we spent around 1.5 weeks from the start of our research until we had the main vulnerability of our exploit. Writing and testing the exploit itself took another 1.5 months, including the time we needed to read up on all the Windows internals we needed for our exploit.
This is a marvellous writeup of a really quite technical bug that results in remote code execution on a contact's machine over Zoom without any user interaction needed, and it is worthy of the Pwn2Own win that it scored.
It's interesting to note that, as they set out, it's unlikely to be usable in the real world: the bug is somewhat unreliable, and on an actively used computer the user's actions would likely increase the failure rate. But it's good to see the timeline: it took them only a few weeks to find the bug itself, but then multiple months to develop exploitation reliable enough to pass the contest rules.
For my proof of concept, I:
Although I started this project before Apple had its bug bounty program, I reported it just as the bug bounty program started and so I inadvertently made money out of it.
Apple paid me $10,000 for my bug and proof of concept, which, while I’m trying not to be a shit about it, is 2.5 times lower than the lowest bounty on their Example Payouts page, for creating an app that can access “a small amount of sensitive data”. Hopefully other researchers are paid more!
I also hope this was an interesting read! I took a really long time to write this with the pandemic kind of sapping my energy, and my sincere hope that despite the technical complexity here, I could write something accessible to those new to security.
An interesting read on how a takeover of the Apple iCloud login page could be achieved from a simple phishing email.
Hackers Leak Surveillance Camera Videos Purportedly Taken From Inside Iran's Evin Prison - by Kim Zetter - Zero Day
A hacking group calling itself Adalat Ali (Justice of Ali) claims it has broken into computer systems belonging to Iran’s notorious Evin prison, where Iranian and foreign political detainees are housed, and stolen hundreds of gigabytes of documents and images, including video taken from the prison’s CCTV cameras.
The images depict a police officer brutalizing a prisoner and also show a guard inside the prison’s CCTV control room as the live feed on a number of the monitors suddenly cuts out and is replaced by a message in Farsi that reads: “Cyber attack. Evin is a stain on the black turban and white beard of Iranian President Ibrahim Raisi – the nationwide protest [will continue] until the release of political prisoners.”
The leaks come weeks after a cyberattack struck Iran’s national railway system causing delays and cancellations of hundreds of trains. The attack struck Iranian Railways and the Ministry of Roads and Urban Development systems last month.
The hackers in that case posted a taunting note on the electronic boards at railway stations telling frustrated travelers to call a phone # for more information — the phone number listed in the messages went to the office of Iranian Supreme Leader Ayatollah Ali Khamenei. That attack, initially believed to be the handiwork of Israel, used a wiper to erase computer systems — making it more difficult for them to recover — and has been attributed to a “regime opposition group” called Indra. The Israeli security firm Checkpoint said the hackers behind the railway attacks had previously hacked into a number of Syrian companies beginning in 2019. It’s unclear if the same hackers are behind the intrusion into Evin prison.
The videos and still images purportedly leaked from Evin have 2020 and 2021 timestamps and were sent to a number of Persian media outlets, as well as to the Associated Press and Radio Farda (Radio Free Europe) — a media organization funded by the U.S. Congress. The AP says sources have confirmed that the detention facility in the images appears to match other images from Evin; former prisoners of Evin have also indicated that the images are similar to facilities they recall from their detainment.
An astonishing video to watch; seeing the screens crash one after another is particularly impressive. This is certainly a hacking group with a flair for the dramatic.
Chinese espionage tool exploits vulnerabilities in 58 widely used websites - The Record by Recorded Future
A security researcher has discovered a web attack framework developed by a suspected Chinese government hacking group and used to exploit vulnerabilities in 58 popular websites to collect data on possible Chinese dissidents.
Fifty-seven of the sites are popular Chinese portals, while the last is the site for US newspaper, the New York Times.
In addition, the tool also abused legitimate browser features in attempts to collect user keystrokes, a large swath of operating system details, geolocation data, and even webcam snapshots of a target’s face—although many of these capabilities weren’t as silent as the exploits targeting third-party websites, since they also tended to trigger a browser notification prompt.
Tetris is a complex web-based spying tool
Named Tetris, the tool was found secretly uploaded on two websites with a Chinese readership.
“The sites both appear to be independent newsblogs,” said a security researcher going online under the pseudonym of Imp0rtp3, who analyzed the Tetris attack framework for the first time in a blog post earlier this month.
“Both [sites] are focused on China, one site [is focused on China’s] actions against Taiwan and Hong-Kong written in Chinese and still updated and the other about general atrocities done by the Chinese government, written in Swedish and last updated [in] 2016,” the researcher said.
According to Imp0rtp3, users who landed on these two websites were first greeted by Jetriz, the first of Tetris’ two components, which would gather and read basic information about a visitor’s browser.
If the user had the browser set to use the Chinese language, the would-be victim would be redirected to the second Tetris component.
Eight of the plugins would abuse a technique called JSON hijacking to open connections to popular websites and retrieve public data about the user on those sites.
That's an interesting target list, and it shows a clear determination by the attackers to target the Chinese-speaking diaspora around the world.
There's a lot of technical competence in that toolkit as well, which speaks volumes in itself.
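JSON hijacking, the technique the Tetris plugins are described as abusing, only works against an endpoint that hands a cookie-authenticated JSON body to a cross-site page in a form the browser can execute as script. The following is an added defensive example, not code from the article or from the Tetris analysis; the header names, the `)]}',\n` prefix convention and the sample profile are assumptions chosen for illustration.

```javascript
// Added example: hardening a cookie-authenticated JSON endpoint against
// JSON hijacking. Two layers: refuse cross-site requests, and make the
// body unparseable as JavaScript even if a <script src> pulls it in.

// Non-executable prefix (a convention used by some large web apps, assumed here):
// a browser executing the response as script fails on the first token.
const PREFIX = ")]}',\n";

// Decide from request headers whether a cookie-bearing request may read JSON.
// Sec-Fetch-Site is set by modern browsers and cannot be forged by a page;
// for browsers without it, fall back to Origin plus a custom header that a
// plain <script> or <img> tag cannot add.
function isAllowedRequest(headers, selfOrigin) {
  const site = headers["sec-fetch-site"];
  if (site === "same-origin" || site === "none") return true;
  if (site === "cross-site" || site === "same-site") return false;
  if (headers["origin"] && headers["origin"] !== selfOrigin) return false;
  return headers["x-requested-with"] === "XMLHttpRequest";
}

// Build the hardened response: correct content type, no sniffing, no caching,
// the non-executable prefix, and the payload wrapped in an object so that a
// bare top-level array can never be interpreted as an Array literal.
function protectedJsonResponse(data) {
  return {
    status: 200,
    headers: {
      "content-type": "application/json; charset=utf-8",
      "x-content-type-options": "nosniff",
      "cache-control": "no-store",
    },
    body: PREFIX + JSON.stringify({ data }),
  };
}

// Client side (first-party JavaScript only): strip the prefix before parsing.
// A missing prefix means the body did not come from the hardened endpoint.
function parseProtectedJson(body) {
  if (!body.startsWith(PREFIX)) throw new Error("missing anti-hijack prefix");
  return JSON.parse(body.slice(PREFIX.length)).data;
}

// Request handler: authenticated profile data only for allowed requests.
function handleProfileRequest(headers, selfOrigin, profile) {
  if (!isAllowedRequest(headers, selfOrigin)) {
    return { status: 403, headers: {}, body: "" };
  }
  return protectedJsonResponse(profile);
}

// Constructed sample input: a profile stored as a bare array (the classic
// risky shape) and two request header sets, one first-party, one cross-site.
const sampleProfile = ["alice", "alice@example.test"];
const sameOriginHeaders = { "sec-fetch-site": "same-origin" };
const crossSiteHeaders = { "sec-fetch-site": "cross-site", origin: "https://evil.example" };
const selfOrigin = "https://app.example";
```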