The Iranian nation-state hacking group known as Charming Kitten has been observed deploying a C++ variant of a known malware called BellaCiao.
Russian cybersecurity company Kaspersky, which dubbed the new version BellaCPP, said it discovered the artifact as part of a "recent" investigation into a compromised machine in Asia that was also infected with the BellaCiao malware.
BellaCiao was first

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Thousands of Postman workspaces leaked sensitive data like API keys and tokens. Learn best practices to secure your API development environment and protect your organization

****SUMMARY****

*   **30,000 Public Workspaces Exposed:** CloudSEK identifies massive data leaks from Postman workspaces.

*   **Sensitive Data at Risk:** Leaks include API keys, tokens, and administrator credentials.

*   **Major Platforms Affected:** GitHub, Slack, and Salesforce among the impacted services.

*   **Key Causes:** Misconfigured access, plaintext storage, and public sharing of collections.

*   **Mitigation Steps:** Use environment variables, rotate tokens, and adopt secret management tools.

On December 23, 2024, CloudSEK’s TRIAD team identified critical security vulnerabilities and risks from the misuse of **Postman Workspaces**, a popular cloud-based API development and testing platform.

In their year-long investigation, researchers found over 30,000 publicly accessible workspaces leaking sensitive information about third-party APIs, including access tokens, refresh tokens, and third-party API keys, posing severe risks to businesses and individuals alike.

Via CloudSec

According to the company’s **report** shared with Hackread.com, leaked data spanned organizations across various industries, from small businesses to large enterprises, impacting major platforms like **GitHub**, **Slack**, and **Salesforce**. Critical sectors affected included healthcare, athletic apparel, and financial services, exposing organizations to numerous threats and security risks.

Researchers noted that common practices leading to these data leaks include inadvertent sharing of Postman collections, misconfigured access controls, syncing with publicly accessible repositories, and storing sensitive data in plaintext without encryption.

These vulnerabilities can lead to severe consequences. The leaked data, which included administrator credentials, payment processing **API keys**, and access to internal systems, can lead to financial and reputational damage for the affected organizations. 

Sensitive data exposure within Postman can have significant consequences for both individual developers and entire organizations. Reportedly, top API services like api.github.com, slack.com, and hooks.slack.com have the most exposed secrets. High-profile services like Salesforce.com, login.microsoftonline.com, and graph.facebook.com have also been exposed.  

Leaked Credentials of ZenDesk and leaked Razorpay API key (Via CloudSec)

A leaked API key or access token can provide attackers with direct access to critical systems and data, potentially leading to data breaches, unauthorized system access, and increased phishing and social engineering attacks.

Postman often stores sensitive information like API keys, secrets, and PII for authentication and communication with APIs. To ensure data safety, organizations should use environment variables wisely, limit permissions, avoid long-lived tokens, use external secrets management, and double-check before sharing any collection or environment. 

**CloudSEK** responsibly reported most identified incidents to affected organizations, helping mitigate risks. To prevent such exposures, CloudSEK urges organizations to adopt more reliable security measures, such as using environment variables to avoid hardcoding sensitive data, limiting permissions, rotating tokens frequently, leveraging secrets management tools, and double-checking collections before sharing.

Moreover, Postman has **implemented** a secret-protection policy to prevent sensitive data from being exposed in public workspaces following the disclosure of these findings. The policy alerts users if secrets are detected, offers resolutions, and facilitates transitions to private or team workspaces.

**“**Starting this month, we are removing public workspaces with known exposed secrets from the Public API Network. As we roll out this policy change, owners of public workspaces containing secrets will be notified and have the opportunity to remove their exposed secrets before that workspace is removed from the network,” the company noted.

1.  **The Most Common API Vulnerabilities**
2.  **OwnCloud “graphapi” App Flaw Exposes Sensitive Data**
3.  **Urlscan.io API Inadvertently Leaked Sensitive Data and URLs**
4.  **Automotive Industry Exposed to Have Major API Vulnerabilities**
5.  **Millions impacted as payment API flaws exposed transaction keys**

Postman Workspaces Leak 30000 API Keys and Sensitive Tokens

Fortinet discovers two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, designed to steal data, capture keystrokes, and gain system control. Learn about their malicious behavior and how to protect yourself

****KEY SUMMARY POINTs from the article**  **

*   **Malicious Packages Identified**: Zebo-0.1.0 and Cometlogger-0.1 are malicious Python packages discovered on PyPI.

*   **Sensitive Data Theft**: These packages steal user data through keylogging, screenshot capturing, and information exfiltration.

*   **Persistence Mechanisms**: They establish long-term control by creating startup scripts to re-execute on system reboot.

*   **Obfuscation Techniques**: Advanced obfuscation methods help the packages evade detection and security systems.

*   **Wide Impact**: These threats compromise developers and platforms reliant on PyPI, posing major privacy and security risks.

On November 24, 2024, Fortinet FortiGuard Lab’s AI-based detection system identified **Python malware** in two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, targeting unsuspecting users for their data.

These packages can steal sensitive information, capture screenshots, log keystrokes, and establish unauthorized control over infected systems, researchers noted in the **blog post** shared with Hackread.com.

****What is Zebo-0.1.0?****

Zebo-0.1.0 exhibits typical malware characteristics, including functions designed for surveillance, data exfiltration, and unauthorized control, and utilizes libraries like pynput and ImageGrab, along with obfuscation techniques, indicating clear malicious intent. 

The script employs obfuscation to hide its true functionality, making it harder for users or security systems to understand its actions. This obfuscation can bypass security measures, allowing the malware to run undetected. 

Zebo-0.1.0 leverages pynput to log every keystroke made by the user and also captures screenshots of the desktop, potentially violating their privacy. Furthermore, the script exfiltrates sensitive information, such as keystrokes and screenshots, to a remote server, compromising user privacy.

To ensure persistence, the malware creates a Python script and a batch file in the Windows Startup folder, ensuring its re-execution upon system startup, making it difficult to remove and increasing the risk of long-term damage.

****What is Cometlogger-0.1?****

Cometlogger-0.1 maintains a long-term presence on the victim’s system and uses advanced techniques like obfuscation, keylogging, screen capturing, and data exfiltration to compromise user data. It dynamically requests a “webhook” from the user and embeds it into Python files, allowing for potential manipulation by unauthorized users. This can redirect sensitive data to malicious servers or facilitate command-and-control operations. 

The script also targets various platforms like Discord, Steam, Instagram, and Twitter, stealing tokens, passwords, and account information. Additionally, it employs anti-VM detection techniques to evade analysis and incorporates dynamic file modification capabilities, enabling the injection of malicious code.

Both packages are a major threat to user privacy and security. Zebo-0.1.0 actively collects sensitive data and transmits it to remote servers. Cometlogger-0.1, on the other hand, focuses on information theft and maintaining a persistent presence on the victim’s system. The affected systems include all those platforms where PyPI packages can be installed with a High severity level, and threatens individuals or institutions whoever has installed these **malicious packages**.

Data stolen by the malware (Via Fortinet FortiGuard Lab)

The Python Package Index (PyPI) has become an invaluable resource for developers, offering a vast repository of reusable code. However, this convenience comes with inherent risks as malicious actors are increasingly exploiting it by publishing malicious packages that, when installed, can compromise systems. Socket Security researchers last month **discovered** another malicious Python package called “Fabrice” on PyPI downloaded over 37,000 times since its inception in 2021, harvesting AWS credentials from developers for three years.

To protect against these threats, it is crucial to disconnect from the internet, isolate the infected system, use reputable antivirus software, and reformat the system if necessary.

1.  **Why is learning Python important in Data Science?**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
4.  **Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats**
5.  **NTLM Credential Theft in Python Apps Threaten Windows Security**

Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'name' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

ABB Cylon Aspect 3.08.02 (WatchDogServlet) Authenticated Reflected XSS

Title: ABB Cylon Aspect 3.08.02 (WatchDogServlet) Authenticated Reflected XSS  
Advisory ID: ZSL-2024-5886  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 24.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'name' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[24.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_xss4.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-6516  
\[3\] https://nvd.nist.gov/vuln/detail/CVE-2024-6516  
\[4\] https://packetstorm.news/files/id/183295/

**Changelog**

\[24.12.2024\] - Initial release  
\[25.12.2024\] - Added reference \[4\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

"Zero trust" doesn't mean "zero testing."

Source: Alexander Yakimov via Alamy Stock Photo

COMMENTARY

Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated "trust but verify" cybersecurity strategy. This approach assumes that any user or device inside a company's network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.

There was a time when trust but verify made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.

**The User Example of Trust Without Ongoing Verification**

It's easy to see how this happens with users. A user typically goes through a background check when they join the company, but once onboarded, despite any number of changes in their lives that could affect their trustworthiness, we allow them to access our systems and data without further verification. 

In the majority of cases, the absence of further verification does not cause damage. However, if the user decides to act against the best interest of their employer, the results can be catastrophic. The more sensitive the information the individual has access to, the greater the risk. This is why individuals with security clearances are regularly re-vetted, and security personnel may conduct regular finance checks to identify any issues early and intervene to mitigate possible damage.

In organizations that follow a trust-but-verify approach, two personas stand out: those that have considered the risk of one-time asset verification acceptable; and — the minority — those that try to manage the risk with a re-verification program. A shift in persona from the former to the latter usually only occurs after a breach, a crisis in availability, or another "career limiting disaster."

The reality is that there are simply not enough hours in the day for security practitioners to do all of the things that must be done. Have security patches been correctly applied to all vulnerable devices? Are all third-party security assessments properly analyzed? Do all Internet of Things (IoT) devices really belong on the network? Are managed security services performing as expected? 

Compromising one of these trusted devices means being granted trust to move laterally across the network, accessing sensitive data and critical systems. Organizations likely will not know the extent of their exposure until something goes wrong. 

**The Costly Consequences of Insufficient Verification**

When these breaches are eventually discovered, the costs begin to mount. Companies face not only the direct costs of incident response, but potentially also regulatory fines, class-action lawsuits, lost customers, and lasting damage to their brand reputation. Relatively small incidents can cost millions of dollars, while large incidents regularly cost billions.

In addition to these direct costs, insufficient verification also leads to more frequent and expensive compliance audits. Regulators and industry bodies are increasingly demanding that companies demonstrate robust identity and access management controls, for example under the European Union's upcoming Digital Operational Resilience Act (DORA), as well as continuous monitoring and validation of user and device activity. Certifications and accreditations can no longer be accepted at face value. 

**The Path Forward: Adopt a Zero-Trust Approach**

Instead of trusting after verification, businesses should instead allow only what the business needs, for as long as it needs it. Never trust, always verify. This is how a zero-trust architecture operates.

Every user, device, and application that attempts to make a connection, regardless of its location, is scrutinized and validated, dramatically limiting the potential damage from a successful compromise. A zero-trust architecture replaces firewalls and VPNs, so there are fewer devices to maintain, and a reduced attack surface means fewer opportunities for attackers to gain a foothold.

Zero trust doesn't mean zero testing; testing should form an integral part of any IT and cybersecurity strategy. However, it does mean the likelihood of a major failure stemming from trust being extended to users, devices, or applications that do not deserve it, is a thing of the past. 

**About the Authors**

Vice President, Cybersecurity Advocacy, Zscaler

Rob Sloan is vice president, cybersecurity advocacy, for Zscalera. He is a cybersecurity, risk, and technology expert with broad business skills and management responsibility. Prior to joining Zscaler, he served as research director at Dow Jones and The Wall Street Journal, where he led a research team focused on cybersecurity, AI, and sustainability issues, and wrote a weekly column to help board directors navigate cyber-risk. Before the WSJ, Rob worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating, and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob began his career working for the UK government in defense and foreign affairs, looking at some of the earliest state sponsored cyberattacks against the government, military, and critical national infrastructure networks.

VP & CISO in Residence, Zscaler

Sam Curry is VP and chief information security officer (CISO) in residence at Zscaler. He began his career in signals and cryptanalysis and was the first employee at Signal 9 Solutions, a small start-up that invented the personal firewall, executed the first commercial implementation of Blowfish, and devised early symmetric key VPN technology. Sam served as chief security architect there and as head of product for McAfee before holding several positions at RSA (the Security Division of EMC), including head of RSA labs at MIT and chief technology officer (CTO) and Distinguished Engineer for EMC. After seven years with RSA, Curry acted as SVP and CISO at Microstrategy, CSO and CTO for Arbor Networks, and as chief security officer (CSO) for Cyberreason. Sam holds 17 active patents in cybersecurity and a master’s degree in counterterrorism, and sits on two boards of directors. In addition, he teaches courses at Harvard (online), Wentworth Technology Institute, and Nichols College. He is also a Fellow at the National Security Institute at George Mason University.

Too Much 'Trust,' Not Enough 'Verify'

Changes at CISA and promises of more public-private partnerships and deregulation are just a few ways the incoming administration could upend the feds' role in cybersecurity.

Abaca Press via Alamy Stock Photo

Before it was subsumed by political commentary, the Cybersecurity and Infrastructure Security Agency (CISA) was a Trump accomplishment — signed into existence in 2018 during his first administration. But that was before accusations of dirty politics and free speech shenanigans turned CISA into a conservative pariah.

Now, CISA is facing an existential political clash with the incoming Trump administration, threatening to take much of the US federal government's involvement in cybersecurity along with it. The result could potentially increase cyber-risk, but also open up business, investment, and innovation opportunities. A lot of things can be true at once.

CISA's original mandate couldn't have seemed more apolitical: coordinate defending US infrastructure against cyberattacks, and then help share critical information among US enterprises to increase the nation's overall posture in the bargain. But then came the 2020 election, CISA's efforts to combat what the agency deemed "misinformation," and the subsequent conservative backlash.

**Trump and the Politics of CISA**

Chis Krebs, then the agency's director, was very publicly fired just weeks after the 2020 election for rejecting claims of fraud from the Trump administration, and has remained a high-profile political player ever since. Krebs is a regular on the cable news circuit, and in July 2023, he confirmed to CNN that he was interviewed by special counsel Jack Smith in the investigation into Trump and the 2020 election. In the runup to the 2024 election, Krebs appeared on outlets including Face the Nation to once again push back on Trump campaign claims of election fraud.

His replacement, Jen Easterly, took a more low-key approach. Her accessibility, deep military ties, and cybersecurity expertise — sprinkled with a dash of aspirational cool-girl charm — made her a hit among the cyber rank-and-file. She also mostly stayed away from politics, leading the fledgling agency through a crucial four years. But that effort, however disciplined and well intentioned, hardly spared Easterly or CISA from widespread conservative ire. In January 2024, Easterly was even targeted at home in a swatting incident.

"I think Jen Easterly had a tremendous challenge solidifying the role of a very young agency, and one mired in allegations from Republican politicians," cybersecurity expert Jake Williams tells Dark Reading. "Given those very real challenges, she did an outstanding job. I can only imagine what could have been with bipartisan support for CISA's many missions."

Following the 2024 election, Easterly said she will resign on Inauguration Day. But the agency is still at work, publishing a draft of an updated National Cyber Incident Response Plan for federal agencies and industry to work together during major cyber events, which is open for comments until January 2025.

That kind of coordination between CISA and the private sector was exactly what the agency was built to become under the Biden administration. It took a proactive role in developing cybersecurity standards, and offering cybersecurity grants to states to invest in their own cyber operations, led largely by the efforts of Easterly. During his administration, President Biden allocated billions to strengthen the US cybersecurity infrastructure, and signed a flurry of executive orders on everything from AI to zero trust in an effort to raise the country's level of cyber preparedness.

Some of the agency's notable accomplishments during the past four years included establishment of the joint cyber defense collaborative (JCDC) and the Known Exploited Vulnerabilities (KEV) program, according to Casey Ellis, Bugcrowd founder. Ellis also worked with CISA on the federal CEB vulnerability disclosure program, where CISA serves as a repository for researchers who discover flaws in government systems so they can be reported and mitigated more quickly.

There have been setbacks as well. While the KEV list has been credited with speeding up remediation, it can take months to make the list. Much of that new cyber infrastructure and rulemaking also came with regulation and compliance headaches that some criticized as a barrier to innovation, particularly by Congress. Others defended the agency's moves as necessary to drive security investment.

"Under Jen Easterly, CISA's proactive initiatives such as Secure by Design and faster reporting of attacks by companies were positive for both the sell and buy side of the cybersecurity industry," says Jason Soroko, senior fellow at Sectigo. "What could be seen as regulatory burden was actually a positive call to arms to do the right thing."

Accomplishments and accolades aside, Easterly and CISA haven't been able to convince key conservatives like Sen. Rand Paul, who is about to chair the Senate Homeland Security and Governmental Affairs Committee, which oversees CISA, that the agency is doing any good. After acknowledging he probably won't be able to eliminate CISA altogether, last month Paul vowed to inflict strict limits for actions he said the agency took to target conservative voices as part of its work in combatting foreign influence operations. At a minimum, CISA will likely be stripped of its mandate to investigate misinformation.

Williams also expects the agency will have a diminished role in overseeing election security, the very issue that catapulted the cyber agency into the national headlines in 2020.

**Cybersecurity Opportunities Under Trump 2.0**

A shrinking CISA footprint and the Trump administration's expressed distaste for regulation and interest in opening government operations to more public-private partnerships mean there are going to be potential opportunities in the next few months for the private sector that hadn't existed before.

"I expect we'll see a more direct set of conversations around cyber offense and deterrence, especially as it relates to countering Russia, Iran, and in particular, China," Ellis predicts. "This could include changes to the structure of \[the National Security Agency\] and Cyber Command, and the inclusion of the private sector in defend-forward and disruption operations."

Beyond new opportunities to work with government, Ellis adds cybersecurity deregulation is on the way.

"In general, I think we can expect a more overt and domestically deregulated approach to cyberspace, reflecting the general policy approach of the Trump administration and a more open acknowledgement that Cold War 2 is already underway."

The new administration also likely signals a change in federal enforcement of Securities and Exchange Commission (SEC) regulations against chief information security officers (CISOs), like what security executives from SolarWinds and Uber experienced, according to expert John Bambenek.

"Regulatory enforcement on companies will lessen, for instance, \[and\] it is doubtful CISOs will see any government attempts to make them liable for breaches," Bambenek says. "I'm not sure any more antitrust action will commence against large tech companies either, which will fuel further consolidation of technology and security companies."

There is cautious optimism this more hands-off approach from the Trump administration will include maintaining a basic role for the federal government in cybersecurity. It's particularly necessary in terms of resources, according to Roselle Safran, the director of the White Office of the President security operations center under Barack Obama, and currently president of cybersecurity company KeyCaliber.

"While there are certainly plenty of other issues that appear to be top priorities for the next administration, it is my hope that cybersecurity will not be relegated to the back burner," Safran says. "It's important that there is recognition that cybersecurity needs significant and sustained resources."

Trump takes office against the backdrop of unprecedented numbers of cyberattacks, the rise of artificial intelligence, and cyber-military conflicts across the globe. Keeping politics out of the conversation is the best way for CISA to continue its work beyond the next election, experts advise. However, that might be an impossible challenge.

"I'm concerned about some of the negative sentiment around CISA impacting progress that has been made since 2018," Ellis adds. "However, I am cautiously optimistic that the priorities Trump had in mind when he formed the agency will see its overall defensive mission carry forward."

Trump 2.0 Portends Big Shift in Cybersecurity Policies

The security extensions for the Domain Name System aimed to make the Internet more reliable, but instead the technology has exchanged one set of problems for another.

Source: Artistdesign.13 via Shutterstock

A pair of attacks revealed by researchers this year underscored the fragility of the Domain Name System (DNS) and the security extensions (DNSSEC) that were adopted to help secure the world's internet infrastructure.

For the past year, Internet infrastructure firms and software makers have worked to patch DNS servers for a critical set of flaws in DNSSEC. Originally discovered more than a year ago by four researchers at Goethe-Universität Frankfurt and Technische Universität Darmstadt, the so-called KeyTrap denial-of-service (DoS) attack could trick DNS servers into spending hours attempting to validate signatures on specially created DNSSEC packets, according to their presentation at the Black Hat Europe 2024 conference earlier this month.

The researchers notified major Internet providers of the issues late last year and worked with them to produce patches earlier this year, but the flaws in DNSSEC are systematic, says Haya Schulmann, a professor of computer science at Goethe-Universität Frankfurt and one of the researchers involved in the work.

"I would not say that the core of the problem has been resolved," she says. "There are patches which mitigate the most severe problems, but the core issue is yet to be addressed."

The KeyTrap security weaknesses were not the only DNS attacks to surface in 2024. In May, a team of Chinese researchers revealed that they had discovered three logic vulnerabilities in DNS that allowed three types of attacks: DNS cache poisoning, DoS, and resource consumption. Dubbed TuDoor, the attack affected some 24 different DNS software codebases, the researchers stated in a summary of their work.

Related:Millions of Pen Tests Show Companies' Security Postures Are Getting Worse

The discovery of the two classes of DNS and DNSSEC flaws highlight that security and availability are often at odds with each other, and that the Internet as a whole still has areas of fragility.

"The Internet was an experimental research project which gradually evolved, and it started with very few networks and gradually evolved to support this huge commercial platform — of course, it's fragile," Schulmann says. "It's a wonder that it works."

**'Accept Liberally, Send Conservatively' Falls Down**

The design philosophy of much of the Internet boils down to a principle espoused by computer scientist Jonathan Postel, which the German researchers paraphrased as: "Be liberal in what you accept and conservative in what you send." The principle aims to improve robustness by calling for software to be "written to deal with every conceivable error, no matter how unlikely; sooner or later a packet will come in with that particular combination of errors and attributes, and unless the software is prepared, chaos can ensue," according to RFC 1122, "Requirements for Internet Hosts -- Communications Layers."

Related:Time to Get Strict With DMARC

However, other critiques have found that tolerating the unexpected often leads to harmful consequences. Rigorous standards can slowly decay and suffer feature creep when software is too liberally accepting, especially when the protocols are not adequately maintained, software engineers Martin Thomson and David Schninazi argue in RFC 9413.

"Careless implementations, lax interpretations of specifications, and uncoordinated extrapolation of requirements to cover gaps in specification can result in security problems," they wrote. "Hiding the consequences of protocol variations encourages the hiding of issues, which can conceal bugs and make them difficult to discover."

The German university researchers exploited the expansion of DNSSEC's acceptance of various cryptographic algorithms to developed an attack vector that allowed them to create an off-path attack — in other words, they did not need to control a router or DNS server that processed a DNSSEC transaction. By sending DNSEC packets containing hundreds of cryptographic signatures and hundreds of keys, they forced DNS servers to try to validate all the combinations — all because the servers supported a wide variety of cryptographic methods.

"When you have cryptography, there are challenges and complexity that start when you need to deploy multiple algorithms," Schulmann says. "You have to sign using all these algorithms, and every resolver has to validate the algorithms and identify which ones were sent ... and validate the signature, and that is the problem."

**DNSSEC Pushes Its Limits**

Fixing the DNSSEC weakness required the digital equivalent of chewing gum and baling wire. Cloudflare, for example, placed limits on the maximum numbers of keys its servers will accept when requests cross zones, such as .com delegating a response to cloudflare.com, the firm stated.

Yet, there is no simple fix, so Internet infrastructure companies have had to be agile as well.

"Even with this limit already in place and various other protections built for our platform, we realized that it would still be computationally costly to process a malicious DNS answer from an authoritative DNS server," Cloudflare stated in its analysis and response memo on the issue. "We added metrics which will allow us to detect attacks attempting to exploit this vulnerability." The company also placed additional limits on requests.

There are currently more than 30 RFCs related to DNSSEC, underscoring the need for defenders to repeatedly patch the standard to adapt to attackers' tactics. Developers have to be closely involved with the infrastructure operators and researchers in the community to make sure that they are building their software to the highest standard.

"In our research, we see that the more functionality you have, the more features you add, then the more bugs and the more problems you have — and all of those can be exploited to launch attacks," she says. "Routing networks, DNS, and other systems — they are no different."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

DNSSEC Denial-of-Service Attacks Show Technology's Fragility

Cybersecurity researchers have flagged two malicious packages that were uploaded to the Python Package Index (PyPI) repository and came fitted with capabilities to exfiltrate sensitive information from compromised hosts, according to new findings from Fortinet FortiGuard Labs.
The packages, named zebo and cometlogger, attracted 118 and 164 downloads each, prior to them being taken down.

Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts

Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server.

This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0.

Users are recommended to upgrade to version 1.5.0, which fixes the issue.

**Apache HugeGraph-Server: Fixed JWT Token (Secret)**

Moderate severity GitHub Reviewed Published Dec 24, 2024 to the GitHub Advisory Database • Updated Dec 26, 2024

Latest News