A US court ruled against NSO Group, an Israeli spyware maker, finding them liable for hacking WhatsApp users. The ruling has major implications for the surveillance technology industry."

****SUMMARY****

*   **NSO Group Held Accountable:** A U.S. court ruled against NSO Group for hacking WhatsApp accounts, violating U.S. law and its terms of service.

*   **Pegasus Spyware Abuse:** NSO exploited a WhatsApp flaw to install Pegasus spyware on 1,400 devices, targeting activists, journalists, and officials.

*   **WhatsApp Lawsuit Victory:** WhatsApp sued NSO in 2019 after discovering the spyware attack, marking a major win for privacy rights.

*   **Court Rejects NSO’s Defense:** The court dismissed NSO’s claims of immunity, holding it liable despite its stated anti-terrorism purpose.

*   **Spyware Industry Implications:** The ruling sets a precedent for accountability, boosting privacy advocacy efforts against invasive technologies.

The Israeli spyware company NSO Group has been held liable for compromising the accounts of hundreds of WhatsApp users, marking a significant legal victory for Meta Platforms.

****The Ruling****

In a landmark ruling, U.S. District Judge Phyllis Hamilton found the NSO Group responsible for hacking and breaching the world’s leading messaging app WhatsApp’s terms of service, compromising the accounts of hundreds of its users. 

According to court documents (PDF), the NSO Group exploited a vulnerability in the messaging app to install its powerful Pegasus spyware on at least 1,400 devices. This spyware, known for its ability to infiltrate phones and extract sensitive data, was allegedly used to target journalists, human rights activists, political dissidents, and government officials, raising serious concerns about privacy and human rights.

****Background Details****

For your information, WhatsApp filed the lawsuit in 2019, accusing NSO Group of accessing its servers without authorization to deploy Pegasus. It was reported by Hackread.com that the NSO Group was suspected of exploiting a new “MMS Fingerprint” attack on WhatsApp, exposing device information without user interaction. 

Hackread.com also reported earlier this year that WhatsApp discovered the vulnerability in May 2019, which let attackers install Pegasus spyware on users’ devices. The flaw was then used to target government officials and activists globally. WhatsApp sued NSO Group for the exploitation 

The Israeli firm, which claims its technology is used to combat terrorism and crime, argued that its actions were justified and that it should be shielded from liability. However, the court rejected these arguments, finding that it was responsible for the breach and that its actions violated US law.

This ruling has major implications for the spyware industry, which operates in a legal gray area. It establishes a precedent that companies like NSO Group can be held accountable for the misuse of their technology, even if they claim to be providing services to legitimate government agencies. The decision is also a major victory for privacy advocates, who have long warned about the dangers of invasive surveillance technologies.

WhatsApp hailed the ruling as a “huge win for privacy,” emphasizing that it would continue to work to protect user communications from such attacks. 

“We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions,” Will Cathcart, the head of WhatsApp stated.

1.  **ChatGPT’s Training Methods Challenged in Lawsuit**
2.  **Apple loses lawsuit against cyber security startup Corellium**
3.  **Amazon Files Lawsuits Against Fraudsters Over Fake Reviews**
4.  **YouTube MP3 Converter Site Shut Down After Labels Win Lawsuit**
5.  **Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data**

WhatsApp Wins Lawsuit Against Israeli Spyware Maker NSO Group

AI voice cloning and deepfakes are supercharging scams. One method to protect your loved ones and yourself is to create secret code words to verify someone’s identity in real time.

Scammers are out of control. Every year, fraudsters and cybercriminals make billions by tricking people into parting with their cash. Romance fraud, business email compromise, investment scams, sextortion—the list of ways criminals prey on people is virtually endless and constantly changing.

Add to that impersonation scams, where a criminal pretends to be someone known to their target and extracts money. There have been increasing calls for people, and particularly families, to create passphrases or passwords with each other. At the start of December, the FBI issued a recommendation that people create a “secret word or phrase with your family to verify their identity,” and British bank Starling has also published guidelines on creating safe phrases with others.

It’s a simple, if not new, approach—one that can potentially be effective. For instance, if you receive a message or call from your “son” or “daughter,” and they’re urgently asking for money to get out of a jam, asking them to provide a pre-agreed passphrase can reveal whether it’s really them.

“Fraudsters will use manipulation tactics to put the victim in a vulnerable state where they act out of panic, urgency, or a strong desire,” says Erin Englund, a director of threat analytics at fraud-detection firm BioCatch. “Having a passphrase or similarly prepared strategy enables victims to quickly validate legitimacy of an unusual interaction and take control.”

The calls to create family passwords or passphrases have come because scammers are increasingly adopting AI. Machine learning has allowed criminals to create deepfake videos impersonating people and to clone voices with only a few seconds of audio. Scammers have used these voice clones to pretend family members have been kidnapped and demand ransom payments for their release.

“AI is creating a large amount of risk for businesses and families,” says Rachel Tobac, CEO of SocialProof Security. Tobac says companies she has worked with have been on the receiving end of AI voice-cloned calls, which also use spoofed phone numbers, that try to impersonate business executives.

“I also hear about a few families every day who have received AI phone-call attacks voice-cloning a nephew, grandchild, or sibling in hysterics about being kidnapped or being involved in a car accident where they hit someone pregnant and need money for legal fees and bail,” Tobac says.

**Making a Good Family Password**

As with your online passwords, there are things you should and shouldn’t do when it comes to creating a shared passphrase. For starters, you shouldn’t make a passphrase the same as any of your passwords, and they shouldn’t be things a scammer could easily find—such as street names, birthdays, pets, or other personal information that may be shared online.

“Consider anything that you or your loved ones post online as data available to scammers,” Englund says. “Even if you keep all social media private, your data is available to your connections and followers who can be hacked.”

A good family passphrase, according to Starling Bank’s advice, could be anything that is unique, easy to remember, and can ideally be “shared with friends and family in person.” The guidelines give some hypothetical examples, such as a short phrase like “cheese puffs” or “rainbows and dragons,” or a mnemonic like ABC, which stands for “ants bake cakes.”

“Avoid joking about your code word in your text messages, social media posts, et cetera,” Tobac says. “We see folks make a family code word and then it’s hashtagged in their Instagram post. That's not a great idea—it’s got to be kept private.”

Tobac says that while family passwords can be useful, it’s crucial to be aware of their potential limitations. “We have to remember how human beings actually act in an emergency,” she says. For instance, if someone has really been in a car accident, Tobac says, it’s likely adrenaline would kick in and they may not remember a passphrase.

Tobac recommends using a method she calls “Being Politely Paranoid,” which at its simplest is trying to verify the identity of the person who is contacting you by a second method. “If you receive a call from a nephew who says they are in an accident and need money for legal fees, you can say, ‘100 percent I can help you. I just texted you a word, go ahead and read that out to me.’”

Ultimately, nobody is infallible to scamming, even if they know the steps they should take when receiving a potentially suspicious call or message. “If you do fall victim to a scam, report it to your bank or the authorities,” Englund says. “Often victims feel shame and fault and do not report scams. There are options available to protect yourself and get resolution.”

You Need to Create a Secret Password With Your Family

Thousands of Postman workspaces leaked sensitive data like API keys and tokens. Learn best practices to secure your API development environment and protect your organization

****SUMMARY****

*   **30,000 Public Workspaces Exposed:** CloudSEK identifies massive data leaks from Postman workspaces.

*   **Sensitive Data at Risk:** Leaks include API keys, tokens, and administrator credentials.

*   **Major Platforms Affected:** GitHub, Slack, and Salesforce among the impacted services.

*   **Key Causes:** Misconfigured access, plaintext storage, and public sharing of collections.

*   **Mitigation Steps:** Use environment variables, rotate tokens, and adopt secret management tools.

On December 23, 2024, CloudSEK’s TRIAD team identified critical security vulnerabilities and risks from the misuse of **Postman Workspaces**, a popular cloud-based API development and testing platform.

In their year-long investigation, researchers found over 30,000 publicly accessible workspaces leaking sensitive information about third-party APIs, including access tokens, refresh tokens, and third-party API keys, posing severe risks to businesses and individuals alike.

Via CloudSec

According to the company’s **report** shared with Hackread.com, leaked data spanned organizations across various industries, from small businesses to large enterprises, impacting major platforms like **GitHub**, **Slack**, and **Salesforce**. Critical sectors affected included healthcare, athletic apparel, and financial services, exposing organizations to numerous threats and security risks.

Researchers noted that common practices leading to these data leaks include inadvertent sharing of Postman collections, misconfigured access controls, syncing with publicly accessible repositories, and storing sensitive data in plaintext without encryption.

These vulnerabilities can lead to severe consequences. The leaked data, which included administrator credentials, payment processing **API keys**, and access to internal systems, can lead to financial and reputational damage for the affected organizations. 

Sensitive data exposure within Postman can have significant consequences for both individual developers and entire organizations. Reportedly, top API services like api.github.com, slack.com, and hooks.slack.com have the most exposed secrets. High-profile services like Salesforce.com, login.microsoftonline.com, and graph.facebook.com have also been exposed.  

Leaked Credentials of ZenDesk and leaked Razorpay API key (Via CloudSec)

A leaked API key or access token can provide attackers with direct access to critical systems and data, potentially leading to data breaches, unauthorized system access, and increased phishing and social engineering attacks.

Postman often stores sensitive information like API keys, secrets, and PII for authentication and communication with APIs. To ensure data safety, organizations should use environment variables wisely, limit permissions, avoid long-lived tokens, use external secrets management, and double-check before sharing any collection or environment. 

**CloudSEK** responsibly reported most identified incidents to affected organizations, helping mitigate risks. To prevent such exposures, CloudSEK urges organizations to adopt more reliable security measures, such as using environment variables to avoid hardcoding sensitive data, limiting permissions, rotating tokens frequently, leveraging secrets management tools, and double-checking collections before sharing.

Moreover, Postman has **implemented** a secret-protection policy to prevent sensitive data from being exposed in public workspaces following the disclosure of these findings. The policy alerts users if secrets are detected, offers resolutions, and facilitates transitions to private or team workspaces.

**“**Starting this month, we are removing public workspaces with known exposed secrets from the Public API Network. As we roll out this policy change, owners of public workspaces containing secrets will be notified and have the opportunity to remove their exposed secrets before that workspace is removed from the network,” the company noted.

1.  **The Most Common API Vulnerabilities**
2.  **OwnCloud “graphapi” App Flaw Exposes Sensitive Data**
3.  **Urlscan.io API Inadvertently Leaked Sensitive Data and URLs**
4.  **Automotive Industry Exposed to Have Major API Vulnerabilities**
5.  **Millions impacted as payment API flaws exposed transaction keys**

Postman Workspaces Leak 30000 API Keys and Sensitive Tokens

Fortinet discovers two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, designed to steal data, capture keystrokes, and gain system control. Learn about their malicious behavior and how to protect yourself

****KEY SUMMARY POINTs from the article**  **

*   **Malicious Packages Identified**: Zebo-0.1.0 and Cometlogger-0.1 are malicious Python packages discovered on PyPI.

*   **Sensitive Data Theft**: These packages steal user data through keylogging, screenshot capturing, and information exfiltration.

*   **Persistence Mechanisms**: They establish long-term control by creating startup scripts to re-execute on system reboot.

*   **Obfuscation Techniques**: Advanced obfuscation methods help the packages evade detection and security systems.

*   **Wide Impact**: These threats compromise developers and platforms reliant on PyPI, posing major privacy and security risks.

On November 24, 2024, Fortinet FortiGuard Lab’s AI-based detection system identified **Python malware** in two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, targeting unsuspecting users for their data.

These packages can steal sensitive information, capture screenshots, log keystrokes, and establish unauthorized control over infected systems, researchers noted in the **blog post** shared with Hackread.com.

****What is Zebo-0.1.0?****

Zebo-0.1.0 exhibits typical malware characteristics, including functions designed for surveillance, data exfiltration, and unauthorized control, and utilizes libraries like pynput and ImageGrab, along with obfuscation techniques, indicating clear malicious intent. 

The script employs obfuscation to hide its true functionality, making it harder for users or security systems to understand its actions. This obfuscation can bypass security measures, allowing the malware to run undetected. 

Zebo-0.1.0 leverages pynput to log every keystroke made by the user and also captures screenshots of the desktop, potentially violating their privacy. Furthermore, the script exfiltrates sensitive information, such as keystrokes and screenshots, to a remote server, compromising user privacy.

To ensure persistence, the malware creates a Python script and a batch file in the Windows Startup folder, ensuring its re-execution upon system startup, making it difficult to remove and increasing the risk of long-term damage.

****What is Cometlogger-0.1?****

Cometlogger-0.1 maintains a long-term presence on the victim’s system and uses advanced techniques like obfuscation, keylogging, screen capturing, and data exfiltration to compromise user data. It dynamically requests a “webhook” from the user and embeds it into Python files, allowing for potential manipulation by unauthorized users. This can redirect sensitive data to malicious servers or facilitate command-and-control operations. 

The script also targets various platforms like Discord, Steam, Instagram, and Twitter, stealing tokens, passwords, and account information. Additionally, it employs anti-VM detection techniques to evade analysis and incorporates dynamic file modification capabilities, enabling the injection of malicious code.

Both packages are a major threat to user privacy and security. Zebo-0.1.0 actively collects sensitive data and transmits it to remote servers. Cometlogger-0.1, on the other hand, focuses on information theft and maintaining a persistent presence on the victim’s system. The affected systems include all those platforms where PyPI packages can be installed with a High severity level, and threatens individuals or institutions whoever has installed these **malicious packages**.

Data stolen by the malware (Via Fortinet FortiGuard Lab)

The Python Package Index (PyPI) has become an invaluable resource for developers, offering a vast repository of reusable code. However, this convenience comes with inherent risks as malicious actors are increasingly exploiting it by publishing malicious packages that, when installed, can compromise systems. Socket Security researchers last month **discovered** another malicious Python package called “Fabrice” on PyPI downloaded over 37,000 times since its inception in 2021, harvesting AWS credentials from developers for three years.

To protect against these threats, it is crucial to disconnect from the internet, isolate the infected system, use reputable antivirus software, and reformat the system if necessary.

1.  **Why is learning Python important in Data Science?**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
4.  **Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats**
5.  **NTLM Credential Theft in Python Apps Threaten Windows Security**

Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'name' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

ABB Cylon Aspect 3.08.02 (WatchDogServlet) Authenticated Reflected XSS

Title: ABB Cylon Aspect 3.08.02 (WatchDogServlet) Authenticated Reflected XSS  
Advisory ID: ZSL-2024-5886  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 24.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'name' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[24.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_xss4.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-6516  
\[3\] https://nvd.nist.gov/vuln/detail/CVE-2024-6516  
\[4\] https://packetstorm.news/files/id/183295/

**Changelog**

\[24.12.2024\] - Initial release  
\[25.12.2024\] - Added reference \[4\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

"Zero trust" doesn't mean "zero testing."

Source: Alexander Yakimov via Alamy Stock Photo

COMMENTARY

Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated "trust but verify" cybersecurity strategy. This approach assumes that any user or device inside a company's network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.

There was a time when trust but verify made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.

**The User Example of Trust Without Ongoing Verification**

It's easy to see how this happens with users. A user typically goes through a background check when they join the company, but once onboarded, despite any number of changes in their lives that could affect their trustworthiness, we allow them to access our systems and data without further verification. 

In the majority of cases, the absence of further verification does not cause damage. However, if the user decides to act against the best interest of their employer, the results can be catastrophic. The more sensitive the information the individual has access to, the greater the risk. This is why individuals with security clearances are regularly re-vetted, and security personnel may conduct regular finance checks to identify any issues early and intervene to mitigate possible damage.

In organizations that follow a trust-but-verify approach, two personas stand out: those that have considered the risk of one-time asset verification acceptable; and — the minority — those that try to manage the risk with a re-verification program. A shift in persona from the former to the latter usually only occurs after a breach, a crisis in availability, or another "career limiting disaster."

The reality is that there are simply not enough hours in the day for security practitioners to do all of the things that must be done. Have security patches been correctly applied to all vulnerable devices? Are all third-party security assessments properly analyzed? Do all Internet of Things (IoT) devices really belong on the network? Are managed security services performing as expected? 

Compromising one of these trusted devices means being granted trust to move laterally across the network, accessing sensitive data and critical systems. Organizations likely will not know the extent of their exposure until something goes wrong. 

**The Costly Consequences of Insufficient Verification**

When these breaches are eventually discovered, the costs begin to mount. Companies face not only the direct costs of incident response, but potentially also regulatory fines, class-action lawsuits, lost customers, and lasting damage to their brand reputation. Relatively small incidents can cost millions of dollars, while large incidents regularly cost billions.

In addition to these direct costs, insufficient verification also leads to more frequent and expensive compliance audits. Regulators and industry bodies are increasingly demanding that companies demonstrate robust identity and access management controls, for example under the European Union's upcoming Digital Operational Resilience Act (DORA), as well as continuous monitoring and validation of user and device activity. Certifications and accreditations can no longer be accepted at face value. 

**The Path Forward: Adopt a Zero-Trust Approach**

Instead of trusting after verification, businesses should instead allow only what the business needs, for as long as it needs it. Never trust, always verify. This is how a zero-trust architecture operates.

Every user, device, and application that attempts to make a connection, regardless of its location, is scrutinized and validated, dramatically limiting the potential damage from a successful compromise. A zero-trust architecture replaces firewalls and VPNs, so there are fewer devices to maintain, and a reduced attack surface means fewer opportunities for attackers to gain a foothold.

Zero trust doesn't mean zero testing; testing should form an integral part of any IT and cybersecurity strategy. However, it does mean the likelihood of a major failure stemming from trust being extended to users, devices, or applications that do not deserve it, is a thing of the past. 

**About the Authors**

Vice President, Cybersecurity Advocacy, Zscaler

Rob Sloan is vice president, cybersecurity advocacy, for Zscalera. He is a cybersecurity, risk, and technology expert with broad business skills and management responsibility. Prior to joining Zscaler, he served as research director at Dow Jones and The Wall Street Journal, where he led a research team focused on cybersecurity, AI, and sustainability issues, and wrote a weekly column to help board directors navigate cyber-risk. Before the WSJ, Rob worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating, and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob began his career working for the UK government in defense and foreign affairs, looking at some of the earliest state sponsored cyberattacks against the government, military, and critical national infrastructure networks.

VP & CISO in Residence, Zscaler

Sam Curry is VP and chief information security officer (CISO) in residence at Zscaler. He began his career in signals and cryptanalysis and was the first employee at Signal 9 Solutions, a small start-up that invented the personal firewall, executed the first commercial implementation of Blowfish, and devised early symmetric key VPN technology. Sam served as chief security architect there and as head of product for McAfee before holding several positions at RSA (the Security Division of EMC), including head of RSA labs at MIT and chief technology officer (CTO) and Distinguished Engineer for EMC. After seven years with RSA, Curry acted as SVP and CISO at Microstrategy, CSO and CTO for Arbor Networks, and as chief security officer (CSO) for Cyberreason. Sam holds 17 active patents in cybersecurity and a master’s degree in counterterrorism, and sits on two boards of directors. In addition, he teaches courses at Harvard (online), Wentworth Technology Institute, and Nichols College. He is also a Fellow at the National Security Institute at George Mason University.

Too Much 'Trust,' Not Enough 'Verify'

The security extensions for the Domain Name System aimed to make the Internet more reliable, but instead the technology has exchanged one set of problems for another.

Source: Artistdesign.13 via Shutterstock

A pair of attacks revealed by researchers this year underscored the fragility of the Domain Name System (DNS) and the security extensions (DNSSEC) that were adopted to help secure the world's internet infrastructure.

For the past year, Internet infrastructure firms and software makers have worked to patch DNS servers for a critical set of flaws in DNSSEC. Originally discovered more than a year ago by four researchers at Goethe-Universität Frankfurt and Technische Universität Darmstadt, the so-called KeyTrap denial-of-service (DoS) attack could trick DNS servers into spending hours attempting to validate signatures on specially created DNSSEC packets, according to their presentation at the Black Hat Europe 2024 conference earlier this month.

The researchers notified major Internet providers of the issues late last year and worked with them to produce patches earlier this year, but the flaws in DNSSEC are systematic, says Haya Schulmann, a professor of computer science at Goethe-Universität Frankfurt and one of the researchers involved in the work.

"I would not say that the core of the problem has been resolved," she says. "There are patches which mitigate the most severe problems, but the core issue is yet to be addressed."

The KeyTrap security weaknesses were not the only DNS attacks to surface in 2024. In May, a team of Chinese researchers revealed that they had discovered three logic vulnerabilities in DNS that allowed three types of attacks: DNS cache poisoning, DoS, and resource consumption. Dubbed TuDoor, the attack affected some 24 different DNS software codebases, the researchers stated in a summary of their work.

Related:Millions of Pen Tests Show Companies' Security Postures Are Getting Worse

The discovery of the two classes of DNS and DNSSEC flaws highlight that security and availability are often at odds with each other, and that the Internet as a whole still has areas of fragility.

"The Internet was an experimental research project which gradually evolved, and it started with very few networks and gradually evolved to support this huge commercial platform — of course, it's fragile," Schulmann says. "It's a wonder that it works."

**'Accept Liberally, Send Conservatively' Falls Down**

The design philosophy of much of the Internet boils down to a principle espoused by computer scientist Jonathan Postel, which the German researchers paraphrased as: "Be liberal in what you accept and conservative in what you send." The principle aims to improve robustness by calling for software to be "written to deal with every conceivable error, no matter how unlikely; sooner or later a packet will come in with that particular combination of errors and attributes, and unless the software is prepared, chaos can ensue," according to RFC 1122, "Requirements for Internet Hosts -- Communications Layers."

Related:Time to Get Strict With DMARC

However, other critiques have found that tolerating the unexpected often leads to harmful consequences. Rigorous standards can slowly decay and suffer feature creep when software is too liberally accepting, especially when the protocols are not adequately maintained, software engineers Martin Thomson and David Schninazi argue in RFC 9413.

"Careless implementations, lax interpretations of specifications, and uncoordinated extrapolation of requirements to cover gaps in specification can result in security problems," they wrote. "Hiding the consequences of protocol variations encourages the hiding of issues, which can conceal bugs and make them difficult to discover."

The German university researchers exploited the expansion of DNSSEC's acceptance of various cryptographic algorithms to developed an attack vector that allowed them to create an off-path attack — in other words, they did not need to control a router or DNS server that processed a DNSSEC transaction. By sending DNSEC packets containing hundreds of cryptographic signatures and hundreds of keys, they forced DNS servers to try to validate all the combinations — all because the servers supported a wide variety of cryptographic methods.

"When you have cryptography, there are challenges and complexity that start when you need to deploy multiple algorithms," Schulmann says. "You have to sign using all these algorithms, and every resolver has to validate the algorithms and identify which ones were sent ... and validate the signature, and that is the problem."

**DNSSEC Pushes Its Limits**

Fixing the DNSSEC weakness required the digital equivalent of chewing gum and baling wire. Cloudflare, for example, placed limits on the maximum numbers of keys its servers will accept when requests cross zones, such as .com delegating a response to cloudflare.com, the firm stated.

Yet, there is no simple fix, so Internet infrastructure companies have had to be agile as well.

"Even with this limit already in place and various other protections built for our platform, we realized that it would still be computationally costly to process a malicious DNS answer from an authoritative DNS server," Cloudflare stated in its analysis and response memo on the issue. "We added metrics which will allow us to detect attacks attempting to exploit this vulnerability." The company also placed additional limits on requests.

There are currently more than 30 RFCs related to DNSSEC, underscoring the need for defenders to repeatedly patch the standard to adapt to attackers' tactics. Developers have to be closely involved with the infrastructure operators and researchers in the community to make sure that they are building their software to the highest standard.

"In our research, we see that the more functionality you have, the more features you add, then the more bugs and the more problems you have — and all of those can be exploited to launch attacks," she says. "Routing networks, DNS, and other systems — they are no different."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

DNSSEC Denial-of-Service Attacks Show Technology's Fragility

Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server.

This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0.

Users are recommended to upgrade to version 1.5.0, which fixes the issue.

**Apache HugeGraph-Server: Fixed JWT Token (Secret)**

Moderate severity GitHub Reviewed Published Dec 24, 2024 to the GitHub Advisory Database • Updated Dec 26, 2024

GHSA-f697-gm3h-xrf9: Apache HugeGraph-Server: Fixed JWT Token (Secret)

Japanese and U.S. authorities have formerly attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors.
"The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces," the agencies said. "TraderTraitor activity is often characterized by targeted social

Tag

#auth