Semgrep non-drama, Facebook hates Linux – Vulns in Cars, Cell Towers, M365, and more – ESW #392
This week in the Enterprise Security Weekly news, we discuss:
- funding and acquisitions
- Understanding the Semgrep license drama
- Ridiculous vulnerabilities everywhere:
  - vulns to take down your entire city’s cell service
  - vulns to mess with your Subarus
  - vulns in Microsoft 365 authentication
- cybersecurity regulations are worthless
- Facebook is banning people for mentioning Linux
- Vigilantes on Github
- Mastercard DNS error
- Qubes OS
- Turning a "No" into a conversation
All that and more, on this episode of Enterprise Security Weekly!
- 1. FUNDING: from the Security, Funded newsletter #178
A few funding announcements worth chatting about:
- Eclypsium Raises $45M to Lock Down Supply Chain Security
- Mitiga Announces $30 Million Series B and Adds New Executive Chairman and Board Director. These guys have a lot of products and services going on for a company that's just raising Series B. Trying to wrap my head around all of it.
- Luxembourg’s password management software firm Passbolt bags €7.6M. Yet another password manager, BUT this one is from Europe and is fully open source!
- 2. DIVESTITURE: Inside information: WithSecure sells its Cyber security consulting business
In 2022, the Finnish cybersecurity company F-Secure split into two companies. The consumer business continued under the F-Secure brand, while the enterprise business rebranded as WithSecure.
Now, a few years later, WithSecure is selling off its consulting business to Neqst for EUR 22.5M.
- 3. DRAMA: Josh Grossman on LinkedIn: Seems like there’s a bit of confusion around the recent Semgrep licence changes
Confusion for sure! TL;DR:
- it's not as big a deal as most folks are making out of it
- the response feels mostly like a marketing/sales grab from competitors (including OpenGrep)
- 4. DUMPSTER FIRES: John Hammond on “Facebook flags Linux topics as ‘cybersecurity threats’ — posts and users being blocked”
I don't need a ton of additional reasons to not use Facebook, but thanks for this one!
- 5. VULNERABILITIES: Cellular Security Ransacked
Roughly a BAJILLION YEARS after L0pht testified to Congress that they could take down the public Internet in about 30 minutes, the curiously named Florida Institute for Cybersecurity Research released information claiming it is possible to persistently DoS cell service to large areas with just a few packets.
Paper here: https://nathanielbennett.com/publications/ransacked.pdf
- 6. VULNERABILITIES: Subaru Security Flaws Exposed Its System for Tracking Millions of Cars
9.5 years ago, Charlie Miller and Chris Valasek messed with Andy Greenberg by remotely killing the engine of the Jeep Cherokee he was actively driving.
9 years ago, Troy Hunt reported that the Nissan Leaf app allowed control over the cars with nothing more than the VIN.
In November 2024, Sam Curry and Shubham Shah discovered a similar issue in Subaru's STARLINK service. Using just publicly available information about a vehicle's owner:
- any car could be remotely started, stopped, or locked/unlocked
- the vehicle's location history was available
- the customer's PII was available
The car industry has had 10 years to search for these sorts of issues and squash them. It wasn't trivial to find per se, but it still seems a basic enough issue for a security review to have spotted and flagged.
- 7. VULNERABILITIES: How Did Hackers Bypass Microsoft’s MFA Vulnerability?
The disturbing trend of researchers finding very basic, easy to exploit vulnerabilities in popular, publicly accessible services managed by huge multi-billion dollar companies continues.
Microsoft again makes this list with an attack that's just plain brute force. The researchers had to get a little clever with how they manipulated sessions to avoid lockouts, but the fact that it was still ultimately brute forcing six-digit codes seems like the kind of problem we shouldn't be finding in the world's largest tech company's primary authentication mechanism.
Here's the main PDF from the research: https://pages.oasis.security/rs/106-PZV-596/images/oasis-security-authquake-mfa-bypass.pdf?version=0
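To make the lockout point concrete, here is an added illustration (not code from the Oasis research or from Microsoft): a six-digit code verifier that keys its attempt budget on the account rather than the session, so opening fresh sessions does not buy extra guesses. The attempt limit, code lifetime and the per-session-counter weakness it contrasts with are assumptions for this example.

```python
import secrets
import time
from collections import defaultdict

# Assumed policy values for this illustration, not Microsoft's or Oasis's numbers.
MAX_ATTEMPTS = 5         # failed guesses allowed per account while a code is live
CODE_LIFETIME_S = 300    # seconds a six-digit code stays valid


class OtpVerifier:
    """Six-digit code check whose attempt budget is keyed on the account.

    The session identifier is accepted but ignored for counting, so rotating
    sessions cannot reset the budget. With MAX_ATTEMPTS guesses against a
    10**6 code space, a blind guesser succeeds with probability
    MAX_ATTEMPTS / 10**6 per issued code.
    """

    def __init__(self, now=time.time):
        self._now = now                   # injectable clock for testing
        self._codes = {}                  # account -> (code, issued_at)
        self._failed = defaultdict(int)   # account -> failed guesses, survives session churn
        self._locked = set()

    def issue_code(self, account):
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account] = (code, self._now())
        return code   # delivered out of band in a real system, never to the client session

    def verify(self, account, session_id, candidate):
        del session_id                    # deliberately not part of the budget key
        if account in self._locked:
            return "locked"
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        code, issued_at = entry
        if self._now() - issued_at > CODE_LIFETIME_S:
            del self._codes[account]
            return "expired"
        # compare_digest needs ASCII strings; a constant-time compare avoids timing leaks
        if candidate.isascii() and secrets.compare_digest(code, candidate):
            del self._codes[account]      # single use
            self._failed[account] = 0
            return "ok"
        self._failed[account] += 1
        if self._failed[account] >= MAX_ATTEMPTS:
            self._locked.add(account)     # unlock would need an out-of-band recovery step
            self._codes.pop(account, None)
            return "locked"
        return "wrong"
```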
- 8. ESSAYS: From Katie Teitler-Santullo – How We Can Finally Be Sure Regulations Won’t Fix Cybersecurity
- 9. SQUIRREL: Vigilante Justice on GitHub ◆ Truffle Security Co.
Both hilarious and concerning
- 1. FAIL: MasterCard DNS Error Went Unnoticed for Years
Even giants can fat-finger things. Not sure what's worse here, the misconfiguration going unnoticed for YEARS or the way they responded to the researcher. We are quite lucky this was not exploited.
- 2. LTE and 5G Security Flaws (Are we surprised?)
A plethora of vulnerabilities were found in LTE and 5G networks. Most of them result in DoS attacks, including unauthenticated attacks that didn't require a SIM card!
- 3. A Security Conscious Operating System?
Capable of running apps and services inside isolated compartments, Qubes OS claims to provide a secure environment for your computing workloads.
- 4. ESSAY (Audio): Turn ‘No’ Into a Conversation
How to turn rejection around without a fight. The best way to get someone to do something is for them to be intrinsically motivated to do it. Any parent knows this well. Persuade with finesse, not force.