Send Link mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.anu.edu.au/mailman/listinfo/link
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Link digest..."
Today's Topics:
1. More Salt Typhoon victims: Telcos with Cisco bugs
(Stephen Loosley)
2. DOGE's Coders Launch Website So Full Of Holes, Anyone Can
Write To It (Stephen Loosley)
----------------------------------------------------------------------
Message: 1
Date: Sun, 16 Feb 2025 00:37:39 +1030
From: Stephen Loosley <[email protected]>
To: "link" <[email protected]>
Subject: [LINK] More Salt Typhoon victims: Telcos with Cisco bugs
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco
bugs
Networks in US and beyond compromised by Beijing's super-snoops pulling off
priv-esc attacks
By Jessica Lyons Thu 13 Feb 2025
https://www.theregister.com/2025/02/13/salt_typhoon_pwned_7_more/
China's Salt Typhoon spy crew exploited vulnerabilities in Cisco devices to
compromise at least seven devices linked to global telecom providers and other
orgs, in addition to its previous victim count.
The intrusions happened between December 2024 and January 2025 with the Chinese
government snoops attempting to exploit more than 1,000 internet-facing
Cisco-made boxes before successfully breaking into at least seven that were
unpatched, according to Recorded Future's Insikt Group.
Salt Typhoon previously compromised at least nine US telecommunications
companies and government networks, giving President Xi's agents real-time
access to people's communications and whereabouts.
In its latest espionage campaign, the crew infiltrated Cisco-supplied gear
associated with a US internet service and telecommunications provider, a US
affiliate of a "significant" UK-based telecom provider, an Italian ISP, and two
other telecommunications firms, one in South Africa and a "large" one in
Thailand, Insikt's report [PDF] states.
https://go.recordedfuture.com/hubfs/reports/cta-cn-2025-0213.pdf
Again, that would give China intimate access to people's internet activities,
movements, and comms.
"The group likely compiled a list of target devices based on their association
with telecommunications providers' networks," according to the write-up.
Additionally, the snoops "possibly targeted" more than a dozen universities
including University of California, Los Angeles to access research related to
telecommunications, engineering, and technology, according to the infosec
house, which tracks Salt Typhoon as RedMike.
Plus, in mid-December, Salt Typhoon also conducted a reconnaissance operation
involving "multiple" IP addresses owned by Mytel, a Myanmar-based telecom firm.
To compromise the targeted Cisco devices, Beijing's spies combined two critical
privilege escalation vulnerabilities in Cisco's tech: CVE-2023-20198 and
CVE-2023-20273. The networking giant issued patches for both in 2023, and at
the time warned the bugs had already been exploited as zero-days.
CVE-2023-20198 is a privilege escalation vulnerability in Cisco IOS XE
software's web user interface.
The snoops exploited this one for initial access, and then issued a privilege
15 command to create a local user and password.
Then, they used the new local account to exploit another privilege escalation
flaw, CVE-2023-20273, to gain root privileges on the device. This allowed Salt
Typhoon to add a generic routing encapsulation (GRE) tunnel for persistent
access to the victim's network.
More than half of the targeted devices, in terms of attempts, were in the US,
South America, and India, with the rest spanning over 100 countries. Most of
these were linked to telecom providers, while 12 universities were possibly
targeted to access research related to technology.
Basically, China wanted to pwn the world's telecommunications networks.
These colleges included, in the US: University of California, Los Angeles
(UCLA); California State University, Office of the Chancellor; Loyola Marymount
University; and Utah Tech University. Plus Argentina (Universidad de La Punta)
and Bangladesh (Islamic University of Technology IUT). Two were in Indonesia:
Universitas Sebelas Maret and Universitas Negeri Malang.
Other attempted targets were in, at least, Malaysia (University of Malaya),
Mexico (Universidad Nacional Autonoma), the Netherlands (Technische
Universiteit Delft), Thailand (Sripatum University), and Vietnam (University of
Medicine and Pharmacy at Ho Chi Minh City).
After it emerged last year that Salt Typhoon had struck Verizon, AT&T, Lumen
Technologies, and others, and thus China was in a position to monitor millions
of people's calls, texts, locations, and internet activities, Uncle Sam urged
IT departments to tighten up their network security and netizens to start using
strong end-to-end encryption for their online chatter.
The kicker in all of this is that, in that previous campaign, Beijing abused
equipment that provides surveillance backdoors intended for US law enforcement
to track suspects in American networks to pull off these intrusions.
In January, the US issued sanctions on a Salt Typhoon affiliated cybersecurity
company, Sichuan Juxinhe Network Technology, which is based in Sichuan, China.
But while the sanctions "signal a more assertive and commendable stance against
state-backed cyber espionage in critical infrastructure," according to the
threat hunters, "robust international cooperation is crucial for effectively
countering these persistent threats."
A spokesperson for Cisco told us today that what it knows for certain is that
the flaws highlighted by Insikt were fixed a few years ago, as we noted.
"We are aware of new reports that claim Salt Typhoon threat actors are
exploiting two known vulnerabilities in Cisco devices relating to IOS XE," the
spinner said.
"To date, we have not been able to validate these claims but continue to review
available data.
"In 2023, we issued a security advisory disclosing these vulnerabilities along
with guidance for customers to urgently apply the available software fix. We
strongly advise customers to patch known vulnerabilities that have been
disclosed and follow industry best practices for securing management
protocols."
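An added example, not part of the forwarded article, of Cisco's advisory or of Recorded Future's report: a Python audit of an IOS XE running-config for the three artefacts the article describes, a reachable web UI (the surface CVE-2023-20198 was exploited through), a privilege-15 local user created by the attackers, and a GRE tunnel left behind for persistence. The sample config, the "netops" admin allowlist and the tunnel-peer allowlist are constructed assumptions. The check for `ip http access-class` reflects Cisco's standing guidance to disable or restrict the HTTP server feature, which the article itself does not spell out.

```python
"""
Audit an IOS XE running-config for the artefacts the article attributes to
Salt Typhoon: a reachable web UI, a privilege-15 local user the attackers
created, and a GRE tunnel left behind for persistent access.

Added example, not code from the article, Recorded Future or Cisco. The
sample config and both allowlists are constructed assumptions; replace them
with your own device inventory.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # webui_exposed | unexpected_priv15_user | unexpected_gre_tunnel
    detail: str


def _blocks(config):
    """Split IOS-style config into (top-level line, [indented sub-lines]) pairs."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # blank lines and "!" separators
        if raw.startswith(" "):
            body.append(raw.strip())      # indented: belongs to the current block
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_config(config, known_admins, known_tunnel_peers):
    """Return Findings for config lines that match the article's attack chain."""
    findings = []
    blocks = _blocks(config)
    top = [h for h, _ in blocks]

    # 1. Initial-access surface: the HTTP(S) server feature enabled with no
    #    access-class limiting who can reach it.
    http_on = any(h in ("ip http server", "ip http secure-server") for h in top)
    http_restricted = any(h.startswith("ip http access-class ") for h in top)
    if http_on and not http_restricted:
        findings.append(Finding("webui_exposed",
                                "ip http [secure-]server enabled without ip http access-class"))

    # 2. Privilege-15 local users not in inventory: the account the article says
    #    was created with a privilege 15 command and then used for CVE-2023-20273.
    for h in top:
        m = re.match(r"username (\S+) privilege 15\b", h)
        if m and m.group(1) not in known_admins:
            findings.append(Finding("unexpected_priv15_user", m.group(1)))

    # 3. Tunnel interfaces to unknown peers. An IOS tunnel with no explicit
    #    "tunnel mode" line defaults to GRE over IP, so a missing line does
    #    not mean the tunnel is not GRE.
    for h, body in blocks:
        if not h.startswith("interface Tunnel"):
            continue
        mode = next((line.split(None, 2)[2] for line in body
                     if line.startswith("tunnel mode ")), "gre ip")
        dest = next((line.split()[-1] for line in body
                     if line.startswith("tunnel destination ")), None)
        if mode.startswith("gre") and dest not in known_tunnel_peers:
            findings.append(Finding("unexpected_gre_tunnel",
                                    f"{h}: mode={mode} destination={dest}"))
    return findings


# Constructed sample running-config, not taken from any real device.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
interface Tunnel1
 ip address 10.20.20.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.44
"""

if __name__ == "__main__":
    # Assumed inventory: one known admin, one known tunnel peer.
    for f in audit_config(SAMPLE_CONFIG, {"netops"}, {"192.0.2.44"}):
        print(f"[{f.kind}] {f.detail}")
```

Feed it the output of `show running-config`. The first finding is the precondition for initial access; the other two are the traces the article says the attackers left. An empty result shows only that nothing was left in the configuration, so the audit complements the patch Cisco issued in 2023 rather than replacing it.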
------------------------------
Message: 2
Date: Sun, 16 Feb 2025 01:07:46 +1030
From: Stephen Loosley <[email protected]>
To: "link" <[email protected]>
Subject: [LINK] DOGE's Coders Launch Website So Full Of Holes, Anyone
Can Write To It
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
DOGE's "Genius" Coders Launch Website So Full Of Holes, Anyone Can Write To It
(Mis)Uses of Technology
from the this-would-get-an-intern-at-a-coffee-shop-fired dept
Fri, Feb 14th 2025 09:25am - by Mike Masnick
https://www.techdirt.com/2025/02/14/doges-genius-coders-launch-website-so-full-of-holes-anyone-can-write-to-it/
If you want to write something on the U.S. government's official DOGE website,
apparently you can just... do that. Not in the usual way of submitting comments
through a form, mind you, but by directly injecting content into their
database. This seems suboptimal.
The story here is that DOGE, Elon Musk's collection of supposed coding
"geniuses" brought in to "disrupt" government inefficiency, finally launched
their official website. And what they delivered is a masterclass in how not to
build government infrastructure.
One possibility is that they're brilliant disruptors breaking all the rules to
make things better. Another possibility is that they have no idea what they're
doing.
The latter seems a lot more likely.
Last week, it was reported that the proud racist 25-year-old Marko Elez had
been given admin access and was pushing untested code to the US government's $6
trillion/year payment system. While the Treasury Department initially claimed
(including in court filings!) that Elez had "read-only" access, others reported
he had write access.
After those reports came out, the Treasury Dept. "corrected" itself and said
Elez had been "accidentally" given write privileges for the payments database,
but only for the data, not the code.
Still, they admitted that while they had put in place some security
protections, it's possible that Elez did copy some private data which "may have
occasionally included screenshots of payment systems data or records."
Yikes...
Now, you might think that having a racist twenty-something with admin access to
trillion-dollar payment systems would concern people. But Musk's defenders had
a compelling counterargument: he must be a genius! Because... well, because Musk
hired him, and Musk only hires geniuses. Or so we're told.
The DOGE team's actual coding prowess is turning out to be quite something.
First, they decided that government transparency meant hiding everything from
FOIA requests. When questioned about this interesting interpretation of
"transparency," Musk explained that actually DOGE was being super transparent
by putting everything on their website and ExTwitter account.
There was just one small problem with this explanation. At the time he said it,
the DOGE website looked like this:
Black website saying: An official website of the United States Government.
Then it shows a $ logo and "Department of Government Efficiency." "The people
voted for major reform."
That was it. That was the whole website.
On Thursday, they finally launched a real website. Sort of. If by "real
website" you mean "a collection of already-public information presented in
misleading ways by people who don't seem to understand what they're looking
at." But that's not even the interesting part.
These supposed technical geniuses managed to build what might be the least
secure government website in history. Let's start with something basic: where
does the website actually live? According to Wired, the source code actually
tells search engines that ExTwitter, not DOGE.gov, is the real home of this
government information:
A WIRED review of the page's source code shows that the promotion of Musk's own
platform went deeper than replicating the posts on the homepage. The source
code shows that the site's canonical tags direct search engines to x.com rather
than DOGE.gov.
A canonical tag is a snippet of code that tells search engines what the
authoritative version of a website is. It is typically used by sites with
multiple pages as a search engine optimization tactic, to avoid their search
ranking being diluted.
In DOGE's case, however, the code is informing search engines that when people
search for content found on DOGE.gov, they should not show those pages in
search results, but should instead display the posts on X.
"It is promoting the X account as the main source, with the website secondary,"
Declan Chidlow, a web developer, tells WIRED. "This isn't usually how things
are handled, and it indicates that the X account is taking priority over the
actual website itself."
If you're not a web developer, here's what that means: When you build a
website, you can tell search engines "hey, if you find copies of this content
elsewhere, this version here is the real one." It's like telling Google "if
someone copied my site, mine is the original."
But DOGE did the opposite. They told search engines "actually, ExTwitter has
the real version of this government information. Our government website is just
a copy." Which is... an interesting choice for a federal agency? It's a bit like
the Treasury Department saying "don't look at our official reports, just check
Elon's tweets."
You might think that a government agency directing people away from its
official website and toward the private company of its leader would raise some
conflict-of-interest concerns. And you'd be right!
But wait, it gets better. Or worse. Actually, yeah, it's worse.
Who built this government website? Through some sloppy coding, security
researcher Sam Curry figured out it was DOGE employee Kyle Shutt. The same Kyle
Shutt who, according to Drop Site News, has admin access to the FEMA payments
system. The same Kyle Shutt who used the exact same Cloudflare ID to build
Musk's America PAC Trump campaign website. Because why maintain separate secure
credentials for government systems and political campaigns when you can just...
not do that?
But the real cherry on top came Thursday when people discovered something
amazing about the DOGE site database: anyone can write to it. Not "anyone with
proper credentials." Not "anyone who passes security checks." Just... anyone. As
404 Media reported, if you know basic database operations, you too can be a
government website administrator:
The doge.gov website that was spun up to track Elon Musk's cuts to the federal
government is insecure and pulls from a database that can be edited by anyone,
according to two separate people who found the vulnerability and shared it with
404 Media. One coder added at least two database entries that are visible on
the live site and say "this is a joke of a .gov site" and "THESE 'EXPERTS' LEFT
THEIR DATABASE OPEN -roro."
While I imagine those will be taken down shortly, for now, the insertions are
absolutely visible:
A page on the DOGE website showing inserted text in a box reading: "THESE
EXPERTS LEFT THEIR DATABASE OPEN - roro
A page on the DOGE website showing inserted text in a box reading: "This is a
joke of a .gov site"
Look, there's a reason we called this whole thing a cyberattack. When someone
takes over your computer systems and leaves them wide open to anyone who wants
to mess with them, we usually don't call that "disruption" or "innovation." We
call it a cybersecurity breach.
"Feels like it was completely slapped together," they added. "Tons of errors
and details leaked in the page source code."
Both sources said that the way the site is set up suggests that it is not
running on government servers.
"Basically, doge.gov has its codebase, probably through GitHub or something,"
the other developer who noticed the insecurity said. "They're deploying the
website on Cloudflare Pages from their codebase, and doge.gov is a custom
domain that their pages.dev URL is set to. So rather than having a physical
server or even something like Amazon Web Services, they're deploying using
Cloudflare Pages which supports custom domains."
Here's the thing about government computer systems: They're under constant
attack from foreign adversaries. Yes, they can be inefficient. Yes, they can be
bloated. But you know what else they usually are? Not completely exposed to the
entire internet. It turns out that some of that inefficient "bureaucracy"
involves basic things like "security" and "not letting random people write
whatever they want in federal databases."
This isn't some startup where "move fast and break things" is a viable
strategy. This is the United States government. And it's been handed over to
people whose main qualification appears to be "posts spicy memes on 4chan." The
implications go far beyond embarrassing database injections; this level of
technical negligence in federal systems creates genuine national security
concerns. When your "disruption" involves ignoring decades of hard-learned
lessons about government systems security, you're not innovating, you're
inviting disaster.
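An added example, not from the Techdirt or WIRED pieces: a Python check for the canonical-tag behaviour WIRED describes. It parses a page's HTML and flags any `<link rel="canonical">` whose host differs from the page's own, which is the case where a site tells search engines that some other origin holds the authoritative copy. The HTML snippets are constructed, and the x.com path and the /savings page are placeholders, not real URLs.

```python
"""
Flag <link rel="canonical"> tags that hand search-engine authority for a
page to a different host, the behaviour WIRED observed on DOGE.gov.

Added example, not code from the article or from WIRED. The HTML snippets
are constructed and the x.com path is a placeholder, not a real post.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _CanonicalCollector(HTMLParser):
    """Collect every href from <link rel="canonical" ...> in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()   # rel may hold several tokens
        if "canonical" in rels and a.get("href"):
            self.hrefs.append(a["href"])


def canonical_targets(html, page_url):
    """Absolute canonical URLs declared by the page (relative hrefs resolved)."""
    p = _CanonicalCollector()
    p.feed(html)
    return [urljoin(page_url, h) for h in p.hrefs]


def offsite_canonicals(html, page_url):
    """Canonical URLs whose host is not the page's own host.

    A same-host canonical is ordinary de-duplication; an off-host one tells
    search engines that another site is the authoritative copy.
    """
    own = urlsplit(page_url).hostname
    return [u for u in canonical_targets(html, page_url)
            if urlsplit(u).hostname != own]


# Constructed sample pages (not captured from doge.gov).
PAGE_OFFSITE = """<!doctype html><html><head>
<title>Savings</title>
<link rel="canonical" href="https://x.com/example_account/status/1">
</head><body><p>An official website of the United States Government.</p></body></html>"""

PAGE_SAME_SITE = """<!doctype html><html><head>
<link rel="stylesheet" href="/site.css">
<link rel="canonical" href="/savings">
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("offsite", PAGE_OFFSITE), ("same-site", PAGE_SAME_SITE)):
        print(name, offsite_canonicals(page, "https://doge.gov/savings"))
```

Run it over the fetched HTML of each page you publish; for a government site every result should be empty, since the only host that should ever be canonical for official content is the site's own.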
------------------------------
Subject: Digest Footer
_______________________________________________
Link mailing list
[email protected]
https://mailman.anu.edu.au/mailman/listinfo/link
------------------------------
End of Link Digest, Vol 387, Issue 8
************************************