
Security Week 32: a spy sneaks into the npm repository, Disney sued for tracking children, Juniper patches a year-old bug

JS developers sometimes do terrible things to each other. They could just code in peace and enjoy every commit! But the villain who dumped a batch of malicious packages into the npm repository clearly did not belong among the peaceful, herbivorous programmers. npm is the standard package manager for Node.js, and it comes with a cloud repository full of all sorts of useful packages.

The scoundrel hiding his dishonest name behind the nickname HuskTask reasoned that people tend to make mistakes, and that nothing is more natural than, say, dropping the hyphen from cross-env. So he uploaded his own package, crossenv, to the repository, along with a few more named on the same principle. As a result, a certain number of users pulled HuskTask's packages into their projects without knowing what code was inside.

One user did look inside crossenv and ran to Twitter to sound the alarm. It turned out that the package contains a script, run at install time, that collects sensitive data from environment variables (for example, npm credentials), encodes it into a string and sends it in a POST request to npm.hacktask.net.


In total the malicious package was downloaded about 700 times, but most of those downloads were mirrors crawling the registry. npm believes there were no more than 50 real installations. And that is only for the single most popular package; the resourceful HuskTask flooded the registry with many more:

Malicious packages (download counts):
babelcli: 42
cross-env.js: 43
crossenv: 679
d3.js: 72
fabric-js: 46
ffmepg: 44
gruntcli: 67
http-proxy.js: 41
jquery.js: 136
mariadb: 92
mongose: 196
mssql-node: 46
mssql.js: 48
mysqljs: 77
node-fabric: 87
node-opencv: 94
node-opensl: 40
node-openssl: 29
node-sqlite: 61
node-tkinter: 39
nodecaffe: 40
nodefabric: 44
nodeffmpeg: 39
nodemailer-js: 40
nodemailer.js: 39
nodemssql: 44
noderequest: 40
nodesass: 66
nodesqlite: 45
opencv.js: 40
openssl.js: 43
proxy.js: 43
shadowsock: 40
smb: 40
sqlite.js: 48
sqliter: 45
sqlserver: 50
tkinter: 45


Everyone who fell victim to a typo and pulled in a package from the list is strongly advised to change their npm password, and to rotate any other credentials that were sitting in environment variables at install time. HuskTask has been banned and all of his packages have been purged from the repository. Adam Baldwin from LiftSecurity quickly went through the rest of the packages and found nothing resembling the villainous script. Why the attacker needed all this we can only guess; no acts of senseless vandalism in Node.js projects have been reported.
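As an added illustration (this is not code from the article, from npm or from the audit mentioned above), here is a small script for the two checks a defender would want after this story: whether a dependency name is a lookalike of a popular package, and whether a package declares lifecycle scripts that npm runs on its own at install time, which is how the crossenv script got to execute. The list of popular package names, the sample dependency map and the sample package.json are constructed for the example; the normalisation rules (dropping "node"/"js" affixes and separators) and the one-edit threshold are choices made here, not anything npm does.

```javascript
// Added example, not code from the article or from npm: a small audit helper for
// the typosquatting pattern described above. Everything below is constructed.

// Constructed reference list of well-known package names. In a real audit this
// would come from the registry's most-downloaded list or your own lockfile.
const POPULAR = [
  'cross-env', 'babel-cli', 'd3', 'fabric', 'ffmpeg', 'grunt-cli', 'http-proxy',
  'jquery', 'mongoose', 'mssql', 'mysql', 'nodemailer', 'opencv', 'openssl',
  'sqlite3', 'node-sass', 'request', 'shadowsocks',
];

// Collapse a name onto its "core": drop a scope, a leading "node", a trailing
// "js"/"node" affix and all separators, so that "cross-env.js", "crossenv" and
// "cross-env" all become "crossenv". (Rules chosen for this example.)
function normalize(name) {
  return name
    .toLowerCase()
    .replace(/^@[^/]+\//, '')
    .replace(/^node[-_.]?/, '')
    .replace(/[-_.]?js$/, '')
    .replace(/[-_.]?node$/, '')
    .replace(/[-_.]/g, '');
}

// Optimal-string-alignment edit distance: insert, delete, substitute and
// adjacent transposition each cost 1, so "ffmepg" is 1 away from "ffmpeg".
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Decide whether `name` looks like a typosquat of something in `popular`.
// An exact, unmodified match is trusted; otherwise the name is suspicious if it
// collapses onto a listed package, or is within one edit of one (the length
// floor avoids flagging every two-letter neighbour of "d3").
function checkName(name, popular = POPULAR) {
  if (popular.includes(name)) return { suspicious: false, lookalike: null, reason: 'listed package' };
  const n = normalize(name);
  let best = null;
  for (const p of popular) {
    const pn = normalize(p);
    if (pn === n) return { suspicious: true, lookalike: p, reason: `same as ${p} once affixes/separators are removed` };
    const dist = osaDistance(n, pn);
    if (dist <= 1 && pn.length >= 5 && (best === null || dist < best.dist)) best = { p, dist };
  }
  if (best) return { suspicious: true, lookalike: best.p, reason: `edit distance ${best.dist} from ${best.p}` };
  return { suspicious: false, lookalike: null, reason: 'no close match' };
}

// Lifecycle scripts npm runs on its own when a package is installed from the
// registry. A package with any of these deserves a look before it is trusted.
const AUTO_RUN_SCRIPTS = ['preinstall', 'install', 'postinstall'];
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return AUTO_RUN_SCRIPTS.filter((s) => typeof scripts[s] === 'string' && scripts[s].trim() !== '');
}

// Audit a package.json-style dependency map; returns only the suspicious entries.
function auditDependencies(deps, popular = POPULAR) {
  return Object.keys(deps)
    .map((name) => ({ name, ...checkName(name, popular) }))
    .filter((f) => f.suspicious);
}

// Constructed sample input: a dependency map with two lookalikes mixed in, and a
// package.json with the kind of postinstall hook the malicious crossenv used.
const SAMPLE_DEPENDENCIES = { express: '^4.15.0', crossenv: '^6.0.0', lodash: '^4.17.4', 'd3.js': '*' };
const SAMPLE_PACKAGE_JSON = {
  name: 'crossenv',
  version: '6.1.1',
  scripts: { postinstall: 'node setup.js', test: 'mocha' },
};

for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
  console.log(`suspicious dependency "${f.name}": ${f.reason}`);
}
console.log(`install hooks in ${SAMPLE_PACKAGE_JSON.name}:`, installHooks(SAMPLE_PACKAGE_JSON));
```

In a real project you would feed `auditDependencies` the dependencies from package.json or the lockfile and a much larger reference list. The name check only catches lookalikes of names you have listed (tkinter-style squats of packages from other ecosystems slip through), which is why the install-hook check matters too: a package with an unremarkable name can still run code the moment it is installed. `npm install --ignore-scripts` disables those hooks outright if you want to inspect a package before letting it run anything.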

Disney accused of illegally collecting personal information about children

We have long grown used to the fact that services and applications of every kind cheerfully sell our data on the side. And we, in principle, agree, since this indirectly makes them cheaper for us. In the end, it does not matter what exactly the banner advertising shows us.

But children are another matter entirely: our children should not be watched. And the great Disney company, a great friend of all the children of the world, got a chance to learn this lesson from a lawsuit filed by one indignant parent.

The root of the evil, according to Amanda Rushing, lies in mobile apps such as Disney Princess Palace Pets (about 50 apps are named in the suit). In this cute toy you bathe, groom, dress up and otherwise entertain virtual pets. The rest are much the same.

No, Disney is not spying on children through smartphone cameras or listening in on them. But all of these apps contain tracking modules that constantly build and update user profiles, collecting information such as geographic coordinates accurate to an individual house, the sites a child visits, the time a game was started, and so on.

All of this is relatively innocent, but the United States has COPPA, which exists precisely to stop it.
The Children's Online Privacy Protection Act (COPPA) postulates a simple thing: before collecting any information about a child under 13, you must first obtain the parents' permission. By the letter of the law this applies to anonymised information as well. In practice, the adoption of COPPA led most websites to forbid children of that age from registering at all; nobody needs extra problems. Well, and targeted advertising becomes, to put it mildly, difficult.

Disney, for its part, states that it has a robust COPPA compliance program and that the plaintiff does not really understand how the law works. In short, the company is not going to give up ad targeting for kids without a fight.

A serious vulnerability found in Juniper equipment

Seeing how researchers are tearing into Cisco, racing to find holes in its devices, Juniper got ahead of the game and notified the world of a serious bug in its own products. It turns out there is a serious vulnerability in the GD library bundled with PHP 4.3 and later. It is an image-processing library, but the bug is critical because it lets an attacker take control of the device without authentication.

The problem is incorrect handling of signed integers in libgd 2.1.1, which can lead to a heap overflow when processing compressed gd2 data. As a result, an attacker can execute arbitrary commands or cause a denial of service.
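As an added illustration (not libgd's code, and not from the article or the Juniper advisory), here is the bug class described above reduced to its core: a chunk index whose size field is read as a signed 32-bit integer, a bounds check done in signed arithmetic, and the hardened check that rejects the same input. gd2 keeps a chunk index of 32-bit big-endian offset/size pairs; the sample data, the two index entries and the chunk-size cap are constructed for the example, and the naive check is written the way it reads with C `int` operands. In JavaScript the accepted negative size only yields an empty copy; in C the same value, converted to size_t, becomes a copy length of roughly 4 GiB, which is the heap overflow the advisory describes.

```javascript
// Added example, not libgd's code: the integer-handling mistake behind a gd2-style
// chunk-index bounds check, and the hardened version. All inputs are constructed.

// 16 bytes standing in for compressed image data, and two 8-byte index entries
// {offset, size} in big-endian order.
const SAMPLE_DATA = Uint8Array.from({ length: 16 }, (_, i) => i);
const GOOD_ENTRY = Uint8Array.from([0, 0, 0, 4, 0, 0, 0, 8]);            // offset 4, size 8
const BAD_ENTRY = Uint8Array.from([0, 0, 0, 4, 0xff, 0xff, 0xff, 0xf0]); // offset 4, size 0xFFFFFFF0

function viewOf(entry) {
  return new DataView(entry.buffer, entry.byteOffset, entry.byteLength);
}

// What a reader that stores the fields in C `int` sees: 0xFFFFFFF0 becomes -16.
function readEntrySigned(entry) {
  const v = viewOf(entry);
  return { offset: v.getInt32(0), size: v.getInt32(4) };
}

// What the hardened reader sees: the same bytes as an unsigned 4294967280.
function readEntryUnsigned(entry) {
  const v = viewOf(entry);
  return { offset: v.getUint32(0), size: v.getUint32(4) };
}

// The flawed check, as it reads with signed operands: a negative size makes
// offset + size smaller than len, so the entry is accepted. In C the accepted
// size then reaches the copy/decompression routine as a size_t of about 4 GiB.
function chunkInBoundsNaive(len, offset, size) {
  return offset >= 0 && offset < len && offset + size <= len;
}

// Hardened check: unsigned fields, a hard cap on chunk size, and a subtraction
// that cannot wrap because offset < len has already been established.
const MAX_CHUNK = 1 << 16; // assumed upper bound for one decoded chunk
function chunkInBoundsSafe(len, offset, size) {
  if (!Number.isInteger(size) || size <= 0 || size > MAX_CHUNK) return false;
  if (!Number.isInteger(offset) || offset < 0 || offset >= len) return false;
  return size <= len - offset;
}

// Extract one chunk using the unsigned reader and the hardened check;
// returns null for any entry that does not fit inside the data.
function extractChunk(data, entry) {
  const { offset, size } = readEntryUnsigned(entry);
  if (!chunkInBoundsSafe(data.length, offset, size)) return null;
  return data.slice(offset, offset + size);
}

const badEntrySigned = readEntrySigned(BAD_ENTRY);
console.log('signed size:', badEntrySigned.size,
  'naive check accepts:', chunkInBoundsNaive(SAMPLE_DATA.length, badEntrySigned.offset, badEntrySigned.size));
console.log('safe extraction of bad entry:', extractChunk(SAMPLE_DATA, BAD_ENTRY));
console.log('safe extraction of good entry:', extractChunk(SAMPLE_DATA, GOOD_ENTRY));
```

The fix pattern is the same in any language: read length fields as unsigned, reject zero and anything above a sane cap before doing arithmetic with them, and compare against the remaining space (`len - offset`) rather than adding untrusted values together.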

In fact the bug is rather stale: the problem in libgd 2.1.1 was discovered a year ago, and HP Enterprise, Red Hat, Fedora and Debian patched it long ago. Now Juniper has caught up. Better late than never, of course.

Users of vulnerable devices (T-series and MX-series routers, plus four models of switches) are advised to update the software. Alternatively, disable the services that use PHP scripts, namely J-Web and XNM-SSL, and restrict access to the device's management interfaces with access lists (in any unclear situation, use access lists).

Antiquities


"Kuku-448"

A non-resident, very dangerous virus. It infects .COM files when an infected file is run, writing itself to their beginning. Depending on the time (with probability 1/8), it "kills" files. On launch, a "killed" file decodes itself and displays a large number of multi-coloured "Kuku!" messages on the screen, while the computer stops responding to the keyboard.

Quoted from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 73.

Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's just how it goes.

Source: https://habr.com/ru/post/335470/

