Categories
Current Events Security

DOGE’s government org chart page seems to be hacked

At the time of writing, if you go to this URL at the (incredibly unserious) DOGE.GOV site…

https://doge.gov/workforce?orgId=7cd300eb-cf3f-47f5-90f1-9e66a8bc8d07

…you’ll see this:

According to 404 Media:

The doge.gov website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media. One coder added at least two database entries that are visible on the live site and say “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro.”

Not only do the DOGEbags lack forensic accountants, it seems that they’re short on people with even the most basic cybersecurity chops.

Coverage at the time of writing

Categories
Humor Security

When you fail a company phishing email test

In all my years, I’ve failed it only once. But I’m certain that actually experiencing that failure ensured that the lesson would “stick.”

It happened a few years back. I was being diligent and getting all my tax stuff ready to send to my accountant in early February, around the time when my then-employer was sending employees their primary tax document, the dreaded Form W-2. (For those of you outside the U.S., it’s the wage and tax document provided by your employer; for example, the Canadian equivalent is the “T4 Slip”.)

I was doing a search through my company inbox to find the download location for my W-2 information, having forgotten that it was available through Workday. One of the search results was one of those phishing email tests, disguised to look like an official email with a link to my tax info. Since I was reading the email as search results and not as email, I was not in my usual email security mindset, clicked the link in the email, and boom:

I got the usual “Your manager will be notified and you’ll have to undergo mandatory security re-education” message afterward. Surprisingly, my manager never brought it up, and I was never scheduled for the “Don’t do it again, dumbass” remedial course, but believe me: I learned my lesson that day.

Categories
Humor Security

Obscurity DOES have a role in security

Thanks to Ewan Sinclair for the find!
Categories
Current Events Humor Security

“Tell Crowdstrike. I want them to know it was me.”

Thanks to Chris Laco for the find!

Categories
Presentations Security What I’m Up To

Video of my BSides Tampa 2024 presentation, “xz made EZ”

Here it is — the video of my presentation, xz made EZ, which covers the security incident involving the xz Utils compression utility on Unix-y systems, which I gave at BSides Tampa 2024 on April 6th:

If you’d like them, here are the Google slides from the presentation.

Questions and answers

How did I land this presentation?

The details of the xz vulnerability were made public mere days before the BSides Tampa 2024 cybersecurity conference, and on a whim, I emailed the organizers and asked if I could do a lightning talk on the topic.

They quickly got back to me and let me know that they’d had a last-minute speaker cancellation and gave me a full slot in which to do my presentation.

The moral of the story? It never hurts to ask, and it can lead to opportunities!

What’s this xz thing, anyway?

Let me answer with this slide from my presentation:

xz is short for xz Utils, a compression utility that you’ll find in Unix-y operating systems, including:

  • Linux distributions
  • macOS

It’s most often used by Unix greybeards in combination with tar, which is where the .tar.xz archives you see on download pages come from.

What happened with xz?

xz was one of those open source projects whose weakness is best illustrated by this xkcd comic (the one where all of modern digital infrastructure rests on a project thanklessly maintained by some random person in Nebraska):

xz was like the project in the comic, except that the “random person” doing the maintaining was Lasse Collin, a developer based in Finland who was experiencing burnout. As a result, xz was languishing.

In what appeared to be a stroke of good fortune, a developer who went by the handle of “Jia Tan” on GitHub came to the rescue and started submitting patches to xz.

At about the same time, there were a number of complaints about xz’s apparent lack of maintenance. In hindsight, it looks like a clever two-pronged campaign:

  1. A group of people loudly clamoring for someone else to take the reins of the xz project, and
  2. A friendly developer who swoops in at the right time, making patches to the xz project…

…all while a burned-out Lasse Collin was facing a lot of stress.

On November 30, 2022, Lasse changed the email address for xz bug reports to an alias that redirected to both his email address as well as Jia Tan’s. At that point, Jia Tan, the apparently helpful developer who appeared at just the right time, was now an official co-maintainer.

Not long after, Lasse released his last version of xz, and soon after that Jia Tan, now effectively the sole maintainer of the project, released their own.

With full control of the project, Jia Tan started making carefully disguised changes that planted a “back door” inside xz.

On any system that had Jia Tan’s tainted version of xz installed and whose SSH daemon loaded its liblzma library, an attacker holding the right private key could SSH into that system and run commands as root, without needing a valid account. By becoming the maintainer of a trusted component shipped by many Linux distributions, Jia Tan planted what could have been one of the most devastating supply-chain attacks ever.
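As an added example (this is not from the talk, the slides, or the xz project), here is a small POSIX shell triage script that answers the two questions a responder had to ask in April 2024: is the installed xz one of the two backdoored releases (5.6.0 and 5.6.1, tracked as CVE-2024-3094), and does sshd load liblzma, which is what made the payload reachable? The `xz --version` and `ldd` outputs below are constructed samples so the script runs offline; the live commands are shown in a comment.

```shell
#!/bin/sh
# Added example, not part of the original post or of xz Utils.
# Triage helpers for the xz Utils backdoor (CVE-2024-3094). The backdoored
# releases were 5.6.0 and 5.6.1; the payload only became reachable when sshd
# loaded a liblzma built from those releases (on most distributions, through
# the libsystemd dependency that sshd picked up via a distro patch).

# Return 0 (true) if the given "x.y.z" version is one of the backdoored releases.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output, e.g.
#   "xz (XZ Utils) 5.6.1" -> "5.6.1"
# Prints nothing if the first line does not look like xz's banner.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the given `ldd` output shows liblzma being loaded.
ldd_loads_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both checks: given `xz --version` output and the `ldd` output for
# sshd, print a verdict and return 0 only when the host looks exposed.
triage_host() {
    ver=$(xz_version_from_output "$1")
    if xz_is_affected "$ver" && ldd_loads_liblzma "$2"; then
        echo "EXPOSED: xz $ver installed and sshd loads liblzma"
        return 0
    fi
    echo "not exposed (xz ${ver:-unknown})"
    return 1
}

# Constructed sample outputs so the script can be run offline.
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd12345000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a00000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f19ffc00000)'

# Run against the constructed samples (prints the EXPOSED verdict).
triage_host "$SAMPLE_XZ" "$SAMPLE_LDD"

# Live use on a real host (not executed here):
#   triage_host "$(xz --version)" "$(ldd "$(command -v sshd)")"
```

Two caveats worth keeping in mind: a clean `xz --version` does not prove a clean liblzma if the library was installed separately from the command-line tool, and the `ldd` check only tells you the payload's delivery path existed, not whether the specific build was tainted. Distribution advisories and package signatures are the authoritative source for the latter.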

Categories
Conferences Security Tampa Bay

BSides Tampa 11: April 5 and 6 at USF!

It’s back! The 11th edition of BSides Tampa, Tampa Bay’s community-led cybersecurity conference, happens Saturday, April 6th at the Marshall Student Center at USF.

You’ll want to attend BSides if:

  • You work in cybersecurity, because your peers — some of whom you might not know — will be there.
  • You’re looking for a cybersecurity job. You’ll get to network with people in the field, and you’ll find the conference’s Career track helpful.
  • You’re curious about cybersecurity. What do cybersecurity people do? They test systems for vulnerabilities (go to the talks in the Offense / Red Team track), they protect systems from attackers (go to the talks in the Defense / Blue Team track), and they create processes to enhance security (go to the talks in the Governance track).
  • You’re into intelligence — human and artificial. There’s an AI / Defense track that covers these topics.
  • You want to learn. I can’t think of a BSides where I didn’t learn at least three important things.
  • You want to know what the Tampa security scene is like. Tampa has an underappreciated security scene, and you’ll get to see what it’s like at BSides Tampa!

Want to attend BSides? Register before April 6!

BSides Tampa is sponsored by the Tampa Bay chapter of (ISC)², which is clever and mathematically-correct shorthand for “International Information System Security Certification Consortium”. (ISC)² is a non-profit specializing in training and certifying information security professionals.

BSides gets its name from “b-side,” the alternate side of a vinyl or cassette single, where the a-side has the primary content and the b-side is the bonus or additional content.

Here’s the origin story: in 2009, the Black Hat conference in Las Vegas received more presentation submissions than it could accept. Many of the talks that weren’t accepted were still very good; there simply wasn’t enough room for them at Black Hat.

So those presenters banded together and ran their own conference alongside Black Hat, and that event is where BSides comes from.

BSides conferences are community events, and unlike a lot of tech conferences, they’re inexpensive. BSides Tampa 2024 costs $45 to attend — the same price as last year — and that gets you:

  • Access to all conference tracks
  • Access to Discord server
  • Access to the exhibition area, villages, and sponsorship area
  • BSides Tampa 2024 t-shirt
  • BSides Tampa 2024 badge
  • Admission to the happy hour after the conference

There are a lot of tracks at BSides Tampa 2024:

  1. Main track
  2. Offense / Red team
  3. Defense / Blue team
  4. AI / Defense / Other
  5. Governance
  6. CISO track
  7. Career track

Want to attend BSides? Register before April 6!

Want to get a feel for what BSides Tampa is like?

Here’s my writeup of last year’s BSides Tampa.

Categories
Conferences Security Tampa Bay What I’m Up To

Scenes from CyberX Tampa Bay 2023 (Tuesday, October 24, 2023)

Last year’s CyberX Tampa Bay event was a big hit, and it was only natural that there’d be another one this year. Like the first one, this year’s event was packed.

The moment I walked into the venue, I saw so many people and had so many conversations that I never got the chance to take pictures until the start of the “welcome” session in the large room:

A packed main room at CyberX Tampa Bay, with every seat full and lots of people standing.

Suzanne Ricci, Computer Coach’s CEO and one of the event co-organizers, welcomed the gathered throng to CyberX…

Suzanne Ricci at the front of the main room at CyberX Tampa Bay, delivering an opening speech.

…after which we had the choice of two breakout sessions:

  1. Chronicles of an Entry-level Cybersecurity Professional
  2. The Wheel of Misfortune
Banner for CyberX Tampa Bay 2023’s “Wheel of Misfortune,” featuring headshots of Jason Allen and Jonas Kelley.

I went to the Wheel of Misfortune, where audience members got the chance to answer cybersecurity questions for Google swag. Anyone in the audience could volunteer to come up to the front, spin the wheel of topics and answer a question based on that topic.

A contestant spins the multi-colored Wheel of Misfortune and Jason Allen and Jonas Kelley look on.

Hosts Jason Allen and Jonas Kelley were pretty relaxed about audience assistance. At one point, I yelled out the acronym for remembering the 7 layers of the OSI network model — “Please Do Not Take Sausage Pizza Away!” — and no one was penalized.

The front of the “Wheel of Misfortune” room. Every seat is taken.

The room, where every seat and available spot to stand was occupied, was lively, with people enjoying themselves. The audience participation, aided by two engaging hosts, kept the room lively until the very end.

The back of the “Wheel of Misfortune” room. Every seat is taken, and people at the back are standing.

It was then time to recognize CyberX Tampa Bay’s 2023 honoree — someone nominated by attendees as being the person who made the biggest positive impact on Tampa Bay’s cybersecurity scene. This year’s honoree was Jeremy Rasmussen!

A packed main room watching Jeremy Rasmussen being honored.

And to close the evening, there was the keynote panel on cybersecurity myths. It featured…

Banner for the 2023 CyberX Tampa Bay keynote panelists, featuring headshots of Courtney Jackson, Mark Keller, Ryan Williams, Joey de Villa, Ebony Pierce, and Bryson Bort.
The keynote panel: Courtney Jackson, Mark Keller, Ryan Williams, Joey de Villa, Ebony Pierce, and Bryson Bort.
Photo by Kasandra Perez.

(pictured above, from left to right…)

  1. Courtney Jackson
  2. Mark Keller
  3. Ryan Williams
  4. Yours Truly, Joey de Villa
  5. Ebony Pierce
  6. Bryson Bort
The keynote panel, viewed from the side: Courtney Jackson, Mark Keller, Ryan Williams, Joey de Villa, Ebony Pierce, and Bryson Bort.

We covered these myths:

  • Mark: “Cybersecurity is an IT problem.”
  • Ryan: “You don’t have transferable skills.”
  • Me: “Compliance and security are the same thing,” complete with a reference to this scene from the original Jackass movie.
  • Ebony: “Cybersecurity threats are only an external issue.”
  • Mark: “Macs are more secure than PCs.”
  • Ryan: “We passed the compliance assessment so we can rest on our laurels.”
  • Me: “I’m too small to be a target,” with a story about (ahem) borrowing cable from the bar next door.
  • Ebony: “Cybersecurity threats require careful planning and really smart people.”
  • Bryson: “Security Awareness training works.”
Banner featuring the 2023 CyberX Tampa Bay organizers: Ashley Putnam, Kasandra Perez, Courtney Jackson, and Suzanne Ricci.

This amazing event wouldn’t have been possible without the organizers…

…or without the sponsors: