Monday, March 29, 2021

PHP Backdoors - the official PHP Git repository suffers software supply chain attack

From PHP's Git server hacked to add backdoors to PHP source code (bleepingcomputer.com)

In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with.

Yesterday, two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server.

The threat actors had signed off on these commits as if these were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov.

Open source has serious trust issues.
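Why the forged sign-off was trivial, as an added example that is not part of the article or of PHP's repository: the author and committer fields of a Git commit are plain strings set by whoever makes the commit, and only a signature checked against a trusted key ties a commit to a person. The script below needs a git binary on PATH; the name and address it commits under are placeholders, not a real maintainer.

```python
import os
import subprocess
import tempfile


def _git(repo, *args, extra_env=None):
    """Run git inside `repo` with the user's and system's gitconfig kept out."""
    env = {
        "PATH": os.environ.get("PATH", ""),
        "HOME": repo,               # no ~/.gitconfig (e.g. commit.gpgsign) leaks in
        "GIT_CONFIG_NOSYSTEM": "1",
    }
    if extra_env:
        env.update(extra_env)
    return subprocess.run(["git", "-C", repo, *args], env=env,
                          capture_output=True, text=True, check=False)


def forge_commit(claimed_name, claimed_email):
    """Commit in a throwaway repo under an identity we do not own, then report
    what git log shows for it and whether git can verify a signature on it."""
    with tempfile.TemporaryDirectory() as repo:
        _git(repo, "init", "-q").check_returncode()
        with open(os.path.join(repo, "README"), "w") as fh:
            fh.write("harmless-looking change\n")
        _git(repo, "add", "README").check_returncode()

        # Author and committer are taken from these variables (or user.name /
        # user.email); nothing checks that we are who they say we are.
        identity = {
            "GIT_AUTHOR_NAME": claimed_name,
            "GIT_AUTHOR_EMAIL": claimed_email,
            "GIT_COMMITTER_NAME": claimed_name,
            "GIT_COMMITTER_EMAIL": claimed_email,
        }
        _git(repo, "commit", "-q", "-m", "Fix typo", extra_env=identity).check_returncode()

        displayed = _git(repo, "log", "-1", "--format=%an <%ae>").stdout.strip()
        # verify-commit exits non-zero unless the commit carries a signature
        # that checks out against a trusted key; this commit has no signature.
        verified = _git(repo, "verify-commit", "HEAD").returncode == 0
        return {"displayed_author": displayed, "signature_verified": verified}


if __name__ == "__main__":
    # Placeholder identity, not a real maintainer.
    print(forge_commit("Well-Known Maintainer", "maintainer@example.org"))
```

The log shows exactly the name we typed, and `git verify-commit` is the only call that says anything about who really made the commit. Requiring verified signatures on the server side (a pre-receive hook or branch protection rule) is the counterpart of this check.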


Friday, March 26, 2021

C# .NET - How to get the proper length of a Unicode string

That's Italian for ruler 

Here's how to get the proper length of a Unicode string, which is not the same as the standard string length: String.Length counts UTF-16 code units, so characters outside the Basic Multilingual Plane (emoji, many CJK ideographs) count as two. A length limit enforced with String.Length, or a Substring() at that index, can therefore reject or cut input differently from what the user sees.

A couple of ways of counting text elements are shown, with rough timings.



Source Code
using System;
using System.Globalization;
using System.Diagnostics;

public class Program
{
    public static void Main()
    {
        // (Translated from the original Japanese comment:) check whether the text
        // is 140 characters or less; if it is over, behave according to the config.
        //
        // "🎶🔥é-" has a String.Length of 6 but only 4 user-visible characters.
        // String.Length counts UTF-16 code units: 🎶 and 🔥 are supplementary
        // characters (code points above U+FFFF) stored as surrogate pairs, two
        // code units each. A limit enforced with String.Length, or a Substring()
        // at a code-unit index (the technique most examples online use), can
        // therefore cut a character in half and leave a lone surrogate behind.

        string s = "𠇰😈🎶🔥é-";
        string s2 = "𠇰😈🎶🔥é-"; // same text; kept separate so the StringInfo timing does not reuse s
        Stopwatch sw = new Stopwatch();

        // 1. String.Length: UTF-16 code units, not characters.
        sw.Start();
        int typicalen = s.Length;
        sw.Stop();
        Console.WriteLine("Normal String {0} len = {1} in {2} ticks.", s, typicalen, sw.ElapsedTicks.ToString("N0"));

        // Warm up StringInfo once so the first timed use below does not include
        // JIT and globalization start-up. Results vary if this is moved.
        StringInfo stringInfoThrowAway = new StringInfo("Preload this function");

        // 2. StringInfo.LengthInTextElements: counts text elements, i.e. what a
        //    user perceives as one character (a surrogate pair, or a base
        //    character plus its combining marks, is one element).
        sw.Reset();
        sw.Start();
        StringInfo stringInfo = new StringInfo(s2);
        int stringInfoLength = stringInfo.LengthInTextElements;
        sw.Stop();
        Console.WriteLine("new StringInfo {0} len = {1} in {2} ticks.", s, stringInfoLength, sw.ElapsedTicks.ToString("N0"));

        // 3. StringInfo.ParseCombiningCharacters: returns the start index of
        //    each text element, so the array length is the element count.
        sw.Reset();
        sw.Start();
        int[] textElemIndex = StringInfo.ParseCombiningCharacters(s);
        int tEILength = textElemIndex.Length;
        sw.Stop();
        Console.WriteLine("ParseCombiningCharacters String {0} len = {1} in {2} ticks.", s, tEILength, sw.ElapsedTicks.ToString("N0"));

        // 4. Walk the text elements with GetTextElementEnumerator and count them.
        sw.Reset();
        sw.Start();
        TextElementEnumerator charEnum = StringInfo.GetTextElementEnumerator(s);
        int i = 0;
        while (charEnum.MoveNext())
        {
            i++;
        }
        sw.Stop();
        Console.WriteLine("GetTextElementEnumerator String {0} len = {1} in {2} ticks.", s, i, sw.ElapsedTicks.ToString("N0"));

        // 5. ToCharArray: one char per UTF-16 code unit, so this is the same
        //    over-count as String.Length.
        sw.Reset();
        sw.Start();
        char[] charsInString = s.ToCharArray();
        int charLength = charsInString.Length;
        sw.Stop();
        Console.WriteLine("ToCharArray {0} len = {1} in {2} ticks.", s, charLength, sw.ElapsedTicks.ToString("N0"));
    }
}
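The same counting mistake from the validation side, as an added Python example that is not part of the original post: Python's len() counts code points rather than UTF-16 units, so the number moves but the gap to what the user sees stays, and a limit has to be enforced in the unit the backend actually uses without cutting inside a surrogate pair or a combining sequence. The sample string is constructed for this example (a CJK Extension B ideograph, three emoji, é and a hyphen, the same shape as the C# string), and the text-element splitter is a simplification of full grapheme-cluster segmentation.

```python
import unicodedata

# Constructed sample: a CJK Extension B ideograph, three emoji, a precomposed é
# and a hyphen; the same shape as the string in the C# program above.
SAMPLE = "\U00020000\U0001F608\U0001F3B6\U0001F525\u00e9-"
# The same text with é decomposed into e + COMBINING ACUTE ACCENT.
SAMPLE_NFD = unicodedata.normalize("NFD", SAMPLE)


def utf16_units(s):
    """What String.Length reports in .NET (and .length in JavaScript/Java)."""
    return len(s.encode("utf-16-le")) // 2


def code_points(s):
    """What len() reports in Python 3."""
    return len(s)


def _extends_cluster(s, j):
    """True if s[j] belongs to the same user-perceived character as s[j-1]."""
    ch = s[j]
    cp = ord(ch)
    if unicodedata.category(ch).startswith("M"):            # combining marks
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors
        return True
    if 0x1F3FB <= cp <= 0x1F3FF:                            # emoji skin-tone modifiers
        return True
    return cp == 0x200D or s[j - 1] == "\u200d"             # ZWJ sequences


def text_elements(s):
    """Split into user-perceived characters: a base code point plus anything
    that extends it. A simplification of the Unicode grapheme-cluster rules,
    comparable to what StringInfo counts in .NET."""
    clusters = []
    i = 0
    while i < len(s):
        j = i + 1
        while j < len(s) and _extends_cluster(s, j):
            j += 1
        clusters.append(s[i:j])
        i = j
    return clusters


def naive_utf16_truncate(s, max_units):
    """What Substring(0, max_units) does on a UTF-16 string: it can cut a
    surrogate pair in half, leaving a lone surrogate (shown here as U+FFFD)."""
    return s.encode("utf-16-le")[: 2 * max_units].decode("utf-16-le", errors="replace")


def truncate_to_units(s, max_units):
    """Keep whole text elements only, as many as fit in max_units UTF-16 units,
    the unit a .NET backend's length check actually enforces."""
    kept, used = [], 0
    for cluster in text_elements(s):
        n = utf16_units(cluster)
        if used + n > max_units:
            break
        kept.append(cluster)
        used += n
    return "".join(kept)
```

Note that the decomposed form has one more code point but the same number of text elements; a limit counted in code points or code units treats the two spellings of the same word differently, which is why length checks and normalization belong together.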

Thursday, March 25, 2021

Amazon Phishing Email with subject RE: Noreply_Notification: [Service Billing Notification] [Review Your Orders]: Your billing information did not match with the card on file. Invoice Transaction Number

For the record, this is an Amazon phishing email attempt that is currently going around, with the subject "RE: Noreply_Notification: [Service Billing Notification] [Review Your Orders]: Your billing information did not match with the card on file. Wednesday, xx March 2021 - Invoice Transaction Number".

What to do? Report it; see the bottom of this post.


From : Amazon Service <xxxxx@thillconsinc.onmicrosoft.com>
Subject : 
RE: No reply_Notification: [Service Billing Notification] [Review Your Orders]: Your billing information did not match with the card on file. Wednesday, xx March 2021 - Invoice Transaction Number


Message from customer service

PHISHING LINKS:

1. https://l.wl.co/l?u=https://gopagesan-tibo.tant.c3hn0d.com/xxxxxx

How to tell this is a Phishing email ?

  1. Check the full email address; if it is not from the originating company's own domain, it is phishing.
  2. Hover over every link in the email; if it does not point at the company's website, forget it.
  3. The best way is to 

How to examine Email Message Source ?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow at top right)->Show original.
Check for suspicious links: anything that does not originate from amazon.com.
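The two checks above (sender domain, link destinations) run over the message source automatically, as an added example that is not part of the original post. The message is constructed to mirror the sample above: a sender on an onmicrosoft.com tenant claiming to be Amazon, and a link wrapped in a l.wl.co redirector whose real target is on c3hn0d.com, plus one genuine-looking amazon.com link for contrast. Domain handling is simplified to the last two DNS labels, which is enough here but wrong for names like example.co.uk.

```python
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample message; headers and the first link mirror the ones quoted above.
RAW_MESSAGE = b"""From: Amazon Service <xxxxx@thillconsinc.onmicrosoft.com>
To: victim@example.net
Subject: RE: Noreply_Notification: [Service Billing Notification] [Review Your Orders]
Content-Type: text/html; charset=utf-8

<html><body>
<p>Message from customer service</p>
<p><a href="https://l.wl.co/l?u=https://gopagesan-tibo.tant.c3hn0d.com/xxxxxx">Review Your Orders</a></p>
<p><a href="https://www.amazon.com/">Amazon.com</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags, the way hovering each link would."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def unwrap_redirect(url):
    """Resolve one level of a 'u=<target>' style redirector offline (the
    l.wl.co/l?u=... pattern in the post); other URLs come back unchanged."""
    for target in parse_qs(urlsplit(url).query).get("u", []):
        if target.startswith(("http://", "https://")):
            return target
    return url


def registrable_domain(host):
    """Simplified: the last two DNS labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw_message, brand_domain):
    """Check the sender's domain and every link's landing domain against the brand."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)

    collector = _LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())

    links = []
    for href in collector.links:
        landing = urlsplit(unwrap_redirect(href)).hostname or ""
        links.append({
            "href": href,
            "lands_on": landing,
            "ok": registrable_domain(landing) == brand_domain,
        })

    findings = []
    if sender_domain != brand_domain:
        findings.append(f'"{sender.display_name}" sent from {sender_domain}, not {brand_domain}')
    findings += [f"link lands on {link['lands_on']}" for link in links if not link["ok"]]
    return {
        "sender_domain": sender_domain,
        "links": links,
        "findings": findings,
        "verdict": "phishing" if findings else "no indicators found",
    }


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE, "amazon.com")["findings"]:
        print(finding)
```

The display name "Amazon Service" is ignored on purpose: it is free text, and only the address domain and where the links actually land carry any information.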


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take further 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Monday, March 15, 2021

Blogger - How to add a URL to your own website in Blogger Attribution

If you are concerned with SEO for your Blogger site, you may have noticed that if you include a Profile widget, the profile info gets listed on Google.com as the summary rather than the post content. Not a happy result. So I had to pull the profile down and replace it with a redirection to my profile on my website.

Blogger Attribution, although not obvious, does accept HTML code, so you can redirect to your website for more information. See the image below.

Sunday, March 14, 2021

Tuesday, March 9, 2021

An alternative Blogger Editor to edit your posts

Sometimes when you are editing HTML in Blogger you run across errors that turn an HTML tag red, with no indication of why. For long pages or posts this is very hard to track down.

Wouldn't it be great to test the HTML in an external editor first? Now you can: HTMLLint - The HTML Validator and Formatter (html-lint.com) uses the same HTML validation engine as Blogger's editor.

So now you can test your HTML, and if you can't locate the error, cut it into smaller parts and paste those into the editor.



If you can't understand the error, sometimes it helps to reduce the noise and duplicate tags, which you can do with HTML Tidy.

The command line version is well known, and it is also available online at HTML Tidy - Online Markup Corrector.


This generates the following reduced HTML. 

<blockquote>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxrUpnkHyJjAuZSQUywKNesmgwIJ7UIJwKsChZkG2NApkQazCpghvPFByagXhjm6j-tePHfcc30UfCd5PlEHyUXvarVXwSKLZylEn50J0e2Ww1Bl3VYrSFTB1utn0bClxMagSFuBre0k4m/s450/WorldWideFirstWreath.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxrUpnkHyJjAuZSQUywKNesmgwIJ7UIJwKsChZkG2NApkQazCpghvPFByagXhjm6j-tePHfcc30UfCd5PlEHyUXvarVXwSKLZylEn50J0e2Ww1Bl3VYrSFTB1utn0bClxMagSFuBre0k4m/s320/WorldWideFirstWreath.png" width="320" border="0" data-original-height="410" data-original-width="450" /></a></p>
</blockquote>



Here's the original HTML that causes errors in the Blogger Editor.

<blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;">
    <p dir="ltr" style="text-align: left;" trbidi="on">
        <p class="separator" style="clear: both; text-align: center;">
            <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxrUpnkHyJjAuZSQUywKNesmgwIJ7UIJwKsChZkG2NApkQazCpghvPFByagXhjm6j-tePHfcc30UfCd5PlEHyUXvarVXwSKLZylEn50J0e2Ww1Bl3VYrSFTB1utn0bClxMagSFuBre0k4m/s450/WorldWideFirstWreath.png" 
               style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;">
              <img border="0" data-original-height="410" data-original-width="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxrUpnkHyJjAuZSQUywKNesmgwIJ7UIJwKsChZkG2NApkQazCpghvPFByagXhjm6j-tePHfcc30UfCd5PlEHyUXvarVXwSKLZylEn50J0e2Ww1Bl3VYrSFTB1utn0bClxMagSFuBre0k4m/s320/WorldWideFirstWreath.png" width="320">
            </a>
        </p>
    </p>
</blockquote>

Monday, March 8, 2021

Validating Blogger HTML in outside online editor


Sunday, March 7, 2021

Python Poison - Python open source library gets hit with backdoors and malware


From Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules

The ease with which trusting users download and install new Python (and Node.js, and Ruby, etc.) components has led to a range of cybercriminal attacks against package managers.

Crooks sometimes Trojanise the repository of a legitimate project, typically by guessing or cracking the password of a package owner’s account, or by helpfully but dishonestly offering to “assist” with a project that the original owner no longer has time to look after.

Once the fake version is uploaded to the genuine repository, users of the now-hacked package automatically get infected as soon as they update to the new version, which works just as it did before, except that it includes hidden malware for the crooks to exploit.

Another trick involves creating Trojanised public versions of private packages that the attacker knows are used internally by a software company.

The public version of the package is given a higher version number than the internal version, and if the company hasn’t secured its auto-updating processes correctly, the attacker may be able to trick a company’s whole development team, or even the organisation’s official software build system, into updating private code from an untrusted (and malicious) external source.

Cybersecurity researcher Alex Birsan famously made well over $100,000 in bug bounties recently by feeding external versions of supposedly internal software packages into dozens of IT giants including Apple, PayPal, Microsoft and Shopify.

This sort of trick is known as a supply chain attack, for obvious reasons.
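The mechanism described above, modelled as an added Python example that is not from the article or from any package it mentions. Given the versions a company's private index serves and what the public index serves under the same names, it reports which installs a resolver that merges both indexes would fetch from the public copy, flags the pip setting that makes that merge happen, and lists requirements that are not pinned with a hash. Package names, versions, index contents, config fragments and hashes are constructed for the example; pip's behaviour with extra-index-url (no priority between indexes, best version wins) is real.

```python
import configparser
import re

# Constructed: versions the private index serves for the company's own packages.
PRIVATE_INDEX = {"acme-billing": "2.3.1", "acme-auth": "1.0.4"}
# Constructed: what an attacker uploaded to the public index under the same names.
PUBLIC_INDEX = {"acme-billing": "99.0.0", "acme-auth": "0.9.0"}


def parse_version(text):
    """Simplified PEP 440: dotted integers only (no pre-release or local tags)."""
    return tuple(int(part) for part in text.split("."))


def hijacked_packages(private, public):
    """Packages a resolver that pools both indexes and takes the highest version
    would install from the public index instead of the private one."""
    result = []
    for name, private_version in private.items():
        public_version = public.get(name)
        if public_version is None:
            continue  # the name is not squatted on the public index
        if parse_version(public_version) > parse_version(private_version):
            result.append({"name": name, "private": private_version, "public": public_version})
    return result


# Constructed pip.conf fragments: the first pools the two indexes with no
# priority between them, which is exactly what the trick above relies on.
UNSAFE_PIP_CONF = """[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""
SAFE_PIP_CONF = """[global]
index-url = https://pypi.internal.example/simple
"""


def pip_config_findings(conf_text):
    """Flag extra-index-url: pip treats all listed indexes as one pool and
    picks the best version across them, so a squatted public name wins."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    findings = []
    if cfg.has_option("global", "extra-index-url"):
        findings.append("extra-index-url pools indexes by version; serve a single "
                        "index-url (a proxy that reserves the private names) instead")
    return findings


# Constructed requirements file; the hashes are placeholders, not real digests.
REQUIREMENTS = """
acme-billing==2.3.1 --hash=sha256:{0}
acme-auth>=1.0
requests==2.25.1 --hash=sha256:{1}
""".format("0" * 64, "1" * 64)


def unpinned_requirements(text):
    """Names not pinned to an exact version with a hash. With
    'pip install --require-hashes' every line must be, so a swapped index
    cannot substitute a different artifact without the install failing."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
        if "==" not in line or "--hash=" not in line:
            names.append(name)
    return names


if __name__ == "__main__":
    print(hijacked_packages(PRIVATE_INDEX, PUBLIC_INDEX))
    print(pip_config_findings(UNSAFE_PIP_CONF))
    print(unpinned_requirements(REQUIREMENTS))
```

acme-auth is not hijacked in this data only because the squatted copy has a lower version; nothing stops the attacker from uploading 99.0.0 tomorrow, which is why the fix is the index configuration and hash pinning, not the version numbers.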

Opinion: 

This is the same attack that happened to Microsoft with SolarWinds. It's staining all open source projects.

Note: This report describes what was found, but it calls into question all the minor backdoors that might still be there and/or introduced at any time.

Who's going to check all these libs for security? Open source usually means built by unpaid enthusiastic newbies with a lot of spare time, not experts. What should happen is that top talented security firms are hired to examine these libs. So far there are only one-off reviews for bragging rights. Who's going to pay for security reviews? This means you have to personally review every open source library for security before using it.

Therefore I say, open source is dead.


Friday, March 5, 2021

.NET Conf 2021 - Focus on Windows Desktop Development Videos now available

.NET Conf videos now available: .NET Conf: Focus on Windows - YouTube

.NET Conf 2021: Focus on Windows is a free, one-day livestream event that features speakers from the community and Microsoft teams working on Windows desktop apps and making them fantastic on the latest .NET 5.