Hello, welcome to the Thursday, April 8, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today I wrote a quick post about how Wi-Fi IDss are affected by recent changes in Android and iOS that are randomizing Mac addresses.

And I used Enzyme, which is an open source Wi-Fi IDS that I kind of like for its neat

sort of dashboard and such it presents to show some of the problems that are coming up. As these devices

are creating these random Mac addresses, and that of course then triggers some false positives

if you're trying to track legit or not legit devices in your environment. And remember, it was about a week or so ago that the

PHP Git repository was compromised and the attacker added a couple of malicious commits that

intended to inject a backdoor into the Git source code. At the time,

the assumption was that this particular server that housed git.php.net was compromised. The repository

was moved to GitHub in order to essentially just move away from this possible, vulnerable and compromised server.

But as so often, well, it looks like whatever you find out in the first 24 hours is often wrong.

We now have an update from Nikita at php.net with additional details.

They no longer think that the server was compromised.

They actually now have some evidence that the attacker did manage to log in using the administrator's username and password.

This was initially not clear that it's even possible

because commits were supposed to use ZH,

but apparently there is still an HTTP path open

in order to send commits and that apparently was used by the attacker.

Now what's a little bit odd here is that the attacker used a couple of attempts in order to log in.

Now Nikita here writes that they believe that a database that they call master.p.net was compromised because this ran on a very old system,

apparently not even supporting TLS 1.2. But if an attacker has access to the password database,

...