Security Bits – HP Keylogger, Mailsploit

Security Medium 1 — HP’s Accidental Keylogger

Some HP laptops shipped with a keyboard driver from Synaptics in which a developer debugging feature was accidentally left enabled. The effect of this mistake is that the driver has built-in support for logging all keystrokes via WPP (a debugging tool that’s built into Windows).

This sounds bad, really bad, but thankfully it’s not actually as bad as it sounds.

The driver did not log keystrokes by default, it merely has the ability to do so. To enable the ‘feature’ (for want of a better word), you need to set a registry key, and only users with administrator access can do that. If you have administrator access, you have the power to install a keyboard logger anyway, so all this does is give malicious admins, (or malware that gets admin access) another alternative to do something they already had the power to do anyway.

It’s important to note that there’s absolutely no evidence of malice of any kind here. This really does look like a simply case of human error. IMO, Hanlon’s Razor applies.

The security researcher who found this issue reported it to HP responsibly, and HP have released driver updates for affected models.

While owners of affected laptops shouldn’t set their proverbial hair on fire, it’s definitely not a good thing to have a pre-installed keylogger on your laptop, so definitely do update your drivers if you own an affected laptop!

Links

• HP’s support article with links to the updated drivers — support.hp.com/…
• HP leaves accidental keylogger in laptop keyboard driver — nakedsecurity.sophos.com/…

Security Medium 2 — MailSploit

This isn’t so much a single bug as a collection of similar bugs relating to the same spec.

The Simple Mail Transfer Protocol (SMTP) is the protocol used to transport our emails around the world. SMTP is old, very old — in fact, it dates back to 1982, which is 7 years before Tim Berners Lee invented the world wide web.

Because SMTP is old, the spec only allows for the use of ASCII characters in the from mail header. That’s a problem, because lots of people have names that contain non-ASCII characters (Irish names like Gráinne, German surnames like Müller, etc.). To square that circle, an encoding scheme was developed to allow non-ASCII characters to be represented with ASCII strings. This scheme goes by the highly forgettable moniker RFC–1342, and was released way back in 1992. For example, you can use RFC–1342 to encode Gráinne as Gr=C3=A1inne, and Müller as M=C3=BCller.

You might imagine that a specification so old would be well implemented by now, but that’s where you’d be wrong. What security researchers discovered is that lots of mail apps and web mail services have code that does a really bad job of processing RFC–1342-encoded mail headers. The mistakes, and their consequences, vary from app to app and from webmail service to webmail service, but in general, the most common problem is from-address spoofing leading to spam filter bypasses, but in a few cases, the result is cross site scripting or arbitrary code execution.

Sabri Haddouche, the security researcher behind this work, is maintaining a Google Docs spreadsheet outlining the current status of a whole load of common mail clients and webmail services — docs.google.com/…

Thankfully, for most people the only effect here will be spam filter bypasses, and they’ll get fixed over time with server and software updates. To figure out how you’re affected, check the Google doc for your mail software, and/or webmail provider. Even if there’s no patch yet, if you’re only affected by spoofing, don’t panic, it’s not ideal, but it’s not a calamity.

Links

• The bug’s home page (because that’s a thing these days) — www.mailsploit.com/…
• Mailsploit: using emails to attack mail software — nakedsecurity.sophos.com/…
• Online RFC–1342 encoder & decoder — www.webatic.com/…

Notable Security Updates

• December’s Patch Tuesday has been and gone with critical security updates for Windows, Edge, Office, Exchange, and Flash — krebsonsecurity.com/…
• Apple surprises everyone with updated firmware for their apparently abandoned Airport line of routers. The update includes a fix for the KRACK WiFi vulnerability — tidbits.com/… & www.macobserver.com/…
• As promised, Apple released iOS & tvOS updates to address the HomeKit vulnerability we talked about in the previous Security Bits — tidbits.com/… & www.intego.com/…
• Google have released their December Android update — nakedsecurity.sophos.com/…

Notable News

• 🇺🇸 As expected, the FCC have voted to effectively end net neutrality — nakedsecurity.sophos.com/…
• FCC Chairman Ajit Pai explains what you can still do after net neutrality is gone – in the most insulting video Allison has ever seen – youtube.com/…
  • A clear, simple, and understandable explanation of the back-story behind this controversial decision from the people behind the NPR Planet Money podcast — www.npr.org/…
  • An interactive map showing how many broadband providers are available at each US address — www.mapbox.com/…
• 🇫🇷 France’s government privacy watch dog CNIL has ordered that sharing of WhatsApp data with Facebook stop, and the company has been given one month to comply before fines start being levied — www.bloomberg.com/… & nakedsecurity.sophos.com/…

Suggested Reading

• PSAs, Tips & Advice
  • ⭐️ Buyers Beware of Tampered Gift Cards — krebsonsecurity.com/…
  • Apple Security: Touch ID vs. Face ID — www.intego.com/…
  • 10 things about website code everyone should know — www.imore.com/…
  • 15 Terminal commands that every Mac user should know — www.imore.com/…
  • Missed Hour of Code? Learn to program with these helpful guides! — www.imore.com/…
• Notable Breaches & Privacy Violations
  • Hacked Password Database Found to Contain 1.4 Billion Credentials — www.macobserver.com/…
• News
  • 🇺🇸 American Express is getting rid of signatures for credit card purchases — www.theverge.com/…
  • A bad few weeks for Uber:
    • Massive Uber data scraping and secret servers exposed in Waymo suit — nakedsecurity.sophos.com/…
    • DOJ confirms Uber is under criminal investigation — nakedsecurity.sophos.com/…
  • Spies are watching… on LinkedIn — nakedsecurity.sophos.com/…
  • Mirai IoT Botnet Co-Authors Plead Guilty — krebsonsecurity.com/…
• Opinion & Analysis
  • ⭐️ The Market for Stolen Account Credentials — krebsonsecurity.com/… (recommended by Allison)
  • ⭐️ Are VPN app developers selling your personal information to the highest bidder? — www.imore.com/…
  • Former Facebook exec says social media is ripping apart society — www.theverge.com/…
• Propellor Beanie Teritory
  • Details emerge on recently-fixed HomeKit vulnerability — www.imore.com/…
  • iOS jailbreak exploit published by Google — nakedsecurity.sophos.com/… & Google just released a tool that helps security researchers hack iPhones — www.imore.com/…
  • Simple research tool detects 19 unknown data breaches — nakedsecurity.sophos.com/…
  • Microsoft Word slams the door on DDEAUTO malware attacks — nakedsecurity.sophos.com/…
  • GPS is off so you can’t be tracked, right? Wrong — nakedsecurity.sophos.com/…

Palate Cleansers — Bumper Christmas Edition

• 🎧The New York Public Library Podcast : Neil Gaiman Reads “A Christmas Carol” (Rebroadcast) — newyorkpubliclibrary.libsyn.com/…
• 🎞 How Encryption Keys Work – with Chris Bishop — www.youtube.com/… (suggested by Allison)
• 🎞 How Do Machines Learn? — www.cgpgrey.com/…