Security Bits – SESTA/FOSTA, CLOUD Act, Apple’s HSTS Clever Fix

Security Medium 1 — 🇺🇸 SESTA/FOSTA & CLOUD

In the past two weeks US legislators have been busy regulating the internet, managing to pass two rather controversial bills with little or no debate and without much public scrutiny.

What these bills have in common is that they appear to be well intentioned and to address real problems, but both are being strongly criticised by public interest groups like the ACLU and the EFF.

The CLOUD Act

On March 23rd the CLOUD (Clarifying Lawful Overseas Use of Data) Act was signed into law. Not as a standalone bill after a robust debate, but as an addendum to a must-pass-or-the-government-shuts-down spending bill.

This is how Microsoft’s lead lawyer summarised the bill’s aims:

[The CLOUD Act] creates a modern legal framework for how law enforcement agencies can access data across borders

What that means is that the act does two things. First, it makes explicit that a US provider served with a warrant must hand over data in its possession, custody or control regardless of which country that data happens to be stored in. Second, it provides a mechanism for the US government to enter into agreements with foreign governments (that meet some loosely defined standards when it comes to civil liberties) which allow American law enforcement to access data stored in those countries, and law enforcement agencies from those countries to request data held by US providers directly, bypassing the slow mutual legal assistance treaty (MLAT) process.

Some sort of international mechanism for cooperation between law enforcement agencies is clearly needed, so the well reasoned criticisms I’ve read are not of the intent, but of the implementation. Basically: not enough safeguards, too much discretion for the US DOJ, and potential breaches of the 4th Amendment to the US Constitution.

A factor which could affect the future of this law is the Microsoft -v- DOJ case about data stored in Ireland that’s currently before the Supreme Court. When the court rules, the ruling could interact with this law, but we can’t know if or how until it is released some time within the next few months.

Something you may find surprising is that many large US tech companies, including Apple & Microsoft, are in favour of the CLOUD Act. The best explanation of this I’ve heard is that it boils down to “it could be so much worse, let’s accept this while it’s on offer”.

Links
  • The EFF’s criticisms of the law — www.eff.org/…
  • A superb article from Rene Ritchie summarising the act, the criticisms of it, the tech industry’s position on it, and the act’s impact on Apple and Apple users — www.imore.com/…

FOSTA/SESTA

Also on March 21st, the US Senate passed FOSTA (the Allow States and Victims to Fight Online Sex Trafficking Act). The bill the Senate passed is the House of Representatives’ FOSTA, which the House had already amended to fold in the Senate’s own SESTA (Stop Enabling Sex Traffickers Act), hence the combined law being referred to as SESTA/FOSTA. As I write this on the 30th of March 2018 the bill is not yet law: it has passed both houses of Congress, but it hasn’t been signed into law by the President yet. Since this is a bipartisan bill that’s almost certainly just a formality at this stage.

In this case it’s even more obvious that this is very well intentioned legislation — who could be in favour of sex trafficking? But again, the criticism is of the execution of that good idea. The argument being made is that this law will actually have the opposite effect, making things worse for the victims of sex trafficking.

The controversy centres on the fact that the law re-balances the so-called safe-harbour provisions for platform providers (Section 230 of the Communications Decency Act), removing much of their protection, and hence pushing them to shut down legitimate discussion and speech out of fear of being held liable for unknowingly facilitating sex trafficking in any way.

Like I said, this isn’t even law yet, but it’s already having an impact, with tech companies like Reddit and Craigslist already proactively censoring their users.

Security Medium 2 — Apple Implements Clever Fix for the HSTS ‘Super Cookie’

HSTS (HTTP Strict Transport Security) was designed to make the internet more secure, but it came with an unexpected sting in its tail — it can be abused to track users without the use of cookies, or anything else the user can easily clear in their browser. Tracking technologies that can’t be easily cleared by users are referred to as super cookies, because they allow tracking like cookies do, but with extra stickiness.

The idea is simple: the first time you visit a given website over HTTPS, that website can send a special HTTP response header (Strict-Transport-Security, with a max-age in seconds) that tells the browser to always use HTTPS when talking to it for that long, even if the user enters an HTTP URL. For this to work, browsers need to store all the domains that have requested they only be accessed securely, and that storage is not under the easy control of browser users. Clearing your cache or your cookies won’t make your browser forget that your bank should only be talked to securely! That seems like a feature, not a bug, right!?

Unfortunately, once you make some information sticky, you’ve made abuse possible. Because HSTS state is kept per host, and a site can have as many sub-domains as it likes, attackers can get clever and set up a collection of, say, 32 sub-domains, and then include a link to a 1px image or something like that on each of those sub-domains in a web page, ad, or other kind of embed. When a browser is seen for the first time, each sub-domain can randomly send or not send an HSTS header, creating a unique pattern of bits that the browser then stores. The pattern can be read back later by embedding plain HTTP URLs for the same sub-domains and seeing which of them the browser silently transforms into HTTPS URLs. As long as the browser remembers its HSTS data, the pattern remains, and the super cookie remains in place.

Initially this abuse of HSTS was purely hypothetical, but the WebKit team (WebKit is the open-source core of Apple’s Safari browser) have now seen it used in the real world.

The general consensus in the industry was that this was an unsolvable problem: either we have the security offered by HSTS and accept the super cookies, or we give up the extra security offered by HSTS. But some smart engineers at Apple thought differently, and they found a very cool and clever fix!

Apple’s fix comes in two parts:

  1. HSTS headers are only accepted from the site you are actually visiting, not from the domains used to load images etc. into its pages. I.e. if you go to www.podfeet.com and Allison’s server sends an HSTS header, the browser will accept it, but if Allison included an image from www.bartb.ie in the page you browsed to and I configured my server to send an HSTS header, Safari would ignore it. There is one small caveat to this rule: headers can be set for parent domains that are not top-level domains, so a page on www.podfeet.com could set HSTS state for podfeet.com, but not for .com, and not for subdomain.www.podfeet.com.
  2. If a website is blocked from setting regular cookies by Safari’s existing Intelligent Tracking Prevention feature, any HSTS headers it sends will be ignored. So, sites that are already in the dog house don’t get to use HSTS in Safari.

These two simple rules preserve just about all of the security benefit offered by HSTS, but they take away the attacker’s ability to abuse HSTS for tracking: a third-party embed can no longer write the bits, and a known tracker can’t write them even as a first party.
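To make the write/read cycle described above and the effect of the two rules concrete, here is an added toy simulation in JavaScript. It is not WebKit’s code or anything from Apple: the domains tracker.example and news.example are hypothetical, HSTS matching is exact-host only (no includeSubDomains), the registrable domain is approximated by the last two labels where real browsers use the Public Suffix List, and the blockedSites list stands in for whatever Intelligent Tracking Prevention has already classified as a tracker.

```javascript
// Added toy model of the HSTS "super cookie" and of a browser applying the two
// rules described above. Not WebKit code: hypothetical domains, exact-host HSTS
// matching only (no includeSubDomains), and a two-label approximation of the
// registrable domain where real browsers use the Public Suffix List.
const BITS = 8;                                  // one tracker sub-domain per bit
const TRACKER = "tracker.example";               // hypothetical tracking domain
const subdomains = Array.from({ length: BITS }, (_, i) => `b${i}.${TRACKER}`);

// Which tracker hosts must answer with Strict-Transport-Security so that the
// browser's HSTS store ends up encoding `id` (bit i set => host i pinned).
function hostsToPin(id) {
  return subdomains.filter((_, i) => (id >> i) & 1);
}

// Rule 1: while the user is on a page served by `topLevelHost`, a response
// from `host` may only set HSTS state if `host` is that page's own host or a
// parent domain of it that is not a bare top-level domain.
function isFirstParty(topLevelHost, host) {
  if (host === topLevelHost) return true;
  return host.includes(".") && topLevelHost.endsWith("." + host);
}

// Toy eTLD+1 (last two labels); real browsers consult the Public Suffix List.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

class Browser {
  // appleRules=false models the pre-fix behaviour (every header accepted).
  // blockedSites stands in for the domains Intelligent Tracking Prevention has
  // already blocked from setting cookies (rule 2).
  constructor({ appleRules = false, blockedSites = [] } = {}) {
    this.appleRules = appleRules;
    this.blockedSites = new Set(blockedSites);
    this.hsts = new Set();                       // hosts pinned to HTTPS
  }

  // A response from `host` arrives while the user is on `topLevelHost`;
  // `sentHeader` says whether it carried Strict-Transport-Security.
  // Returns true if the browser stored HSTS state for `host`.
  receive(topLevelHost, host, sentHeader) {
    if (!sentHeader) return false;
    if (this.appleRules) {
      if (this.blockedSites.has(registrableDomain(host))) return false; // rule 2
      if (!isFirstParty(topLevelHost, host)) return false;              // rule 1
    }
    this.hsts.add(host);
    return true;
  }

  // Would a request for http://host/... be silently upgraded to https://?
  upgrades(host) {
    return this.hsts.has(host);
  }
}

// Write phase: an ad on `pageHost` embeds a 1px image from every tracker
// sub-domain; only the hosts chosen by hostsToPin(id) answer with the header.
function writeSuperCookie(browser, pageHost, id) {
  const pinned = new Set(hostsToPin(id));
  for (const host of subdomains) browser.receive(pageHost, host, pinned.has(host));
}

// Read phase: the tracker embeds plain http:// image URLs for every sub-domain;
// the ones the browser upgrades to https:// are the stored bits.
function readSuperCookie(browser) {
  return subdomains.reduce(
    (id, host, i) => (browser.upgrades(host) ? id | (1 << i) : id), 0);
}

// Pre-fix browser: the identifier round-trips through third-party embeds.
const legacy = new Browser();
writeSuperCookie(legacy, "news.example", 0xa5);
console.log(readSuperCookie(legacy).toString(16)); // a5

// With Apple's rules the embeds set nothing, even before ITP knows the tracker.
const fixed = new Browser({ appleRules: true });
writeSuperCookie(fixed, "news.example", 0xa5);
console.log(readSuperCookie(fixed));               // 0

// ...while a site the user actually visits still gets its HSTS protection.
fixed.receive("www.podfeet.com", "www.podfeet.com", true);
console.log(fixed.upgrades("www.podfeet.com"));    // true
```

Rule 1 alone is enough to stop the write phase from a third-party embed; rule 2 additionally stops a domain that ITP has already flagged from setting the bits even when the user lands on it directly.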

Hopefully other browser vendors follow suit, and soon!

Notable Security Updates

  • Drupal have released a ‘highly critical’ update to versions 7 & 8 of their popular CMS. The bug allows an unauthenticated attacker to take control of an unpatched site, and is so critical the project announced the exact time the patch would be released and told admins to stand by to patch immediately, in the expectation that in-the-wild attacks would begin within hours of the patch being released. Drupal also released patches for some officially unsupported older versions of the CMS. — www.us-cert.gov/…
  • Apple patches just about everything:
  • Microsoft has released a patch for its January Meltdown patch for 64-bit Windows 7 & Windows Server 2008 R2. The original patch left the kernel’s page tables readable and writable from user mode, so any ordinary process could read and write all of physical memory, actually making the OS much less secure than before it was ‘patched’ — www.kb.cert.org/…

Notable News

  • In preparation for the EU’s new GDPR (General Data Protection Regulation) which comes into force on May 25th this year, Apple have announced a number of privacy improvements: www.macobserver.com/… & www.imore.com/…
    • A new icon which will be displayed each time Apple asks for your permission to use your personal data (introduced as part of this week’s Apple OS updates)
    • Data management tools to allow users to download all the personal data Apple holds on them (Google & Facebook have allowed this for many years now), request a correction to that data, request that their account be deactivated, and request that it be deleted. These tools are coming to EU users in May, with a worldwide roll-out later.
  • Security researchers find yet another lock screen bypass in iOS; Apple say a fix is on the way. (Editorial: I continue to advise turning off Siri on the lock screen; a lock should actually lock things IMO!) — nakedsecurity.sophos.com/…
  • Security researchers have found a bug in the URL parser of the QR code reader built into Apple’s iOS 11 camera app. The bug allows an attacker to craft a QR code such that the app displays one URL but, when tapped, navigates to a different URL. This kind of bug could help make a phishing attack more convincing — www.intego.com/…, www.macobserver.com/… & www.imore.com/…
  • A bug in macOS 10.13.3 writes the passwords of external encrypted APFS volumes to a system log file in plain text (Editorial: if your disk is encrypted this is not a catastrophic bug, and there is a very simple workaround, clear the log!) — www.intego.com/… & nakedsecurity.sophos.com/…
  • A security researcher has revealed that 9 years after first being informed of shortcomings in the encryption of saved passwords, Firefox still have not fixed the problem. (Editorial: I’d advise against using Firefox’s native password manager, at least until this is finally fixed; better to use a plugin to connect the browser to a trusted third-party password manager like 1Password or LastPass) — nakedsecurity.sophos.com/…
  • 🇺🇸 It’s come to light that US police forces are asking Google for lists of everyone who entered a given area at a given time in an attempt to narrow down their list of suspects. This has raised serious privacy concerns, and may not be legal — nypost.com/… & nakedsecurity.sophos.com/…
  • The FBI renews its push for mandatory back doors — www.nytimes.com/… & nakedsecurity.sophos.com/…
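The general shape of a “displays one URL, opens another” bug like the QR code one above is a disagreement between the code that renders the preview and the code that performs the navigation. As an added illustration (not Apple’s parser, and the page does not say which parsing discrepancy iOS 11 had), the following JavaScript compares a naive regex-based preview against the WHATWG URL parser that browsers and Node.js implement, on constructed inputs with hypothetical hosts. The practical check it shows: only display a destination when both parsers agree on the host.

```javascript
// Added illustration of a display-vs-navigation host mismatch. The inputs are
// constructed for this page (evil.example is hypothetical); this is not the
// iOS camera app's code and not the specific flaw it had.

// A naive preview parser of the kind often written for display purposes:
// whatever follows "://" up to the first "/", ":", "?" or "#" is the host.
function naivePreviewHost(text) {
  const m = /^https?:\/\/([^/:?#]+)/i.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// The host the URL loader will actually connect to, per the WHATWG URL parser
// (the global URL class in Node.js and in browsers).
function navigationHost(text) {
  try {
    return new URL(text).hostname;
  } catch {
    return null;                 // unparsable: nothing safe to preview
  }
}

// The check a previewer should make before showing a destination: the host it
// is about to display must be the host the navigation stack will use.
function previewDecision(text) {
  const shown = naivePreviewHost(text);
  const real = navigationHost(text);
  return { shown, real, safe: real !== null && shown === real };
}

// Constructed samples: a benign URL, then a userinfo ("user:pass@host") trick
// that makes the naive preview name a trusted site while the connection goes
// to evil.example, then a backslash that WHATWG treats as a path separator.
const samples = [
  "https://www.podfeet.com/",
  "https://www.podfeet.com:443@evil.example/login",
  "https://www.podfeet.com\\@evil.example/",
];
for (const s of samples) console.log(s, previewDecision(s));
```

The lesson generalises beyond QR codes: any UI that shows a link target (mail clients, chat previews, tooltips) should derive the displayed host from the same parser that will open the link, and refuse to show a preview when that parser rejects the input.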
