Followups
- Spectre & Meltdown
- Details have been released of a new Spectre variant named Speculative Store Bypass, or SSB. The vulnerability affects AMD, ARM & Intel chips. Thankfully it can be mitigated quite easily, so it’s just a matter of applying software, OS, firmware, and microcode updates as they are released — arstechnica.com/…
- GDPR Updates — as we discussed in CCATP 534, the new European General Data Protection Regulation, or GDPR, came into force on the 25th of May, and there has been some fallout
- Instapaper Temporarily Shutting Down in European Union for GDPR — www.macobserver.com/…
- The people behind the privacy-oriented browser plugin Ghostery made a spectacular privacy gaffe when they used the To field instead of the BCC field when bulk-sending GDPR emails to hundreds of users at a time — nakedsecurity.sophos.com/…
- It turns out that not tracking people without their consent really speeds up the web!
- A report in the British newspaper The Telegraph caused some confusion and a lot of outrage/mocking when it claimed the European Commission would not be complying with the GDPR, a regulation of its own making. As Sophos point out on their Naked Security blog, the article in the Telegraph omits some key points. Firstly, from a practical point of view, a pan-European body can’t work under the GDPR because who would be the regulator? The commission itself is the only real option, and self-policing seems a bit odd. Would the EC really levy fines on the EC? Instead, the commission plans to subject itself to rules that are very similar to the GDPR in effect, but are structured in a practical way — nakedsecurity.sophos.com/…
- Apple’s new data export function can show you how much you’ve spent with Apple (something you might not want to know 🙂) — www.macobserver.com/…
- The effect of the GDPR on the WHOIS database of domain name owners remains unclear as a German court finds against ICANN — www.circleid.com/…
Security Medium — VPNFilter
The FBI made headlines this week by requesting that internet users around the world re-boot their routers so as to neuter a massive botnet consisting of hacked routers around the world, apparently controlled by the Russian government.
The malware powering this botnet has been given the name VPNFilter. It has been found to be able to infect many routers and NAS devices by popular vendors Netgear, Linksys, TP-Link, QNAP, and MikroTik. The malware contains a network sniffer, and more importantly, the ability to phone home for software updates, allowing it to be dynamically re-purposed at any time. As well as that, it also has a very powerful self-destruct mechanism built in — it can completely wipe a device’s flash memory, leaving it genuinely bricked — as in permanently and irreversibly disabled. Just imagine the harm you could do to a nation if you simultaneously knocked a significant percentage of the population off the internet! What’s really scary is that in court filings, the FBI claimed to have evidence that the botnet was about to be used to attack the country of Ukraine.
The malware was discovered by Cisco’s Talos security research division, and they report the botnet contained half a million routers and NAS boxes before the FBI’s intervention.
The malware is also quite advanced, and it can survive a reboot, sort of. Because routers tend to have very minimal hardware resources, a permanently resident software addition needs to be small so as to fit. A full-featured piece of malware isn’t small, so how does VPNFilter square that circle? It only permanently stores a small part of itself, a loader that then fetches the rest of itself from the internet when the router boots up.
If the malware is permanent, why is the FBI asking people to reboot their routers? Won’t it just re-load itself? Ordinarily, yes, but the FBI have taken down the online resources the initial loader uses to fetch the rest of the malware! BTW, that loader used a novel technique to try to find the current IP of the command-and-control server at any given time — the IP was encoded into the geolocation data of a photo on a social media site!
Because the FBI has taken out the C&C infrastructure, rebooting an infected router should prevent the loader from finding the remainder of the malware, so only a small stub of the malware will remain active. This is much, much better than having the full malware, and should stop the malware receiving attack instructions, but a half-infected router is still a problem. As well as re-booting your router, you might consider re-flashing it with the very latest firmware (fetched directly from the vendor) so as to be absolutely sure you’re not infected.
BTW, it seems the malware did not use zero-day vulnerabilities to infect routers, but instead relied on the fact that most people don’t update their routers regularly, if at all, so most are a few firmware versions behind, and hence riddled with known vulnerabilities. So, updating seems like good advice anyway.
Links
- VPNFilter – is a malware timebomb lurking on your router? — nakedsecurity.sophos.com/…
- U.S. seeks to take control of infected routers from hackers — www.reuters.com/…
- FBI tells router users to reboot now to kill malware infecting 500k devices — arstechnica.com/…
- FBI: Kindly Reboot Your Router Now, Please — krebsonsecurity.com/…
- A detailed description of the issue on Security Now episode 665 (linked to start of segment) — overcast.fm/…
Notable Security Updates
- Apple have released security updates for all their OSes, but unusually, have not released details of the bugs fixed, their security updates page simply says ‘details available soon’ (Editorial by Bart: I’ve never seen this before, I’m guessing this has something to do with some kind of coordinated release of information across operating systems as part of a responsible disclosure. Hopefully all will become clear in due course) (From Allison: The page was updated right during our recording)
- DrayTek have issued an important firmware fix for their Vigor range of routers — nakedsecurity.sophos.com/…
- Many BMWs need to be patched against 14 security vulnerabilities over the next year or so. The researchers who found the bugs disclosed them to BMW responsibly, and have agreed to give BMW a year to get patches out into people’s cars before revealing the details. Thankfully, as well as being responsibly disclosed, the bugs are also very difficult to exploit, so at least for now, the real-world risk seems low — nakedsecurity.sophos.com/…
Notable News
- 🇺🇸 The Washington Post reported that the FBI repeatedly inflated the number of encrypted cellphones they have and are trying to unlock by a factor of about six, misleading both Congress and the public (Editorial by Bart: while this definitely makes the FBI look bad – either incompetent or dishonest – the number is irrelevant, mandatory back doors are just as bad an idea regardless of how many or how few phones we’re talking about!) — www.imore.com/…, nakedsecurity.sophos.com/…, www.imore.com/… & daringfireball.net/…
- It’s been a bad two weeks for government censorship of apps:
- 🇨🇳 Following demands from the Chinese government, Apple are removing CallKit enabled apps from the Chinese app store — www.imore.com/… & arstechnica.com/…
- 🇷🇺 Following demands from the Russian Government, Apple has removed Telegram from the Russian iTunes Store. That removal seems to have had some unintended side-effects, resulting in Telegram not being able to update their app on any iTunes store since April — www.imore.com/… & arstechnica.com/…
- Apple have announced that from the 1st of July they will start to include government app take-down requests in their regular transparency reports — www.macobserver.com/…
- A bug in Facebook’s Android app briefly caused it to erroneously ask for root permissions on rooted Android devices. The internet exploded with conspiracy theories, but it does seem to have just been a simple bug in their integration with a third-party library. A new version was quickly released which fixed the problem. Facebook users on Android should probably check they have the latest version of the app installed — nakedsecurity.sophos.com/…
- It appears that a very unlikely series of unfortunate events led to an Oregon couple’s Amazon Echo emailing a recording of a private conversation they were having in their home to a random contact in their address book without their knowledge or consent (Editorial by Bart: it seems there is nothing nefarious going on here, just a series of unfortunately misheard phrases that happened to align to something unexpected and disquieting. It seems very unlikely this will happen again, but it does underline the fact that like all conveniences, voice assistants definitely do bring security tradeoffs to users’ lives) — www.imore.com/… & www.recode.net/…
- With just a small amount of effort, Sophos Labs engineers found that four of fourteen popular Android apps they tested used HTTP connections to talk back to servers rather than HTTPS connections, and in the process expose users’ personal data to eavesdroppers — nakedsecurity.sophos.com/…
- Another nail in Flash’s coffin as Microsoft announces the end of support for embedded Flash and Silverlight in documents on Office365 — nakedsecurity.sophos.com/…
- Facebook have updated their 2FA so you no longer need to associate a phone number with your account to use it — nakedsecurity.sophos.com/…
- Your Firefox account can now be secured with 2FA — nakedsecurity.sophos.com/…
- Controversially, the nation of Papua New Guinea plans to block Facebook for a month, and to use that time to root out fake accounts so that, in theory, all PNG residents on Facebook will be abiding by the site’s real-name policy. The country’s ministry of information wants to study how PNG’s citizens use the site as part of an attempt to somehow measure both the positive and negative effects of social media, and try to figure out if the good outweighs the bad — nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
- How to set up 2FA on eBay – go do it now! — nakedsecurity.sophos.com/…
- 🇺🇸 FBI Tech Tuesday: Building a Digital Defense with Credit Reports — www.fbi.gov/…
- How to See Where Apple Tracks You on Your iPhone and iPad — www.macobserver.com/…
- macOS: How to See Where a Download Came From — www.macobserver.com/…
- 10 Strikes and You’re Out – the iOS Feature You’re Probably Not Using But Should — daringfireball.net/…
- A neat tip — you can use iOS’s Guided Access feature to stop people swiping around through your photo library when you hand them your phone to show them a picture — www.imore.com/…
- Notable Breaches & Privacy Violations
- TeenSafe Leaks 10,000 Kids’ Apple IDs and Passwords — www.macobserver.com/… & TeenSafe phone monitoring app leaked thousands of passwords — www.imore.com/…
- 🇺🇸 T-Mobile bug let anyone see any customer’s account details — www.zdnet.com/…
- 🇨🇦 Canadian banks BMO and Simplii Financial warn of large data breaches — www.imore.com/…
- News
- The ACLU sound the alarm about Rekognition, a facial-recognition product Amazon are selling to governments. The ACLU describe the product as dangerous because it ‘can be readily used to violate civil liberties and civil rights’ — www.aclunc.org/…
- A man tried to sell his Facebook data on eBay and it went kind of better than you would expect — www.imore.com/…
- 🇺🇸 2 million stolen identities used to make fake net neutrality comments — nakedsecurity.sophos.com/…
- 🇺🇸 California tests digital license plates. Is tracking cars next? — nakedsecurity.sophos.com/…
- 🇬🇧 The UK government is considering making the owners of phone spamming companies personally liable so they can’t use corporate bankruptcy to skirt the law — nakedsecurity.sophos.com/…
- 🇬🇧 The story that will not die – Google is in trouble over the Safari Workaround again, this time in the UK — nakedsecurity.sophos.com/…
- 🇬🇧 Server? What server? Site forgotten for 12 years attracts hacks, fines — nakedsecurity.sophos.com/…
- Opinion & Analysis
- 🇺🇸 An interesting series from Brian Krebs on US cell carriers’ practice of selling users’ real-time location data without notice or consent:
- So How Secure is Messages in iCloud Anyway? — www.macobserver.com/…
- Propeller Beanie Territory
Palate Cleansers
- A cool diagram explaining the common disk usage related terminal commands from Julia Evans — mobile.twitter.com/…
- The very cool story of an 1830s hack of the French semaphore messaging network via the clever use of the backspace character — nakedsecurity.sophos.com/…
- A 99% Invisible article about the same telegraph system with photos of a restored station and paintings of the originals — 99percentinvisible.org/…
I was surprised to hear that neither of you was familiar with MikroTik routers. The security analyst (and former network analyst) on our team came across them a year or so ago and had been running one of their routers at home and absolutely loves it. Seems like it’s basically a commercial router with enterprise-class features. Bart, it seems like something you’d especially love, based on his comments on all that he can do with it. I’ll gladly follow up with more details if you’re interested. [Actually, I shouldn’t discount that Allison might want one too since she’s already got 4 routers at home apparently!]
I was also confused by your comments on router firmware updates and claims that no one else does what Apple does in this regard. But not only do I get an email from Netgear the minute new firmware is released (and several followups), but whenever I log into the OS (via the webpage for management), I get banners across the top telling me that there’s new firmware available. That seems pretty proactive on both counts to me!