
Security Bits – 14 December 2018

Followup

🇦🇺 Security Medium 1 — Australia’s Assistance and Access Act

The Australian parliament has just passed an extremely controversial and heavily criticised anti-encryption bill.

The bill provides the government three critical tools (from TMO’s great summary article on the law):

Under the law, Australian law enforcement and government agencies can compel tech companies to give three different levels of forced assistance:

Technical assistance request: A notice to provide “voluntary assistance” to law enforcement for “safeguarding of national security and the enforcement of the law.”

Technical assistance notice: A notice requiring tech companies to offer decryption “they are already capable of providing that is reasonable, proportionate, practicable and technically feasible” where the company already has the “existing means” to decrypt communications (e.g. where messages aren’t end-to-end encrypted).

Technical capability notice: A notice issued by the attorney general, requiring tech companies to “build a new capability” to decrypt communications for law enforcement. The bill stipulates this can’t include capabilities that “remove electronic protection, such as encryption.”

One of the biggest sources of criticism is the fact that the law seems to contradict itself. It can both force companies to create new methods for collecting and decrypting data, and yet at the same time says that companies can’t be forced to add a ‘systemic weakness’ or ‘systemic vulnerability’ to their software or hardware. (Editorial by Bart: this sounds to me like they tried to legislate a unicorn into existence!)

Apple’s response to the law is a good example:

“Some suggest that exceptions can be made, and access to encrypted data could be created just for only those sworn to uphold the public good […] That is a false premise. Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will, by extension, weaken the protections for everyone. It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.”

The law was also rushed, and is arguably incomplete. As well as many proposed and suggested changes and improvements from expert and industry groups never being taken up in parliament, the law doesn’t even define important concepts like what it means not to introduce systemic weaknesses or vulnerabilities. That detail is due to be added later through amendments!

With all this uncertainty and vagueness, a lot will depend on how the courts choose to interpret this law. If the ban on systemic weaknesses is taken seriously then the damage to security could be minimal, but if a very weak interpretation is used then this could be a really big deal indeed.

Finally, Australia is a member of the so-called Five Eyes group of nations who all share intelligence data with each other (Australia, Canada, New Zealand, UK & USA, more details at en.wikipedia.org/…), so this law will affect much of the English-speaking world.

Further Reading/Listening

Security Medium 2 — A Clever New Approach to Spear Phishing

There is a lot of media attention around a report released by security researchers describing a clever spear-phishing campaign perpetrated by Iran against US government officials.

The bottom line is that there is no need to panic: this is very easy to defend against, just never click on links in emails!

With that out of the way, what did the attackers do? They combined two old techniques in an interesting new way.

Firstly, the use of hidden images with unique URLs in emails to track when the email is viewed is absolutely not new or novel. That’s how survey services like SurveyMonkey capture their analytics data, and how spammers learn which addresses are real and which are not.

Secondly, if you can trick a person into going to a fake page of your making, you can relay any authentication challenges the real site asks to them, turning your fake site into a kind of proxy server that will give the attackers access to the victim’s account. This technique has been around for decades. It’s a great way to bypass CAPTCHAs!

So, what did these attackers do? Firstly, they did lots of homework so they could craft very convincing spear-phishing emails. They then embedded tracking images into those emails so they knew when an email was viewed, and they added a phishing URL into the email that would present the victim with a faked login page. When the victim submitted their details, the attackers would submit those same details to the real service being impersonated, and reply with a page presenting whatever 2FA challenge the real page presented them. The victim would dutifully enter that into the fake page, and the attackers would copy it into the real page.

Clever, sure, but not a technological hack!

This only works if you can get the victim to click on a link in an email, and not to notice that they are not where they think they are, i.e. you need to count on the victim not looking at their browser’s address bar.
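As an added illustration (not code from the show notes or from the researchers’ report), here is a small stdlib-only Python checker, run over a constructed sample email, that flags the two ingredients described above from the defender’s side: hidden per-recipient tracking images, and links whose displayed domain differs from the domain they actually point to.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email (not a real message).
SAMPLE = """<html><body>
<p>Your account requires verification.</p>
<img src="https://track.example-mailer.test/open/8f3a9c0d2b1e4f6a7b8c9d0e1f2a3b4c" width="1" height="1">
<p>Sign in at <a href="https://mail.example.org.evil-login.test/">mail.example.org</a></p>
<p>Questions? <a href="https://example.org/help">Contact support</a></p>
</body></html>"""

class EmailAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, detail) pairs
        self._link = None  # [href, visible text] of the anchor being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src", "")
            # Tracking pixel: tiny or hidden, and carrying a per-recipient token.
            tiny = a.get("width", "").strip("px") in ("0", "1") or a.get("height", "").strip("px") in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "")
            tokenised = "?" in src or len(src.rsplit("/", 1)[-1]) > 24
            if (tiny or hidden) and tokenised:
                self.findings.append(("tracking-image", src))
        elif tag == "a" and "href" in a:
            self._link = [a["href"], ""]

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            href, text = self._link
            self._link = None
            real = urlparse(href).hostname or ""
            text = text.strip()
            # Only compare when the visible text itself looks like a domain or URL.
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if "." in shown and shown != real and not real.endswith("." + shown):
                self.findings.append(("link-mismatch", f"{shown} -> {real}"))

def audit_email(html):
    """Return (kind, detail) findings for one HTML email body."""
    parser = EmailAuditor()
    parser.feed(html)
    return parser.findings
```

Running `audit_email(SAMPLE)` reports the 1x1 tracking image and the link whose text says mail.example.org but whose real target is a look-alike host.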

Links

Notable Security Updates

Notable News

  • Apple have been forced to crack down on a new type of App Store fraud – apps that trick users of TouchID devices into authorising very expensive in-app purchases. All the offending apps have been removed from the store, and affected customers are reportedly being refunded:
  • Microsoft cracks down on tech support scams, 16 call centers raided — nakedsecurity.sophos.com/…
  • Security researchers have found attacks in the wild exploiting a combination of the UPnProxy router vulnerability revealed recently and the EternalBlue and EternalRed vulnerabilities revealed in the NSA leaks last year. They’ve dubbed this new malware EternalSilence. (Editorial by Bart: if you’re running an unpatched router you really need to stop doing that! Update your firmware if you can, or get a new router if you can’t.) — nakedsecurity.sophos.com/…
  • In a bizarre twist in a rivalry to be the most popular YouTuber, printers around the world were hacked to print out pro-PewDiePie propaganda. (Editorial by Bart: don’t expose your printers to the internet, and if possible, keep their firmware patched!) — nakedsecurity.sophos.com/…
  • Citrix caused some confusion and controversy with a new periodic password reset. Some users assumed this new policy meant the service was probably hacked, but that doesn’t appear to be the case — krebsonsecurity.com/…
  • The UK parliament’s Digital, Culture, Media, and Sport committee (DCMS) published hundreds of private internal Facebook emails, many of them quite damning of the company — nakedsecurity.sophos.com/…
    • Facebook white-listed some apps for continued access to friends’ data after it changed its APIs to remove that access in 2014/15. It looks like this was done without user consent.
    • Facebook knew that changing its Android app so it would collect call and text data would make them look bad, so they did their best to hide that they were doing it.
    • As we suspected, the now abandoned Facebook VPN Onavo was used to gather data from users, and Facebook used that data for its corporate advantage (to help it figure out which apps were popular enough to be worth buying or investing in).
  • In a speech at the Brookings Institute in the US, Microsoft President Brad Smith warned about the dangers of unregulated use of facial recognition technology, and called for governments to step in and regulate: ‘We believe that the only way to protect against this race to the bottom is to build a floor of responsibility that supports healthy market competition’ — nakedsecurity.sophos.com/…
  • Apple have added experimental support for the WebAuthn authentication protocol to their Safari Technology Preview (effectively a beta version of Safari). Safari is the last of the major browsers not to support the protocol which is designed to allow hardware tokens and biometric devices to be used for authentication on the web — www.macobserver.com/…
  • A group that includes the Mozilla Foundation, NYU Law and the University of Dundee have launched the Trustable Technology Mark, a trust mark for Internet Of Things (IoT) devices. Only two companies are certified so far, but if this takes off it could become a useful tool for consumers when choosing between competing products — www.fastcompany.com/…
  • 🇺🇸 It’s still got a very long way to go to become an actual law, but 15 US senators have introduced a data privacy bill which they’ve titled the Data Care Act. The bill would impose three duties on companies: a Duty of Care, a Duty of Loyalty, and a Duty of Confidentiality — www.macobserver.com/…

Suggested Reading

Palate Cleansers
