Followup
- Bloomberg’s controversial The Big Hack story
- SuperMicro released the results of an independent audit which found no evidence of hardware or software tampering on its motherboards — www.reuters.com/… & arstechnica.com/…
- The Marriott Breach
- Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing — www.nytimes.com/…
- An interesting related opinion piece by Brian Krebs — krebsonsecurity.com/…
🇦🇺 Security Medium 1 — Australia’s Assistance and Access Act
The Australian parliament has just passed an extremely controversial and heavily criticised anti-encryption bill.
The bill provides the government three critical tools (from TMO’s great summary article on the law):
Under the law, Australian law enforcement and government agencies can compel tech companies to give three different levels of forced assistance:
Technical assistance request: A notice to provide “voluntary assistance” to law enforcement for “safeguarding of national security and the enforcement of the law.”
Technical assistance notice: A notice requiring tech companies to offer decryption “they are already capable of providing that is reasonable, proportionate, practicable and technically feasible” where the company already has the “existing means” to decrypt communications (e.g. where messages aren’t end-to-end encrypted).
Technical capability notice: A notice issued by the attorney general, requiring tech companies to “build a new capability” to decrypt communications for law enforcement. The bill stipulates this can’t include capabilities that “remove electronic protection, such as encryption.”
One of the biggest sources of criticism is the fact that the law seems to contradict itself. It can both force companies to create new methods for collecting and decrypting data, and yet at the same time says that companies can’t be forced to add a ‘systemic weakness’ or ‘systemic vulnerability’ to their software or hardware. (Editorial by Bart: this sounds to me like they tried to legislate a unicorn into existence!)
Apple’s response to the law is a good example:
“Some suggest that exceptions can be made, and access to encrypted data could be created just for only those sworn to uphold the public good […] That is a false premise. Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will, by extension, weaken the protections for everyone. It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.”
The law was also rushed, and is arguably incomplete. Not only were many changes and improvements proposed by expert and industry groups never taken up in parliament, the law doesn’t even define important concepts like what it means not to introduce systemic weaknesses or vulnerabilities. That detail is due to be added later through amendments!
With all this uncertainty and vagueness, a lot will depend on how the courts choose to interpret this law. If the ban on systemic weaknesses is taken seriously then the damage to security could be minimal, but if a very weak interpretation is used then this could be a really big deal indeed.
Finally, Australia is a member of the so-called Five Eyes group of nations who all share intelligence data with each other (Australia, Canada, New Zealand, UK & USA, more details at en.wikipedia.org/…), so this law will affect much of the English-speaking world.
Further Reading/Listening
- Dangerous Australia Encryption Law Passed — www.macobserver.com/…
- Australia passes new law to thwart strong encryption — arstechnica.com/…
- Security Now Episode 693 goes into the Australian law in great detail — twit.tv/… & overcast.fm/…
- Does Australia’s access and assistance law impact 1Password? — blog.1password.com/…
Security Medium 2 — A Clever New Approach to Spear Phishing
There is a lot of media attention around a report released by security researchers describing a clever spear-phishing campaign perpetrated by Iran against US government officials.
The bottom line is that there is no need to panic: this is very easy to defend against. Never click on links in emails!
With that out of the way, what did the attackers do? They combined two old techniques in an interesting new way.
Firstly, the use of hidden images with unique URLs in emails to track when the email is viewed is absolutely not new or novel. That’s how surveys like Survey Monkey capture their analytics data, and how spammers learn which addresses are real, and which are not.
Secondly, if you can trick a person into visiting a fake page of your making, you can relay any authentication challenges the real site asks to them, turning your fake site into a kind of proxy server that will give the attackers access to the victim’s account. This technique has been around for decades. It’s a great way to bypass CAPTCHAs!
So, what did these attackers do? Firstly, they did lots of homework so they could craft very convincing spear phishing emails. They then embedded tracking images into those emails so they knew when an email was viewed, and they added a phishing URL into the email that would present the victim with a faked login page. When the victim submitted their details, the attackers would submit those same details to the real service being impersonated, and reply with a page presenting whatever 2FA challenge the real page presented them. The victim would dutifully enter that into the fake page, and the attackers would copy it into the real page.
Clever, sure, but not a technological hack!
This only works if you can get the victim to click on a link in an email, and not to notice that they are not where they think they are, i.e. you need to count on the victim not looking at their browser’s address bar.
Links
Notable Security Updates
- Adobe released an out-of-band emergency update for Flash to address a zero-day bug that is being actively exploited — www.us-cert.gov/… & nakedsecurity.sophos.com/…
- On Patch Tuesday both Microsoft & Adobe released patches, including fixes for Windows, Office, Acrobat, and Flash — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
- Apple patch just about everything — www.us-cert.gov/… & arstechnica.com/…
- Patch now (if you can!): Latest Android update fixes clutch of RCE flaws — nakedsecurity.sophos.com/…
- Zoom patches serious video conferencing bug — nakedsecurity.sophos.com/…
- The latest version of Chrome (71) expands the browser’s blocking of misleading ads (as well as fixing 43 security vulnerabilities) — nakedsecurity.sophos.com/…
- Security researchers have revealed details of a bug in older versions of the firmware for VTech’s Storio Max AKA InnoTab Max tablet computers for kids. The bug was responsibly disclosed to VTech earlier this year, and a patch was published at the end of May. Anyone with one of these tablets should be sure they have this latest firmware installed now that the details of the vulnerability have been revealed — nakedsecurity.sophos.com/…
- Update now! WordPress 5.0.1 release fixes seven flaws — nakedsecurity.sophos.com/…
Notable News
- Apple have been forced to crack down on a new type of App Store fraud – apps that trick users of TouchID devices into authorising very expensive in-app purchases. All the offending apps have been removed from the store, and affected customers are reportedly being refunded.
- Microsoft cracks down on tech support scams, 16 call centers raided — nakedsecurity.sophos.com/…
- Security researchers have found attacks in the wild exploiting a combination of the UPNProxy router vulnerability revealed recently, and the EternalBlue and EternalRed vulnerabilities revealed in the NSA leaks last year. They’ve dubbed this new malware EternalSilence. (Editorial by Bart: if you’re running an un-patched router you really need to stop doing that! Update your firmware if you can, or get a new router if you can’t) — nakedsecurity.sophos.com/…
- In a bizarre twist in a rivalry to be the most popular YouTuber, printers around the world have been hacked to print out pro-PewDiePie propaganda (Editorial by Bart: don’t expose your printers to the internet, and if possible, keep their firmware patched!) — nakedsecurity.sophos.com/…
- Citrix caused some confusion and controversy with a new periodic password reset. Some users assumed this new policy meant the service was probably hacked, but that doesn’t appear to be the case — krebsonsecurity.com/…
- The UK parliament’s Digital, Culture, Media, and Sport committee (DCMS) published hundreds of private internal Facebook emails, many of them quite damning of the company — nakedsecurity.sophos.com/…
  - Facebook white-listed some apps for continued access to friends’ data after they changed their APIs to remove that access in 2014/15. It looks like this was done without user consent.
  - Facebook knew that changing its Android app so it would collect call and text data would make them look bad, so they did their best to hide that they were doing it.
  - As we suspected, the now abandoned Facebook VPN ONAVO was used to gather data from users, and Facebook used that data for their corporate advantage (to help them figure out which apps were popular enough to be worth buying or investing in).
- In a speech at the Brookings Institute in the US Microsoft President Brad Smith warned about the dangers of un-regulated use of facial recognition technology, and called for governments to step in and regulate: ‘We believe that the only way to protect against this race to the bottom is to build a floor of responsibility that supports healthy market competition’ — nakedsecurity.sophos.com/…
- Apple have added experimental support for the WebAuthn authentication protocol to their Safari Technology Preview (effectively a beta version of Safari). Safari is the last of the major browsers not to support the protocol, which is designed to allow hardware tokens and biometric devices to be used for authentication on the web — www.macobserver.com/…
- A group that includes the Mozilla Foundation, NYU Law and the University of Dundee have launched the Trustable Technology Mark, a trust mark for Internet Of Things (IoT) devices. Only two companies are certified so far, but if this takes off it could become a useful tool for consumers when choosing between competing products — www.fastcompany.com/…
- 🇺🇸 It’s still got a very long way to go to become an actual law, but 15 US senators have introduced a data privacy bill which they’ve titled the Data Care Act. The bill would impose three duties on companies: a Duty of Care, a Duty of Loyalty, and a Duty of Confidentiality — www.macobserver.com/…
Suggested Reading
- PSAs, Tips & Advice
  - ⭐️ Those are NOT your grandchildren! FTC warns of new scam — nakedsecurity.sophos.com/…
  - ⭐️ How to Tell If Your Partner is Spying on Your Phone — motherboard.vice.com/…
  - ⭐️ How to delete your Facebook information without deleting your account — www.imore.com/…
  - ⭐️ How to Use One Mac as a Time Machine Destination for Another — www.macobserver.com/…
  - ⭐️ How to Use the Console App for Troubleshooting — www.intego.com/…
- Notable Breaches & Privacy Violations
  - ⭐️ Quora Data Breach: 100 Million Users Affected — www.macobserver.com/… & Quora.com admits data breach affecting 100 million accounts — nakedsecurity.sophos.com/…
  - ⭐️ A subtle coding bug caused Instagram’s GDPR privacy portal to accidentally leak some users’ passwords. The bug has been fixed, and affected users have been notified — www.intego.com/…
  - ⭐️ Google found another bug in their Google+ API that exposed more non-public profile data. Google found this bug themselves, and it looks like it has not been exploited in the wild. Google patched the bug and brought forward the death of G+ for consumers by a few months — arstechnica.com/… & nakedsecurity.sophos.com/…
  - Samsung fixes flaws that could have let attackers hijack your account — nakedsecurity.sophos.com/…
  - Spectacularly inept web development exposed the customer data stored on servers run by the company that owns the jewellery brands Jared and Kay Jewelers. The bug has now been fixed — nakedsecurity.sophos.com/…
  - 🇺🇸 Unencrypted medical data leads to 12-state litigation — nakedsecurity.sophos.com/…
- News
  - ⭐️ InstaScam – Blue Ticks for Sale — www.macobserver.com/…
  - 🇨🇳 Apple Removes 700 Apps from China App Store — www.macobserver.com/…
  - 🇺🇸 Apple Employee Joins ACLU to Fight Government Back Doors — www.macobserver.com/…
  - Cryptography failure leads to easy hacking for PlayStation Classic — arstechnica.com
  - 🇺🇸 Border agents are copying travelers’ data, leaving it on USB drives — nakedsecurity.sophos.com/…
  - YouTube is reading text in users’ videos — nakedsecurity.sophos.com/…
  - Facebook has filed patents to predict our future locations — nakedsecurity.sophos.com/…
  - 🇮🇹 Facebook fined $11m for misleading users about how data will be used — nakedsecurity.sophos.com/…
  - How Internet Savvy are Your Leaders? — krebsonsecurity.com/…
  - 🇺🇸 Google’s CEO Sundar Pichai testified in Congress.
- Opinion & Analysis
  - ⭐️ A cautionary tale for non-profits that use Facebook – monitor your account carefully, because hackers may be lurking in your account just waiting for the right moment to pounce and defraud well-meaning donors — www.wired.com/…
  - ⭐️ The WIRED Guide to Data Breaches — www.wired.com/…
  - ⭐️ Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret – The New York Times — www.nytimes.com/…
  - ⭐️ Interesting research from privacy-protecting search engine DuckDuckGo suggests that Google still manages to personalise searches even when users log out of Google and use private browsing mode. Google dispute the conclusion, and point to flaws in the study’s methodology — nakedsecurity.sophos.com/…
- Propellor Beanie Territory
  - Faster fuzzing ferrets out 42 fresh zero-day flaws — nakedsecurity.sophos.com/…
  - Bleichenbacher’s CAT puts another scratch in TLS — nakedsecurity.sophos.com/…
  - Kubernetes cloud computing bug could rain data for attackers — nakedsecurity.sophos.com/…
  - Text CAPTCHAs easily beaten by neural networks — nakedsecurity.sophos.com/…