Security Bits Logo

Security Bits – 19 April 2019

Followup — Scanning for Cameras

The story we covered last time about a hidden camera being found in an Irish AirBnB got a conversation going on the NosillaCast Slack. The story revolved around a New Zealand family who stayed in an AirBnB in Cork, Ireland. The father was an IT guy, and he scanned the WiFi network using NMAP and was surprised to find a camera streaming live video to the internet. NosillaCastaways were curious as to whether regular humans could use tools like NMAP to do this themselves, or, whether there were other tools they could use instead.

NMAP is free and open source, so sure, anyone can use it in theory, but it falls into the category I (Bart) call for-nerds-by-nerds — in other words, the UI is not human-friendly!

There are human-friendly network scanners out there though. Personally I’ve been using iNet Network Scanner for Mac for years (I chatted with Allison about it WAY back on NC #383).

The NosillaCastaways had some other recommendations:

Security Medium — Browsers Move to Enforce HTML 5 ‘Link Auditing’ (Tracking Really)

Two browsers have recently changed how they support HTML 5’s new link auditing feature, and the change has stirred up a lot of controversy.

The feature, also referred to as HTTP pings, is not new, but until recently it was not heavily used on websites. The feature allows website developers to add an extra attribute to their links (<a> tags) which specifies a URL to ping when ever a user clicks on the link. The attribute is named ping.

Take the following as a practical example:

<a href="https://bartb.ie" ping="https://tracker.bartb.ie/">my home page</a>

The HTML 5 spec says that clicking on that link should cause the browser to do two things — send an HTTP request to https://tracker.bartb.ie/ with some special HTTP headers, and, take you to https://bartb.ie. Depending on whether or not the original page hosting the link shares a domain with the target of the ping, and on whether or not the page and the ping target are HTTPS URLs the ping will contain more of less information. It will always contain the Ping-To header specifying the URL being pinged, and it may also contain the Ping-From header specifying the page on which the link was clicked. It will always set the referrer to no-referer though.

While not including a referrer and not always sending the Ping-From header might make it sound like the trackers can only see the source URL some of the time, that’s not true. Developers can embed any information they wish to send to the tracking server right into the ping URL using HTTP query parameters.

Having said all that, it’s really important to understand that HTML 5 link auditing does not allow website owners to do any more tracking than they already do today by (ab)using HTTP redirects to route all links through a tracker before routing them on to their final destination. In fact, this gives servers less information than they get currently because the HTTP redirect method does always send the Referer header (that’s not a typo, it’s misspelled in the HTTP spec!) as well as cookies to the tracker.

It’s also important to understand that the existing HTTP redirect method has serious disadvantages for end-users. Chief among them are that the true destination of tracked URLs are hidden — the link you see is the link to the tracker, not to the final destination, and, the requests happen in series, not parallel — your browser doesn’t even know where to take you until the request to the tracking URL has fully completed.

By contrast, HTML 5 link auditing does not hide the final URL from the user, and, the ping to the tracker and the navigation to the requested site can happen in parallel.

The HTML 5 spec is also very clear that browsers (User Agents or UAs in HTML jargon) ‘should’ give users control over link auditing:

User agents should allow the user to adjust this behavior, for example in conjunction with a setting that disables the sending of HTTP Referer (sic) headers. Based on the user’s preferences, UAs may either ignore the ping attribute altogether, or selectively ignore URLs in the list (e.g. ignoring any third-party URLs) …

And the spec is even clearer about the fact the browsers have an obligation to clearly communicate the presence of auditing on a link to users:

When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URLs.
Example: For example, a visual user agent could include the hostnames of the target ping URLs along with the hyperlink’s actual URL in a status bar or tooltip.

The spec also notes the advantages over the existing tracking mechanisms in use all over the modern web:

The ping attribute is redundant with pre-existing technologies like HTTP redirects and JavaScript in allowing Web pages to track which off-site links are most popular or allowing advertisers to track click-through rates.

However, the ping attribute provides these advantages to the user over those alternatives:

  • It allows the user to see the final target URL unobscured.
  • It allows the UA to inform the user about the out-of-band notifications.
  • It allows the user to disable the notifications without losing the underlying link functionality.
  • It allows the UA to optimize the use of available network bandwidth so that the target page loads faster.

Thus, while it is possible to track users without this feature, authors are encouraged to use the ping attribute so that the user agent can make the user experience more transparent.

So, why all the commotion? Two reasons:

  1. The current version of Google Chrome enables link auditing by default, but, there is setting to disable it. The two versions of Chrome currently in the development pipe-line remove this setting, forcing link auditing to be permanently enabled.
  2. The latest version of Safari released just a few weeks ago (12.1) also forces link auditing to be enabled without an option for disabling it. Safari never had a user-accessible button for disabling the feature, but there was a way to disable it from the terminal using the defaults write command, but even that has been removed now.

Microsoft’s Edge browser was already behaving in this way, so Chrome and Safari have aligned themselves with Microsoft.

The notable exception is FireFox which retains its switch, and, which disables link auditing by default.

I should also mention that Opera, like Chrome, has had link auditing enabled by default, but did provide an off switch, and it too is removing that off switch.

From my reading of the spec it seems eminently clear that Microsoft, Google & Apple are all flagrantly in breach of the spirit of the HTML 5 spec at the very least. They do not give users control over link auditing like the spec says they should, and, they do not in any way make the presence of link auditing clear to users when they hover over links with ping attributes.

Opinion (Bart) Personally, I don’t expect better from Google, I sort of do from Microsoft, but I absolutely do from Apple. IMO they can’t be let trumpet their privacy credentials like they do and then behave like this without getting called out for their rank hypocrisy!

Links

Notable Security Updates

Notable News

  • Security researchers are warning of a ‘flood’ of exploits targeting the recently patched WinRAR vulnerability. If you ever installed WinRAR make sure you’ve either patched or deleted it! The app does not have an automatic update feature, so the attacks are proving very successful because users have never even been notified of the existence of a patch by outdated versions of the app (Editorial by Bart: this is one to warn friends and family about) — nakedsecurity.sophos.com/…
  • Details have been released of an as-yet un-patched zero-day in all versions of Windows. The bottom line is simple, do not open any .mht files (Microsoft’s default web page archiving format) from un-trusted sources — nakedsecurity.sophos.com/…
  • Starting with the next feature update to Windows 10 (due out in May), Microsoft is changing how it does updates. Monthly and security updates will remain mandatory, but they will be deferrable for a week at a time up to a maximum of 5 weeks. Feature updates will not install automatically until the current version is about to end support, so in practice that means feature updates will have an 18 month life — blogs.windows.com/… & nakedsecurity.sophos.com/…
  • 🇬🇧 the UK government is getting serious about regulating the internet:
  • A security researcher has shown that Samsung’s new under-screen fingerprint readers are dramatically easier to spoof than capacitive finger print readers like Apple’s TouchID and the sensors used on older Samsung phones. The under-screen phones use sound waves to read the fingerprint, so they can be fooled by any object that has the right shape. The older technologies require the fake finger to have the correct electrical properties as well as the correct shape. The researcher was able to go from a photo of a fingerprint on a wine glass to a working fake finger in just 13 minutes using only consumer 3D printing tools (Opinion from Bart: fingerprint sensors were always less secure than FaceID, but this makes the Samsung S10 even more dramatically less secure than Apple’s phones) — nakedsecurity.sophos.com/…
  • Powerful spyware targeting iOS has been spotted in the wild. It’s important to bear in mind that this malware is signed with an enterprise certificate, so in order to get infected a user must be tricked into side-loading the app and into accepting and installing a provisioning profile — techcrunch.com/…
  • Security researchers have released details of design flaws in the new WPA3 WiFi certification. They’ve given the flaws the catch name Dragonblood because the flaws affect a part of the spec known as the dragonfly handshake. The WiFi alliance (creators of the WPA3 certification) have been able to update their certification, and firmware updates to the small number of WPA3 devices in use today should remedy the problem. The security researchers underlined a more fundamental issue with how WiFi is managed — the specs are all developed in secret so they cannot be vetted before they are released. This has resulted in security disasters for all their specs (WEP, WPA, WPA2, and now WPA3). (Editorial by Bart: you think they’d learn their lesson eventually, but they’re showing no sign of that yet 🙁) — nakedsecurity.sophos.com/…
  • Using so-called honeypot devices security researchers have found that IoT devices exposed to the internet get attacked on average about 13 times a second! They offer some simple advice, including always setting a non-default password, and disable UPnP on your router so your IoT devices can’t expose themselves to the internet without your knowledge (yes, some of them do that!) — nakedsecurity.sophos.com/…
  • Google’s Chrome for iOS currently contains an un-patched bug that allows malicious sites to bypass the browser’s popup protections and take over users browsing sessions. In the run up to Easter the bug has been used to attack 500M iOS users, mostly in the US. There are some reports that Safari is affected too, but that’s not clear at the time of recording — nakedsecurity.sophos.com/… & threatpost.com/…
  • Google have started permanently banning ‘bad faith’ developers from their Play store — nakedsecurity.sophos.com/…
  • All phones running Android 7 (Nougat) or newer with Google’s play store installed can now be used as WebAuthn/FIDO2 hardware security keys. It’s not clear, but it seems this is only for use with Google sites, at least for now — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
  • Apple have made subscription scams much harder to pull off on iOS with the introduction of a new confirmation screen that makes it very clear that you are about to sign up to a subscription, how frequently it will recur, and how much it will cost each time — www.macobserver.com/…

Suggested Reading

Palate Cleansers

Leave a Reply

Your email address will not be published.

Scroll to top