
Security Bits — 3 April 2022

Feedback & Followups

Deep Dive 1 — ProtestWare a Controversial and Dangerous New Form of Protest

In a recent Programming by Stealth TidBit (pbs.bartificer.net/…) we discussed the concept of supply chain security in programming, inspired by a recent incident where a developer sabotaged his own (very popular) open source JavaScript packages on the Node Package Manager (NPM).

One of the things I (Bart) pointed out in that case is that the developer was merely making a point, and while he caused disruption, he didn’t do any real damage. But he could have!

Well, as if to prove the point, another developer has taken things up a notch and released a destructive update to a very popular open source JavaScript module published on NPM.

In this case the motivation was very different, and I guess, somewhat understandable. The developer has ties to Ukraine, and he was (and presumably still is) very angry about Russia’s invasion of the country. He started by adding non-destructive pro-peace protest code into the very popular node-ipc module. He did this by creating a new module he named peacenotwar which will “add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.” He then added this module to node-ipc as a dependency. A dependency must be loaded first for the main module to function, so anyone installing node-ipc gets peacenotwar too.

In case you’re wondering, node-ipc is a popular package for enabling Inter Process Communication in NodeJS JavaScript apps, hence the name. This is a very common thing to want to do, and node-ipc is (or at the very least, was) a very popular tool for solving this problem, getting near a million weekly downloads on NPM.

Having protest messages appear unexpectedly on your desktop is ethically questionable, but given the seriousness of the situation, I’m prepared to give some credence to the argument that it’s justified. I’d definitely say it falls into the moral grey zone. It’s definitely not indisputably evil.

Unfortunately, the developer didn’t stop there. He escalated things, adding code to peacenotwar that determined if the user was in Russia (based on IP address), and if so, deleted their files. This is where I (Bart) draw the line. This is irresponsible and dangerous. All code has bugs, and geolocation is imperfect, so there is a very real danger of doing real harm here. Also, just because you’re in Russia does not mean you support Putin’s invasion!

There is room for a debate around how much protest code is acceptable in the open source community. But clearly, this went too far. FWIW, I (Bart) am in the ‘none’ camp — the place for protests is your release notes, documentation, and website, not in your open source code!

As for how this ended — the destructive code was removed by NPM, but even today (3 April 2022), node-ipc still lists peacenotwar as a dependency, so the non-destructive protest code continues to ship with node-ipc.

The bottom line remains the same though — it was always a bad idea to blindly and automatically consume all updates to all dependencies in your software projects. Dependency changes need to be deliberate acts, not invisible automations! All that’s changed is that the dangers have gone from hypothetical to actual. It was always a bad idea, and it remains a bad idea!
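To make the “deliberate acts, not invisible automations” point concrete, here is a small checker written for these notes (it is example code, not anything from node-ipc, NPM, or the author). It flags floating version ranges in a package.json, and diffs the “packages” maps of two package-lock.json files (the lockfile v2/v3 layout, keyed by node_modules path) so that a newly introduced transitive dependency, the way peacenotwar appeared under node-ipc, shows up in review instead of slipping in silently. Apart from the names node-ipc and peacenotwar, every package name, version number, and lockfile below is a constructed sample value.

```javascript
// Added example for these show notes: a "deliberate dependency change" checker.
// Assumes package-lock.json v2/v3 layout: lock.packages is keyed by
// "node_modules/<name>" (nested paths for nested installs), with a version field.
// All package names (other than node-ipc and peacenotwar), versions and lockfile
// contents below are constructed sample data, not real registry data.

/** Return [{name, spec}] for every dependency whose spec is not an exact version.
 *  A bare semver such as "1.2.3" is exact; anything else ("^1.0.0", "~2.0",
 *  "*", "latest", ">=1.0") can resolve to a different release on the next install. */
function findFloatingRanges(pkgJson) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (!exact.test(spec)) out.push({ name, spec });
    }
  }
  return out;
}

/** Map each installed package path in a lockfile to its locked version.
 *  The "" entry is the root project itself and is skipped. */
function lockedVersions(lock) {
  const versions = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    versions[path] = entry.version;
  }
  return versions;
}

/** Diff two lockfiles; returns {added, removed, changed} keyed by package path. */
function diffLockfiles(oldLock, newLock) {
  const before = lockedVersions(oldLock);
  const after = lockedVersions(newLock);
  const added = {}, removed = {}, changed = {};
  for (const [path, v] of Object.entries(after)) {
    if (!(path in before)) added[path] = v;
    else if (before[path] !== v) changed[path] = { from: before[path], to: v };
  }
  for (const [path, v] of Object.entries(before)) {
    if (!(path in after)) removed[path] = v;
  }
  return { added, removed, changed };
}

/** Produce a review report. A CI step can fail the build when needsReview is true,
 *  forcing a human to look at what an update actually pulled in. */
function reviewDependencyChange(pkgJson, oldLock, newLock) {
  const floating = findFloatingRanges(pkgJson);
  const diff = diffLockfiles(oldLock, newLock);
  const needsReview =
    Object.keys(diff.added).length > 0 || Object.keys(diff.changed).length > 0;
  return { floating, diff, needsReview };
}

// Constructed sample: a project that depends on node-ipc via a caret range.
const samplePackageJson = {
  name: 'sample-app',
  dependencies: { 'node-ipc': '^1.0.0', 'left-pad-ish': '1.3.0' },
};

// Constructed sample lockfiles. Before: node-ipc alone. After: a routine
// "npm update" pulled in a newer node-ipc that now carries peacenotwar.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/node-ipc': { version: '1.0.0' },
    'node_modules/left-pad-ish': { version: '1.3.0' },
  },
};
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/node-ipc': { version: '1.1.0' },
    'node_modules/peacenotwar': { version: '0.1.0' },
    'node_modules/left-pad-ish': { version: '1.3.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const report = reviewDependencyChange(samplePackageJson, lockBefore, lockAfter);
  console.log(JSON.stringify(report, null, 2));
}
```

Run it with node and the report lists node-ipc as a floating range, node-ipc as changed, and node_modules/peacenotwar as added. The point of the check is not to block updates, but to turn “the lockfile moved” into a diff that someone actually reads before it is merged.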

Link

Deep Dive 2 — Beware 1st Generation Wyze Cameras 🙁

TL;DR — if you have a Wyze generation 1 camera, it is not safe to use anymore. It has a critical un-patchable vulnerability. If you have a V2 or V3 Wyze camera, it’s very important you make sure it is fully patched.

We now know that in March 2019 the security company Bitdefender informed Wyze of a major vulnerability in their cameras. Attackers could remotely control the cameras and view videos saved on the SD card, but not watch a live stream.

Wyze did not acknowledge receipt of the report until November 2020. They did not patch the vulnerability until January 2022.

In February 2022 they discontinued the V1 camera because it can’t be patched as the hardware simply can’t work with the patch. They told users the camera was incompatible with a security update, and that using it would put them at ‘increased risk’ but gave no details.

Wyze never disclosed the details. The only reason we know about this at all is that the details were leaked to the press. It’s also important to note that Bitdefender didn’t disclose this vulnerability either. It is customary for security companies to disclose vulnerabilities in a relatively short time period, but Bitdefender says that they didn’t want to make millions of cameras vulnerable when they knew the company wasn’t going to be able to fix the problem. That response from Bitdefender isn’t being widely accepted in the security community.

It’s hard to imagine how Wyze’s response could have been worse. They sat on the problem for a year and a half, were slow to patch it even then, and were utterly opaque in communication with their users.

This is such a breach of customer trust, in Allison’s and my opinion, that we can’t ever trust them again. As a result, we will be advising all our friends and family to avoid all the company’s products from now on and to work to replace any Wyze cameras they have now.

Link

Deep Dive 3 — The EU Agrees on the DMA

The European Union has been working on a major new regulation to tackle the anti-trust concerns raised by big tech. This act is known as the Digital Markets Act, or the DMA.

It’s important to note that while the act passed a very major milestone this week, it has not passed, and a lot of the details remain to be worked out.

It’s important to remember that, unlike the USA, the EU is not a single country, so laws don’t get passed as they do within nations. The European Commission drafts acts that need to be passed by both the European Parliament and the Council of Ministers to become directives; each country then translates the directive into national law.

To avoid problems down the road, the Commission set up a marathon trialogue with representatives from the parliament and the council to hammer out a final deal on the DMA, and it’s that deal that was done this week. This means all three legislative branches of the EU agree on what will and won’t be in the act, but the final wording has not been written yet, and nothing has been passed yet. As the Commission put it in their own press release:

“After the legal text is finalised at technical level and checked by lawyer-linguists, it will need to be approved by both Parliament and Council. Once this process is completed, it will come into force 20 days after its publication in the EU Official Journal and the rules will apply six months after.”

So, we don’t have the final “technical level” text, and even when we do get it, it will still be open to interpretation. The act will give sole enforcement authority to the European Commission, but the first step will be an engagement between the commission and the company to try to agree on a path to compliance, so there’s a heck of a lot of uncertainty when it comes to the specifics.

With all those caveats out of the way, what has been agreed upon?

Firstly, since the point of this act is to fight anti-competitive behaviour, it will only apply to large corporations that provide core platform services and have been designated as gatekeepers. So unlike the GDPR, this law won’t apply to the vast majority of companies. The Commission will designate companies as gatekeepers. To be considered possible gatekeepers they really do need to be big — having a market cap of €75Bn or annual turn-over of €7.5Bn, and they must have at least 45M monthly users in the EU, and at least 10K yearly business users in the EU.

The act specifies both a list of responsibilities Gatekeepers have and a list of prohibitions. I’m not going to list them though, you can read those for yourselves 🙂. Instead, I want to focus on a few of the more important aspects.

No Data Sharing Without Explicit Consent

Gatekeepers can’t aggregate data from multiple services, including third-party services without explicit consent from the user. Targeted advertising is explicitly called out in the act as requiring consent.

In a very nice touch, gatekeepers can only nag you once a year to re-consider your choice not to consent!

Gatekeepers Must Allow Customer Choice

Exactly how far this will go isn’t clear yet, but the press release from the Commission says gatekeepers will have to “allow users to freely choose their browser, virtual assistants or search engines”.

It seems pretty clear alternative payment methods will have to be allowed in mobile apps, and it seems very likely there will be some kind of requirement for selling apps outside the gatekeeper’s own app stores, but that doesn’t necessarily mean a Wild West where anything goes. In press comments, Commission staff talked about “multiple safe and secure app stores” but didn’t mention sideloading.

Messaging Services Must Support Interoperability on Request

This was not a part of what the Commission wanted to do, so it came as a surprise to me that it was added to the act, but the Parliament was adamant that gatekeepers who run messaging services be forced to support interoperability with smaller services.

As it stands, the act will require gatekeepers to make APIs available to allow smaller messaging services to interoperate with their messaging services on request. Initially, this will only apply to one-on-one conversations. In comments I’ve come across, the Commission staff made it clear they expect the APIs to support end-to-end encryption. The hope is that in four years it will be possible to add an interoperability requirement for group messaging as well.

Other Highlights

  • Unsubscribing from services has to be as easy as subscribing to them
  • Developers must be given ‘fair’ access to ‘supplementary functionalities’ on mobile devices, e.g. things like NFC.
  • Sellers need to be given access to sales data on the things they sell in marketplaces run by gatekeepers
  • Gatekeepers can’t rank their own services higher than others, i.e. a ban on ‘self preferencing’

Links

❗ Action Alerts

Worthy Warnings

  • If you have a QNAP NAS that’s connected to the internet, and not patched, then it’s time to fix that because Sophos are warning about active attacks by the DEADBOLT ransomware that are exploiting these NAS boxes to destroy backups before deploying a regular ransomware attack — nakedsecurity.sophos.com/…

Notable News

  • A pair of major vulnerabilities has been found in VMware’s Spring Java framework (it has nothing to do with their virtualisation products!). If you’re in corporate IT, and you have apps that use Spring, it’s critical they be patched. It’s extremely unlikely there is anything regular folks can, let alone need to, do — nakedsecurity.sophos.com/… (Maybe buy your friendly neighbourhood corporate sysadmin a coffee 😉)
  • 🇺🇸 The Federal Trade Commission (FTC) has entered into a Consent Decree with popular custom printing site Café Press for ‘Data Breach Coverup’ that will see the company pay a fine of $½Bn and submit to a security assessment biennially (every 2 years) for the next 20 years — nakedsecurity.sophos.com/… (Editorial by Bart: the story is worth a read because the FTC are extremely critical of Café Press for both how bad their security was before the breach, and how ineffective and dishonest their response was.)
  • 🇺🇸 Brian Krebs has warned that hacked US law enforcement accounts are being used to trick major tech companies, including Apple & Meta (Facebook), into handing over user data. Normally a subpoena is needed to get data, but there is a procedure for bypassing that requirement in cases where there is an immediate threat to life. Illegitimate access to any legitimate law enforcement email account is all attackers need to get the data they want — krebsonsecurity.com/… & www.macobserver.com/… (Editorial by Bart: this means the entire system is as strong as the weakest IT practices in the smallest of US police departments 😨)
  • Related: Fake Emergency Search Warrants Draw Scrutiny from Capitol Hill — krebsonsecurity.com/…
  • Apple Stores won’t repair iPhones that are marked as missing anymore — www.imore.com/…
  • 🎧 Related Tip: Checklist 273: What Do You Do If You Lose Your iPhone? — overcast.fm/…

Top Tips

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

3 thoughts on “Security Bits — 3 April 2022”

  1. […] we talk about the DMA (Digital Markets Act – see Bart’s deep dive on this during Security Bits for 3 April 2022) starting to work its way through the European Commission and how Tom interprets the […]

  2. […] About a month ago it was big news when the European Commission, European Parliament, and the European Council reached an agreement on the big-picture structure of the Digital Markets Act (DMA), and we dug into it in detail in Security Bits on 3 April 2022. […]

  3. […] 🇪🇺 The enforcement of the EU’s Digital Markets Act (the first of the two big bills to be announced) has been delayed until 2023 — http://www.macobserver.com/… (We did a deep-dive on it in early April) […]
