{"id":22019,"date":"2020-10-04T13:44:54","date_gmt":"2020-10-04T20:44:54","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=22019"},"modified":"2020-10-22T07:20:19","modified_gmt":"2020-10-22T14:20:19","slug":"sb-2020-10-04","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2020\/10\/sb-2020-10-04\/","title":{"rendered":"Security Bits \u2014 4 October 2020"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>COVID apps continue to roll out\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.imore.com\/pennsylvania-launches-contact-tracing-app-built-apple-and-google-tech\">Pennsylvania launches contact tracing app built on Apple and Google tech \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; (&#x1f3f4;&#xe0067;&#xe0062;&#xe0065;&#xe006e;&#xe0067;&#xe007f; &#x1f3f4;&#xe0067;&#xe0062;&#xe0077;&#xe006c;&#xe0073;&#xe007f;) \u2014 <a href=\"https:\/\/www.imore.com\/nhs-covid-19-app-released-england-and-wales\">NHS COVID-19 app released in England and Wales \u2014 www.imore.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/england-fixes-covid-19-app-issue\/\">England Fixes COVID-19 App Issue \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/news.sky.com\/story\/coronavirus-some-users-of-nhs-tracing-app-incorrectly-given-covid-19-exposure-alerts-12086225\">Coronavirus: Some users of NHS tracing app incorrectly given COVID-19 exposure alerts \u2014 news.sky.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1e7;&#x1f1ea; <a href=\"https:\/\/www.imore.com\/belgium-latest-launch-contact-tracing-app-based-applegoogle-tech\">Belgium the latest to launch contact tracing app based on Apple\/Google tech \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a 
href=\"https:\/\/www.imore.com\/new-york-and-new-jersey-launch-contact-tracing-apps-using-applegoogle-tech\">New York and New Jersey launch contact tracing apps using Apple\/Google tech \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Social media developments\n<ul>\n<li>&#x1f1ea;&#x1f1fa; <a href=\"https:\/\/www.vice.com\/en_us\/article\/889pk3\/facebook-threatens-to-pull-out-of-europe-if-it-doesnt-get-its-way\">Facebook Says it Will Stop Operating in Europe If Regulators Don\u2019t Back\u00a0Down \u2014 www.vice.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/illinois-facebook-payout\/\">Illinois Facebook Users Can Apply for $400 Payout \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-outlines-its-privacy-stance-now-instagram-messenger-are-one\"> Facebook outlines its privacy stance now Instagram &amp; Messenger are one \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/tiktok-proposes-new-global-coalition-against-harmful-content\">TikTok proposes new global coalition against harmful content \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>A more convincing looking updated version of the <em>O.MG<\/em> malicious USB to lightning cable that made a lot of headlines last year serves as a timely reminder not to trust cables or chargers from strangers \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/product-news\/omg-lightning-cable-spy-sneakier-than-ever\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f9ef;The latest beta of the <em>checkra1n<\/em> iOS jailbreak includes the ability to jailbreak the T2 chip in modern Macs. 
There do not appear to be any security implications to this jailbreak, at least not yet; the ability to tweak the Touch Bar appears to be the biggest consequence so far. Like the iOS jailbreak it relies on the checkm8 bootrom exploit, so it needs physical access to the Mac over USB with the T2 in DFU mode \u2014 <a href=\"https:\/\/yalujailbreak.net\/t2-security-chip-jailbreak\/\">yalujailbreak.net\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x1f9ef;Deep Dive \u2014 <em>Zerologon<\/em> (CVE-2020-1472)<\/h2>\n<p>We have a new bug with a fancy name \u2014 <em>Zerologon<\/em>. Security researchers at Secura found a flaw in the <em>Microsoft Windows Netlogon Remote Protocol<\/em>, or MS-NRPC. The spec misuses an otherwise secure encryption mode, AES in 8-bit cipher feedback mode (AES-CFB8). Modes like CFB need to be started with a block of unpredictable data before they are ready to securely encrypt real data. Cryptographers refer to this initial chunk of data as the <em>Initialisation Vector<\/em>, or IV, and it is supposed to be fresh for every message. The MS-NRPC spec instead hard-codes the IV to sixteen zero bytes. A fixed IV is weak on its own, but here the client also chooses the data being encrypted, and that combination is fatal. When a client sends an all-zero challenge, the first byte of the encrypted result is zero for roughly one session key in 256, and once that happens the CFB8 feedback register stays all zeros, so every following byte comes out zero too. A client that sends an all-zero challenge together with an all-zero credential is therefore accepted about one time in 256 without knowing the key at all, and because every attempt gets a fresh session key and machine accounts are never locked out, the attacker simply keeps trying. That explains the <em>zero<\/em> in <em>Zerologon<\/em>.<\/p>\n<p>So what does MS-NRPC do? And more importantly, what does this flaw allow attackers to do that they shouldn&#8217;t be able to do?<\/p>\n<p>Thanks to antitrust cases brought by the US DOJ (and, later, the EU Commission), Microsoft publish the specifications for the protocols that power Windows networking and groupware. Initially, this was demanded by commercial competitors like Novell (anyone remember <a href=\"https:\/\/en.wikipedia.org\/wiki\/NetWare\">NetWare<\/a>?). Novell may be a distant memory, but the fact that these specs are public is what enables our Macs to play nice in corporate environments, our NAS devices to publish our files as if they were Windows file servers, and Linux clients and servers to fully participate in Windows-based networks, and even host Active-Directory-compatible domains that Windows desktop computers can join seamlessly. 
Without these specs open source projects like Samba would have to reverse-engineer the various protocols their product relies on; instead, they simply get to implement the spec!<\/p>\n<p>So, this is how Microsoft describes MS-NRPC in <a href=\"https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-nrpc\/ff8f970f-3e37-40f7-bd4b-af7336e4792f\">the official specification<\/a>:<\/p>\n<blockquote><p>\n  \u2026 an RPC interface that is used for user and machine authentication on domain-based networks; to replicate the user account database for operating systems earlier than Windows 2000 backup domain controllers; to maintain domain relationships from the members of a domain to the domain controller, among domain controllers for a domain, and between domain controllers across domains; and to discover and manage these relationships.\n<\/p><\/blockquote>\n<p>Basically, MS-NRPC is the fundamental protocol that holds a Windows domain together.<\/p>\n<p>Because of the all-zeros IV, an attacker who can reach a domain controller over the network can authenticate to it as any computer account in the domain, including the domain controller&#8217;s own account, without knowing the account&#8217;s password. The published attack then uses that session to set the domain controller&#8217;s machine account password to an empty string, pulls every password hash in the domain through the same replication mechanism domain controllers use to sync with each other, and ends up with <em>Domain Administrator<\/em> privileges (network-level <em>root<\/em> access). Basically, if an attacker gets onto any network from which a domain controller is reachable, they can take over the entire Windows domain. In a modern corporate environment, controlling the Windows domain gives an attacker control of just about everything. This really is about as bad as it can get!<\/p>\n<p>In theory, an insecure smart lightbulb could be all it takes to expose an entire trans-national corporate network!<\/p>\n<p>A few zeros in an IV become a domain admin login without a password \u2014 definitely <em>Zerologon<\/em>!<\/p>\n<p>But wait, there&#8217;s more!<\/p>\n<p>A lot of security vulnerabilities are the result of implementation mistakes \u2014 the coders try to write code that follows the spec, but they make a mistake. 
Those bugs will exist in single products and are usually easy for the vendor to fix. This is not one of those bugs \u2014 in this case, it was a mistake in the specification, so even perfect implementations of the spec are vulnerable! This vulnerability also affects Samba when it acts as a domain controller (Samba 4.8 and later are protected by default because they ship with <em>server schannel = yes<\/em>; older versions, or any version where that setting has been changed, need the patch), and likewise some network storage devices. Only devices that act as domain controllers are exposed; a NAS that merely joins a domain as a member is not, which is why this matters for high-end SANs more than for low-end NAS devices.<\/p>\n<p>But wait, there&#8217;s even more \u2014 Microsoft are seeing active exploitation of this bug in the wild!<\/p>\n<p>This all sounds pretty bad, so what is that fire extinguisher emoji doing in the heading?<\/p>\n<p>This is a really big deal for corporate IT, but there are three good reasons regular folk don&#8217;t need to panic:<\/p>\n<ol>\n<li>This bug was responsibly disclosed. Microsoft patched it in their August <em>Patch Tuesday<\/em> security update, and Samba have also released patches. The security researchers did not release any details on the bug until after Microsoft published their September <em>Patch Tuesday<\/em> updates. (For those who do run Windows domains: patched domain controllers log event IDs 5827 to 5831 in the System log for Netlogon connections that still use the vulnerable mode, which is how you find the stragglers, and the <em>FullSecureChannelProtection<\/em> registry value described in Microsoft&#8217;s KB4557222 switches on full enforcement ahead of the February 2021 deadline.)<\/li>\n<li>This bug affects Windows domains; most home users don&#8217;t run Windows domains! Also, most home and even Small Office\/Home Office NAS devices can&#8217;t act as a Windows domain controller; only higher-end NAS and SAN devices provide Windows domain services.<\/li>\n<li>Most homes are behind NAT routers, providing protection from direct exploitation. 
If a home user did run an unpatched Windows domain though, they could get exploited indirectly via another otherwise insecure device, most likely some shoddy IoT contraption that&#8217;s all but forgotten!<\/li>\n<\/ol>\n<p>Bottom line \u2014 home users who patch their devices really have nothing to worry about here.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Microsoft&#8217;s Security Advisory \u2014 <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-1472\">portal.msrc.microsoft.com\/\u2026<\/a><\/li>\n<li>CERT&#8217;s Vulnerability Note \u2014 <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/490028\">www.kb.cert.org\/\u2026<\/a><\/li>\n<li>Samba&#8217;s Security Announcement \u2014 <a href=\"https:\/\/www.samba.org\/samba\/security\/CVE-2020-1472.html\">www.samba.org\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/09\/17\/zerologon-hacking-windows-servers-with-a-bunch-of-zeros\/\">Zerologon \u2013 hacking Windows servers with a bunch of zeros \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Apple have released security updates for just about all their OSes:\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/watchlist\/safari-14\/\">Safari 14 \u2014 tidbits.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.intego.com\/mac-security-blog\/understanding-safaris-new-privacy-report\/\">Understanding Safari&#8217;s New Privacy Report \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/tidbits.com\/2020\/09\/24\/macos-10-15-7-catalina-ios-14-0-1-ipados-14-0-1-watchos-7-0-1-and-tvos-14-0-1-squash-bugs\/\">macOS 10.15.7 Catalina, iOS 14.0.1, iPadOS 14.0.1, watchOS 7.0.1, and tvOS 14.0.1 Squash Bugs \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/tidbits.com\/watchlist\/security-update-2020-005-mojave-and-high-sierra\/\">Security Update 2020-005 (Mojave and High Sierra) \u2014 tidbits.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/apple-pulls-safari-14-and-security-update-macos-mojave\">Apple pulls Safari 14 and security update for macOS Mojave \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2020\/10\/02\/macos-10-14-6-mojave-supplemental-update-fixes-problems-with-an-updated-safari-14-0\/\">macOS 10.14.6 Mojave Supplemental Update Fixes Problems with an Updated Safari 14.0 \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/instagram-patches-security-bug-would-let-hackers-take-over-your-smartphone\">Instagram patches security bug that would let hackers take over your smartphone \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/information-technology\/2020\/09\/100000-razer-users-data-leaked-due-to-misconfigured-elasticsearch\/\">Private data gone public: Razer leaks 100,000+ gamers\u2019 personal info \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Cloudflare have launched a free privacy-first alternative to Google Analytics \u2014 <a href=\"https:\/\/www.businesswire.com\/news\/home\/20200929005178\/en\/\">www.businesswire.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2020\/10\/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam\/\">Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast 
audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><em>Blacklight<\/em> is an interesting tool for checking websites for ad trackers \u2014 <a href=\"https:\/\/themarkup.org\/blacklight\">themarkup.org\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>\n<p>&#x1f3a7; <a href=\"https:\/\/overcast.fm\/+HLr55IZxE\">Checklist 199: iOS 14 Privacy Features with Nick Leon \u2014 overcast.fm\/\u2026<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-the-internet-works\/\">How the Internet Works \u2014 www.intego.com\/\u2026<\/a><\/p>\n<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Libsyn&#8217;s Rob Walch is raising awareness of privacy-invading trackers embedded in some podcasts:\n<ul>\n<li>Rob&#8217;s original article \u2014 <a href=\"https:\/\/podcastbusinessjournal.com\/privacy-vs-podcasting\/\">podcastbusinessjournal.com\/\u2026<\/a>\n<ul>\n<li>A copy of the same article that is being actively updated with developments \u2014 <a href=\"https:\/\/podcast411.libsyn.com\/privacy-does-really-matter-in-podcasting\">podcast411.libsyn.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f3a7; <a href=\"https:\/\/overcast.fm\/+HLr5hSI-4\">Checklist 198: Listener Tracking in Podcasts with Rob Walch \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f3a7; <a href=\"https:\/\/overcast.fm\/+HLr5wUsho\">Checklist 196: \u201cThe Art of Mac Malware: Analysis\u201d with Patrick Wardle \u2014 The Checklist by SecureMac \u2014 Overcast \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>&#x1f4fa; <a href=\"https:\/\/www.netflix.com\/title\/81254224?s=i&amp;trkid=13747225\">The Social Dilemma \u2014 www.netflix.com\/\u2026<\/a><\/li>\n<li><strong>From Allison:<\/strong> <a 
href=\"https:\/\/www.vice.com\/en_us\/article\/pkyzek\/signal-new-pin-feature-worries-cybersecurity-experts\">Signal\u2019s New PIN Feature Worries Cybersecurity\u00a0Experts \u2014 www.vice.com\/\u2026<\/a>\n<ul>\n<li><em><strong>Editorial by Bart:<\/strong> I completely understand the criticisms, and until Signal introduced a setting to make the new PIN optional, I was 51% on the side of the critics, but now that the feature is optional, I think that on balance, this will make more people more secure by making the platform more usable by regular folks. Moxie is completely correct when he says this new system is much more secure than using contacts synced with iCloud, Office365, or Google Apps! Also, the fact that this will enable phone-number-free communication via Signal in an upcoming update is reason enough for the change IMO.<\/em><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.pcmag.com\/news\/election-engineering-how-us-experts-are-making-sure-your-vote-will-count\">Election Engineering: How US Experts Are Making Sure Your Vote Will Count \u2014 www.pcmag.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Allison:<\/strong> <img decoding=\"async\" src=\"https:\/\/pbs.twimg.com\/media\/EjAYGIBXkAALbYJ.jpg\" alt=\"stay at 127.0.0.1 wear a 255.255.255.0\" \/><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td 
align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
COVID apps continue to roll out &#x1f1fa;&#x1f1f8; Pennsylvania launches contact tracing app built on Apple and Google tech \u2014 www.imore.com\/\u2026 &#x1f1ec;&#x1f1e7; (&#x1f3f4;&#xe0067;&#xe0062;&#xe0065;&#xe006e;&#xe0067;&#xe007f; &#x1f3f4;&#xe0067;&#xe0062;&#xe0077;&#xe006c;&#xe0073;&#xe007f;) \u2014 NHS COVID-19 app released in England and Wales \u2014 www.imore.com\/\u2026 [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[170,50,569,2003,3220,4336],"class_list":["post-22019","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-hack","tag-security","tag-security-bits","tag-vulnerabilities","tag-vulneratiblity","tag-zerologon"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22019","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=22019"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22019\/revisions"}],"predecessor-version":[{"id":22112,"href":"https:\/\/www.podfeet.com\/
blog\/wp-json\/wp\/v2\/posts\/22019\/revisions\/22112"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=22019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=22019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=22019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
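Worked example for the Zerologon deep dive above. This is an added illustration written for this page; it is not code from the show notes, from Secura, or from Microsoft. It is in Go because Go's standard library includes AES, so the block runs with no third-party packages. It implements AES-CFB8 by hand (the standard library only ships the 128-bit feedback variant), models the credential check a Netlogon server makes during authentication with the spec's hard-coded all-zero IV, verifies in code that the all-zero challenge and credential pair is accepted exactly when the first byte of AES_k(0^16) is zero, and then plays the attacker against a stream of fresh session keys to show that the zero login lands about one time in 256 with the zero IV and never with a random one. Two simplifications are assumptions of this example and not the protocol: session keys are modelled as random bytes rather than derived from the machine password and the two challenges, and the server is reduced to the credential comparison, leaving out the negotiation flags, the server challenge and the later password-reset call. All function names (aesCFB8, serverAccepts, zeroLoginTrials and the rest) are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
	"math/rand"
)

// aesCFB8 encrypts with AES in 8-bit cipher feedback mode: each plaintext byte is
// XORed with the first byte of AES_k(shift register), then the register shifts left
// one byte and the ciphertext byte is appended at the end.
func aesCFB8(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	reg := append([]byte(nil), iv...)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = out[i]
	}
	return out, nil
}

// zeroIV is the IV the MS-NRPC spec hard-codes for ComputeNetlogonCredential.
var zeroIV = make([]byte, aes.BlockSize)

// serverAccepts models the server side of NetrServerAuthenticate3: recompute the
// credential (the 8-byte challenge encrypted with AES-CFB8 under the session key)
// and compare it with what the client sent. The IV is a parameter only so that the
// spec's zeroIV can be contrasted with a random one.
func serverAccepts(sessionKey, iv, clientChallenge, clientCredential []byte) bool {
	expected, err := aesCFB8(sessionKey, iv, clientChallenge)
	if err != nil {
		panic(err)
	}
	return bytes.Equal(expected, clientCredential)
}

// firstKeystreamByteIsZero is why the zero login works about once in 256: with a
// zero IV and a zero challenge the first credential byte is AES_k(0^16)[0]; when
// that is zero the register stays all zeros, so every later byte is zero as well.
func firstKeystreamByteIsZero(sessionKey []byte) bool {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		panic(err)
	}
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, zeroIV)
	return ks[0] == 0
}

// fillRandom fills b from a seeded generator so that runs are reproducible.
func fillRandom(rng *rand.Rand, b []byte) {
	for i := range b {
		b[i] = byte(rng.Intn(256))
	}
}

// zeroLoginTrials plays the attacker n times: every trial has a fresh session key
// (really derived from the machine password and both challenges; modelled as random
// bytes because the attacker controls neither) and the attacker always sends a zero
// challenge and a zero credential. It returns how many trials the server accepted
// and the number of the first accepted trial (0 if none). With the spec's zero IV
// expect about n/256 hits; with randomIV set, expect none.
func zeroLoginTrials(n int, randomIV bool, seed int64) (hits, firstHit int) {
	rng := rand.New(rand.NewSource(seed))
	zeros := make([]byte, 8)
	key := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	for trial := 1; trial <= n; trial++ {
		fillRandom(rng, key)
		if randomIV {
			fillRandom(rng, iv)
		}
		if serverAccepts(key, iv, zeros, zeros) {
			hits++
			if firstHit == 0 {
				firstHit = trial
			}
		}
	}
	return hits, firstHit
}

func main() {
	hits, first := zeroLoginTrials(8192, false, 1)
	fmt.Printf("zero IV: %d of 8192 trials accepted, first on trial %d\n", hits, first)
	hits, _ = zeroLoginTrials(8192, true, 1)
	fmt.Printf("random IV: %d of 8192 trials accepted\n", hits)
}
```

Run it with go run and the two counts it prints are the whole story. The IV parameter is there to show that a fresh, unpredictable IV would have closed the hole cryptographically; note that Microsoft's actual fix leaves the zero IV in the protocol and instead requires every Netlogon connection to be signed and sealed under the session key, which an attacker who only guessed the credential still does not have.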