Key security articles for week ending 22-7-22

I had a need to analyse the week's security news today, so thought I would share. If anyone is interested, I may repeat it in the future, but for now this is all about me :)

21-7-22

The @GCHQ and @NCSC proposals for child safety surrounding end-to-end encryption, all amount to a single premise: that messenger software should [be forced to] lie to its users regarding the privacy that it provides.

• Takeaway: Another proposed requirement on tech companies to remove encryption from communications, adding to the long line of dissimilar and un-cohesive attempts to eliminate encryption.
• Takeaway: This discussion has more nuance than any single mind can contemplate. It’s true that individuals have a right to privacy. It’s also true that individuals expect law enforcement to police “bad” activity that is otherwise protected by the right of privacy. Finally, it’s also a prerequisite for most B2B & B2C communications that encryption exists, and has some degree of provable secrecy (+/- quantum resistance). It’s a compleicated set of tensions.
• Note: The technical likelihood is that the manufacturers of platforms (iOS, Android, Windows, etc.) will comply as best they can without wholesale compromise of all data, yet will likely provide methods of allowing backdoors to be planted on individual devices. Most update services can already individually target individual machines (e.g. iOS upgrades are a per-device upgrade)
• Also see https://twitter.com/zsentek/status/1550045723663732737?utm_source=substack&utm_medium=email

Heatwave forced Google and Oracle to shut down computers

• https://www.bbc.com/news/technology-62202125?xtor=AL-72-%5Bpartner%5D-%5Bbbc.news.twitter%5D-%5Bheadline%5D-%5Bnews%5D-%5Bbizdev%5D-%5Bisapi%5D&at_custom4=B39F387A-0849-11ED-BD8A-69CE4744363C&at_medium=custom7&at_custom1=%5Bpost+type%5D&at_custom3=%40BBCWorld&at_custom2=twitter&at_campaign=64
• Takeaway: Business Continuity and Disaster Recovery Plans are important, and need to cover many unlikely scenarios.

Continued cyber activity in Eastern Europe observed by TAG

• https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/?utm_source=substack&utm_medium=email
• The Ukraine war has a signficant cyber implication (irrespective of it’s real-world impact, which will be debated for years)
• Takeaway: The threat actors currently active in the Ukraine war (on either side) will return to ransomware attacks in the future, and have gained a lot of experience. We should expect virulence when they turn their focus back to the west.

iOS 16 Lockdown Mode will significantly enhance the security of the devices if turned on

• https://www.sevarg.net/2022/07/20/ios16-lockdown-mode-browser-analysis/?utm_source=substack&utm_medium=email
• Takeaway: It’s a great feature, however may reduce functionality more than most users are willing to accept
• Takeaway: This is meant for highly attacked devices, not standard users

A crack in the Linux firewall/ Billions of Linux devices will never be patched for a new netfilter vulnerability

• https://www.randorisec.fr/crack-linux-firewall/?utm_source=substack&utm_medium=email
• Takeaway: Any device not receiving support from a caring vendor will never be patched

NFT collector loses 100 ETH (~$150,000) in a joke gone wrong

• https://twitter.com/web3isgreat/status/1549888768500449280?utm_source=substack&utm_medium=email
• The disaster that is Web 3 is the gift that keeps giving
• Takeaway: Web 3 is a failure that hasn’t been properly discovered yet. It’s failed at the primary mission of being decentralised, and the secondary mission of being secure. Web 4 may be a working thing.

Confluence has another critical bug, with hard-coded credentials

• https://twitter.com/fluepke/status/1549892089181257729?s=21&amp%3Bt=nxpPxvB0kh9pD2LmbJIoqw&utm_source=substack&utm_medium=email
• Takeaway: Any company capable of this type of dumbarsery doesn’t understand their product, or security. How do I do a facepalm emoji?
• ?

20-7-22

TeamViewer installs suspicious font only useful for web fingerprinting

• https://www.ctrl.blog/entry/teamviewer-font-privacy.html?utm_source=substack&utm_medium=email
• No action required

Russia Released a Ukrainian App for Hacking Russia That Was Actually Malware

• https://www.vice.com/en/article/bvmnxd/russia-released-a-ukrainian-app-for-hacking-russia-that-was-actually-malware
• Takeaway: All apps you download are a way of allowing unknown code of unknown intent to execute on your device, written by unknown people with unknown agendas. Don’t execute untrusted code.

In no joking:), I discovered like 17 RCE bugs all in a SINGLE attack surface in Windows, which proved one point I've been talking about for a while. Thread.

• https://twitter.com/haifeili/status/1549460352617705472?utm_source=substack&utm_medium=email
• Takeaway: All software has bugs, and we shouldn’t implicitly trust any vendor, or the code they provide. Don’t execute untrusted code.

Justice Department Seizes and Forfeits Approximately $500,000 from North Korean Ransomware Actors and their Conspirators

• https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors
• Takeaway: Everyone is a target of state-backed bad actors

19-7-22

SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables

• https://arxiv.org/abs/2207.07413?utm_source=substack&utm_medium=email
• This is just another method of data exfiltration (deliberate or otherwise).
• Takeaway: Any attacker who can gain physical proximity to a device, or the device’s I/O (including power supply) can directly or indirectly exfiltrate data from a device
• Takeaway: Any attacker that can run arbitrary code on a device can cause data exfiltration, even over air gaps, over significant distances
• Takeaway: Where Risk=Likelihood x Impact, for most devices this is low risk, because there are many, many better (faster, remote, more accurate) methods of data exfiltration. For critical infrastructure, airgapped networks and similar, there are fewer options for data exfiltration, therefore the likelihood increases signficantly.

Busting browser fails: What attackers see when they hack your employees’ browser

• https://blog.detectify.com/2022/07/18/what-attackers-see-when-they-hack-your-browser/
• Browsers are the new OS. ~70% of all desktop browser sessions are in Chrome. The remainder is Safari, or “others”
• Takeaway: Browser plugins are terrible for security, and should be avoided at all costs.
• Takeaway: Sharing data between browsers (i.e. signing into Microsoft/Google/Firefox browser controls) will result in unexpected data exposure

New security research: #PassBleed: How to get @okta master passwords in clear text for all employees

• https://twitter.com/gal_diskin/status/1549386931930284035?s=21&amp%3Bt=TxZVQbN_Zy3PAqvnEhj7AA&utm_source=substack&utm_medium=email
• Takeaway: Okta made a bad, bad mistake. which could be indicative of their overall methodology. Proceed with caution on Okta projects
• Takeaway: Review of all identity provider settings is critical, because compromise will result in the wholesale compromise of all assets, including user accounts, devices, applications, data and cloud services.

‘Zero Trust’ security is a poor choice of words

• https://code.mendhak.com/zero-trust-poor-choice-of-words/?utm_source=substack&utm_medium=email
• Takeaway: The phrase “Zero Trust” is probably not to be uttered around users, as it doesn’t convey the intended meaning of the concept.

A wide range of routers are under attack by new, unusually sophisticated malware

• https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/?utm_source=substack&utm_medium=email
• https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/?utm_source=substack&utm_medium=email
• Takeaway: Claims that DNS and HTTPS hijacking, Interception Attacks (MiTM) and SOHO router compromise are rare are unfounded, and these attacks need to be considered in threat modelling

Lock Screen Bypass Exploit of Android Devices (CVE-2022–20006)

• https://medium.com/maverislabs/lock-screen-bypass-exploit-of-android-devices-cve-2022-20006-604958fcee3a
• Takeaway: The lock screen is the only protection against accessing corporate M365 data by an attacker with physical access to the device
• Takeaway: The ability to remotely patch corporate devices is critical to the ongoing security of the business. Further the ability to deny access to corporate resources on unpatched (and BYOD) devices is essential

Google Play hides app permissions in favor of developer-written descriptions

• https://twitter.com/reybango/status/1548388199675731968?utm_source=substack&utm_medium=email
• Takeaway: All apps from Google Play must now be considered actively malicious. Never install an application you don’t have cause to trust.
• Takeaway: If this description was generated by the manifest of the application (i.e. technically derived, not supplied by potential adversarial developers), this would not be a significant problem

China faces its first truly mega-leak (1 billion user’s records exposed)

• https://riskybiznews.substack.com/p/risky-biz-news-china-faces-its-first
• Takeaway: China isn’t doing anything necessarily better than the rest of the world, but the great firewall of china hides it from the rest of the world. Scanning from within China results in the same everything-is-on-fire situation the rest of the world is in

Denmark bans Google Workspace:

• Source (Danish) article: https://www.datatilsynet.dk/afgoerelser/afgoerelser/2022/jul/datatilsynet-nedlaegger-behandlingsforbud-i-chromebook-sag-
• https://riskybiznews.substack.com/p/risky-biz-news-google-removes-app
• The Datatilsynet banned the use of Google Workspace, citing Google's hidden data collection practices, which transferred the personal details of Danish citizens abroad to US servers, contrary to EU and Danish legislation.

Digium Phones Under Attack: Insight Into the Web Shell Implant

• https://unit42.paloaltonetworks.com/digium-phones-web-shell/
• Takeaway: A security incident on an attack surface (in this case, Asterix VoIP servers) can compromise downstream devices (phones)
• Takeaway: The devices being compromised are actually the endpoint telephony devices

Software advertised on social media as a password-recovery and password brute-forcing tool for programmable logic controllers (PLCs) also contains a version of the Sality malware.

• https://www.bleepingcomputer.com/news/security/password-recovery-tool-infects-industrial-systems-with-sality-malware/
• Takeaway: Never run code you don’t actively have cause to trust
• Takeaway: Never run code you don’t actively have cause to trust (it bears repeating)

Attack vector for GitHub projects

• https://checkmarx.com/blog/unverified-commits-are-you-unknowingly-trusting-attackers-code/
• By leveraging the ability to spoof and forge commits’ metadata on GitHub, an attacker can deceive users and lure them into using poisoned repositories.

New vulnerabilities in fingerprint sensors and cryptocurrency wallets

• https://riskybiznews.substack.com/p/risky-biz-news-google-removes-app
• Takeaway: Trust of physical devices is unwarranted
• Takeaway: Biometrics are fundamentally insecure with the majority of current consumer-grade technology

Experts concerned about ransomware groups creating searchable databases of victim data

• https://therecord.media/experts-concerned-about-ransomware-groups-creating-searchable-databases-of-victim-data/ .
• Unsurprising - this is a symptom of the real problem (security)

Ongoing phishing campaign can hack you even when you’re protected with MFA

• https://arstechnica.com/information-technology/2022/07/microsoft-details-phishing-campaign-that-can-hijack-mfa-protected-accounts/
• Takeaway: This is not fundamentally different than any other interception/MiTM attack
• Takeaway: The reliance on JWT and similar tokens is a security weakness that has no current technical answer in widespread use

Are blockchains decentralized?

• https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/
• Takeaway: Blockchains are immature, and likely a bad technical answer for any problem they were designed to fix
• Takeaway: One day blockchain will be a functional, well designed and secure platform. Check back in 5 years
• Takeaway: Any product that implements blockchain is likely introducing supply chain risk, vulnerabilities and is not likely to be solving the core problems they claim to solve. Again, this will change in time, but Web 3 has set blockchain back by several years - don’t expect a good solution in the near term

Source articles unashamedly stolen from https://risky.biz/ and https://substack.com/profile/11790324-the-grugq , comments are mine.