Something Awesome reflection
Upon reflection, I’d say my Something Awesome has been mostly successful. I chose a simpler project to do for my Something Awesome because I anticipated I would be strapped for time because of the new trimester timetable.
In my original proposal, I aimed to have at least two news posts and one roundup post every week as part of my base success criteria. I was able to mostly achieve this, posting 4 weeks worth of Something Awesome content during the 5 weeks we were given to work on it. I did have other commitments during week 6 so I couldn’t work on it during that week. I did spend week 7 catching up on the week 6 postings.
I did have some extension criteria in my original proposal, though because I was so tight on time, I was unable to complete any of the extensions I proposed.
Given how busy I was at times during the trimester, I'm quite happy with what I was able to achieve for my Something Awesome.
Week 8 lecture reflection
This week’s morning lecture was about human nature and how humans make errors. There was a note about how next week’s after-lecture movie was going to be important for the final exam. The movie is going to be played after the evening lecture finishes at 8PM and I know I definitely won’t be able to watch it then. I guess I’ll have to be creative if I’m going to watch it in preparation for the final exam.
Buckland talked about several instances of human error that led to disaster. Some of the disasters mentioned were the Three Mile Island accident, Chernobyl, Bhopal and the Challenger disaster. Buckland also briefly mentioned the Schlieffen Plan. I’d like to briefly talk about that here.
Back before WW1, Germany had a war plan. The main aim of this plan was to prevent a two front war. This was because of the convoluted system of alliances between various European nations.
Germany was part of the Triple Alliance with Austria-Hungary and Italy. The other major military alliance back then was that of the Triple Entente, consisting of Great Britain, France and Russia. The Schlieffen Plan was a plan that prepared for a war with Russia. This was because if Germany were to be at war with Russia to the east, Russia’s ally France would also likely attack Germany from the west. This meant Germany would have to fight a war on two fronts.
Because Germany would be outnumbered in a two-front war, it could not win the war via attrition. The Schlieffen plan was to take care of France. It involved sending most of the German army west to fight France, knock France out of the war then send the remaining army to deal with Russia. They would do this by bypassing the heavily defended Franco-German border. The German army would invade through Belgium and quickly flank the French army. The main aim was to quickly take Paris and eliminate France from the war.
WW1 started once Austria-Hungary declared war on Serbia. Serbia was allied with Russia, which subsequently declared war on Austria-Hungary. Austria-Hungary’s ally Germany then declared war on Russia and France, and Germany’s Schlieffen Plan was put into action.
The plan failed due to a variety of reasons. Firstly, Germany did not expect Belgium to resist the German invasion. Not only did the Belgian army slow the German advance, the invasion of Belgium brought Great Britain into the war further adding to the enemies that Germany had in the west. The Germans took way too long to reach France, and ultimately failed to reach Paris altogether due to British intervention in France.
Secondly, the Germans did not expect the Russians to mobilise so quickly in the east. The original plan expected Russia to be slow to organise and mobilise their armies. This was because Russia had recently lost a war with Japan when the plan was conceived. Russia’s quick mobilisation meant Germany could not commit all their forces to the western front.
The combination of both of these meant the Schlieffen Plan failed to quickly eliminate France from the war. Germany did end up fighting a war of attrition on both fronts. It also did not help that its ally Austria-Hungary was incapable of fighting on its own, and its former ally Italy defected and joined the war as an enemy belligerent.
This video produced by The Great War (fantastic YouTube channel by the way) explains the Schlieffen Plan in more detail. It’s quite interesting and worth the watch.
Police state mass debate

The module 7 case study was hyped as the best of the case studies. I have to say I definitely agree with this. We were to debate whether the Australian government should be able to increase its surveillance of the Australian people.
I made two critical errors in the tut. We were given time to choose a side and prepare for the debate. I chose the side opposing more surveillance as it was my personal opinion on the subject. Turns out it was a tarp and we were jebaited as we had to debate for the other side. The first error I made was not seeing this move coming.
During the debate itself, each person would have 2 minutes to argue for their side, with the “for” side going first. Once the first “for” person finished, a person on the "against” side had their right of reply and then the next person on the “for” side had right to reply to the “against” person’s arguments. This would alternate and go along each side until every person spoke. The second error I made was sitting at the very end on the “for” side I was debating for. This meant I was the very last person to speak. Debating for a side I’m not comfortable or agree with, being the last person to speak and speaking after all the arguments have been taken by others? This is gonna go well isn’t it?
One consolation I had with going last was I had plenty of time to BS some form of coherent argument. This was exactly what I ended up doing.
One person from the opposition talked about how expensive expanding existing surveillance systems would be. Since the current government are the LNP and keep touting themselves as tHe BeTtEr EcOnOmIc MaNaGeRs, I argued the government could use the budget surplus™™™ they already achieved next year to fund the extra surveillance.
Another person mentioned something about the fear of starting a civil war. To that I say bring it on! I welcome any opportunity to topple an inept and corrupt government. If it’s gonna take a civil war or revolution, then so be it. Viva la revolution! I argued that with more surveillance, there would be more data on politicians. The general public has more incriminating evidence that can be used to overthrow the government if they need to.
I do want to reiterate that my personal opinion on the subject is completely the opposite of the side I was debating for. More surveillance would make it even easier to prosecute whistle-blowers and individuals they do not like. The government are using terrorism and crime as a scapegoat to pass draconian laws and edge closer to having a police state. They are doing this because the general Australian public are complacent with politics and are more interested in sport and who’s getting married on some braindead reality show on a garbage TV channel. The public are more easily swayed by fear politics than the facts of the matter.
The Assistance and Access legislation passed last year was very stupid and shouldn’t have passed. It has potentially destroyed whatever’s left of the Australian tech industry. If the destruction of the NBN was the first strike for the Australian tech industry, the Assistance and Access legislation could very well be the killing blow. Privacy and security will be compromised with none of the benefits that the politicians kept on claiming. We won’t more easily catch criminals and terrorists because if you happen to work in the world of crime, you’re likely more than smart enough to figure out workarounds to bypass the new changes. With the new laws, we’re submitting to the terrorists’ attempts to change our lifestyle and society. In a way, we are letting them win...
That’s my wrap which turned into a minor rant about the case study. Definitely very fun to be a part of.
Hero image credit: Imgur via /r/photoshopbattles
Week 7 lecture reflection
The lecture began with a debrief of the mid-trimester exam. It turned out there was a question that wasn’t done well by everyone that had no “truly” correct answer. Buckland ended up awarding everyone a free mark because of this. I couldn’t exactly remember what I put for this question in the exam but it doesn’t matter now because everyone is going to get a free mark for it.
The rest of the morning lecture was about the Diffie Hellman Key Exchange. It is nice that it provides confidentiality via a shared secret. It doesn’t provide authentication though, with any person able to easily eavesdrop on communications. It is definitely nice that it utilises the mathematical property of associativity to work.
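As an added example (not from the lecture or the original post), the Python below walks through the exchange the lecture covered: both sides end up with the same secret because modular exponentiation commutes, (g^a)^b = (g^b)^a mod p, and a third party who can tamper with the messages in transit can negotiate a separate secret with each side, which is the gap that authentication is meant to close. The prime 2**127 - 1, the generator 3 and the private exponents are toy values chosen here for illustration only; real deployments use standardised groups such as the RFC 7919 ffdhe groups and far larger exponents.

```python
import hashlib
import secrets

# Toy parameters (assumption for illustration only). 2**127 - 1 is a Mersenne
# prime, which keeps the arithmetic honest, but it is far too small for real
# use; deployments use standardised groups such as RFC 7919 ffdhe2048.
P = 2**127 - 1
G = 3


def keypair(p=P, g=G, priv=None):
    """Return (private exponent, public value g^priv mod p)."""
    if priv is None:
        priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def shared_secret(peer_public, priv, p=P):
    """peer_public^priv mod p, hashed down to a fixed-size symmetric key."""
    s = pow(peer_public, priv, p)
    return hashlib.sha256(s.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def honest_exchange(a_priv, b_priv):
    """Alice and Bob swap public values over an open channel.
    An eavesdropper sees A and B but cannot compute the key without a or b;
    the two sides agree because (g^a)^b == (g^b)^a mod p."""
    a, A = keypair(priv=a_priv)
    b, B = keypair(priv=b_priv)
    return shared_secret(B, a), shared_secret(A, b)


def mitm_exchange(a_priv, b_priv, m_priv):
    """The same exchange with Mallory replacing both public values in transit.
    Nothing in the protocol lets Alice check that the value she received came
    from Bob, so each side unknowingly keys to Mallory instead of to each other,
    and Mallory can decrypt, read and re-encrypt every message."""
    a, A = keypair(priv=a_priv)
    b, B = keypair(priv=b_priv)
    m, M = keypair(priv=m_priv)
    k_alice = shared_secret(M, a)      # Alice believes M is Bob's value
    k_bob = shared_secret(M, b)        # Bob believes M is Alice's value
    k_mal_alice = shared_secret(A, m)  # Mallory's key towards Alice
    k_mal_bob = shared_secret(B, m)    # Mallory's key towards Bob
    return {"alice": k_alice, "bob": k_bob,
            "mallory_alice": k_mal_alice, "mallory_bob": k_mal_bob}


if __name__ == "__main__":
    ka, kb = honest_exchange(12345, 67890)
    print("honest exchange agrees:", ka == kb)
    r = mitm_exchange(12345, 67890, 424242)
    print("Mallory shares Alice's key:", r["alice"] == r["mallory_alice"])
    print("Mallory shares Bob's key:  ", r["bob"] == r["mallory_bob"])
    print("Alice and Bob still agree: ", r["alice"] == r["bob"])
```

The fix in practice is to sign the public values (as TLS does with the server certificate) or to compare a fingerprint of the derived key out of band; without one of those, the exchange protects against a passive listener only.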
Week 6 roundup: GDPR shooting a record fine, a Zoom zero day, Logitech wireless injection, and bypassing denied permissions (also some fallout from the Assistance and Access legislation)
Welcome to the fourth edition of my roundup blog posts. New malware strains seemed to be the flavour of this week so I tried to include news on other security happenings. There was some news on the Assistance and Access legislation that passed parliament last year. Sorry for the /r/titlegore.
British Airways set to be fined $329m for 2018 data breach under the EU’s GDPR rules, with four weeks to appeal the fine

Image credit: British Airways
British Airways (BA) is facing a £183m ($329m AUD) fine under GDPR rules for a data breach last year.
BA is the first company to be publicly fined under the new rules, which came into effect last year. The rules allow regulators to fine companies for failing to protect consumer data, with a maximum penalty of 4% of annual global turnover; BA’s fine represents 1.5% of its 2017 turnover. Previously, the old laws allowed a maximum fine of £500k ($898k AUD), which is what Facebook was fined for its role in the Cambridge Analytica incident last year.
The breach was disclosed in September 2018. It involved redirecting customers visiting the BA website between April and June 2018 to a fraudulent site, where their personal details were harvested. Around 500,000 customers had their logins, payment card details, booking details, names and addresses collected. The collection of information is believed to have begun in June 2018.
The Information Commissioner’s Office (ICO) issued the fine to BA and has given it 28 days to appeal. BA intends to contest the fine fully, saying “we intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals”.
Source: BBC News, ZDNet
Zero day vulnerability with Zoom application allowed users to be forcibly joined into calls without their consent

Image credit: FlipWeb
The macOS client of the Zoom conference-call application has a zero day vulnerability. A malicious web page can forcibly join a visiting user to the attacker’s own Zoom call, and the joined user can have their camera switched on without the application ever asking for consent. I wrote a separate blog post about this in more detail.
Source: Jonathan Leitschuh
Vulnerability with Logitech wireless USB dongles means their connections could be hijacked
Image credit: Engadget
A security researcher has discovered a vulnerability in Logitech wireless USB dongles (receivers). The dongles are used by Logitech wireless mice, keyboards and presentation clickers. Dongles using Logitech’s proprietary “Unifying” technology, which communicates with the wireless device over 2.4GHz radio, are affected.
The vulnerability was discovered by Marcus Mengs. It allows an attacker within radio range to log the keystrokes sent from the wireless device to the connected computer, and also to inject their own keystrokes into that computer. This means the attacker can take over a computer connected to a Logitech dongle without ever touching the wireless mouse, keyboard or presentation clicker that the dongle is paired with.
Some Logitech dongles have a “key blacklist” that is supposed to prevent keystroke injection; the vulnerability bypasses this protection entirely. Where the link between the wireless device and the dongle is encrypted, the vulnerability can also let an attacker recover the encryption key.
Logitech was notified about the vulnerability by Mengs. Logitech plan to fix some of the issues, but not all.
Source: ZDNet
Study reveals how Android apps can bypass OS-level permission restrictions
Image credit: Android Police
Android Marshmallow introduced granular runtime app permissions, replacing the previous system that granted an app every permission it requested at install time. Users can deny an app any permission they do not want to grant. However, apps have found workarounds to access data they were not given permission to access. I wrote a separate blog post about this in more detail.
Source: Naked Security, CNET
In other news
Canonical Ltd, the company behind the Ubuntu Linux distro, had its GitHub account compromised. Ubuntu Security tweeted about the incident, saying the account’s credentials were compromised and the account was used to create repos and issues. The source code for Ubuntu was untouched by the breach.
Amazon says Australia’s anti-encryption laws are “technically flawed”. In a submitted review of the Assistance and Access legislation that passed parliament late last year, Amazon warned the laws could “reduce consumer trust in technology”.
Security backdoor discovered in a Ruby library that checks for password strength. The backdoor involved checking if the library was being used in a testing or production environment. When in production mode, it would download and run a second payload creating the backdoor in apps and sites that used the library. The backdoored library was downloaded 547 times.
Phishing emails impersonating eFax are distributing trojans. One of the trojans being spread is Dridex which steals bank credentials through browser sessions and has been able to avoid antivirus detection.
Australian encryption laws developed and passed parliament despite little consultation with Australian technology companies. Documents obtained under Freedom of Information reveal how the Department of Home Affairs did not consult Australian technology companies about the Assistance and Access legislation which passed parliament late last year.
Update to Firefox means HTTPS is required before a site or service is allowed to access a device’s microphone and camera. Starting from Firefox 68, the browser will only expose a device’s microphone and camera in secure contexts.
Security researcher says Australian anti-encryption laws are being used to undermine the freedom of the press. This comes after two police raids on a News Corp journalist and the ABC’s Sydney offices that occurred within days of each other last month.
Malware pushes unwanted advertising to 25m Android devices. The malware, known as Agent Smith, replaces legitimate apps with infected clones that are used to display ads. The vulnerability the malware leverages was fixed in the December 2017 Android security patch.
Spying tool can monitor users of encrypted messaging services on iOS and Android. The tool, known as FinSpy, can collect users’ contacts, messages, emails, calendars, GPS location, photos, files on internal storage and call data.
Monash University deploys multi-factor authentication to users after being targeted by Iranian attacks which have affected international universities. Monash Uni was affected by the Silent Librarian phishing attack, thought to be of Iranian origin. The phishing attack has targeted 144 U.S. universities and 176 other international universities, netting the attackers over 30TB of data.
NSW transport minister proposes the use of facial recognition as an alternative to the Opal card. NSW transport minister Andrew Constance said the facial recognition system would be a means of convenience and could allow commuters to bypass Opal gate barriers.
Snooping vulnerability causes Apple to disable the watchOS Walkie-Talkie app. The vulnerability made it possible to eavesdrop on other people without their consent using an iPhone.
Zhilian resumes allegedly leaked by employees. 160,000 resumes were involved in the leak on the Chinese recruitment site, allegedly for 5 Chinese Yuan (roughly $1 AUD) each.
Keyboard LEDs can be exploited to steal data. Researchers at an Israeli university have shown how an attacker with line of sight to the Caps Lock, Num Lock and Scroll Lock LEDs on a keyboard could recover data encoded in their blinking.
Updated strain of FinFisher spyware discovered by Kaspersky in Myanmar. The spyware was first used in 2018 and affects both iOS and Android devices, collecting information on contacts, messages, emails, calendars, GPS, photos and data from RAM.
Google Assistant recordings leaked by Belgian contractor. Anonymised recordings were leaked to the Belgian news organisation VRT.
--
Hero image credit: Imgur via /r/photoshopbattles
Total War: Cyber
The module 6 case study was about cyber warfare. We were to imagine a war between Australia and another world superpower. We had to think about possible avenues of attack from the other belligerent and what needed to be done to best defend Australia and its people.
Coming up with what to do was somewhat difficult. I figured that with Australia being part of the ANZUS treaty, the U.S. would reinforce Australia in the war. With U.S. involvement, Australia would be the insignificant military force and the other belligerent would most probably focus their efforts to defeat the U.S. and ignore Australia. In the case that Australia were to have primary involvement in the war, our group came up with some recommendations to protect Australia and its resources. They were:
Prevent the war in the first place: war is expensive and wasteful. It would be ideal to stop any tension through diplomacy before it escalates into a war.
Education of our leaders: our politicians have proven time and time again that they know nothing about technology. This is deadly in a war situation and will hamper the efforts of those fighting or defending. With education, we could lower the chances of them being socially engineered by the other belligerent.
Improve security for databases: in the modern world, most data is stored in a centralised database of some sort. This makes it a single point of attack for the other belligerent and they will concentrate their efforts to penetrate this. Because there isn’t really a feasible way to distribute the data, focusing our efforts on defense of this could distract the other belligerent and give our other forces opportunities to attack the enemy elsewhere while they are distracted.
Because Australia doesn’t really have a presence on the world stage, there isn’t much to attack, especially from a “cyber” context, if we do find ourselves in a war. Hence it was difficult to come up with concrete or expansive recommendations.
Hero image credit: National Geographic (Youtube)
Study reveals Android apps can work around OS-level app permissions
In the past, Android apps were granted all the permissions they required upon installation. When the user went to install an app, they would be informed of all the permissions they would be granting to the app. Google changed this behaviour in Android 6.0 Marshmallow so that app permissions were granular instead. Apps targeting Android M and above had to prompt the user when they requested a certain permission.
Last year, Google changed the policy in their Play Store to make all apps uploaded to the store target the two most recent Android versions. As of writing this, Android 9 Pie is the newest version so apps need to target at least Android 8 Oreo. With the release of Android Q expected soon, apps will need to target at least Android Pie to be published on the Play Store. Recently, Epic Games refused to publish the Android version of their flagship game Fortnite on the Play Store, with some speculating they’re doing so to avoid sharing 30% of the app revenue with Google and to circumvent the Play Store target API restriction (Fortnite targets Android 5.0 Lollipop, the version before the permission prompts were introduced).
Despite all these measures Google is putting in place to improve privacy and security, there are still ways for apps to obtain data covered by permissions they were never granted. A study published on the U.S. FTC’s website outlines how apps work around permissions to obtain user data, even when the user has denied those permissions.
Analysis
App permissions as seen in Android 9 Pie
The researchers analysed nearly 90,000 Android apps on devices running various Android versions and found apps that collected data they should not have been able to reach. With some reverse engineering, the researchers identified two main workarounds for accessing data that is normally protected by app permissions.
The first is a “side channel”. It is possible when the same sensitive information is available in more than one place on the device. The example Naked Security gave was an app requesting location data. To access location, an app asks the user for permission to use the device’s GPS, and if the user denies it, the app should not be able to determine the device’s location. However, the MAC address of the Wi-Fi access point the device is connected to can be looked up in a geolocation database, and the app can read that MAC address from an unprotected local cache. With it, the app can determine the device’s location even though it was never granted the location permission.
The second workaround is a “covert channel”: an app that holds a privilege or permission passes the protected data to an app that does not. Another sensitive piece of information on a device is its IMEI, which an app normally needs the phone permission to read. An app that can read the IMEI can, however, hand it to an app that cannot.
The researchers found that software libraries from Baidu and Salmonads were leaking this device information. The libraries wrote the IMEI to shared (external) storage, which made it readable by any app that had been granted the storage permission. The storage permission is meant to let an app read files on shared storage, not to reveal sensitive device identifiers such as the IMEI.
Repercussions
Image credit: XDA
For now, all current Android versions are potentially vulnerable. Google has said the issue is fixed in Android Q, the next version of Android, which is currently in beta. Android Q is slated for release soon, but it is unlikely that any Android device from before 2017 will receive it. With the overwhelming majority of active devices running Android Oreo or older, and roughly a quarter of all active devices running versions that predate runtime permissions altogether, a great many devices remain potentially vulnerable. With Android Q on the horizon and only one in ten active devices running the current Android Pie, there is precedent for many devices never receiving the update that fixes this vulnerability.
Source: Naked Security, CNET
Hero image credit: Android Police
Week 6 lecture reflection
Buckland was ill for this lecture so the lecture was done over Skype. Unfortunately I have a COMP2041 assignment due later during the week so I spent most of the lecture working on that and not paying much attention to the lecture. I guess I’ll have to catch up at a later time.
There were a few times when I paid more attention to the lecture. I remember Buckland talking about buffer overflows. Because of the way buffers are stored on the memory stack, an attacker could overflow the buffer and access other information on the stack. For instance, the attacker could control method or function flow during runtime by altering the return address.
Buckland also talked about how he exploited some post office system involving express envelopes when he was younger. Although what he did might not be correct or ethical, it was perfectly within the post office rules at the time. I suppose the moral of this was to use systems and their functions normally as they are made, as long as it wasn’t overly illegal because you aren’t using a system abnormally.
Zero Day vulnerability with Zoom can forcibly join users to conference calls without their consent, among other things

Zoom is an application for conducting conference calls; this post concerns its macOS client. Its ease of use makes it one of the more popular options among businesses. One way it achieves this is with “one click to reinstall and launch” functionality. However, these functions can be exploited maliciously.
Security engineer Jonathan Leitschuh discovered a vulnerability in the Zoom macOS client earlier this year. He reported it to Zoom, but it went unfixed for many months. Leitschuh eventually escalated the issue and published his findings, so the vulnerability now has zero day status.
Analysis
Leitschuh’s zero day relies on multiple components working in unison.
When Zoom is first installed on a machine, it installs and runs a local web server in the background, listening on the fixed port 19421. Its purpose is to let the user join a Zoom call with minimal effort. However, this server also lets Zoom update or reinstall itself if the user tries to join a Zoom call without the application installed. Any website the user visits can interact with this server, and Zoom’s use of it is entirely undocumented.
Zoom’s ease of joining calls is also exploited in the zero day. A user can join a Zoom call simply by visiting an appropriate URL, which contains a conference number identifying the call. For example:
https://zoom.us/j/123456789
(Also please don’t click this link. It’s not a real call. Tumblr’s garbage text editor is telling me there’s no hyperlink but the live blog still has the hyperlink...)
When the user visits the above URL, the page tells the local server to launch the Zoom app and connect the user to the specified call. Leitschuh found that the server accepts query parameters for this, and that the following two are responsible:
action=join
confno=[whatever the conference number is]
So in the above example, the Zoom page interacts with the local server by having the user’s browser request the following URL:
http://localhost:19421/launch?action=join&confno=123456789
Requesting the above URL connects the user to the Zoom call, and the user is never prompted for consent to join. Leitschuh demonstrated with a proof of concept that a malicious actor could embed a hidden iframe pointing at such a URL in their site to pull any visiting Zoom user into their call.
Not only can a malicious actor force a user to join a Zoom call without their consent, they can also have the user join with their camera switched on automatically. Hosts of Zoom calls have the option to have participants join with video connected, and the default setting for Zoom users is to let the host decide whether participants’ video is enabled on joining.
The Zoom call options as seen by the host organising the call. They can automatically enable participants’ video recording devices upon joining. Image credit: Jonathan Leitschuh
The exploitable local server that forcibly joins users to a call, the host option to enable participants’ video on joining, and the default user setting that defers to the host combine to make the zero day. Leitschuh notes that this could be used for malicious advertising, phishing, or even denial of service (DoS) by repeatedly making the user’s browser join an invalid call.
Repercussions

Image credit: PCMag
This vulnerability is a zero day and is not fixed. All macOS machines with the Zoom application installed are vulnerable. Because the local server stays behind after the application is uninstalled and reinstalls Zoom when the user next joins a call, users who have previously used Zoom are also vulnerable.
For now, Zoom users can prevent their video from being enabled by changing the default setting. Users can also terminate the local Zoom server and remove the server files.
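As an added example (not part of Leitschuh’s write-up or Zoom’s code), the Python below does two things: it maps a public join link to the localhost request described in the analysis above, so the parameter handoff is explicit, and it probes 127.0.0.1:19421 so a user can check whether the background server is still listening after terminating it and removing its files. The probe only completes a TCP handshake and closes; it sends no launch request. The join-link format and port are taken from the post; the assumption that nothing else listens on that port on a clean Mac is mine.

```python
import re
import socket
from urllib.parse import urlencode, urlparse

ZOOM_LOCAL_PORT = 19421  # fixed port of the background server, per the post


def launch_url_for(join_url):
    """Translate https://zoom.us/j/<confno> into the localhost request that
    the Zoom web page causes the browser to make. Any other URL is rejected,
    so the conference number is the only value that reaches the query."""
    u = urlparse(join_url)
    if u.scheme != "https" or u.hostname != "zoom.us":
        raise ValueError("not a zoom.us link")
    m = re.fullmatch(r"/j/(\d+)", u.path)
    if not m:
        raise ValueError("not a /j/<confno> join link")
    params = urlencode({"action": "join", "confno": m.group(1)})
    return f"http://localhost:{ZOOM_LOCAL_PORT}/launch?{params}"


def port_is_listening(host="127.0.0.1", port=ZOOM_LOCAL_PORT, timeout=0.5):
    """True if something accepts TCP connections on host:port. This only
    completes the handshake and closes; nothing is sent to the server."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_local_server():
    """Report whether the background server is present. Assumption: on a Mac
    that has fully removed Zoom, nothing else listens on this port."""
    listening = port_is_listening()
    return {
        "port": ZOOM_LOCAL_PORT,
        "listening": listening,
        "advice": ("Zoom's background server is still running; terminate it "
                   "and remove its files as described above"
                   if listening else
                   "nothing is listening on the Zoom port"),
    }


if __name__ == "__main__":
    print(launch_url_for("https://zoom.us/j/123456789"))
    print(check_local_server())
```

Run it before and after following the removal steps; if the port is still reported as listening after the files are gone, the server process is still alive and needs to be terminated too.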
Setting to prevent the automatic enabling of a user’s video. Image credit: Jonathan Leitschuh
Zoom acknowledged the issue when Leitschuh reported his findings, but has defended its practices, and this refusal to patch the zero day leaves millions of macOS devices that currently or previously used the Zoom application vulnerable.
Source: Jonathan Leitschuh
Hero image source: FlipWeb
Week 5 roundup: new guidelines, remote unlocking, forced surveillance, and resetting other people’s passwords

Welcome to the third edition of my roundup blog posts. If you’re reading this, it means Tumblr’s text editor didn’t explode this time.
Germany set to detail security measures that must be present in web browsers before they are deemed “secure”
Image credit: Gizmodo
Modern web browsers are very capable and see widespread use, so they need to be secure against attackers in an ever-changing internet landscape. Because the possible attack surface is so wide, it is difficult to define what “secure” means for a web browser. Regardless, Germany is set to publish guidelines defining what a browser must have in order to be deemed “secure”.
Germany’s Federal Office for Information Security, or Bundesamt für Sicherheit in der Informationstechnik (BSI), first introduced these guidelines in 2017 and has now published a new draft with updated requirements. The notable ones include:
Mandatory support for TLS
Mandatory support for a list of trusted certificates, including extended validation (EV) certificates, with revocation checked against a Certificate Revocation List (CRL) or via the Online Certificate Status Protocol (OCSP)
Indication to the user via iconography or colour to show the encryption status of network communications
Mandatory support for HTTP Strict Transport Security (HSTS) (RFC 6797), Same Origin Policy (SOP), Content Security Policy (CSP) 2.0, and Subresource Integrity (SRI)
Mandatory signed and verifiable automatic updates of the browser and its installed extensions or plugins
The browser’s password manager, if it has one, must store user-deletable, encrypted passwords. Access to the password manager is only granted to the user after they have entered a master password
Browser cookies and history must be user-deletable
Giving organisations the option to disable the sending of browser telemetry or usage statistics, to apply locally-defined site blocklists, and to control which add-ons or extensions are installed
Mandatory inclusion of a mechanism to detect harmful content or URLs
Accessible options to toggle plugins, extensions or Javascript
The browser must be executable with minimal permissions from the operating system
Mandatory sandboxing or isolation of webpages and browser components. Components may communicate with other components via an interface. Resources of the components must not be directly accessible
Browsers must be programmed in a language that support stack and heap memory protections
Browser vendors must fix security flaws within 21 days of public disclosure; if they do not, organisations are expected to move to a different browser
The draft document is currently going through public debate in Germany. Once this is complete, the BSI will publish the finalised document with all the guidelines.
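Three of the requirements above (HSTS, CSP and SRI) are things you can check mechanically, so here is an added example of what those checks look like in practice. This is my own illustration, not code from the BSI draft or from any browser; the response headers and the script body are constructed, and the six-month HSTS minimum is an assumption I chose for the audit, not a figure from the draft.

```python
import base64
import hashlib

# Added example, not from the BSI draft or ZDNet: checks for three of the listed
# requirements. HSTS parsing follows RFC 6797 (directives are ';'-separated and
# case-insensitive; max-age is mandatory). SRI follows the W3C format
# "<algo>-<base64 digest>". All sample input below is constructed.

MIN_HSTS_MAX_AGE = 15768000  # six months; an assumed audit threshold, not a BSI figure


def parse_hsts(header_value):
    """Return {'max_age', 'include_subdomains', 'preload'} or None if malformed."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None  # RFC 6797: a policy without a valid max-age is invalid
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def sri_integrity(content, algo="sha384"):
    """Compute the integrity attribute value for a script or stylesheet body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(content, integrity):
    """Accept the body if it matches any listed hash with a permitted algorithm.

    (The spec prefers the strongest listed algorithm; any-match is enough here.)
    """
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue  # unknown or weak algorithms (e.g. md5) are ignored
        if sri_integrity(content, algo) == token:
            return True
    return False


def audit_response(headers):
    """Return a list of findings for one response's headers."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = parse_hsts(lower.get("strict-transport-security", ""))
    if hsts is None:
        findings.append("missing or malformed HSTS header")
    elif hsts["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age shorter than six months")
    if "content-security-policy" not in lower:
        findings.append("no Content-Security-Policy header")
    return findings


# Constructed sample input, not captured from any real site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
}
SAMPLE_SCRIPT = b"console.log('hello');\n"

if __name__ == "__main__":
    print("findings:", audit_response(SAMPLE_HEADERS) or "none")
    tag = sri_integrity(SAMPLE_SCRIPT)
    print('<script src="https://cdn.example/app.js" integrity="%s">' % tag)
    print("tampered body accepted?", verify_sri(SAMPLE_SCRIPT + b"alert(1)", tag))
```

The SRI half is the part worth internalising: the browser recomputes the digest of what it actually fetched from the CDN and refuses to run it if the digest does not match the tag, so a compromised CDN cannot swap in a different script.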
Source: ZDNet
Zipato smart hubs had a vulnerability that allowed for the easy unlocking of connected smart locks
Image credit: TechCrunch
Smart homes are often assumed to be more secure than their traditional counterparts. That is not always the case: security researchers found a flaw in Zipato smart hubs that made it possible to remotely unlock a connected smart lock. I wrote a separate blog post about this in more detail earlier in the week.
Source: TechCrunch
Tourists in China’s Xinjiang region are forced to install data-collecting malware on their smartphones
Image credit: The Guardian
China already controls and monitors what its citizens can see and say, both at the network level and on their personal devices. Exerting that control over the personal devices of foreign tourists is harder, and authorities in China’s Xinjiang region are flexing their powers to gain access to those devices.
A joint investigation between VICE, The New York Times, The Guardian, Süddeutsche Zeitung and German broadcaster NDR has revealed the extent of the surveillance on foreign tourists being carried out by Xinjiang authorities.
Border authorities stop tourists and take their phones. They then install a purpose-built malware app referred to as BXAQ or 蜂采 (Fēng cǎi). BXAQ collects the owner’s emails, text messages and contacts, and also appears to record the phone’s hardware details. Everything it collects is uploaded to a server.
The Xinjiang region of China is home to a large Muslim population, and Chinese authorities are running a mass surveillance programme over the region and its people. BXAQ also scans the device for content related to Islam and flags it; examples include an al-Qaida-produced magazine and information on the Islamic month of Ramadan. Other, seemingly unrelated, things it flags include material on the Dalai Lama and a Japanese metal band.
iOS devices are plugged into a reader that performs the same scan as BXAQ. Android supports third-party app sideloading, so on Android the BXAQ app is installed directly on the device and uninstalled afterwards. In some rare cases the authorities did not uninstall BXAQ before returning the phone to its owner. VICE obtained the APK for the Android BXAQ app and uploaded it to its GitHub account.
It is not clear where the collected data is sent to or how long it is stored before being deleted. The joint investigation also notes there is no evidence of surveillance of tourists after they have their phones returned to them.
Source: VICE, The New York Times, The Guardian
7-Eleven Japan discontinues new mobile payment app within days after launch

Image credit: Google Play
7-Eleven Japan recently launched a new mobile payment app. Usage of the app was discontinued within days because it allowed users to reset the passwords of other user accounts. I wrote a separate blog post about this in more detail.
Source: Android Police, ZDNet
In other news
Google releases the monthly Android security patch for July. Some critical vulnerabilities with the kernel, WLAN host and driver, and audio were fixed, with Android version 7.0 Nougat and newer affected.
Dating app fined for misleading users about privacy and leaking their nudes. The app leaked user’s photos for a year and did not make any changes despite being notified of the leak by several news sites when first discovered. The photos were found on an unprotected server.
Decade-old “Heaven’s Gate” technique is still being incorporated into modern malware. Heaven’s Gate lets a 32-bit process running on a 64-bit machine switch into 64-bit mode and execute 64-bit code. 64-bit Windows runs 32-bit applications through a compatibility subsystem (WoW64), and by escaping it the malware was able to evade antivirus detection. Windows 10 includes mitigations against the technique, but Heaven’s Gate malware still targets older versions of Windows.
U.S. Customs and Border Protection suspends a subcontractor after collected information was transferred to its network that was attacked. Photos of travellers and car registration plates were transferred. Attackers stole government agency contracts, budget spreadsheets and slideshow presentations.
macOS malware masquerading as an installer for Adobe Flash is appearing in Google search results. The malware installs malicious applications and browser extensions.
Phishing site mimics the site used to obtain the Instagram “verified” checkmark. The site was discovered by some security researchers.
Google security researcher discovers an iMessage vulnerability that soft-bricks iPhones. The vulnerability causes SpringBoard, the process that draws the iOS home screen, to crash and relaunch repeatedly, mimicking a bootloop. Every recovery method requires the affected user to wipe their device.
OpenID Foundation says “Sign In with Apple” is not OpenID compliant and insecure. The service, announced by Apple at WWDC 2019, is built on top of OpenID Connect but does not comply with all of the standards set by the foundation.
Attack steals money from banks in Bangladesh, India, Sri Lanka and Kyrgyzstan. One affected bank in Bangladesh had over $3m USD stolen.
UK forensics firm paid ransom to attackers. The ransomware caused police to suspend all operations with the firm.
--
Hero image credit: Getty Images via The New York Times
Vulnerability with 7-Eleven Japan payment app results in $725k in illegal transactions

Convenience stores are a staple in Japan. Chains such as FamilyMart and Lawson have stores on nearly every street corner. 7-Eleven, one such chain, released a new mobile payment app at the beginning of the month. Within days, use of the app was suspended because of a security vulnerability.
The vulnerability resulted in ¥55m (about $725k) being stolen from around 900 7-Eleven customers. 7-Eleven Japan has promised to compensate them for the lost money.
Analysis
The 7-Eleven payment app handles transactions with user accounts. Users register their accounts and link their credit or debit card to them. When users go to pay for their store purchases, the app displays a barcode which is scanned by a cashier and the amount is deducted from the card.
To help users who are locked out of their accounts, the app lets them reset their password from within the app. Normally a reset request sends the reset link to the email address registered to the account, so without access to the owner’s mailbox you cannot reset their password.
The flaw in 7-Eleven’s app was that the reset email could be directed to a different address supplied with the request. An attacker only needed the victim’s registered email address, date of birth and phone number to have a reset link for the victim’s account sent to the attacker’s own inbox.
No modification of the app and no tampering with HTTP requests was needed to have the email sent to a third-party address. Worse, if a user had never set a date of birth, the account defaulted to 1 January 2019, so such accounts could be attacked without knowing the owner’s birthday at all.
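To make the flaw concrete, here is an added model of the reset flow with the reported behaviour beside the usual fix. This is my own illustration, not 7-Eleven’s code: the accounts, phone numbers and mail outbox are constructed, and the only detail taken from the reports is the 1 January 2019 default birthday.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example, not 7-Eleven's code. Models a password-reset flow in two forms:
# the reported flaw (recipient chosen by the caller, unset birthday equals a
# default) and the usual fix. Accounts and addresses below are constructed.

DEFAULT_DOB = "2019-01-01"  # the default the reports say applied when no birthday was set


@dataclass
class Account:
    email: str
    phone: str
    dob: Optional[str]  # None means the user never set a birthday
    password: str


ACCOUNTS = {  # constructed sample data
    "alice@example.com": Account("alice@example.com", "090-1234-5678", "1990-05-20", "hunter2"),
    "bob@example.com": Account("bob@example.com", "090-8765-4321", None, "letmein"),
}
OUTBOX = []  # (recipient, token) pairs "sent" by the model mailer
TOKENS = {}  # live reset token -> account email


def send_mail(recipient, token):
    OUTBOX.append((recipient, token))


def issue_token(email):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = email
    return token


def request_reset_vulnerable(email, dob, phone, send_to):
    """Flawed flow: the request names the recipient, and an account with no
    birthday compares equal to the app-wide default."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    effective_dob = acct.dob if acct.dob is not None else DEFAULT_DOB
    if effective_dob == dob and acct.phone == phone:
        send_mail(send_to, issue_token(email))  # attacker-controlled recipient
        return True
    return False


def request_reset_hardened(email, dob, phone):
    """Fixed flow: the link goes only to the registered address, an account
    without a birthday cannot be verified by birthday, and the reply does not
    reveal whether the account exists."""
    acct = ACCOUNTS.get(email)
    if (acct is not None and acct.dob is not None
            and secrets.compare_digest(acct.dob, dob)
            and secrets.compare_digest(acct.phone, phone)):
        send_mail(acct.email, issue_token(email))
    return "If an account matches, a reset link has been emailed to its registered address."


def redeem_token(token, new_password):
    """Single-use: whoever holds a valid token sets the password."""
    email = TOKENS.pop(token, None)
    if email is None:
        return False
    ACCOUNTS[email].password = new_password
    return True


if __name__ == "__main__":
    request_reset_vulnerable("alice@example.com", "1990-05-20", "090-1234-5678", "attacker@example.net")
    recipient, token = OUTBOX[-1]
    print("vulnerable flow mailed the link to:", recipient)
    redeem_token(token, "pwned")
    print("alice's password is now:", ACCOUNTS["alice@example.com"].password)
```

The two fixes are independent and both are needed: tying the recipient to the stored address stops the account takeover, and treating an unset birthday as "cannot verify" (rather than as a known default value) stops the knowledge check from being trivially satisfied.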
Repercussions
The 900 affected users lost money as a result of this vulnerability, and 7-Eleven is compensating them for the losses. Other cashless payment vendors will presumably check and test their own systems more thoroughly to make sure they do not share the same flaw.
In Japan, cash is still the dominant payment method, and the country is only slowly switching to cashless payment. This 7-Eleven vulnerability will make potential and existing users more reluctant to use cashless payment systems, and adoption will slow as a result.
Source: Android Police, ZDNet
Hero image credit: Google Play
Security researchers find security vulnerability with Zipato smart home hubs
As technology becomes ever more capable, consumers crave to have the latest and greatest tech being used in more applications across the household. Over the past decade, the smartphone has been the bastion for the bleeding edge of technological innovation. As the hardware and software innovations in smartphones become more developed, their use will become more widespread and will trickle down to other mediums.
Smart home appliances are the newest way for manufacturers to use these innovations. Startups and established companies alike show off their latest smart home products at the annual CES trade show, with a wide variety ranging from smart doorbells to a smart closet and a smart toilet (the future is now). To an uninterested outsider, it looks like they are bolting WiFi or Bluetooth onto traditional home appliances and calling them “smart”. One would expect this new smart technology to be fairly secure. However, this is not always the case.
Security researchers Chase Dardaman and Jason Wheeler have published some research into the vulnerabilities with Zipato smart hubs. They found some security vulnerabilities which can be used in tandem to unlock a door with a Zipato smart lock. Zipato have since fixed the vulnerabilities.
Analysis
The hub tested was the ZipaMicro. It stores all user and device data on an on-board memory card. The device has an internal “root” account with access to every internal function, much like a sysadmin. Root accounts are normally protected by a password and not readily accessible; here, however, the researchers were able to extract the root user’s private SSH key from the memory card.
With the private key, the researchers could log in to the ZipaMicro over SSH as root without a password. They used that access to download a file containing the hashed passwords of the hub’s users.
Normally a password hash alone is not enough to authenticate, because the authentication system expects the plaintext password, hashes it and compares the result with the stored hash; an attacker would have to crack the hash to recover the plaintext. The ZipaMicro, however, accepts the hash itself as the credential (a “pass-the-hash” scheme), so presenting the stolen hash was enough for the hub to treat the researchers as a legitimate user. Once authenticated, they wrote a short Python script that sent lock and unlock commands to a connected smart lock.
Proof of concept to unlock a smart lock connected to ZipaMicro. Source: BlackMarble via TechCrunch
The researchers also found that the same root private SSH key was hard-coded into every ZipaMicro sold, so every hub shared the same vulnerabilities. In an apartment building managed through a single account, an attacker holding that account’s password hash could unlock any door with a connected smart lock.
The researchers did find one caveat: the attacker needs to be on the same WiFi network as the ZipaMicro, which makes it harder to unlock the smart lock without being physically nearby.
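The pass-the-hash point above is easier to see in code, so here is an added model of the two authentication styles. This is my own illustration, not Zipato’s firmware and not the researchers’ script: the hub’s stored-hash format, the nonce challenge, the user record and the password are all assumptions for the sake of the demonstration.

```python
import hashlib
import hmac
import os

# Added example, not Zipato's firmware or the researchers' script. It contrasts an
# authentication scheme where the stored hash *is* the credential (pass-the-hash)
# with one where the plaintext password is required. Record formats, the
# challenge construction and the sample user are assumptions.

# --- Legacy model: stored sha1(password) is the secret the client must know ---
LEGACY_USERS = {"owner": hashlib.sha1(b"correct horse battery").hexdigest()}  # constructed


def legacy_challenge():
    return os.urandom(16).hex()


def legacy_response(nonce, password_hash):
    # The client proves knowledge of the stored hash, never of the password.
    return hashlib.sha1((nonce + password_hash).encode()).hexdigest()


def legacy_verify(user, nonce, response):
    stored = LEGACY_USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(response, legacy_response(nonce, stored))


def pass_the_hash_attack(stolen_hash, nonce):
    """An attacker holding the leaked hash file answers the challenge directly."""
    return legacy_response(nonce, stolen_hash)


# --- Hardened model: salted, slow hash; login needs the plaintext password ---
def make_record(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


HARDENED_USERS = {"owner": make_record("correct horse battery")}


def hardened_verify(user, password):
    rec = HARDENED_USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["digest"])


def replay_stolen_record_attack(stolen_record):
    """Same attacker, same leaked record, hardened hub: the record is not a
    credential. Short of cracking it, presenting the digest is all they can do."""
    return hardened_verify("owner", stolen_record["digest"].hex())


if __name__ == "__main__":
    nonce = legacy_challenge()
    leaked = LEGACY_USERS["owner"]  # what the root SSH key let the researchers read
    print("legacy hub accepts stolen hash:", legacy_verify("owner", nonce, pass_the_hash_attack(leaked, nonce)))
    print("hardened hub accepts stolen record:", replay_stolen_record_attack(HARDENED_USERS["owner"]))
```

Two caveats that the model makes obvious. The hardened scheme sends the plaintext over the wire, so it only helps if the hub’s API runs over TLS. And the hash scheme was not the root cause here: a root SSH key shared across every unit is what exposed the hash file in the first place, and per-device keys (Zipato’s actual fix) are what close that hole.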
Repercussions
Zipato has patched the vulnerability and discontinued sales of the ZipaMicro; each hub now carries a unique private SSH key. Users who have not yet updated their devices, however, remain vulnerable to this type of attack.
Smart hubs let landlords enter their tenants’ homes whenever they want. They could do so without this vulnerability, but the news about it will put the practice in the spotlight, and with that in mind consumers will be less willing to buy smart hubs for their homes.
With news of Zipato’s hubs being previously vulnerable, other manufacturers will test their own products for similar flaws, which should make current and future smart hub products on the market more secure overall.
Source: TechCrunch
Hero image credit: TechCrunch
Grand self-driving auto
The module 5 case study was about self-driving cars. Similar to last week, we had to answer the question individually first and discuss our answers with the group.
However this time around there was a twist. We were put into groups at the very beginning and each group was given a question. We were then given time to individually answer the question and share our answers with the group afterwards. Like last week, we were all given the same question. However it turned out that each group was to answer the question from a different perspective. The group I was in answered the question from the perspective of a government minister.
The question asked us whether we should have legislation to allow for self driving vehicles. It had us consider which assets needed to be protected, what risks were needed to be considered and what needed to be changed to address these risks.
I thought of a few assets that needed to be protected. These were:
Native animal species: Australia is home to many dropbears unique animal species that will behave unexpectedly. Australian humans also fall under this category.
National infrastructure and landmarks: infrastructure like roads and signs would need to be protected from any damage.
Industries: because I was thinking like a government minister, I was thinking about my political donors the people I serve and how jobs might be affected.
I brainstormed several risks with self-driving cars and tried to address them. These were:
How would the computer controlling the car react when other human drivers, pedestrians or animals behave unpredictably? This risk was the hardest to address because as a driver, you would have no control over these risk factors. It would be very difficult or maybe even outright impossible to program the self-driving AI to prepare for this. I could only think of smaller solutions to this risk. One was to change the driving and pedestrian cultures to account for self-driving vehicles and stop them from acting unpredictably. The other was to install barriers to prevent animals from accessing the roads.
How would the self-driven car adapt to changing driving conditions? The car would not know what to do when it encounters a poorly maintained road. The car would not know how to read a damaged road sign or a blacked-out traffic light. The car would also not know what to do when a road is partially closed due to roadworks, and cones and temporary signage are erected for this. To mitigate this, we could ensure that all road infrastructure is properly maintained. For example, damaged road signs would be replaced. For the problem of roadworks, roadwork protocols should be changed and standardised so that self-driving cars can be accounted for and adapt to the changed driving conditions.
How secure is the on-board driving computer from 3rd party attacks and hijackings? The computer controlling the car is like any other computer that has existed and is susceptible to 3rd party attacks and hijacking. The computer and the AI will be provided by various companies. To mitigate this risk, we should have regular checks and audits on the companies involved to make sure they are up to date with the newest technological advancements. The audit would have some protocol and the protocol should also change regularly to keep up with changes in technology and the industry.
Overall, my decision considering all this is that we should have self-driving cars. I think the risks can be managed and with the future of technology advancing in this direction, a government minister must serve in the best interests of their mates the people and propel the nation forwards towards this future.
Also side note, I really look forward to a future with self-driving cars. If only they were already here right now when I’m in uni. That way I wouldn’t need to spend 1.5 - 2 hours on public transport to commute to uni. A journey via the car would halve the time it would take for me to get here...
Hero image credit: Google
Week 5 lecture reflection
The bulk of the morning lecture was spent explaining WEP. At first glance, the intent of WEP is a sensible one. There was a need to secure wireless traffic, and WEP was the supposed solution to make it like wired communications. Obviously, as Buckland explained in the lecture, WEP is very insecure. Specifically, it utilises the XOR operation to “encrypt”, but XOR is very easily reversible, which makes it really easy to decrypt.
The moral of this was to not “roll your own”. In this context, it’s best not to create your own hash function or security standard/protocol. This is because it’s almost certain someone out there has done it already, and done it better than you would have. It is better not to make the same mistakes others have made trying to “roll their own”, and to use existing systems or libraries instead. This concept is also very relevant to programming. There exists a myriad of programming libraries for every programming language that have already implemented something useful well. It’s better to use the pre-built library than to create your own library mirroring it. If you need to add some custom features, it’s better to take the pre-built library as a base and add extension functions onto that.
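Since the reflection above leans on “XOR is easily reversible”, here is an added example of what that actually costs when a keystream gets reused, which is the situation WEP’s short 24-bit IV produces in practice. This is my own illustration, not lecture material: the keystream generator is a stand-in (SHA-256 in counter mode, not RC4), and the key, IV and frames are constructed.

```python
import hashlib

# Added example, not from the lecture. Shows why XOR stream encryption collapses
# once a keystream is reused: one known plaintext under an IV gives the keystream
# for that IV, and any other frame under the same IV then decrypts for free.
# The keystream function is a stand-in for RC4; key, IV and frames are constructed.


def keystream(key, iv, length):
    """Deterministic keystream from (key, iv): same pair, same bytes, every time."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def encrypt(key, iv, plaintext):
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def recover_keystream(ciphertext, known_plaintext):
    """Known plaintext for one frame yields the keystream prefix for its IV."""
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_with_recovered_keystream(ciphertext, ks):
    """No key needed: any frame under the same IV falls to the recovered keystream."""
    return xor_bytes(ciphertext, ks[:len(ciphertext)])


def xor_of_plaintexts(c1, c2):
    """Two frames under one IV: c1 ^ c2 == p1 ^ p2, the key drops out entirely."""
    return xor_bytes(c1, c2)


# Constructed sample traffic.
KEY = b"\x01\x02\x03\x04\x05"
IV = b"\x00\x00\x01"
FRAME1 = b"GET /index.html HTTP/1.1\r\n"  # a frame whose contents an attacker can guess
FRAME2 = b"POST /login HTTP/1.1\r\n"

if __name__ == "__main__":
    c1 = encrypt(KEY, IV, FRAME1)
    c2 = encrypt(KEY, IV, FRAME2)  # same IV reused: the mistake
    ks = recover_keystream(c1, FRAME1)
    print("second frame recovered without the key:", decrypt_with_recovered_keystream(c2, ks))
```

The takeaway is that the weakness is not XOR as such (every modern stream cipher XORs a keystream into the data) but a design that makes keystream reuse inevitable, which is one of the things WEP got wrong.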
Week 4 roundup: Tumblr’s text editor poo-ed itself
I had hours of unpublished work for this week’s roundup post all lost because the text editor managed to bug out.
Because Tumblr doesn’t save revisions of a draft post, I’m unable to recover my unpublished work.
Lesson learnt: remember to save your work constantly because Tumblr is shite.
Out of frustration, I’m only posting a link dump to some security news for this week...
— OP
https://www.androidpolice.com/2019/06/23/presidential-alerts-can-be-easily-spoofed-thanks-to-lte-security-vulnerabilities/
https://techcrunch.com/2019/06/21/lte-flaws-spoof-presidential-alerts/
https://dl.acm.org/citation.cfm?id=3326082
https://www.politico.com/story/2019/06/27/trump-officials-weigh-encryption-crackdown-1385306
https://www.cnet.com/news/trump-officials-want-to-outlaw-unbreakable-encryption-report-says/
https://www.reuters.com/article/us-usa-cyber-yandex-exclusive-idUSKCN1TS2SX
https://threatpost.com/mongodb-leak-exposed-millions-of-medical-insurance-records/146125/
https://www.androidpolice.com/2019/06/27/onedrive-personal-vault-extra-storage/
https://www.microsoft.com/en-us/microsoft-365/blog/2019/06/25/onedrive-personal-vault-added-security-onedrive-additional-storage/
https://www.itnews.com.au/news/one-in-ten-aussie-businesses-suffered-it-breaches-last-year-527306
https://security.googleblog.com/2019/06/google-public-dns-over-https-doh.html
https://www.zdnet.com/article/brazil-leads-in-ransomware-attacks/
https://www.zdnet.com/article/huawei-security-half-its-kit-has-at-least-one-potential-backdoor/
https://threatpost.com/microsoft-excel-attack-vector/146062/
https://www.zdnet.com/article/microsoft-excel-power-query-feature-can-be-abused-for-malware-distribution/
https://www.zdnet.com/article/hacker-steals-4-5-million-from-bitrue-cryptocurrency-exchange/
https://threatpost.com/thousands-of-iot-devices-bricked-by-silex-malware/146065/
https://www.zdnet.com/article/new-silex-malware-is-bricking-iot-devices-has-scary-plans/
https://www.cnet.com/news/ea-origin-had-a-vulnerability-that-left-300-million-players-potentially-exposed/
https://www.zdnet.com/article/ea-fixes-cloud-flaw-that-could-have-left-user-accounts-at-risk/
https://threatpost.com/ea-games-account-hijacking-bug/146031/
https://www.kotaku.com.au/2019/06/researchers-discover-bugs-in-eas-origin-that-exposed-millions-of-accounts/
https://threatpost.com/second-florida-city-pays-hackers-500k-post-ransomware-attack/146018/
https://www.zdnet.com/article/second-florida-city-pays-giant-ransom-to-ransomware-gang-in-a-week/
https://www.cnet.com/news/another-florida-city-pays-hackers-over-ransomware-attack/
https://techcrunch.com/2019/06/24/hackers-cell-networks-call-records-theft/
https://www.vice.com/en_us/article/j5w4xx/myspace-employees-spied-on-users-with-internal-tool-overlord
Western intelligence agencies attack Yandex with spyware, accounts targeted

Search engines are some of the internet’s most frequently visited sites. They quickly serve search results that are relevant to a user’s search query, allowing the user to quickly find any information they require. Their mass use also means the organisations running them hold plenty of sensitive information about their users, making them juicy targets for attackers to try to break.
Hackers affiliated with Western intelligence agencies broke into Russian company Yandex, deploying malware in an attempt to spy on users and their accounts. Yandex is Russia’s equivalent of Google, offering similar products and services, and the Yandex search engine is the fifth largest in the world.
Analysis
Image credit: Global Research
In late 2018, the Yandex security team detected an attack on its systems. It was detected at a very early stage and neutralised before any user data was compromised.
Yandex collaborated with Russian cybersecurity company Kaspersky and say the attack and the malware used are of Western origin. The malware used is called Regin. It is thought to be used by the “Five Eyes” intelligence alliance. Members of the Five Eyes include the United States, United Kingdom, Canada, Australia and New Zealand. It is unclear which Five Eyes nation(s) was responsible for the attack. Regin was identified as a Five Eyes tool in 2014 after revelations by Edward Snowden. Snowden is currently living in exile in Russia.
The attackers sought technical details of the methods that Yandex use to authenticate its user accounts. The attack is thought to be intended for espionage rather than to disrupt or steal intellectual property. The ultimate purpose of the attack could be to impersonate a legitimate Yandex user to access their private details and messages.
A Yandex spokesperson acknowledged the attack but declined to give further details.
Repercussions

U.S. President Donald Trump and Russian President Vladimir Putin meet at the 2019 G20 Summit. Image credit: PBS
This incident will further strain the diplomatic relationship between Russia and the United States.
The relationship between the two countries has already been on the downturn since the 2016 U.S presidential election, with accusations of Russian meddling with the Trump campaign to undermine the Clinton campaign. Russia has denied any wrongdoing, though the Mueller report did find Russian interference with the election.
Russia may take retaliatory action because of this Yandex incident. The legitimacy and effectiveness of U.S. diplomacy will be affected, with Russia possibly using the incident as leverage in its own future diplomatic endeavours.
Source: Reuters
Hero image credit: Reuters