Privacy, Security Archive

Secure Boot: this is not the protection we are looking for

So there you have it: idly recommending Secure Boot for all systems requiring an intermediate security level accomplishes nothing, except maybe giving more work to system administrators who are recompiling their kernel, while offering exactly no measurable security against many threats if the UEFI administrative password and MOK Manager passwords are not set. This is especially true for laptop systems where physical access cannot be prevented for obvious reasons. For servers in colocation, the risk of physical access is not null. And finally for many servers, the risk of a rogue employee somewhere in the supply chain, or the maintenance chain cannot be easily ruled out. The author makes a compelling case, but my knowledge on this topic is too limited to confidently present this article as a good one. I’ll leave it to those among us with more experience on this subject to shoot holes in the article, or to affirm it.

Apple, Google, and Microsoft will soon implement passwordless sign-in on all major platforms

In a joint effort, tech giants Apple, Google, and Microsoft announced Thursday morning that they have committed to building support for passwordless sign-in across all of the mobile, desktop, and browser platforms that they control in the coming year. Effectively, this means that passwordless authentication will come to all major device platforms in the not too distant future: Android and iOS mobile operating systems; Chrome, Edge, and Safari browsers; and the Windows and macOS desktop environments. A passwordless login process will let users choose their phones as the main authentication device for apps, websites, and other digital services, as Google detailed in a blog post published Thursday. Unlocking the phone with whatever is set as the default action — entering a PIN, drawing a pattern, or using fingerprint unlock — will then be enough to sign in to web services without the need to ever enter a password, made possible through the use of a unique cryptographic token called a passkey that is shared between the phone and the website. Passwords are a terrible security practice, and while password managers make the whole ordeal slightly less frustrating, using my phone’s fingerprint reader to log into stuff seems like a very welcome improvement.

How a decades-old database became a hugely profitable dossier on the health of 270 million Americans

To most Americans, the name MarketScan means nothing. But most Americans mean everything to MarketScan. As a repository of sensitive patient information, the company’s databases churn silently behind the scenes of their medical care, scooping up their most guarded secrets: the diseases they have, the drugs they’re taking, the places their bodies are broken that they haven’t told anyone but their doctor. The family of databases that make up MarketScan now include the records of a stunning 270 million Americans, or 82% of the population. The vast reach of MarketScan, and its immense value, is unmistakable. Last month, a private equity firm announced that it would pay $1 billion to buy the databases from IBM. It was by far the most valuable asset left for IBM as the technology behemoth cast off its foundering Watson Health business. Imagine how easy it would be for companies to hire only people in tip-top health, and disregard anyone with even the smallest of preexisting conditions. This data is hugely valuable to just about anyone.

IRS will soon require selfies for online access

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to will be through, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device. That will go down well.

A data black hole: Europol ordered to delete vast store of personal data

The EU’s police agency, Europol, will be forced to delete much of a vast store of personal data that it has been found to have amassed unlawfully by the bloc’s data protection watchdog. The unprecedented finding from the European Data Protection Supervisor (EDPS) targets what privacy experts are calling a “big data ark” containing billions of points of information. Sensitive data in the ark has been drawn from crime reports, hacked from encrypted phone services and sampled from asylum seekers never involved in any crime. Sometimes we need to be reminded that authorities illegally amassing huge troves of data on unsuspecting and innocent people is not something that only happens in the US. But it is also worth noticing how in the EU we at least have institutions that are trying to curb these blind mass surveillance tendencies. Whether that fight will have measurable effects in the long run is something we can’t foresee.

Pluton is not (currently) a threat to software freedom

At CES this week, Lenovo announced that their new Z-series laptops would ship with AMD processors that incorporate Microsoft’s Pluton security chip. There’s a fair degree of cynicism around whether Microsoft have the interests of the industry as a whole at heart or not, so unsurprisingly people have voiced concerns about Pluton allowing for platform lock-in and future devices no longer booting non-Windows operating systems. Based on what we currently know, I think those concerns are understandable but misplaced. As usual, Matthew Garrett does an excellent job explaining complex topics like this.

A deep dive into an NSO zero-click iMessage exploit: remote code execution

Google’s Project Zero describes a (now fixed) zero-click exploit in iMessage, and, well, it’s kind of insane. JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as JavaScript, but it’s fundamentally computationally equivalent. Mother of god.

Dude this should NOT be in a Dell Switch… Or HPE Supercomputer

Today we are going to share the result of a bit of investigation that started a few months ago on STH. The short version, it appears as though the Dell EMC S5200-ON series switches, the company’s high-end 25GbE-200GbE switches, have license/royalty stickers that have a different company name on them than they should have. Instead of saying “American Megatrends”, they instead said “American Megatrands”. To give some perspective, this looks strange because it would be like buying a Dell notebook and getting a “Macrosoft Wandows” license sticker on it. Through a fairly rough October, we validated that indeed these stickers are in the wild. Ultimately, after we brought their existence to American Megatrends (AMI) and Dell’s attention (HPE did not care enough to investigate), we now have an artifact that says that American Megatrends is honoring the license stickers and will not pursue legal action against Dell’s customers or those using them. This may seem like something insignificant and innocuous, but supply chain security is a big, big deal, and the fact these clearly misspelled license/royalty stickers made their way from printing down to the end-user of not just corporate hardware but supercomputers for the US military is… Concerning, to say the least. It shows that tampering with hardware anywhere between production of the individual chips and components down to delivery by the delivery person might be a lot easier to do than we think.

Revealed: leak uncovers global abuse of cyber-surveillance weapon

Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak. The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists. Pegasus is malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones. Is anyone really surprised? Smartphones are the ideal tools for authoritarian regimes – cameras, microphones, GPS, and other sensors in one neat little package, always on the person, ready to be exploited. Of course criminal regimes are going to abuse them, and of course no smartphone is safe.

Public key cryptography: OpenSSH private keys

When you create standard RSA keys with ssh-keygen you end up with a private key in PEM format, and a public key in OpenSSH format. Both have been described in detail in my post Public key cryptography: RSA keys. In 2014, OpenSSH introduced a custom format for private keys that is apparently similar to PEM but is internally completely different. This format is used by default when you create ed25519 keys and it is expected to be the default format for all keys in the future, so it is worth having a look. An in-depth analysis of what’s inside the OpenSSH private key format and how it is different from the standard PEM format.

The long hack: how China exploited a US tech supplier

Remember that story from two years ago, about how China had supposedly infiltrated the supply chain of Supermicro? The story was denied by American intelligence agencies and the CEOs of Apple and Amazon, but today, Bloomberg posted a follow-up piece with more sources, both anonymous and named, that the story was, in fact, real, and probably a lot bigger, too. The article lists several attacks that have taken place, all using hardware from Supermicro. Each of these distinct attacks had two things in common: China and Super Micro Computer Inc., a computer hardware maker in San Jose, California. They shared one other trait; U.S. spymasters discovered the manipulations but kept them largely secret as they tried to counter each one and learn more about China’s capabilities. Bloomberg is clearly sticking by and expanding its story, so this means it’s their and their sources’ word against that of giant corporations and American intelligence agencies, and we all know giant corporations and American intelligence agencies never lie. Right?

SerenityOS: writing a full chain exploit

I recently came across SerenityOS when it was featured in hxp CTF and then on LiveOverflow’s YouTube channel. SerenityOS is an open source operating system written from scratch by Andreas Kling and now has a strong and active community behind it. If you’d like to learn a bit more about it then the recent CppCast episode is a good place to start, as well as all of the fantastic videos by Andreas Kling. Two of the recent videos were about writing exploits for a typed array bug in JavaScript, and a kernel bug in munmap. The videos were great to watch and got me thinking that it would be fun to try and find a couple of bugs that could be chained together to create a full chain exploit such as exploiting a browser bug to exploit a kernel bug to get root access. You don’t get articles like this very often – exploiting a small hobby operating system? Sure, why not.

A look at GSM

There are well documented security flaws in GSM, and publicly available tools to exploit them. At the same time, it has become considerably cheaper and easier to analyze GSM traffic over the past few years. Open source tools such as gr-gsm have matured, and the community has developed methods for capturing the GSM spectrum without the need for expensive SDR radios. With less than $100 and a weekend it’s possible to capture and analyze GSM traffic. With some extra effort it’s possible to decrypt your own traffic, and depending on how your mobile provider has set up their network it may even be possible for somebody else to illegally decrypt traffic they don’t own. GSM is terrifying.

WhatsApp delays privacy changes following backlash

The WhatsApp messaging service announced on Friday that it would delay changes to new business features after people around the world criticized the new policy. The Facebook-owned company said it is “going to do a lot more to clear up misinformation around how privacy and security works on WhatsApp.” Privacy rights activists heavily criticized the WhatsApp changes, saying it was the latest step showing Facebook’s poor handling of user data. The real issue was a far larger than expected exodus of users to services like Signal and Telegram. I doubt Facebook will actually make any meaningful changes – instead, we’ll see a different tone or wording.

Steam’s login method is kinda interesting

How do you send a password over the internet? You acquire an SSL certificate and let TLS do the job of securely transporting the password from client to server. Of course it’s not as cut-and-dry as I’m making it out to be, but the gist of it holds true and stood the test of time. This hasn’t always been this way though, and one incredibly popular storefront on the world wide web prefers to add a little extra to this day. I’ll be discussing Steam’s unique method of logging in their users, and go down a deep rabbit hole of fascinating implementation details. Not exactly my cup of tea, but if there’s one thing I’ve learned over the years here at OSNews, it’s that the most obscure stuff can generate a lot of interest. So, here you go.

Apple’s privacy labels reveal Whatsapp and Facebook Messenger’s hunger for user data

When Apple unveiled major privacy upgrades at the WWDC 2020 for its iOS14, a battle royale broke out between the tech giant and Facebook. The social media giant claimed user data was critical to its ability to serve relevant ads and that Apple’s policies would stymie small business. As the world now grapples with Facebook’s privacy changes that require users to compulsorily share their Whatsapp data with the social media platform, Apple’s privacy labels update all but confirms what we always knew. That, data collected by Whatsapp and Facebook Messenger is far in excess of what its competitors do. Apple’s privacy labels are a great idea, and despite Google being a data-hungry company, I wouldn’t be surprised if they make their way to Android soon, too. I love how they make the contrast between various applications incredibly stark and clear. Good move by Apple.

The EU may be looking into breaking end-to-end encrypted chats

The EU is often at the forefront of consumer protection when it comes to privacy laws like the GDPR. But now it looks like the Council of the European Union might undermine all of this with a move to cancel secure end-to-end encryption as we know it, the ORF (Austrian Broadcasting Corporation) reports. The ORF obtained an internal draft in which the Council argues that the motion is meant as a counteract against terrorism, pointing to last week’s Vienna shooting. However, it’s becoming increasingly clear that the terror attack could’ve been prevented without further surveillance powers if it wasn’t for egregious mistakes in the Austrian counterterrorism office. It seems like the attack is used as a pretense to gain public support. Throwing babies out with the bathwater under nebulous claims of “but terrorism!” isn’t just an American thing. For now, this is just a proposal by one cog in the EU government machine and it’s unlikely to go anywhere (for now!), but wheels are definitely in motion, and just like our friends in the US, we have to remain vigilant for politicians abusing terrorist attacks to erode our rights and freedoms.

Online voting vendor Voatz urges Supreme Court to limit security research

The Supreme Court is considering whether to adopt a broad reading of the Computer Fraud and Abuse Act that critics say could criminalize some types of independent security research and create legal uncertainty for many security researchers. Voatz, an online voting vendor whose software was used by West Virginia for overseas military voters in the 2018 election, argues that this wouldn’t be a problem. “Necessary research and testing can be performed by authorized parties,” Voatz writes in an amicus brief to the Supreme Court. “Voatz’s own security experience provides a helpful illustration of the benefits of authorized security research, and also shows how unauthorized research and public dissemination of unvalidated or theoretical security vulnerabilities can actually cause harmful effects.” As it happens, we covered a recent conflict between Voatz and an independent security researcher in last Thursday’s deep dive on online voting. And others involved in that altercation did not see it the way Voatz did. This reminds me of TurboTax in the United States, which lobbies aggressively to keep filing taxes as difficult as possible so as to protect its business.

Hospital devices exposed to hacking with unsupported operating systems

As reported on CNET today: A huge proportion of internet-connected imaging devices at hospitals run outdated operating systems, according to research released Tuesday by Palo Alto Networks, a cybersecurity firm. The company found that 83% of these devices run on outdated software that can’t be updated even when it contains known vulnerabilities that hackers can exploit. This is such a serious issue, but most people are oblivious to the problem of critical legacy systems that cannot be upgraded. Most critics just make uninformed statements like “upgrade” to a modern OS, but it’s usually a cocktail of ageing hardware and legacy software requirements that will stop upgrades from happening.

How the CIA used Crypto AG encryption devices to spy on countries for decades

For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret. The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software. But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages. The article is behind a paywall, sadly, but I figured it’s important enough to link to.