For the first time ever, the security exploit broker Zerodium is paying a higher price for zero-day attacks that target Android than it pays for comparable attacks targeting iOS. The company provided a message to Ars, stating that while Google and Samsung have worked hard to significantly improve the security of Android. During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some them. On the other hand, Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction. In accordance with these new technical challenges related to Android security and our observations of market trends, we believe that time has come to allocate the highest bounties to Android exploits until Apple re-improves the security of iOS and strengthens its weakest parts which are iMessage and Safari (Webkit and sandbox). The security of an operating system is only as strong as its weakest links, and if Apple is slacking a bit on things like iMessage and Safari, while Google and Samsung work to strengthen Android’s weakest links, this is only a logical outcome.
Privacy, Security Archive
Foreigners crossing certain Chinese borders into the Xinjiang region, where authorities are conducting a massive campaign of surveillance and oppression against the local Muslim population, are being forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities, a collaboration by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found. The Android malware, which is installed by a border guard when they physically seize the phone, also scans the tourist or traveller’s device for a specific set of files, according to multiple expert analyses of the software. The files authorities are looking for include Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band. China is basically performing ethnic cleansing on a massive scale, and it’s using technology to aid in its goal o eradicating an entire population group. It’s chilling, and every single technology company active in China – or worse yet, aiding the regime – should be held accountable.
Samsung has advised owners of its latest TVs to run regular virus scans. A how-to video on the Samsung Support USA Twitter account demonstrates the more than a dozen remote-control button presses required to access the sub-menu needed to activate the check. It suggested users should carry out the process “every few weeks” to “prevent malicious software attacks”. What.
A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said. WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack. I never answer phone calls from telephone numbers I am not familiar with, let alone when the incoming callers his their number blocked. Apparently, though, not even protects you from attacks such as these.
A new report by Bloomberg claims that telecom giant Vodafone had found potential hidden backdoor vulnerabilities in Huawei equipment, but the claims have been refuted the carrier. The Bloomberg report makes claims that Vodafone Italy confirmed that they had found vulnerabilities as far back as 2009 in Huawei telecoms and internet equipment. Obviously Vodafone has a massive interest in denying these stories, and I find it suspicious that stories like this are almost always waved away with a we forgot to turn off/remove a diagnostic thing, oopsie!, but for us mere mortals it’s just impossible to get a good reading on this. I mean, it’s not as if we have much of a choice but to assume our carriers know what they’re doing. …wait.
Unikernels are small, specialized, single-address-space machine images constructedby treating component applications and drivers like libraries and compiling them, along with a kernel and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than full-OS virtual machines and containers. We surveyed two major unikernels, Rumprun and IncludeOS, and found that this was decidedly not the case: unikernels, which in many ways resemble embedded systems, appear to have a similarly minimal level of security. Features like ASLR, W^X, stack canaries, heap integrity checks and more are either completely absent or seriously flawed. If an application running on such a system contains a memory corruption vulnerability, it is often possible for attackers to gain code execution, even in cases where the application’s source and binary are unknown. Furthermore, because the application and the kernel run together as a single process, an attacker who compromises a unikernel can immediately exploit functionality that would require privilege escalation on a regular OS, e.g. arbitrary packet I/O. We demonstrate such attacks on both Rumprun and IncludeOS unikernels, and recommend measures to mitigate them. This is a 100+ page article – book? – that isn’t for the faint of heart.
We’re excited to announce that Gmail will become the first major email provider to follow the new SMTP MTA Strict Transport Security (MTA-STS) RFC 8461 and SMTP TLS Reporting RFC 8460 internet standards. Those new email security standards are the result of three years of collaboration within IETF, with contributions from Google and other large email providers. Google hopes other email services will also adopt these new security standards.
Colm MacCárthaigh, who was Principal Engineer for Amazon Web Services Elastic Load Balancer five years ago, posted an interesting recollection of his experience the day the Heartbleed bug went public. OpenSSL was in use widely across AWS, and the team there basically dropped everything to hot patch millions of deployments, then over the next hours and days took many other steps to mitigate the damage. It’s a fascinating story if you’re familiar with information security, or even just minimally familiar with the infrastructure that keeps the internet going.
A trending and vastly expanding GitHub database where Chinese developers have been airing their workplace grievances may be at risk of censorship. A number of internet users in China are reporting seeing their access to the database cut off when using browsers offered by companies like Tencent, Alibaba, Xiaomi, and Qihoo 360, as first spotted by Abacus. There’s no indication yet that these censorship efforts may have originated from government orders. And as a reminder: western technology companies, most prominently Apple, is working very closely with the Chinese government, giving them access to user data of Chinese users to aid the China’s totalitarian surveillance state.
HMD Global, the Finnish company that sublicensed the Nokia smartphone brand from Microsoft, is under investigation in Finland for collecting and sending some phone owners’ information to a server located in China. In a statement to Finnish newspaper Helsingin Sanomat, the company blamed the data collection on a coding mistake during which an “activation package” was accidentally included in some phones’ firmware. HMD Global said that only a single batch of Nokia 7 Plus devices were impacted and included this package. Why does stuff like this keep happening? It seems like such a simple thing to not preinstall dodgy stuff on factory-set smartphones.
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is a criminal enterprise that needs to be broken up into its constituent parts sooner rather than later.
David Balaban says, “There are plenty of operating systems aimed at achieving online anonymity. But how many of them are really good?” He highlights five candidates: Tails OS, Whonix, Kodachi, Qubes, and Subgraph. He concludes that Kodachi is the best OS to preserve anonymity. Have any OSNews readers evaluated any of these OSes? Do you agree with his conclusion?
Huawei’s rotating chairman Guo Ping has gone on the offensive this week at Mobile World Congress, following continued pressure on US allies to drop the Chinese telecoms giant over national security fears. In a strident on-stage speech and a Financial Times editorial, Guo is escalating Huawei’s side of the story by explicitly calling out the NSA, which Edward Snowden has shown to have hacked Huawei in the past, while presenting his company as a more secure option for the rest of the world. “If the NSA wants to modify routers or switches in order to eavesdrop, a Chinese company will be unlikely to co-operate,” Guo says in the FT, citing a leaked NSA document that said the agency wanted “to make sure that we know how to exploit these products.” Guo argues that his company “hampers US efforts to spy on whomever it wants,” reiterating its position that “Huawei has not and will never plant backdoors.” This war of words and boycotts will continue for a long time to come, but Guo makes an interesting point here by highlighting the fact the NSA hacked Huawei devices and email accounts of Huawai executives. I personally do not believe that devices made in China for other brands – Apple, Google, whatever – are any safer from tampering than devices from a Chinese brand. These all get made in the same factories, and I can hardly fault the Chinese government for doing what all our western governments have been doing for decades as well. It’s not a pretty game, and in an ideal world none of it would be necessary, but we should not let blind nationalism get in the way of making sound decisions.
The boot process, in computer hardware, forms the foundation for the security of the rest of the system. Security, in this context, means a “defense in depth” approach, where each layer not only provides an additional barrier to attack, but also builds on the strength of the previous one. Attackers do know that if they can compromise the boot process, they can hide malicious software that will not be detected by the rest of the system. Unfortunately, most of the existing approaches to protect the boot process also conveniently (conveniently for the vendor, of course) remove your control over your own system. How? By using software signing keys that only let you run the boot software that the vendor approves on your hardware. Your only practical choices, under these systems, are either to run OSes that get approval from the vendor, or to disable boot security altogether. In Purism, we believe that you deserve security without sacrificing control or convenience: today we are happy to announce PureBoot, our collection of software and security measures designed for you to protect the boot process, while still holding all the keys. Good initiative.
Security researchers at the Network and Distributed Systems Security Symposium in San Diego are announcing the results of some fascinating research they’ve been working on. They “built a fake network card that is capable of interacting with the operating system in the same way as a real one” and discovered that Such ports offer very privileged, low-level, direct memory access (DMA), which gives peripherals much more privilege than regular USB devices. If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system. Vendors have been gradually improving firmware and taking other steps to mitigate these vulnerabilities, but the same features that make Thunderbolt so useful also make them a much more serious attack vector than USB ever was. You may want to consider ways to disable your Thunderbolt drivers unless you can be sure that you can prevent physical access to your machine.
Huawei Technologies Co. would deny any Chinese government request to open up “back doors” in foreign telecommunications networks because they aren’t legally obliged to do so, the company’s chairman says. Liang Hua, speaking to reporters in Toronto on Thursday, said the company had received an independent legal opinion about its obligations under Chinese law and said there is nothing forcing companies to create what he called “back doors” in networks. He said they’d never received any such request, but would refuse it if they did. At this point, it seems silly to assume such backdoors do not already exist in one form or another – if not at the device level, then at the network level. This isn’t merely a Chinese thing either; western governments are doing the same thing, draped in a democratic, legal veneer through secret FISA-like courts and similar constructions.
Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users’ body weight, blood pressure, menstrual cycles or pregnancy status. Unbeknown to most people, in many cases that data is being shared with someone else: Facebook. The social-media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it, even if the user has no connection to Facebook, according to testing done by The Wall Street Journal. The apps often send the data without any prominent or specific disclosure, the testing showed. At this point, none of this should surprise anyone anymore. Still, this particular case involves applications without any Facebook logins or similar mechanisms, giving users zero indiciation that their data is being shared with Facebook. These developers are using Facebook analytics code inside their applications, which in turn collect and send the sensitive information to Facebook. Other than retreat to a deserted island – what can we even do?
A team of former U.S. government intelligence operatives working for the United Arab Emirates hacked into the iPhones of activists, diplomats and rival foreign leaders with the help of a sophisticated spying tool called Karma, in a campaign that shows how potent cyber-weapons are proliferating beyond the world’s superpowers and into the hands of smaller nations. The cyber tool allowed the small Gulf country to monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents reviewed by Reuters. The sources interviewed by Reuters were not Emirati citizens. No device is secure.
Great reporting by TechCrunch’s Josh Constine: Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms. Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits, and it has no plans to stop. Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe. This is a very interesting case. These users are clearly doing this of their own volition; they are making the choice to give up their privacy so Facebook can see literally everything they do on their iPhone. At the same time, we can all agree this scummy, sleazy, and stupid, and I would love for Apple to have the guts to revoke Facebook’s iOS developer account. They won’t, of course, but if Apple really cares about privacy – they do not, but for the sake of argument, let’s assume that they do – they should remove Facebook from the App Store.
Christian Haschek found a Raspberry Pi attached in a network closet at the company he works for, and since nobody knew what it was or where it came from, he and his colleagues decided to investigate. I asked him to unplug it, store it in a safe location, take photos of all parts and to make an image from the SD card (since I mostly work remote). I have worked on many Raspberry Pi projects and I felt confident I could find out what it does. At this point nobody thought it was going to be malicious, more like one of our staffers was playing around with something. Interesting – but worrisome – story.