Feedback & Followups
- COVID apps continue to roll out
- 🇺🇸 Pennsylvania launches contact tracing app built on Apple and Google tech — www.imore.com/…
- 🇬🇧 (🏴 🏴) — NHS COVID-19 app released in England and Wales — www.imore.com/…
- 🇧🇪 Belgium the latest to launch contact tracing app based on Apple/Google tech — www.imore.com/…
- 🇺🇸 New York and New Jersey launch contact tracing apps using Apple/Google tech — www.imore.com/…
- Social media developments
- 🇪🇺 Facebook Says it Will Stop Operating in Europe If Regulators Don’t Back Down — www.vice.com/…
- 🇺🇸 Illinois Facebook Users Can Apply for $400 Payout — www.macobserver.com/…
- Facebook outlines its privacy stance now Instagram & Messenger are one — www.imore.com/…
- TikTok proposes new global coalition against harmful content — www.imore.com/…
- A more convincing looking updated version of the O.MG malicious USB to lightning cable that made a lot of headlines last year serves as a timely reminder not to trust cables or chargers from strangers — www.macobserver.com/…
- 🧯 The latest beta of the checkra1n iOS jailbreak includes the ability to jailbreak the T2 chip in modern Macs. There do not appear to be any security implications to this jailbreak, at least not yet; the ability to tweak the Touch Bar appears to be the biggest implication — yalujailbreak.net/…
🧯 Deep Dive — Zerologon (CVE-2020-1472)
We have a new bug with a fancy name — Zerologon. Security researchers found a flaw in the Microsoft Windows Netlogon Remote Protocol, or MS-NRPC. The spec misuses an otherwise secure encryption function (AES-CFB8). Some cryptographic functions need to be started with a piece of random data before they can be used to securely encrypt real data. Cryptographers refer to this initial chunk of random data as the Initialisation Vector, or IV. The problem with the MS-NRPC spec is that it requires the IV passed to this encryption function to always be all zeros rather than random data. That explains the zero in Zerologon.
So what does MS-NRPC do? And more importantly, what does this flaw allow attackers to do that they shouldn’t be able to do?
Thanks to US antitrust laws and some diligent people in the US DOJ, Microsoft publish the specifications for the protocols that power Windows networking and groupware. Initially, this was demanded by commercial competitors like Novell (anyone remember NetWare?). Novell may be a distant memory, but the fact that these specs are public is what enables our Macs to play nice in corporate environments, our NAS devices to publish our files as if they were Windows file servers, and Linux clients and servers to fully participate in Windows-based networks, and even host Active-Directory-compatible domains that Windows desktop computers can join seamlessly. Without these specs, open source projects like SAMBA would have to reverse-engineer the various protocols their products rely on; instead, they simply get to implement the spec!
So, this is how Microsoft describes MS-NRPC in the official specification:
… an RPC interface that is used for user and machine authentication on domain-based networks; to replicate the user account database for operating systems earlier than Windows 2000 backup domain controllers; to maintain domain relationships from the members of a domain to the domain controller, among domain controllers for a domain, and between domain controllers across domains; and to discover and manage these relationships.
Basically, MS-NRPC is the fundamental protocol that holds a Windows domain together.
Because of the all-zeros IV, attackers with network-level access to a Windows domain can impersonate any computer on the domain, including a domain controller, and obtain Domain Administrator privileges (network-level root access). Basically, if an attacker gets onto a network where there’s even one domain-joined computer, they can take over the entire Windows domain. In a modern corporate environment, controlling the Windows domain gives an attacker control of just about everything. This really is about as bad as it can get!
In theory, an insecure smart lightbulb could be all it takes to expose an entire trans-national corporate network!
A few zeros in an IV become a domain admin login without a password — definitely Zerologon!
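To see why a fixed all-zero IV is fatal for 8-bit cipher feedback mode, here is an added example that is not from the article, from Microsoft’s spec, or from any Zerologon write-up. It assumes a keyed PRF (HMAC-SHA256 truncated to 16 bytes) standing in for the AES block function, since Python’s standard library has no AES; CFB only ever calls the forward block function, so the mode-level behaviour is identical. With a zero IV, an all-zero input encrypts to all zeros for roughly 1 key in 256, because the feedback register never changes; with any other IV the same outcome needs eight independent lucky bytes, a chance of about 2^-64.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """ASSUMPTION: HMAC-SHA256 truncated to one block stands in for AES,
    which the standard library lacks. CFB never inverts the block
    function, so the mode behaves exactly as it would with real AES."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback: the shift register starts as the IV; each
    output byte is E(register)[0] XOR the plaintext byte, and the register
    then drops its oldest byte and appends the ciphertext byte produced."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(BLOCK)
ZERO_INPUT = bytes(8)  # an all-zero 8-byte input, e.g. a challenge


def zero_iv_output_is_all_zero(key: bytes) -> bool:
    """With a zero IV and zero input, the register stays all zeros, so the
    same keystream byte is reused for every position: the output is all
    zeros exactly when the first keystream byte is zero."""
    return cfb8_encrypt(key, ZERO_IV, ZERO_INPUT) == ZERO_INPUT


def count_weak_keys(iv: bytes, n_keys: int) -> int:
    """How many of n_keys deterministic test keys (constructed here from a
    counter, not real Netlogon keys) map the zero input to all zeros."""
    hits = 0
    for i in range(n_keys):
        key = hashlib.sha256(i.to_bytes(4, "big")).digest()
        if cfb8_encrypt(key, iv, ZERO_INPUT) == ZERO_INPUT:
            hits += 1
    return hits


if __name__ == "__main__":
    n = 20000
    print("zero IV   :", count_weak_keys(ZERO_IV, n), "of", n, "(expect ~", n // 256, ")")
    print("nonzero IV:", count_weak_keys(bytes(range(1, 17)), n), "of", n, "(expect 0)")
```

The first count is the structural weakness: the result no longer depends on the key in any useful way, which is why a random, unpredictable IV is mandatory for CFB and why patching the spec’s implementation is the fix.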
But wait, there’s more!
A lot of security vulnerabilities are the result of implementation mistakes — the coders try to write code that follows the spec, but they make a mistake. Those bugs will exist in single products and are usually easy for the vendor to fix. This is not one of those bugs — in this case, it was a mistake in the specification, so even perfect implementations of the spec are vulnerable! This vulnerability also affects SAMBA and some network storage devices (high-end SANs more than low-end NAS devices, for reasons that will become obvious shortly).
But wait, there’s even more — Microsoft are seeing active exploitation of this bug in the wild!
This all sounds pretty bad, so what is that fire extinguisher emoji doing in the heading?
This is a really big deal for corporate IT, but there are three good reasons regular folk don’t need to panic:
- This bug was responsibly disclosed. Microsoft patched it in their August Patch Tuesday security update, and SAMBA have also released patches. The security researchers did not release any details on the bug until after Microsoft published their September Patch Tuesday updates.
- This bug affects Windows domains, and most home users don’t run Windows domains! Also, most home and even Small Office/Home Office NAS devices don’t support Windows domains; only higher-end NAS and SAN devices provide Windows domain services.
- Most homes are behind NAT routers, providing protection from direct exploitation. If a home user did run an unpatched Windows domain though, they could get exploited indirectly via another otherwise insecure device, most likely some shoddy IoT contraption that’s all but forgotten!
Bottom line — home users who patch their devices really have nothing to worry about here.
Links
- Microsoft’s Security Advisory — portal.msrc.microsoft.com/…
- CERT’s Vulnerability Note — www.kb.cert.org/…
- SAMBA’s Security Announcement — www.samba.org/…
- Zerologon – hacking Windows servers with a bunch of zeros — nakedsecurity.sophos.com/…
❗ Action Alerts
- Apple have released security updates for just about all their OSes:
- Instagram patches security bug that would let hackers take over your smartphone — www.imore.com/…
Worthy Warnings
Notable News
- Cloudflare have launched a free privacy-first alternative to Google Analytics — www.businesswire.com/…
- 🇺🇸 Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam — krebsonsecurity.com/…
Top Tips
- Blacklight is an interesting tool for checking websites for ad trackers — themarkup.org/…
Excellent Explainers
Interesting Insights
- Libsyn’s Rob Walch is raising awareness of privacy-invading trackers embedded in some podcasts:
- Rob’s original article — podcastbusinessjournal.com/…
- An updated version of the same article that is being actively updated with developments — podcast411.libsyn.com/…
- 🎧 Checklist 198: Listener Tracking in Podcasts with Rob Walch — overcast.fm/…
- 🎧 Checklist 196: “The Art of Mac Malware: Analysis” with Patrick Wardle — The Checklist by SecureMac — Overcast — overcast.fm/…
- 📺 The Social Dilemma — www.netflix.com/…
- From Allison: Signal’s New PIN Feature Worries Cybersecurity Experts — www.vice.com/…
- Editorial by Bart: I completely understand the criticisms, and until Signal introduced a setting to make the new PIN optional, I was 51% on the side of the critics, but now that the feature is optional, I think that on balance, this will make more people more secure by making the platform more usable by regular folks. Moxie is completely correct when he says this new system is much more secure than using contacts synced with iCloud, Office365, or Google Apps! Also, the fact that this will enable phone-number-free communication via Signal in an upcoming update is reason enough for the change IMO.
- 🇺🇸 Election Engineering: How US Experts Are Making Sure Your Vote Will Count — www.pcmag.com/…
Palate Cleansers
- From Allison:
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
| --- | --- |
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |