Feedback & Followups
- Following on from our discussion of 2FA bypasses by tricking people into giving up their one-time-passwords, Vice did a detailed article describing one of the new 2FA-bypass-as-a-service cybercrime offerings: The Booming Underground Market for Bots That Steal Your 2FA Codes — www.vice.com/…
- 🇺🇸 The US Commerce Department has added the NSO Group (the makers of the infamous Pegasus spyware) to the US Entity List, which bars US firms from exporting or transferring technology to NSO without a licence — www.imore.com/…
- Apple are continuing their campaign against side-loading, with Craig Federighi giving an impassioned speech outlining the dangers at the Web Summit in Lisbon — www.imore.com/… & arstechnica.com/…
- Social Media Developments
- Zoom is going to start showing ads to people who don’t pay up — www.imore.com/…
- WhatsApp is putting groups inside groups and calling them Communities — www.imore.com/…
- WhatsApp now supports multiple devices for everyone who opts in — www.imore.com/…
- Private Messenger ‘Signal’ Adds Anti-Spam Features in Update — www.macobserver.com/…
- Instagram is testing telling people to ‘Take a Break’ from scrolling — www.imore.com/…
- YouTube Will Keep ‘Dislike’ Button, but Make Dislike Counts Private to the Creator — daringfireball.net/…
Deep Dive 1 — the Trojan Source Attack
Security researchers have described a new technique for hiding malicious code so that compilers see it, but humans don’t.
The trick involves abusing the Unicode control characters that alter the direction in which text flows. Most languages are read left-to-right, but some are right-to-left. As well as allowing entire documents to be marked as right-to-left, Unicode provides invisible control characters for switching the text direction of individual sections within a single file. You need this, for example, when you want to write an English document that quotes Arabic or Hebrew passages.
These control characters don’t change the order in which the characters are stored in the file, they only change the way Unicode-aware viewers display the text.
Compilers are programs that convert human-written, human-readable text into binary code computers can execute. Compilers process the characters of a file in the order they are stored, and they give no special meaning to formatting characters like those for specifying text direction: inside a comment or a string literal, a direction marker is just another character.
The code editors and IDEs (Integrated Development Environments) used by developers use standard APIs to render text in a human-friendly way, with nice fonts, colours, text styles, and varying weights. Those APIs are generic, used to render text in all sorts of apps, so unlike compilers, they do obey Unicode text direction markers.
This means that by a pure accident of code re-use, it’s possible for code editors to show text in a different order than the compiler will see it. That’s a massive problem because it means the code humans see is not the code the compilers will compile, opening up a universe of nefarious possibilities.
While it would be possible to engineer situations where reversing the order of parts of the code changes the logic of a conditional in useful ways (e.g. "if x < 5" and "if 5 < x" test very different things), the security researchers found something much more dangerous: if you nest Unicode direction markers in a specific way, you can make code that the compiler will execute appear to sit inside a comment or a string literal, so it effectively disappears from view. The ability to have code exist but not be visible to humans is obviously extremely valuable to anyone with evil intent!
This sounds bad, but don’t panic. Firstly, before publishing their findings, the researchers responsibly disclosed the issue to the important developer software providers; secondly, they checked all of GitHub for examples of this attack in use and found none; and thirdly, the fix is very easy: update code editors, IDEs and code review tools to show code the way compilers interpret it, i.e. to highlight or ignore Unicode direction markers rather than silently obeying them. (You could detect them with a single regular expression 🙂)
The most likely attack scenario would be so-called supply chain attacks, like the infamous SolarWinds attack.
Another likely scenario would be to sneak code like this into open source projects. That’s why it’s a big deal that one of the companies given advance notice was Microsoft, so they were able to update GitHub so that pull requests flag these characters rather than being fooled by this trick.
If you write code, what should you do? If all your code is your own (probably along with well-established third-party libraries that you trust), then you’re very unlikely to be affected by this. However, if you maintain code that accepts submissions from anonymous sources, you’ll need to be sure you’re reviewing those changes in an environment that has been updated, like GitHub, or else scan incoming changes for direction-control characters yourself before you review them.
Finally, this is a good reminder of why no one should use software that’s out of support. This is a trivial fix for app developers, but, if you’re using an app no developer is maintaining, you’ll never get this simple fix!
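To make the attack and the one-regular-expression fix concrete, here is an added Python example. It is my own code, not the researchers’ and not from the page: a constructed snippet in the style of the researchers’ examples, where a single right-to-left isolate character hides an early return inside what looks like a docstring; a scanner that finds the nine Unicode direction-control characters and reports where they are; and a helper that strips them so a file renders in compiler order. The bank, the account name and the line numbers are all invented for the illustration.

```python
import re

# The nine Unicode bidirectional control characters that Trojan Source abuses:
# the embeddings/overrides LRE, RLE, PDF, LRO, RLO (U+202A..U+202E) and the
# isolates LRI, RLI, FSI, PDI (U+2066..U+2069).
BIDI_CONTROLS = re.compile(r"[\u202A-\u202E\u2066-\u2069]")
BIDI_NAMES = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(source: str):
    """Return (line, column, name) for every direction-control character in source.
    This is the 'single regular expression' check: run it over every file in a
    submission and refuse anything that comes back non-empty."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in BIDI_CONTROLS.finditer(line):
            hits.append((lineno, match.start() + 1, BIDI_NAMES[match.group()]))
    return hits


def strip_bidi_controls(source: str) -> str:
    """Remove the controls so an editor renders the file in logical (compiler) order."""
    return BIDI_CONTROLS.sub("", source)


# Constructed snippet (not from the paper or the page). The docstring on line 4
# contains an RLI (U+2067); a bidi-aware editor renders the rest of that line
# right-to-left, so the trailing ";return" appears to sit inside the docstring.
# The compiler sees the docstring close at the second ''' and then executes
# "return", so the money is never subtracted.
TROJAN_SOURCE = (
    "bank = {'alice': 100}\n"
    "\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
    "\n"
    "subtract_funds('alice', 50)\n"
)

# What a reviewer believes they are looking at: the same function without the trick.
HONEST_SOURCE = TROJAN_SOURCE.replace(" then \u2067''' ;return", " '''")


def run_snippet(source: str) -> int:
    """Execute a snippet in a fresh namespace and report Alice's final balance."""
    namespace = {}
    exec(compile(source, "<snippet>", "exec"), namespace)
    return namespace["bank"]["alice"]


if __name__ == "__main__":
    print("honest balance:", run_snippet(HONEST_SOURCE))  # 50
    print("trojan balance:", run_snippet(TROJAN_SOURCE))  # 100
    for line, col, name in find_bidi_controls(TROJAN_SOURCE):
        print(f"line {line} col {col}: {name}")  # line 4 col 47: RLI
```

The scanner deliberately reports every occurrence rather than trying to decide which ones are "legitimate": source code almost never needs these characters outside of string literals in localisation files, so a hit is worth a human look, and a stripped copy of the file shows exactly what the compiler will see.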
Link
- An excellent explanation of the bug from Brian Krebs — krebsonsecurity.com/…
Deep Dive 2 — those Emails from the FBI
Over the weekend many US sysadmins received an email genuinely from the FBI’s mail infrastructure which warned them about some kind of vague security threat and name-dropped a security researcher as the bad guy. The email contained some superb techno-babble the Star Trek writers would be proud of:
Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators.
Strangely, there was no call to action. No link to click on, no request for information, no malicious attachment to open, nothing!
Initial speculation was that it was an attempt to DDoS the FBI by generating lots of calls, or to besmirch the named security researcher, but thanks to Brian Krebs we now have the answer. It was an anonymous security researcher of unknown hat colour who wanted to draw the FBI’s attention to a flaw in one of their websites without having to reveal his identity. Basically, vulnerability disclosure by funny news story!
Thanks to Krebs we also know how it happened. No servers were hacked into, no passwords leaked, guessed, or cracked, and no one was socially engineered — it was simply terrible web design left over from the dark early days of the web when JavaScript was often abused to do things on the client-side that really really should be done on the server.
There was an old, publicly reachable web form that sent emails in a really dumb way.
Normally when you enter information on a web form it gets submitted to the server where it can be securely validated, and where any needed emails can be securely sent. Server-side code is used for the validation and mailing because it’s invisible to web browsers and can’t be edited using them. Client-side code on the other hand runs in the browser, so browser tools allow visitors to both see and edit the code, which means any validation done there can simply be skipped.
The vulnerable FBI web page composed the subject and body for emails in JavaScript, on the client-side, then submitted the information to a URL on the server that sent whatever it received using the FBI’s mail server. Anyone could submit an HTTP request specifying any subject and any body, and the script would send the email! You could do it by writing some simple HTML with a form whose action was set to the FBI URL and which had an appropriately named text box for the subject and text area for the mail body. Or, you could use an AJAX call in your browser’s JavaScript console, or a command-line HTTP utility like curl
or wget. Simply put, it’s hard to imagine an easier-to-abuse implementation of what should be basic functionality.
The fix was very easy, the FBI powered down the old server 🙂
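As an added illustration (my own constructed code, not the FBI’s and not from the Krebs write-up), here is the pattern in miniature in Python: a stand-in endpoint that trusts the request for recipient, subject and body, beside a hardened one where the client can only name an allow-listed topic and the server composes everything else from its own state. The in-memory mail layer, the template, the session address and the code value are all invented for the example.

```python
import re

# In-memory stand-in for the mail server: every delivered message lands here
# as (recipient, subject, body). Constructed for the example.
OUTBOX = []

HEADER_INJECTION = re.compile(r"[\r\n]")


def deliver(to: str, subject: str, body: str):
    """Hand a message to the 'mail server'. Header fields must not contain CR/LF,
    otherwise a caller could smuggle extra headers (Bcc:, From:) into the message."""
    if HEADER_INJECTION.search(to) or HEADER_INJECTION.search(subject):
        raise ValueError("CR/LF in mail header")
    message = (to, subject, body)
    OUTBOX.append(message)
    return message


def vulnerable_endpoint(params: dict):
    """Models the flawed design: the page's JavaScript built the subject and body
    and the server relayed whatever arrived, so the request IS the email."""
    return deliver(params["to"], params["subject"], params["body"])


# Hardened design: the client may only choose an allow-listed topic; the
# recipient comes from the authenticated session and the content from
# server-side templates and server-generated values. Template text is invented.
TEMPLATES = {
    "confirm": (
        "Confirm your account",
        "Your one-time confirmation code is {code}.\n"
        "If you did not request this, you can ignore this message.",
    ),
}


def is_valid_topic(topic) -> bool:
    """Allow-list check: only exact keys of TEMPLATES are accepted."""
    return isinstance(topic, str) and topic in TEMPLATES


def hardened_endpoint(params: dict, session_email: str, code: str):
    """session_email and code are supplied by the server (the login session and a
    server-generated code); nothing in params reaches the headers or the body."""
    topic = params.get("topic")
    if not is_valid_topic(topic):
        raise ValueError("unknown topic")
    subject, body_template = TEMPLATES[topic]
    return deliver(session_email, subject, body_template.format(code=code))


if __name__ == "__main__":
    # Constructed hoax-style request: the sender picks recipient, subject and body.
    hoax = {"to": "sysadmin@example.org",
            "subject": "Urgent: Threat actor in systems",
            "body": "Our intelligence monitoring indicates exfiltration..."}
    print(vulnerable_endpoint(hoax))
    # The same attacker-supplied fields are simply ignored by the hardened endpoint.
    print(hardened_endpoint({**hoax, "topic": "confirm"}, "alice@example.org", "483920"))
```

The point of the hardened version is not input filtering but removing the decision from the client altogether: the only thing the browser gets to say is which of a fixed set of messages to send, and even that is checked against an allow-list rather than parsed. The CR/LF guard in deliver() is belt and braces for the day someone adds a client-controlled field back in.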
Links
- A good summary from Naked Security: DHS warning about hackers in your network? Don’t panic! — nakedsecurity.sophos.com/…
- Brian Krebs’ detailed writeup of the incident: Hoax Email Blast Abused Poor Coding in FBI Website – Krebs on Security — krebsonsecurity.com/…
- A related LOL via listener Joop — twitter.com/…
❗ Action Alerts
- Patch Tuesday has been and gone, and the updates from Microsoft include fixes for zero-day bugs and other bugs being actively exploited in the wild, don’t delay, patch now! — krebsonsecurity.com/…
- Microsoft’s patches included an update to the updater for legacy Windows versions for which paid extended support can be purchased, i.e. Windows 7 & Server 2008 R2, and these include final end dates for even this paid-for extended support – Windows 7 gets updates until January 2023, and Server 2008 R2 until January 2024 — nakedsecurity.sophos.com/…
- Security Updates from Apple:
- Apple have released security updates for all their current OSes: tvOS 15.1, iOS 15.1 & iPadOS 15.1, watchOS 8.1 & macOS Monterey 12.0.1
- Apple have also patched their supported older OSes: Security Update 2021-007 Catalina, macOS Big Sur 11.6.1, iOS 14.8.1 & iPadOS 14.8.1 & Safari 15.1
- Apple also updated iCloud for Windows to version 13, adding new features as well as security fixes — www.macrumors.com/… & support.apple.com/…
- “PSA: Apple isn’t actually patching all the security holes in older versions of macOS” ArsTechnica arstechnica.com/…
Worthy Warnings
- ‘Tis the Season for the Wayward Package Phish – Krebs on Security — krebsonsecurity.com/…
- Scammers Are Using Fake Job Ads to Steal People’s Identities — www.propublica.org/…
- “Customer complaint” email scam preys on your fear of getting into trouble at work — nakedsecurity.sophos.com/…
- Brian Krebs outlines a new kind of multimode phishing attack combining SMS and voice: SMS About Bank Fraud as a Pretext for Voice Phishing – Krebs on Security — krebsonsecurity.com/…
- A high-profile example in India highlights the lengths iPhone thieves go to to try to trick victims into giving them their Apple ID username & password so they can disable Activation Lock and actually use the device they stole. If you lose a device, expect someone to try to trick you into entering your Apple ID somewhere you shouldn’t, and be extra alert: After snatching iPhone 12, thieves in Delhi bypass Apple’s Find My system — www.indiatoday.in/…
- There has been a data breach at the online trading site Robinhood, but thankfully the biggest threat seems to be future phishing attacks. Robinhood deserve praise for their excellent disclosure: Robinhood Announces Data Security Incident — blog.robinhood.com/…
Notable News
- Facebook to throw out face recognition, delete all template data — nakedsecurity.sophos.com/…
- 🇨🇳 Yahoo Exits China Due to ‘Challenging’ Environment — www.macobserver.com/…
- New Apple Business Essentials Brings Device Management for Small Businesses — www.macobserver.com/…
Interesting Insights
- Sophos have released their 2022 Threat Report. It looks back at 2021 and projects forward to 2022. No surprise, 2021 was dominated by ransomware, and 2022 is likely to be too — news.sophos.com/…
- Related: International law enforcement is continuing its fight against malware: 🇪🇺 Europol announces “targeting” of 12 suspects in ransomware attacks — nakedsecurity.sophos.com/…
- Apple have released their transparency report for 2020 — they received fewer requests than the previous year, and they responded with information at a slightly lower rate (77% of the time -v- 80%). Surprisingly, Germany is the highest requestor, followed by the expected big-hitters the US & China. All this needs to be taken with a massive grain of salt because the reporting period ends just before the January 6th insurrection in the US, which very likely resulted in a huge spike which we’ll see in the next report — www.cnet.com/… & www.macobserver.com/…
Palate Cleansers
- Somewhat disappointingly, macOS Monterey only shipped with an abstract wallpaper, not with a photographic one like previous California-named OSes from Apple have. Thankfully some local photographers took care of that for us and created a beautiful dynamic wallpaper for Monterey — www.vyncher.com/…
- A very useful flow chart for when you or your friends or family see something unexpected in the night sky (no, it’s not aliens, but might still be cool!) — apod.nasa.gov/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |