
SecurityEndeavors

by SciaticNerd

Security Endeavors is geared for people looking to learn about, or get involved with, the field of Computer Information Security. Originally offered as a series of interviews offering real-life insight to help the curious find or make their own path, the format now includes weekly headlines. As time permits we'll include conversations with professionals to learn what holds their interest and pursuing the work they're passionate about.

Episodes

SEIe10-JackRhysider

0s · Published 12 Sep 10:00
We get a chance to talk to Jack Rhysider, host of Darknet Diaries, "a podcast covering true stories from the dark side of the Internet." In this interview, we learn about how perseverance played an important role in the process of figuring out the path Jack wanted to be on and is, ultimately, pursuing.

SEHL-wk6of2019

0s · Published 11 Feb 10:00
Show notes for Security Endeavors Headlines for Week 5 of 2019

Check out our subreddit to discuss this week's headlines!

InfoSec Week 6, 2019 (link to original Malgregator.com posting)

The Zurich American Insurance Company says to Mondelez, a maker of consumer packaged goods, that the NotPetya ransomware attack was considered an act of cyber war and therefore not covered by their policy.
According to Mondelez, its cyber insurance policy with Zurich specifically covered “all risks of physical loss or damage” and “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of a machine code or instruction.” One would think that the language in the cyber insurance policy was specifically designed to be broad enough to protect Mondelez in the event of any kind of cyber attack or hack. And NotPetya would seem to fit the definition included in the cyber insurance policy – it was a bit of malicious code that effectively prevented Mondelez from getting its systems back up and running unless it paid out a hefty Bitcoin ransom to hackers.
Originally, Zurich indicated that it might pay $10 million, or about 10 percent of the overall claim. But then Zurich stated that it wouldn't pay any of the claim by invoking a special “cyber war” clause. According to Zurich, it is not responsible for any payment of the claim if NotPetya was actually “a hostile or warlike action in time of peace or war.” According to Zurich, the NotPetya cyber attack originated with Russian hackers working directly with the Russian government to destabilize the Ukraine. This is what Zurich believes constitutes "cyber war."
https://ridethelightning.senseient.com/2019/01/insurance-company-says-notpetya-is-an-act-of-war-refuses-to-pay.html

Reuters reports that hackers working on behalf of Chinese intelligence breached the network of Norwegian software firm Visma to steal secrets from its clients. According to investigators at cyber security firm Recorded Future, the attack was part of what Western countries said in December is a global hacking campaign by China’s Ministry of State Security to steal intellectual property and corporate secrets. Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order to reach their clients.
https://www.reuters.com/article/us-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUSKCN1PV141

A new vulnerability has been discovered in the upcoming 5G cellular mobile communications protocol. Researchers have described this new flaw as more severe than any of the previous vulnerabilities that affected the 3G and 4G standards.
Further, besides 5G, this new vulnerability also impacts the older 3G and 4G protocols, providing surveillance tech vendors with a new flaw they can abuse to create next-gen IMSI-catchers that work across all modern telephony protocols.

This new vulnerability has been detailed in a research paper named "New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols," published last year.

According to researchers, the vulnerability impacts AKA, which stands for Authentication and Key Agreement, a protocol that provides authentication between a user's phone and the cellular networks. The AKA protocol works by negotiating and establishing keys for encrypting the communications between a phone and the cellular network.
Current IMSI-catcher devices target vulnerabilities in this protocol to downgrade AKA to a weaker state that allows the device to intercept mobile phone traffic metadata and track the location of mobile phones. The AKA version designed for the 5G protocol --also known as 5G-AKA-- was specifically designed to thwart IMSI-catchers, featuring a stronger authentication negotiation system.
But the vulnerability discovered last year allows surveillance tech vendors to create new models of IMSI-catcher hardware that, instead of intercepting mobile traffic metadata, will use this new vulnerability to reveal details about a user's mobile activity. This could include the number of sent and received texts and calls, allowing IMSI-catcher operators to create distinct profiles for each smartphone holder.
https://www.zdnet.com/article/new-security-flaw-impacts-5g-4g-and-3g-telephony-protocols/

The Debian Project is recommending the upgrade of golang-1.8 packages after a vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery. In addition this update fixes two vulnerabilities in the “go get” command, which could result in the execution of arbitrary shell commands.
https://www.debian.org/security/2019/dsa-4380

It is possible to trick users of the Evolution email application into trusting a phished mail by adding a forged UID to an OpenPGP key that has a previously trusted UID. This works because Evolution extrapolates the trust of one of an OpenPGP key's UIDs onto the key itself. The attack relies on a deficiency in the Evolution UI when handling new identifiers on previously trusted keys to convince the user to trust a phishing attempt. More details about how the flaw works, along with examples, are included in the article, which is linked in the show notes. Let’s take a minute to cover a bit of background on trust models and how validating identities works in OpenPGP and GnuPG:

The commonly used OpenPGP trust models are UID-oriented. That is, they are based on establishing validity of individual UIDs associated with a particular key rather than the key as a whole. For example, in the Web-of-Trust model individuals certify the validity of UIDs they explicitly verified.

Any new UID added to the key is, appropriately, initially untrusted. This is understandable since the key holder is capable of adding arbitrary UIDs to the key, and there is no guarantee that a new UID will not actually be an attempt at forging somebody else's identity.
OpenPGP signatures do not provide any connection between the signature and the UID of the sender. While technically the signature packet permits specifying a UID, it is used only to facilitate finding the key, and is not guaranteed to be meaningful. Instead, only the signing key can be derived from the signature in a cryptographically proven way.

GnuPG (as of version 2.2.12) does not provide any method of checking the apparent UID (in other words, the one from the e-mail's From header) against the signature. Instead, only the signature itself is passed to GnuPG, and its apparent trust is extrapolated from the validity of the different UIDs on the key. Another way to say this is that the signature is considered to be made with a trusted key if at least one of the UIDs has been verified.
https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html

If you’re up for some heavy reading about manipulation and deceit being perpetrated by cyber criminals, it may be worth checking out a piece from buzzfeednews. It tells a woeful and dark tale that does not have a happy ending.
A small excerpt reads: “As the tools of online identity curation proliferate and grow more sophisticated, so do the avenues for deception. Everyone’s familiar with the little lies — a touch-up on Instagram or a stolen idea on Twitter. But what about the big ones? Whom could you defraud, trick, ruin, by presenting false information, or information falsely gained? An infinite number of individual claims to truth presents itself. How can you ever know, really know, that any piece of information you see on a screen is true? Some will find this disorienting, terrifying, paralyzing. Others will feel at home in it. Islam and Woody existed purely in this new world of lies and manufactured reality, where nothing is as it seems.”
https://www.buzzfeednews.com/article/josephbernstein/tomi-masters-down-the-rabbit-hole-i-go

Security researchers were assaulted by casino technology vendor Atrient after they responsibly disclosed critical vulnerabilities to it. Following a serious vulnerability disclosure affecting casinos globally, an executive of casino technology vendor Atrient has allegedly assaulted the security researcher who disclosed the vulnerability at the ICE conference in London. The article covers the story of a vulnerability disclosure gone bad, one involving the FBI, a vendor with a global customer base of casinos and a severe security vulnerability which has gone unresolved for four months without being properly addressed.
https://www.secjuice.com/security-researcher-assaulted-ice-atrient/

Article 13, the new European Union copyright law, is back and it got worse, not better.
In the Franco-German deal, Article 13 would apply to all for-profit platforms. Upload filters must be installed by everyone except those services which fit all three of the followi

SEHL-2019-Week05

0s · Published 03 Feb 10:00
Show notes for Security Endeavors Headlines for Week 4 of 2019

Check out our subreddit to discuss this week's headlines!
Now also available on SoundCloud

InfoSec Week 5, 2019 (link to original Malgregator.com posting)

According to a Reuters investigation, United Arab Emirates used former U.S. intelligence operatives to hack into the iPhones of activists, diplomats and foreign politicians using so-called Karma spyware. It’s described as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said. In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the attackers harvest saved passwords, which could be used for other intrusions. According to the report, Karma relies, at least in part, on a flaw in Apple’s iMessage messaging system. The flaw allowed for the implantation of malware on the phone through iMessage which establishes a connection with the device even if the phone’s owner didn’t use the app. 

To initiate the compromise, Karma needed only to send the target a text message — no action was required on the part of the recipient. It isn’t clear whether the Karma spyware is still in use. The story says that by the end of 2017, security updates to the iPhone software had made Karma far less effective. 
https://www.reuters.com/investigates/special-report/usa-spying-karma/ 

Russia also has its own Wikileaks. Called Distributed Denial of Secrets, the website aims to "bring into one place dozens of different archives of hacked material that, at best, have been difficult to locate, and in some cases appear to have disappeared entirely from the web." Distributed Denial of Secrets, or DDoS, is a volunteer effort that launched last month. Its objective is to provide researchers and journalists with a central repository where they can find the terabytes of hacked and leaked documents that are appearing on the internet with growing regularity, and it is being considered a kind of academic library or a museum for leak scholars. DDoS differs from WikiLeaks in that it doesn’t solicit direct leaks of unpublished data; its focus is on compiling, organizing, and curating leaks that have already appeared somewhere in public. The DDoS project compiled more than 200,000 emails into a spreadsheet for ease of searching. In all, its cache now contains 61 different leaks totaling 175 gigabytes.
https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked 

The Japanese government will run penetration tests against all the IoT devices in the country in preparation for the Tokyo 2020 Summer Olympics. They want to map vulnerable devices and find out how to harden infrastructure. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications. NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices.

The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike.
https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/ 

The Cyber Independent Testing Lab, or CITL, is a nonprofit organization that focuses on consumer cybersecurity. They published research back in December of 2018, demonstrating how 28 home wireless routers fail to use even basic security techniques. CITL presented an update to that research during Shmoocon 2019, showing identical or similar weaknesses in 1,000 home and commercial Wi-Fi routers, across 6,000 firmware versions and 18 vendors. This includes highly rated devices from brands such as Asus, Belkin, Buffalo, D-Link, Linksys, and Netgear.
It’s no secret that many Wi-Fi routers are highly insecure. Security researchers, pointing at issues such as hard-coded default passwords and irregular security updates, have been issuing warnings for years. What might be alarming about CITL’s latest research is that despite the alarm bells, CITL finds that vendors are generally building Wi-Fi routers with fewer protections than they had in 2003. The organization’s acting director says the research will be published soon on the CITL site.
https://the-parallax.com/2019/01/24/wi-fi-router-security-worse-citl-shmoocon/ 

A bug in the Samsung Galaxy Apps Store allowed an attacker to inject arbitrary code through the interception of periodic update requests made by the vendor’s App Store itself. Because the Samsung Galaxy Apps Store initiates its checks for updates in the clear, meaning not over a secured connection, an attacker in a Man-in-the-Middle position can manipulate the network traffic, change the URL used for load-balancing, and modify the requests for the update mirrors to point at inauthentic, user-controlled domains. This would allow an attacker to trick Galaxy Apps into using an arbitrary hostname for which the attacker can provide a valid digital certificate, and simulate the API of the app store to modify existing apps on a given device. An attacker could exploit this vulnerability to achieve Remote Code Execution on Samsung devices.
https://www.adyta.pt/en/2019/01/29/writeup-samsung-app-store-rce-via-mitm-2/ 

Over 9,000 Cisco RV320/RV325 routers are currently being exploited in the wild after the network hardware manufacturer announced updates were available to patch newly published vulnerabilities. The release of the Proof of Concept exploit code triggered the scanning of devices by would-be attackers and professionals alike. Thousands of routers are exposed on the internet with a web-based management interface vulnerability that could allow an unauthenticated, remote attacker to either retrieve sensitive configuration information or perform remote command injections.
https://securityaffairs.co/wordpress/80363/hacking/cisco-rv320-rv325-hack.html 

If you can imagine a mathematical version of the Kumite featured in the 80s movie BloodSport, then you might be cheering from the stands this week as the US National Institute of Standards and Technology (NIST) announced the second-round candidates for quantum-resistant public-key encryption and key-establishment algorithms. After releasing a report on the status of quantum-resistant cryptography in April 2016, NIST followed up in December 2016 with a call to the public to submit post-quantum algorithms that potentially could resist a quantum computer’s onslaught. The agency spent one year collecting the submissions and another working with the larger cryptography community on a first round of review to focus on the most promising algorithms. Of the 69 submissions NIST received, these 26 algorithms made the cut.

This second round will focus more heavily on evaluating the submissions’ performance across a wide variety of systems, Moody said, because so many different devices will need effective encryption. 

https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/bBxcfFFUsxE 
https://www.nist.gov/news-events/news/2019/01/nist-reveals-26-algorithms-advancing-post-quantum-crypto-semifinals 

A vulnerability in Apple’s FaceTime application allows the activation of the microphone of the device being called, allowing audio to be transmitted back to the person who initiated the session, all without the call ever having been accepted. It’s also possible to trigger the camera to turn on as well. The issue has been replicated when calling from either a mobile device or a Macintosh desktop. Apple has disabled the FaceTime conferencing servers until the fix is released. Word of the FaceTime bug has been spreading virally over social media. Apple says the issue will be addressed in a software update “later this week”.

SecurityEndeavors has 3 episodes in total of non-explicit content. Total playtime is 0:00. The language of the podcast is English. This podcast has been added on November 25th 2022. It might contain more episodes than the ones shown here. It was last updated on February 23rd, 2024 15:16.
