IT NEWS

If a QR code leads you to a Bitcoin ATM at a gas station, it’s a scam

Rogue QR code antics have been back in the news recently. They’re not exactly a mainstay of fakery, but they do tend to enjoy small waves of popularity as events shaped by the real world remind everyone they still exist.

The most notable example where this is concerned is of course the pandemic. With the spread of Covid-19, people and organisations naturally wanted to move away from physical contact. Contactless cards were in, and so too were QR codes. This was fertile ground for scammers to move back into a racket they may have long since abandoned.

Even outside of scams, the use of QR codes as a safe way to do important things is questionable. The problem with QR codes stems from how easy they are to use. Point your smartphone’s camera at a QR code and your phone will happily read it, convert it to a URL, and then open the URL in your browser. Very trusting.
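The trust problem described above can be reduced by inspecting the decoded payload before anything acts on it. The following is an added example (not code from the original post); it assumes QR decoding has already happened, for instance by a phone camera or a library such as pyzbar, and only examines the resulting string, which is what a phone would otherwise hand straight to the browser or a wallet app. The scheme lists and heuristics are assumptions chosen for the example.

```python
"""Inspect the text decoded from a QR code before acting on it.

Added example (not part of the Malwarebytes post). Assumes the QR image
has already been decoded to a string by some other component.
"""
from urllib.parse import urlsplit

# Schemes a user can reasonably expect a printed or posted QR code to carry.
SAFE_SCHEMES = {"https"}
# Payment URIs that should never be followed blindly; a "send the money to
# this QR code" request relies on exactly this kind of payload.
PAYMENT_SCHEMES = {"bitcoin", "ethereum", "litecoin"}


def inspect_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload and list the reasons it should not be
    opened automatically.

    Returns a dict with 'kind' (text, payment or url), 'open_automatically'
    (True only for an https URL with no warnings) and 'warnings'.
    """
    payload = payload.strip()
    warnings = []
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()

    # No scheme at all: plain text such as a table number or a Wi-Fi hint.
    if not scheme:
        return {"kind": "text", "open_automatically": False, "warnings": warnings}

    # Cryptocurrency payment request: always verify the recipient out of band.
    if scheme in PAYMENT_SCHEMES:
        warnings.append(f"{scheme}: payment request; verify the recipient out of band")
        return {"kind": "payment", "open_automatically": False, "warnings": warnings}

    if scheme not in SAFE_SCHEMES:
        warnings.append(f"scheme '{scheme}' is not https")

    host = (parts.hostname or "").lower()
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode hostname; may imitate a familiar brand")
    if any(ord(ch) > 127 for ch in host):
        warnings.append("non-ASCII hostname; may imitate a familiar brand")
    if host.replace(".", "").isdigit():
        warnings.append("raw IP address instead of a domain name")
    if "@" in parts.netloc:
        warnings.append("userinfo in URL can disguise the real host")
    if parts.path.lower().endswith((".apk", ".exe", ".dmg")):
        warnings.append("links directly to an installer")

    return {"kind": "url", "open_automatically": not warnings, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads of the kinds mentioned in the article.
    for sample in ("https://example.com/login",
                   "bitcoin:bc1qexampleaddress?amount=0.05",
                   "http://192.168.1.1/setup",
                   "Table 7"):
        print(sample, "->", inspect_qr_payload(sample))
```

The point of the function is not to decide that a code is safe, which it cannot do, but to stop the automatic jump from "scanned" to "opened" whenever the payload is anything other than a plain https link.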

What’s happening this time?

The Better Business Bureau are warning us to be on the lookout for QR code scams. The latest example they give is of a student sent a letter about loan consolidation. The letter contained links to an official .gov site, and also included “a barcode and QR code that looked legitimate”. Unfortunately once the victim contacted the scammers by phone, they were tricked into an eventual loss of just over a thousand dollars. You can see an older example of such a scam tactic here. Whether by QR code and bogus website or plain old unsolicited telephone call, the outcome is typically the same. Monthly fees going out of the victim’s bank account until they notice something is wrong.

Tracker tricks

We took a look at some of the recent examples listed in the BBB scam tracker. This is where people essentially crowdsource scams they encounter, adding them into the tracker database.

There was no common pattern between scam types, which ran the range of phishing and identity theft to employment fakeouts and bank imposters. With that in mind, here are the ones which caught our eye:

Trading for QR codes

One person claims they lost $5,100 after a stranger reached out on Instagram and convinced them to get into the wild world of forex (Foreign Exchange) trading. The discussion was moved to WhatsApp where a “withdrawal fee” of $4,102 was sent to a supplied QR code. When more requests for cash happened, the victim became suspicious.

A scam of utility

Another scam of note was related to utility services. A victim claims they were told their electricity would be turned off within 20 minutes. The only way to fix this was to pay an unpaid bill by going to a nearby gas station and sending $900 or so via a QR code. The QR code downloaded a Bitcoin app, and at that point they presumably became suspicious and went no further.

Of employment, supplies, and money muling

As you’ve seen, sending potential victims to gas stations to use Bitcoin ATMs is a popular technique. Perhaps the most shocking example we saw was along these same lines. The victim didn’t lose any money, but they did lose an awful lot of time, and experienced what must have been a lot of stress.

Our subject applied for a virtual job at a new organisation, after uploading their resume to a job hunt website. The entire job interview was performed using the secure messaging app Telegram, which is somewhat unusual. They sent their supposed new employers a copy of their driving license and other personal information. The victim was then sent $5,000 to “purchase equipment” for their job, and instructed to send $4,800 to their “software vendor’s” Bitcoin address via a gas station ATM.

It wasn’t long before they were given the cold shoulder by the people asking them to receive and send money. They had almost certainly been used as a money mule: Laundering dubious funds by breaking the link between the sender and the recipient, thanks to the gas station ATM.

In most cases, the QR code isn’t some sort of surprise gotcha. Nothing leaps out at the victim and drops malware, or pops something terrible on the desktop. No, the scammers are using them the same way regular folks do—for convenience. They’re simply a means of getting the victim in front of an ATM. From there, they set the ball rolling to part them from their money (or have them act as the conduit for ill-gotten gains).

Avoiding QR scams

If you’re dealing with QR codes in public, on ads or posters, check that they haven’t been tampered with (look for stickers with a new QR code placed over an original).

QR codes in correspondence can be trickier. The trick is to remember that a QR code is easy to create and is no more trustworthy than any other word or web address. When dealing with codes from businesses you’ve dealt with, try to confirm the code is genuine. If the code opens a website asking for login details, confirm that it’s the company’s legitimate address. Asking for logins from QR codes is risky behaviour and should really be avoided whether a real code or not.

And if anyone tries to steer you towards a Bitcoin ATM, move swiftly in the opposite direction.

Follow these rules and you’ll hopefully avoid any code-based pitfalls.

The post If a QR code leads you to a Bitcoin ATM at a gas station, it’s a scam appeared first on Malwarebytes Labs.

Twitter says it out loud: Removing anonymity will not stop online abuse

An investigation by Twitter into racist tweets levied against three Black players on the English football team following the national hopefuls’ loss against Italy last month revealed that anonymity played almost no role in whether users posted abusive comments from their accounts.

The analysis, which revealed that 99 percent of the accounts that Twitter suspended were not anonymous, provides the latest evidence that requiring real identities on social media platforms will not lead to any measurable decrease in online abuse.

“While we have always welcomed the opportunity to hear ideas from partners on what will help, including from within the football community, our data suggests that ID verification would have been unlikely to prevent the abuse from happening – as the accounts we suspended themselves were not anonymous,” Twitter UK wrote in a blog post. “Of the permanently suspended accounts from the Tournament, 99% of account owners were identifiable.”

According to Twitter, its own automated tools to find and remove abusive content are working: The company’s internal tech tools found and removed 1,662 harmful tweets during the UEFA Euro 2020 Final and in the 24 hours following the match. By July 14—three days after the final—that number grew to 1,961, though the total included 126 tweets that were removed due to non-automated reporting by “trusted partners,” Twitter said.

The racism directed against England’s players drew immediate attention after the team’s loss in one of the most anticipated football matches in the country’s recent history. As the match closed with a 1 – 1 tie, three of England’s players shot penalty kicks. All three missed.

According to Vice, the three penalty kickers were called racist slurs on Instagram, faced racist comments on Twitter, and received “direct threats to their safety, in far-right and neo-Nazi channels” on Telegram.

The proposed solutions to this type of abuse are as old as the abuse itself. As we discussed on the Lock and Code podcast with Electronic Frontier Foundation Director of Cybersecurity Eva Galperin, commentators often suggest that social media companies require a person to provide their real identity when creating an account and using a platform.

“The premise is that if people used their real names that they would not post this kind of harassing content,” Galperin said. “That if your name was next to every opinion you had, that you would be more careful about the things that you say online.”

But, Galperin said, the premise falls apart when looking at the real world.

“This assumes a level of shame that is simply not there,” Galperin said. “People are willing to be tremendous jerks online. And the more powerful that they are offline, the more likely it is that they will act as bullies online and that they will put their names next to it and feel no shame whatsoever.”

Now, after decades of this dynamic being recognized by online privacy experts, it appears that Twitter has joined the crowd that says that, thankfully, anonymity is not worth destroying.

The post Twitter says it out loud: Removing anonymity will not stop online abuse appeared first on Malwarebytes Labs.

PrintNightmare and RDP RCE among major issues tackled by Patch Tuesday

The sheer number of patches (44 security vulnerabilities) should be enough to scare us, but unfortunately we have gotten used to those numbers. In fact, 44 is a low number compared to what we have seen on recent Patch Tuesdays. So what are the most notable vulnerabilities that were patched?

  • One actively exploited vulnerability
  • One vulnerability that has a CVSS score of 9.9 out of 10
  • And yet another attempt to fix PrintNightmare

Let’s go over these worst cases to get an idea of what we are up against.

CVEs

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

Actively exploited

CVE-2021-36948 is an elevation of privilege (EoP) vulnerability in the Windows Update Medic Service. The Windows Update Medic Service is a background service that was introduced with Windows 10 and handles the updating process. Its only purpose is to repair the Windows Update service so that your PC can continue to receive updates unhindered. Besides Windows 10, it also runs on Windows Server 2019. According to Microsoft, CVE-2021-36948 is being actively exploited, but it is not aware of exploit code being publicly available. Reportedly, the exploit is both low complexity and can be triggered without user interaction, making this an easy vulnerability to include in an adversary’s toolbox. The bug is only locally exploitable, but local elevation of privilege is exactly what ransomware gangs will be looking to do after breaching a network, for example.

9.9 out of 10

CVE-2021-34535 is a Remote Code Execution (RCE) vulnerability in Windows TCP/IP. This is remotely exploitable by a malicious Hyper-V guest sending an IPv6 ping to the Hyper-V host. An attacker could send a specially crafted TCP/IP packet to its host. This vulnerability exists in the TCP/IP protocol stack identified in Windows 7 and newer Microsoft operating systems, including servers.

This vulnerability received a CVSS score of 9.9 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.

9.8 out of 10

Another high scorer is CVE-2021-26432, an RCE in the Windows Services for NFS ONCRPC XDR Driver. Open Network Computing (ONC) Remote Procedure Call (RPC) is a remote procedure call system. ONC was originally developed by Sun Microsystems. The NFS protocol is independent of the type of operating system, network architecture, and transport protocols. The Windows service for the driver makes sure that Windows computers can use this protocol. This vulnerability got a high score because it is known to be easy to exploit and can be initiated remotely.

More RDP

CVE-2021-34535 is an RCE in the Remote Desktop Client. Microsoft lists two exploit scenarios for this vulnerability:

  • In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.
  • In the case of Hyper-V, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer when a victim running on the host connects to the attacking Hyper-V guest.

Since this is a client-side vulnerability, an attacker would have to convince a user to authenticate to a malicious RDP server, where the server could then trigger the bug on the client side. Combined with other RDP weaknesses however, this vulnerability would be easy to chain into a full system take-over.

Never-ending nightmare of PrintNightmare

The Print Spooler service was subject to yet more patching. The researchers behind PrintNightmare predicted that it would be a fertile ground for further discoveries, and they seem to be right. I’d be tempted to advise Microsoft to start from scratch instead of patching patches on a very old chunk of code.

CVE-2021-36936 is an RCE vulnerability in Windows Print Spooler. It was publicly disclosed and may be related to several bugs in Print Spooler that were identified by researchers over the past few months (presumably PrintNightmare).

CVE-2021-34481 and CVE-2021-34527 are RCE vulnerabilities that could allow attackers to run arbitrary code with SYSTEM privileges.

Microsoft said the Print Spooler patch it pushed this time should address all publicly documented security problems with the service. In an unusual step, it has made a breaking change: “Today we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges.”

To be continued, we suspect.

The post PrintNightmare and RDP RCE among major issues tackled by Patch Tuesday appeared first on Malwarebytes Labs.

Check your passwords! Synology NAS devices under attack from StealthWorker

Synology PSIRT (Product Security Incident Response Team) has put out a warning that it has recently seen and received reports about an increase in brute-force attacks against Synology devices. PSIRT suspects the botnet commonly known as StealthWorker is responsible for this increase in activity.

Synology

Synology specializes in data storage and most people will know it because of its Networked Attached Storage (NAS) devices. These NAS devices seem to be what the botnet is targeting. The company does not believe the botnet is exploiting vulnerabilities in its software, it’s simply going after weak or default passwords using brute force guessing.

In a brute force guessing attack, software attempts to find a device’s password with a bit of educated guesswork (typically by using a list of known, common passwords). It tries a password, sees if it works, and if it doesn’t, tries another, and another, and another, until it either guesses a password correctly or exhausts its list and moves on.

In this case, if a password is guessed successfully, the device is infected with malware that will carry out additional attacks on other devices.

StealthWorker

We reported about Trojan.StealthWorker.GO in February of 2019 when it emerged as a brute forcer written in Golang that was discovered to be involved in a rise in attacks against e-commerce websites. Golang is a statically-typed, compiled, general-purpose programming language that we see more often in the current malware landscape. Shortly after its involvement in attacks on CMS platforms, StealthWorker started to target Linux and Windows machines.

In June 2020, Akamai researchers uncovered a malware campaign spreading Golang-based malicious code that was also attributed to StealthWorker. It was found targeting Windows and Linux servers running popular web services and platforms like WordPress, Drupal, Joomla, and Magento. One significant factoid discovered back then was that cleaning the compromised system was not enough. It would be re-infected within minutes if the password stayed the same. This would indicate either a very efficient brute-force technique or, perhaps more likely, the use of a method to store and retrieve passwords that were once guessed right.

Once deployed on a compromised machine, the malware creates scheduled tasks on both Windows and Linux to gain persistence and, as Synology warned, then deploys second-stage malware payloads. Botnets can be used to spread other malware like cryptojackers and ransomware. Or your device can be used in DDoS or click-fraud campaigns. On CMS platforms the botnet can equip a compromised e-commerce website with an embedded skimmer that steals personal information and payment details when unsuspecting customers enter them into the website.

Mitigation

Synology says it is working with multiple CERT organizations worldwide in an attempt to locate and take down the botnet’s command and control servers.

Synology recommends that all users check their system for weak administrative credentials and change them if necessary. Synology also recommends enabling auto block and account protection. Finally, you should set up multi-factor authentication (MFA) where possible.
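The brute force pattern described earlier (try a password, fail, try the next one) and the auto block recommendation above both come down to the same detection logic: count failed logins per source inside a time window and act when the count passes a threshold. The block below is an added example, not Synology’s implementation or code from the post. The log format is constructed for the example (syslog-like lines carrying the user, source IP and result); real DSM or sshd logs differ, so the regular expression would need adapting.

```python
"""Flag brute-force login guessing from authentication logs.

Added example, not from Synology or the Malwarebytes post. The log lines
and their format are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: "
    r"(?P<result>FAILED|OK) user=(?P<user>\S+) from=(?P<ip>\S+)$"
)

# Constructed sample: one source running through a list of common passwords
# for 'admin' in quick succession and finally getting in, and one legitimate
# user with a single typo.
SAMPLE_LOG = """\
2021-08-09 10:00:01 auth: FAILED user=admin from=203.0.113.7
2021-08-09 10:00:03 auth: FAILED user=admin from=203.0.113.7
2021-08-09 10:00:04 auth: FAILED user=admin from=203.0.113.7
2021-08-09 10:00:06 auth: FAILED user=admin from=203.0.113.7
2021-08-09 10:00:07 auth: FAILED user=admin from=203.0.113.7
2021-08-09 10:00:09 auth: OK user=admin from=203.0.113.7
2021-08-09 10:00:30 auth: FAILED user=alice from=198.51.100.22
2021-08-09 10:00:45 auth: OK user=alice from=198.51.100.22
"""


def detect_bruteforce(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return (findings, blocked_at).

    findings maps a source IP to a list of (event, user, timestamp) tuples.
    A source is 'blocked' once it accumulates max_failures failed attempts
    inside a sliding window, which is the auto-block idea. A successful
    login from a source that was already blocked is reported as
    'success_after_block': the password was guessed and must be reset.
    """
    failures = defaultdict(deque)    # ip -> timestamps of recent failures
    blocked_at = {}                  # ip -> time the threshold was reached
    findings = defaultdict(list)

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # ignore lines that are not auth events
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]

        if m["result"] == "FAILED":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures and ip not in blocked_at:
                blocked_at[ip] = ts
                findings[ip].append(("blocked", m["user"], ts))
        elif ip in blocked_at:
            findings[ip].append(("success_after_block", m["user"], ts))

    return dict(findings), blocked_at


if __name__ == "__main__":
    findings, blocked = detect_bruteforce(SAMPLE_LOG)
    for ip, events in findings.items():
        for kind, user, ts in events:
            print(f"{ts} {ip} {kind} ({user})")
```

In the sample, the guessing source reaches the threshold on its fifth failure and its later success is surfaced separately; the legitimate user’s single typo never gets near the threshold. The same sliding-window logic applies to any Internet-facing login, not only a NAS.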

Synology also advises users to enable Snapshot to keep their NAS safe from encryption-based ransomware. This performs a regular, off-site backup. More Synology NAS-specific security advice can be found on its site.

The company’s advice is also valid for any other Internet-facing NAS devices. Synology only reports that these attacks are performed on its devices, but that might be because it is where they have a clear picture of what’s going on. It does not mean other devices are being neglected by the botnet. There is no reason for StealthWorker, or other botnets, to pass up on other manufacturers’ devices.

Stay safe, everyone!

The post Check your passwords! Synology NAS devices under attack from StealthWorker appeared first on Malwarebytes Labs.

Ransomware turncoat leaks Conti data, lifts the lid on the ransomware business

Last week, The Record broke the news that a self-described “pen tester” for the infamous Conti ransomware gang, who goes by the handle m1Geelka, had leaked manuals, technical guides, and software on the underground forum XSS. According to the screenshot of m1Geelka’s original forum post—and screenshots of later ones from several security researchers being passed around on Twitter—their problem seems to be (surprise, surprise) money: Conti isn’t paying “hard workers” enough of what it extorts.

If you’ve heard of Conti, it’s likely in connection with a devastating attack on Ireland’s Health Service Executive in May. The attack affected the provision of healthcare across the entire country, causing hundreds of thousands of appointments to be scrapped.

m1Geelka’s rant starts:

Dumb divorce, not work. They recruit penetration testers, of course … They recruit guys to test Active Directory networks, they use the Locker – Conti. I merge you their 10-address of cobalt servers and type of training materials. 1500 $ yes, of course, they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays.

The reference to “their 10-address cobalt servers and type of training materials” refers to the materials m1Geelka leaked on the forum, which included the IP addresses of the Conti gang’s Cobalt Strike command and control servers.

Aside from the tactics, techniques and procedures (TTPs), the leak comes with a few interesting lessons:

Ransomware is an industry

The leak further reinforces something we already knew: That ransomware is a mature criminal business that includes cooperation between groups, the division of labor, the division of work, extensive outsourcing and competition for skilled workers.

According to one observer, Conti’s recruitment on the XSS forum tries to entice potential “pen testers” like m1Geelka with familiar-sounding work conditions, such as fully remote working, a salary of $1,500 plus a percentage of the spoils from attacks, and a five-day work week (yup, you get weekends off).

Others reported that m1Geelka later suffered a case of buyer’s remorse and walked back some of their claims, saying they were never an affiliate of Conti and that they had only leaked data that was already public. Perhaps somebody reminded them that some things are done differently in the underground economy.

Everyone is vulnerable to insider threats

Although some see this leak as an example of there being “no honor among thieves”, it isn’t. Disgruntled employees or contractors exist in all walks of life, and occasionally take out their frustration on employers’ computers, networks, and data. The leak is simply another example of how unexceptional the ransomware economy is.

These kinds of incidents happen everywhere—they even happen at the FBI—and, according to the UK’s National Crime Agency, they happened more in 2020 than in 2019 because of the disruption caused by the pandemic.

Which means it can happen to you, and your approach to security should account for it.

Conti cares about your revenue

Modern ransomware attacks are often described as “targeted”, but there is some misunderstanding about what that means. Most of the time it means that attackers focus on one target at a time, rather than attacking as many targets as possible.

A small detail of the Conti leak reported by NBC shows that Conti documentation encourages attackers to investigate potential targets in Google—searching for “WEBSITE + revenue”—and reminds them to check multiple sources, so they get an accurate number.

The advice appears in “MANALS_V2 Active Directory”, listed in a section called “Increasing privileges and collecting information”, and appears to be one of the steps attackers are told to take after breaking into a target’s network. If attackers are discovering this kind of information after they’ve broken in rather than before, it shows they aren’t going after specific targets, merely vulnerable ones.

The post Ransomware turncoat leaks Conti data, lifts the lid on the ransomware business appeared first on Malwarebytes Labs.

A week in security (August 2 – August 8)

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe!

The post A week in security (August 2 – August 8) appeared first on Malwarebytes Labs.

Home routers are being hijacked using vulnerability disclosed just 2 days ago

The early bird catches the worm. Unless the worm was early enough to hide.

On August 3, 2021 a vulnerability that was discovered by Tenable was made public. Only two days later, on August 5, Juniper Threat Labs identified some attack patterns that attempted to exploit this vulnerability in the wild. The vulnerability is listed as CVE-2021-20090.

Router firmware

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Under the description of CVE-2021-20090 you will find:

“a path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.”

But during the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware. In its synopsis, Tenable lists some 36 devices that have been confirmed to be affected. The list of affected devices includes some of today’s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.

The path traversal vulnerability means that some files on the devices can be accessed without authentication because they fall under a bypass list. Attackers can use this vulnerability to bypass authentication procedures on the affected routers and modems to enable the Telnet service, which will allow threat actors to connect to devices remotely and take over control of the affected device. The full technical details of the discovery and the Proof-of-Concept (PoC) can be found in the Tenable TechBlog.
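The flaw class described above, an unauthenticated bypass list matched against a request path before that path is normalized, is easiest to understand next to its fix. The following is an added example and is not taken from the Tenable write-up or from any vendor firmware; the route names and bypass list are constructed, and it illustrates the general pattern rather than any specific device.

```python
"""A bypass list must be checked against the normalized request path.

Added example, not from Tenable or any vendor firmware. PUBLIC_PREFIXES and
the paths below are constructed for the example.
"""
import posixpath
from urllib.parse import unquote

# Paths the web UI serves without a session (constructed for the example).
PUBLIC_PREFIXES = ("/images/", "/css/", "/js/", "/login.html")


def is_public_vulnerable(request_path: str) -> bool:
    """Flawed check: prefix-match on the raw path.

    Any path that merely starts with a public prefix is treated as public,
    even if later '..' segments escape that directory. The filesystem lookup
    then resolves to a protected file while the authentication layer believes
    it is serving a public one.
    """
    return request_path.startswith(PUBLIC_PREFIXES)


def is_public_fixed(request_path: str) -> bool:
    """Hardened check: decode, normalize, then match.

    Percent-decoding first stops '%2e%2e' from slipping past normpath;
    anchoring at '/' and collapsing '.', '..' and '//' means the string
    compared against the list is the path the filesystem will actually see.
    """
    if "\x00" in request_path:
        return False                       # NUL bytes never belong in a path
    decoded = unquote(request_path)
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    return normalized.startswith(PUBLIC_PREFIXES)


def authorize(request_path: str, has_session: bool, check=is_public_fixed) -> bool:
    """Public paths pass; everything else needs an authenticated session."""
    return check(request_path) or has_session


if __name__ == "__main__":
    # Constructed requests: a genuine static asset and an attempt to reach a
    # protected handler through a public directory.
    for path in ("/images/logo.png", "/images/../cgi-bin/admin.cgi"):
        print(path, "vulnerable:", is_public_vulnerable(path),
              "fixed:", is_public_fixed(path))
```

The fixed check is deliberately the same prefix comparison, only applied to the canonical path; the defence is in what gets compared, not in a longer blocklist of bad strings.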

Quick response

Once again, the importance of responsible disclosure is demonstrated since it only took threat actors two days after the publication of a PoC to add this vulnerability to their arsenal. The threat actor seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar to those found to be used against devices from vendors like SonicWall, D-Link, Netgear, Cisco, Tenda, MicroFocus, and Netis. This same threat actor was found earlier to serve a Mirai variant leveraging CVE-2021-27561 and CVE-2021-27562, just hours after vulnerability details were published.

Mirai

Mirai is the name of the malware behind one of the most active and well-known Internet-of-Things (IoT) botnets. It started with Mirai taking advantage of insecure IoT devices in a simple but clever way. It scanned big blocks of the internet for open Telnet ports, then attempted to log in using default passwords. In this way, it was able to quickly corral an army of small, Internet-connected “smart” devices, like cameras, into a botnet.

You may remember hearing about this botnet after the massive East Coast internet outage of 2016 when the Mirai botnet was leveraged in a DDoS attack aimed at Dyn, an Internet infrastructure company. Traffic to Dyn’s Internet directory servers throughout the US—primarily on the East Coast but later on the opposite end of the country as well—was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system.

After the source code of the original Mirai botnet was leaked, this code was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets. These operators are engaged in an ongoing competition to find new victims and hijack devices from each other. The original authors of Mirai were convicted for leasing their botnet out for DDoS attacks and click fraud. But their successors are still very much using the foundations of the first Mirai botnet.

Mitigation

The vulnerability was patched in April and owners of any of the affected devices listed in Tenable’s synopsis mentioned above are advised to ask their router vendor for security patches. Tenable reported the issues to the CERT Coordination Center for help with contacting and tracking all the affected vendors.

What is worrying about the current situation is that many of the owners of vulnerable devices are home users that were provided with the device by their internet provider. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.

The post Home routers are being hijacked using vulnerability disclosed just 2 days ago appeared first on Malwarebytes Labs.

Apple’s search for child abuse imagery raises serious privacy questions

The Internet has been on fire since the August 4 discovery (disclosed publicly by Matthew Green) that Apple will be monitoring photos uploaded to iCloud for child sexual abuse material (CSAM). Some see this as a great move by Apple that will protect children. Others view this as a potentially dangerous slide away from privacy that may not actually protect children—and, in fact, could actually cause some children to come to harm.

How does this work?

It’s important to understand that, contrary to what it sounds like, Apple will not be rifling through all your photos on iCloud. All scanning for CSAM material will be done on the device itself, by an artificial intelligence algorithm. That system, called neuralMatch, will perform two functions.

The first is to create a hash of any photos on the device before they are uploaded to iCloud. (A “hash” is a computed value that should be a unique representation of a file, but that cannot be reversed to obtain a copy of the file itself.) This hash will be compared to a database of hashes of known CSAM materials on the device. The result is recorded cryptographically and stored on iCloud alongside the photo. If the user passes some minimum threshold of photos that match known CSAM hashes, Apple will be able to access those photos and the iCloud account will be shut down.

The second function is to protect children under 13 against sending or receiving CSAM images. Apple’s AI will attempt to detect whether images sent or received via iMessage have such content. In such cases, the child will be warned, and if they choose to view or send the content anyway, their parents will be notified. For children between 13 and 18, the same warning will be shown, but parents will apparently not be notified. This all relies on the child’s Apple ID being managed under a family account.

Why should I worry about monitoring a child’s texts?

There are a lot of potential problems with this. This can be a serious violation of a child’s privacy, and the behavior of this feature is predicated on an assumption that may not be true: That a child’s relationship with their parents is a healthy one. This is not always the case. Parents or guardians could be complicit in the creation of CSAM content. Further, an abusive parent could see a warning about a legitimate photo that was falsely identified as CSAM content, and could harm the child based on false information. (Yes, the parent would have the option to view the photo, but it’s possible a parent may choose not to. I certainly wouldn’t want such an image of my child in my head.)

Also, consider the fact that this applies to being sent an image, not just sending an image. Imagine the trouble a bully or scammer could cause by sending CSAM material, or the damage that could be done if a child of an abusive parent were sent a CSAM image and viewed it without fully understanding why it was being blocked or what the consequences would be!

And finally, as the EFF’s Eva Galperin pointed out on Twitter, there is also the danger that this well-intentioned functionality “is going to out a lot of queer kids to their homophobic parents”.

What’s the problem with monitoring photos uploaded to iCloud?

Although a comparison of a hash to a file has a low chance of false positives, it can definitely happen. Apple claims that there should be a one in one trillion chance of false positives, but it remains to be seen if that is true in practice.

Apple is providing a process to appeal in cases where an account is wrongly closed because of false positives. However, anyone who has been involved in reviews and appeals with Apple knows they don’t always go your way, nor are they always speedy. Sometimes they are, sometimes not. Time will tell how big a problem this is.

What about the privacy issues?

For a company that has constantly talked about protecting users’ privacy, this seems like a reversal. However, Apple has clearly put a lot of thought into this, and is emphasizing the fact that none of this happens on their servers. Apple states that all the processing happens on the device, and that it does not see the images (unless it’s determined that abuse is happening).

Further, CSAM is a big problem. I don’t think there’s anyone—other than pedophiles—who wouldn’t want to see all production of and trafficking in CSAM brought to an end. So many will praise Apple for taking this action.

This doesn’t mean there aren’t issues, though. Many view this as a first step onto a slippery slope. Blocking CSAM is a good thing, but there’s nothing to prevent the tools that Apple has built from being used for other things. For example, suppose the US government puts pressure on Apple to start detecting terrorism-related content. What exactly would that look like, if Apple decided to—or was forced to—comply? What would happen if a law-abiding person’s iCloud account was flagged as being involved in terrorist activity due to false positives on their photos? And what about tracking more prosaic crimes, such as drug use?

I could go on, as there are lots of things that governments of the world—including the US government—might want Apple to track. Although I tend to be willing to extend trust to Apple, this may not be something that is entirely within Apple’s control. They are a US company, and it’s possible for future US law to force Apple to do things their leadership wouldn’t have wanted to do.

We’ve also seen Apple bend to the desires of governments before. For example, Apple has conceded to demands from the government of China that are counter to Apple’s philosophy. Although the cynical point to this as evidence that Apple is more interested in profits from China’s large market (and they’re not entirely wrong) there’s more to it than that. Most of Apple’s manufacturing is done in China, and they’d be in a huge pile of trouble if China decided to shut down Apple’s ability to do business there. This means China has leverage it can use to make Apple bend to its wishes, at least within China.

Why is Apple doing this?

I’m sure there will be a lot of debate and speculation on this topic. Part of it is undoubtedly a desire to protect children and prevent distribution of CSAM. Part of it may be marketing.

To me, though, this all boils down to a political move. Apple has been a fantastic advocate for encryption and privacy, even going to the extreme of refusing the FBI’s demands relating to gaining access to a suspected terrorist’s iPhone.

It’s a common request from law enforcement to tech companies to give them “backdoors.” Essentially, this boils down to some kind of private access to users’ data, in theory accessible only to law enforcement agents. The problem with such backdoors is that they don’t tend to remain secret. Hackers can find them and gain access, or rogue government agents can abuse or even sell their access. There is no such thing as a secure backdoor.

Apple’s refusal to create backdoors for government access has angered many who believe that Apple is preventing law enforcement from doing their jobs. A common refrain for people trying to push for backdoors is the old standby, “but think of the children!” CSAM is frequently brought up as a reason why access to messaging, file storage, etc, is needed. This is actually a somewhat clever argument, by making it seem (falsely) like arguing against backdoors is also an argument in support of pedophiles.

By taking specific action against CSAM, Apple has effectively neutered this argument. Politicians will no longer be able to (in essence) accuse Apple of protecting pedophiles as a means of pushing for legislation to require backdoors.

Conclusion

In the end, this is something that is going to cause a lot of controversy and differences of opinion. Some are in support of Apple’s actions, while others are adamantly in opposition. Apple seems to be trying to do the right thing here, and appears to have put a lot of effort into ensuring that the way this is done is most respectful of privacy, but there are some legitimate reasons to question whether this new feature is a good idea.

Those reasons should not be conflated with support for or opposition to CSAM, which we can all agree is a very bad thing. There’s a lot of discussion that should be had on this topic, but CSAM is a very emotional subject, and we should all try to prevent that from coloring our evaluation of the potential problems with Apple’s approach.

The post Apple’s search for child abuse imagery raises serious privacy questions appeared first on Malwarebytes Labs.

Edge’s Super Duper Secure Mode benchmarked: How much speed would you trade for security?

In an attempt to make Edge more secure, the Microsoft Vulnerability Research team has started to experiment with disabling Just-In-Time (JIT) compilation in the browser’s V8 JavaScript engine, to create what it’s calling Super Duper Secure Mode.

The reasoning behind this experiment sounds valid. A little under half of the CVEs issued for V8 relate to the JIT compiler, and more than half of all ‘in-the-wild’ Chrome exploits abuse JIT bugs. (Modern versions of Edge are based on the same Chromium code as Google’s Chrome browser, so Chrome exploits also affect Edge.) Microsoft is wondering out loud if the simplest way to deal with such a problematic sub-system is to just disable it and see where it takes them.

Disabling JIT compilation comes at a price though: speed. JIT compilation is a performance feature that speeds up the execution of JavaScript, the most popular programming language used on the web. Because it sits behind so many web applications, the speed that JavaScript runs has a direct effect on how fast and responsive web applications are.

We were curious just how big an effect it would have.

What is JIT compilation?

A good definition of JIT compilation is this one:

“Just-in-time (JIT) compilation … is a way of executing computer code that involves compilation during execution of a program (at run time) rather than before execution.”

The reason to use JIT compilation is simple: speed. JIT compilation combines the speed of compiled code with the flexibility of interpretation. It allows for more optimized code to be generated. And to limit the overhead, many JIT compilers only compile the code paths that are frequently used.

V8 is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++. It is used in Chrome and in Node.js, among others. Since Edge is based on Chromium it uses V8 as well.

The speed impact of disabling Edge’s JIT compiler

We ran a few quick tests to see how big the impact of disabling JIT would be. To run these tests we compared the latest official release of Edge (Version 92.0.902.67) with the latest available Microsoft Edge Beta (Version 93.0.961.11) with Super Duper Secure Mode enabled and disabled. We found that the speed differences between the latest official release and the beta were marginal, so we have left those out of the results.

The tests were done in a VM on a slow connection. As a benchmark we used Sunspider 1.0.2. We wanted to try the more elaborate JetStream2, but for some reason that never made it to the end. (If you get it to work with JetStream2, we’d love to hear from you.)

Sunspider says its benchmarking focusses “on the kinds of actual problems developers solve with JavaScript today”, is “balanced between different areas of the [JavaScript] language”, and runs each test multiple times to determine a 95% confidence interval and whether you have a statistically significant result.

| Test        | SDSM enabled      | SDSM disabled     | Speed up |
| ----------- | ----------------- | ----------------- | -------- |
| 3d          | 76.7ms +/- 3.4%   | 59.2ms +/- 3.6%   | 1.3x     |
| access      | 102.0ms +/- 0.8%  | 33.7ms +/- 4.1%   | 3.03x    |
| bitops      | 98.4ms +/- 1.0%   | 17.1ms +/- 3.7%   | 5.75x    |
| controlflow | 9.1ms +/- 2.5%    | 5.6ms +/- 6.6%    | 1.63x    |
| crypto      | 46.0ms +/- 1.5%   | 37.9ms +/- 8.1%   | 1.21x    |
| date        | 23.6ms +/- 1.6%   | 26.9ms +/- 2.0%   | 1.14x    |
| math        | 61.4ms +/- 1.5%   | 28.6ms +/- 2.4%   | 2.15x    |
| regexp      | 36.0ms +/- 2.1%   | 5.6ms +/- 6.6%    | 6.43x    |
| string      | 70.1ms +/- 2.2%   | 63.2ms +/- 2.1%   | 1.109x   |
| Total       | 523.3ms +/- 0.6%  | 277.8ms +/- 1.9%  | 1.88x    |
SunSpider 1.0.2 JavaScript Benchmark Results comparing Microsoft Edge Beta (Version 93.0.961.11) with Super Duper Secure Mode enabled and disabled. All the results were statistically significant.

Our results show that enabling the JIT speeds up JavaScript execution in Edge by a factor of 1.88. So disabling JIT compilation makes Edge’s JavaScript processing more secure, but almost twice as slow.

A few remarks before you draw your own conclusions:

  • The benchmark tests the core JavaScript language only and many more things affect the speed of the web than JavaScript execution. So this does not mean that normal surfing will be twice as slow!
  • I repeated the tests several times and while there were some differences the general comparison was roughly the same every time. (Results varied between a 1.87x and 1.90x speed up when JIT compilation was enabled.)

Microsoft claims it found that users using Super Duper Secure Mode rarely notice a difference in their daily browsing. It will probably depend on the type of site(s) you’re visiting, what else you’re doing at the time etc, but it is worth noting that tools that measure web performance, including Google’s Core Web Vitals, attach great importance to JavaScript because slow JavaScript can have such a profound effect on user experience.

Not without a replacement

Regardless, history teaches us that simply disabling the V8 JIT compiler is not going to be a long-term solution. The first advice anyone would get on a computer forum if they complained about a slow browsing experience is going to sound like “enable JIT”. We think we can predict this with great confidence based on similar experience with anti-virus software.

The general public is not going to trade in speed for security. So Microsoft will eventually have to provide people with an alternative. What are the alternatives? It could decide to fix V8 and address whatever the root cause of the V8 bugs is. If it turns to another JavaScript engine entirely, it has a choice of perhaps four: Chakra or ChakraCore, free and open-source JavaScript engines developed by Microsoft for its Edge Legacy web browser; Duktape; or Moddable.

And there are a few more, but realistically speaking, for Microsoft to adapt or adopt one of these engines for Edge would mean turning away from Chromium, which it has only recently turned to. It seems unlikely that it will immediately create a “hard fork”, so to speak. For now the goal of the Super Duper Secure Mode experiment is to raise the bar for attackers.

The security problems of JIT compilation

As we mentioned earlier, disabling JIT compilation in Edge reduces the number of options that an attacker has (known as reducing the attack surface). But another problem with JIT compilation is that it is incompatible with some mitigation technologies. The Microsoft Vulnerability Research team mentions a few security features that can’t be used when JIT is enabled:

  • Control-flow Enforcement Technology (CET), a hardware-based exploit mitigation from Intel. Intel has been actively collaborating with Microsoft and other industry partners to address control-flow hijacking by using this technology to stop attackers from using existing code running from executable memory in a creative way to change program behavior.
  • Arbitrary Code Guard (ACG) helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code. Arbitrary code guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers.

We are thrilled that Microsoft is looking at raising the security standard of its Edge browser. After an unprecedented number of Chrome zero-days in 2021, and a number of high profile security incidents related to several Microsoft products, this is a welcome change of pace.

Try it yourself

Users that want to try Super Duper Secure Mode for themselves will have to get hold of one of the Microsoft Edge preview releases (Beta, Dev, or Canary). If you have one of these running you can enter edge://flags/#edge-enable-super-duper-secure-mode into the address bar of the browser and set the new feature to “Enabled”.


Since this is an experiment we don’t have to take the name Super Duper Secure Mode very seriously. It’s probably not here to stay and may be an indication of how likely it is that disabling the JIT compiler without a replacement will become mainstream.

Stay safe, everyone!

The post Edge’s Super Duper Secure Mode benchmarked: How much speed would you trade for security? appeared first on Malwarebytes Labs.

What is Tor?

Tor, The Onion Router

Tor (The Onion Router) is free software used to keep your online communications safe and secure from outside observers. It’s designed to block tracking and eavesdropping, resist fingerprinting (where services tie your browser and device information to an identity), and to hide the location of the people using it.

The network of websites and services that are only accessible using Tor is often referred to as “The Dark Web” or, more correctly, “The Dark Net”. Although the Dark Web has a reputation for being a place where criminal activity takes place there is nothing intrinsically bad or criminal about Tor. In fact, it was originally created to keep US intelligence communications safe. If your primary concern online is to try and stay anonymous, this is something you’d turn to.

How Tor works

Tor uses layers of encryption to keep your traffic secure. (It’s called “onion” routing because it has multiple layers, like an onion.) Traffic passes through random servers (or nodes) kept running by, well, anybody. You won’t know who is responsible for running the nodes, and the nodes don’t know, and can’t see, what traffic is passing through them.

By default, traffic passes through three nodes, called a Circuit, and the nodes in the Circuit are changed every ten minutes. Each node peels back one layer of encryption. The encryption ensures that each node is only aware of the node that came before it and the node that comes after it. Tor uses three nodes in a circuit because it’s the smallest number of nodes that ensures no point in the system can know both where your traffic originated and where it’s eventually going.

Tor can either be used to access services on the regular Internet or services that are also hidden behind Tor. If you use Tor to access the Internet your Circuit of three nodes acts like an anonymous and very secure Virtual Private Network (VPN) that hides your IP address from the things you use. If you use Tor to access other services that are also hidden by Tor then neither side of the communication can see the IP address of the other.

There are numerous ways to use Tor. You can configure your computer so that all of its communications use the Tor network, or you can use individual applications that make use of it, like the Tor Messenger, launched in 2015. Most people’s first, and perhaps only, experience of Tor is via the appropriately named Tor browser though, which is used for secure web browsing both on the regular web and the Dark Web. As a result, that’s what we’ll focus on below.

The Tor browser

The Tor Browser, which began development in 2008, is a web browser with multiple security and privacy options built in by default. A modded Firefox browser, it connects to the Internet using Tor, and comes with the NoScript and HTTPS Everywhere plugins pre-installed. It also has a number of security defaults cranked up to eleven, to prevent things like browser fingerprinting. It can be used for browsing regular websites securely, or for browsing websites on the Dark Web.

As far as the default operations of the Tor Browser go, NoScript allows active content for trusted domains only. In practice, what this means is that (for example) a site you’re visiting for the first time won’t be allowed to run JavaScript until you allow it.

HTTPS Everywhere helps by ensuring that you don’t accidentally connect to websites using the unencrypted HTTP protocol.

The Security Level settings, available via the browser’s preferences, allow users to customise a wealth of security options, or choose a default.

[Screenshot: Tor Browser’s Security Level screen]

The default Standard option enables all Tor Browser and website features. Safer disables a number of common website options, such as JavaScript on non-HTTPS sites. Audio and video are click-to-play. Safest “only allows website features required for static sites and basic services. These changes affect images, media, and scripts.” In other words, it’s as bare bones a web experience as you’re likely to have. Many sites simply will not function. There’s a big trade-off in functionality for security here, and casual users probably won’t have much interest in this.

Possible risks of using Tor

The fact that anyone can run a Tor node is a feature, but it’s also a possible threat. There’s no guarantee the person running a node isn’t a rogue entity and the total number of nodes is relatively small: Just a few thousand. Although Tor is designed to be resistant to snooping nodes, the last node in a Circuit (known as an Exit node) can be used for spying on traffic that is leaving Tor and joining the regular Internet.

Rogue / snooping exit nodes are definitely a concern. Law enforcement also definitely takes an interest in this area, so temper your expectations appropriately.

Law enforcement or threat actors that are present on a large number of nodes can also theoretically run “correlation attacks”. These undo Tor users’ anonymity by trying to match up traffic entering the Tor network with traffic leaving the Tor network, based on things like timing. Tor isn’t perfect, but it hugely increases the time and effort an adversary would have to expend to spy on you.

One school of thought commonly seen online suggests using Tor in the interest of anonymity makes you stand out and is akin to firing a large “I AM HERE” flare gun into the sky. While this may be true in some cases, for most people using it this probably isn’t an issue.

By comparison, people using a VPN are probably more interested in privacy than anonymity. A VPN is run by a single organisation, as opposed to bouncing you through lots of random nodes maintained by complete strangers. Because Tor uses more nodes and more encryption than a VPN it is normally slower.

VPNs can also be compromised, and user data put up for grabs. Nothing is 100% guaranteed to be secure, and that holds true here whether using VPNs or Tor. It’s up to users to pick the option most suited to their needs, and account for things potentially going wrong.

That isn’t to dissuade you from using either service; if you’re considering using either, there’s likely a valid need for it. In practical terms a little boost in anonymity and / or privacy can only be a good thing, so get a feel for what options are available and stay safe regardless of your ultimate choice.

The post What is Tor? appeared first on Malwarebytes Labs.