IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

PrintNightmare and RDP RCE among major issues tackled by Patch Tuesday

The sheer number of patches (44 security vulnerabilities) should be enough to scare us, but unfortunately we have gotten used to those numbers. In fact, 44 is a low number compared to what we have seen on recent Patch Tuesdays. So what are the most notable vulnerabilities that were patched?

  • One actively exploited vulnerability
  • One vulnerability that has a CVSS score of 9.9 out of 10
  • And yet another attempt to fix PrintNightmare

Let’s go over these worst cases to get an idea of what we are up against.

CVEs

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

Actively exploited

CVE-2021-36948 is an elevation of privilege (EoP) vulnerability in the Windows Update Medic Service. The Windows Update Medic Service is a background service that was introduced with Windows 10 and handles the updating process. Its only purpose is to repair the Windows Update service so that your PC can continue to receive updates unhindered. Besides Windows 10, it also runs on Windows Server 2019. According to Microsoft, CVE-2021-36948 is being actively exploited, but it is not aware of publicly available exploit code. Reportedly, the exploit is low complexity and requires no user interaction, making this an easy vulnerability to include in an adversary’s toolbox. The bug is only locally exploitable, but local elevation of privilege is exactly what ransomware gangs, for example, will be looking to do after breaching a network.

9.9 out of 10

CVE-2021-34535 is a Remote Code Execution (RCE) vulnerability in Windows TCP/IP. It is remotely exploitable by a malicious Hyper-V guest sending an IPv6 ping to the Hyper-V host: an attacker could send a specially crafted TCP/IP packet to its host. This vulnerability exists in the TCP/IP protocol stack of Windows 7 and newer Microsoft operating systems, including servers.

This vulnerability received a CVSS score of 9.9 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.

9.8 out of 10

Another high scorer is CVE-2021-26432, an RCE in the Windows Services for NFS ONCRPC XDR Driver. Open Network Computing (ONC) Remote Procedure Call (RPC) is a remote procedure call system. ONC was originally developed by Sun Microsystems. The NFS protocol is independent of the type of operating system, network architecture, and transport protocols. The Windows service for the driver makes sure that Windows computers can use this protocol. This vulnerability got a high score because it is known to be easy to exploit and can be initiated remotely.

More RDP

CVE-2021-34535 is an RCE in the Remote Desktop Client. Microsoft lists two exploit scenarios for this vulnerability:

  • In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.
  • In the case of Hyper-V, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer when a victim running on the host connects to the attacking Hyper-V guest.

Since this is a client-side vulnerability, an attacker would have to convince a user to authenticate to a malicious RDP server, where the server could then trigger the bug on the client side. Combined with other RDP weaknesses, however, this vulnerability would be easy to chain into a full system take-over.

Never-ending nightmare of PrintNightmare

The Print Spooler service was subject to yet more patching. The researchers behind PrintNightmare predicted that it would be a fertile ground for further discoveries, and they seem to be right. I’d be tempted to advise Microsoft to start from scratch instead of patching patches on a very old chunk of code.

CVE-2021-36936 is an RCE vulnerability in Windows Print Spooler. It was publicly disclosed and may be related to several bugs in Print Spooler that were identified by researchers over the past few months (presumably PrintNightmare).

CVE-2021-34481 and CVE-2021-34527 are RCE vulnerabilities that could allow attackers to run arbitrary code with SYSTEM privileges.

Microsoft said the Print Spooler patch it pushed this time should address all publicly documented security problems with the service. In an unusual step, it has made a breaking change: “Today we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges.”

To be continued, we suspect.

The post PrintNightmare and RDP RCE among major issues tackled by Patch Tuesday appeared first on Malwarebytes Labs.

Check your passwords! Synology NAS devices under attack from StealthWorker

Synology PSIRT (Product Security Incident Response Team) has put out a warning that it has recently seen and received reports about an increase in brute-force attacks against Synology devices. PSIRT suspects the botnet commonly known as StealthWorker is responsible for this increase in activity.

Synology

Synology specializes in data storage and most people will know it because of its Network Attached Storage (NAS) devices. These NAS devices seem to be what the botnet is targeting. The company does not believe the botnet is exploiting vulnerabilities in its software; it’s simply going after weak or default passwords using brute force guessing.

In a brute force guessing attack, software attempts to find a device’s password with a bit of educated guesswork (typically by using a list of known, common passwords). It tries a password, sees if it works, and if it doesn’t, tries another, and another, and another, until it either guesses a password correctly or exhausts its list and moves on.

In this case, if a password is guessed successfully, the device is infected with malware that will carry out additional attacks on other devices.

StealthWorker

We reported about Trojan.StealthWorker.GO in February of 2019 when it emerged as a brute forcer written in Golang that was discovered to be involved in a rise in attacks against e-commerce websites. Golang is a statically-typed, compiled, general-purpose programming language that we see more often in the current malware landscape. Shortly after its involvement with CMS platforms, StealthWorker started to target Linux and Windows machines.

In June 2020, Akamai researchers uncovered a malware campaign spreading Golang-based malicious code that was also attributed to StealthWorker. It was found targeting Windows and Linux servers running popular web services and platforms like WordPress, Drupal, Joomla, and Magento. One significant finding back then was that cleaning the compromised system was not enough: it would be re-infected within minutes if the password stayed the same. This would indicate either a very efficient brute-force technique or, perhaps more likely, the use of a method to store and retrieve passwords that were once guessed right.

Once deployed on a compromised machine, the malware creates scheduled tasks on both Windows and Linux to gain persistence and, as Synology warned, then deploys second-stage malware payloads. Botnets can be used to spread other malware like cryptojackers and ransomware. Or your device can be used in DDoS or click-fraud campaigns. On CMS platforms the botnet can equip a compromised e-commerce website with an embedded skimmer that steals personal information and payment details when unsuspecting customers enter them into the website.

Mitigation

Synology says it is working with multiple CERT organizations worldwide in an attempt to locate and take down the botnet’s command and control servers.

Synology recommends that all users check their system for weak administrative credentials and change them if necessary. Synology also recommends enabling auto block and account protection. Finally, you should set up multi-factor authentication (MFA) where possible.
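As an added illustration of the brute-force guessing described above and of the auto-block and account-protection measures Synology recommends (this is example code written for this page, not Synology’s implementation; the log line format, thresholds and IP addresses are constructed assumptions), the following Python script counts failed logins per source address in a sliding window, blocks a source once it crosses a threshold, and flags a successful login that follows a burst of failures:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. The line format is an assumption made for this
# example; it is not Synology's real log format. Addresses are documentation
# ranges (RFC 5737).
SAMPLE_LOG = """\
2021-08-06T10:00:00 auth: FAILED login user=admin src=203.0.113.7
2021-08-06T10:00:01 auth: FAILED login user=admin src=203.0.113.7
2021-08-06T10:00:02 auth: FAILED login user=admin src=203.0.113.7
2021-08-06T10:00:03 auth: FAILED login user=admin src=203.0.113.7
2021-08-06T10:00:04 auth: FAILED login user=admin src=203.0.113.7
2021-08-06T10:00:05 auth: FAILED login user=admin src=203.0.113.7
2021-08-06T10:00:00 auth: FAILED login user=backup src=192.0.2.9
2021-08-06T10:00:01 auth: FAILED login user=backup src=192.0.2.9
2021-08-06T10:00:02 auth: FAILED login user=backup src=192.0.2.9
2021-08-06T10:00:03 auth: FAILED login user=backup src=192.0.2.9
2021-08-06T10:02:00 auth: FAILED login user=backup src=192.0.2.9
2021-08-06T10:02:01 auth: FAILED login user=backup src=192.0.2.9
2021-08-06T10:05:10 auth: FAILED login user=bob src=198.51.100.20
2021-08-06T10:05:15 auth: FAILED login user=bob src=198.51.100.20
2021-08-06T10:05:20 auth: SUCCESS login user=bob src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class BruteForceMonitor:
    """Sliding-window failed-login counter with an auto-block list."""

    def __init__(self, max_failures=5, window=timedelta(minutes=1)):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.blocked = {}                    # src -> time the block was applied
        self.events = []                     # (kind, src, user, ts)

    def observe(self, ts, result, user, src):
        if src in self.blocked:
            # A blocked source keeps trying: record it, do not count it again.
            self.events.append(("rejected_while_blocked", src, user, ts))
            return
        recent = self.failures[src]
        # Forget failures that have fallen out of the window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if result == "FAILED":
            recent.append(ts)
            if len(recent) >= self.max_failures:
                self.blocked[src] = ts
                self.events.append(("blocked", src, user, ts))
        else:
            # Account protection: a success right after failures from the same
            # source is worth a second look even though the password was right.
            if recent:
                self.events.append(("success_after_failures", src, user, ts))
            recent.clear()


def analyze(log_text, max_failures=5, window_seconds=60):
    """Feed every parseable line to a monitor and return it for inspection."""
    monitor = BruteForceMonitor(max_failures, timedelta(seconds=window_seconds))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        monitor.observe(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])
    return monitor


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for kind, src, user, ts in result.events:
        print(f"{ts.isoformat()} {kind:<24} src={src} user={user}")
    print("blocked sources:", sorted(result.blocked))
```

With the default one-minute window, 203.0.113.7 is blocked on its fifth failure and 192.0.2.9 is not, because its first four failures have aged out before the last two arrive; widening the window to five minutes blocks it too. The threshold and window are the knobs a device’s auto-block feature exposes, and the trade-off is the usual one: a tight window with a high threshold misses slow guessing, a wide window with a low threshold locks out legitimate users who mistype.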

Synology also advises users to enable Snapshot to keep their NAS safe from encryption-based ransomware. This performs a regular, off-site backup. More Synology NAS-specific security advice can be found on its site.

The company’s advice is also valid for any other Internet-facing NAS devices. Synology only reports these attacks are performed on its devices, but that might be because it is where it has a clear picture of what’s going on. It does not mean other devices are being neglected by the botnet. There is no reason for StealthWorker, or other botnets, to pass up on other manufacturers’ devices.

Stay safe, everyone!

The post Check your passwords! Synology NAS devices under attack from StealthWorker appeared first on Malwarebytes Labs.

Ransomware turncoat leaks Conti data, lifts the lid on the ransomware business

Last week, The Record broke the news that a self-described “pen tester” for the infamous Conti ransomware gang, who goes by the handle m1Geelka, had leaked manuals, technical guides, and software on the underground forum XSS. According to the screenshot of m1Geelka’s original forum post—and screenshots of later ones from several security researchers being passed around on Twitter—their problem seems to be (surprise, surprise) money: Conti isn’t paying “hard workers” enough of what it extorts.

If you’ve heard of Conti, it’s likely in connection with a devastating attack on Ireland’s Health Service Executive in May. The attack affected the provision of healthcare across the entire country, causing hundreds of thousands of appointments to be scrapped.

m1Geelka’s rant starts:

Dumb divorce, not work. They recruit penetration testers, of course … They recruit guys to test Active Directory networks, they use the Locker – Conti. I merge you their 10-address of cobalt servers and type of training materials. 1500 $ yes, of course, they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays.

The reference to “their 10-address cobalt servers and type of training materials” refers to the materials m1Geelka leaked on the forum, which included the IP addresses of the Conti gang’s Cobalt Strike command and control servers.

Aside from the tactics, techniques and procedures (TTPs), the leak comes with a few interesting lessons:

Ransomware is an industry

The leak further reinforces something we already knew: that ransomware is a mature criminal business that includes cooperation between groups, the division of labor, extensive outsourcing and competition for skilled workers.

According to one observer, Conti’s recruitment on the XSS forum tries to entice potential “pen testers” like m1Geelka with familiar-sounding work conditions, such as fully remote working, a salary of $1,500 plus a percentage of the spoils from attacks, and a five-day work week (yup, you get weekends off).

Others reported that m1Geelka later suffered a case of buyer’s remorse and walked back some of their claims, saying they were never an affiliate of Conti and that they had only leaked data that was already public. Perhaps somebody reminded them that some things are done differently in the underground economy.

Everyone is vulnerable to insider threats

Although some see this leak as an example of there being “no honor among thieves”, it isn’t. Disgruntled employees or contractors exist in all walks of life, and occasionally take out their frustration on employers’ computers, networks, and data. The leak is simply another example of how unexceptional the ransomware economy is.

These kinds of incidents happen everywhere—they even happen at the FBI—and, according to the UK’s National Crime Agency, they happened more in 2020 than in 2019 because of the disruption caused by the pandemic.

Which means it can happen to you, and your approach to security should account for it.

Conti cares about your revenue

Modern ransomware attacks are often described as “targeted”, but there is some misunderstanding about what that means. Most of the time it means that attackers focus on one target at a time, rather than attacking as many targets as possible.

A small detail of the Conti leak reported by NBC shows that Conti documentation encourages attackers to investigate potential targets in Google—searching for “WEBSITE + revenue”—and reminds them to check multiple sources, so they get an accurate number.

The advice appears in “MANALS_V2 Active Directory”, listed in a section called “Increasing privileges and collecting information”, and appears to be one of the steps attackers are told to take after breaking into a target’s network. If attackers are discovering this kind of information after they’ve broken in rather than before, it shows they aren’t going after specific targets, merely vulnerable ones.

The post Ransomware turncoat leaks Conti data, lifts the lid on the ransomware business appeared first on Malwarebytes Labs.

A week in security (August 2 – August 8)

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe!

The post A week in security (August 2 – August 8) appeared first on Malwarebytes Labs.

Home routers are being hijacked using vulnerability disclosed just 2 days ago

The early bird catches the worm. Unless the worm was early enough to hide.

On August 3, 2021 a vulnerability that was discovered by Tenable was made public. Only two days later, on August 5, Juniper Threat Labs identified some attack patterns that attempted to exploit this vulnerability in the wild. The vulnerability is listed as CVE-2021-20090.

Router firmware

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Under the description of CVE-2021-20090 you will find:

“a path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.”

But during the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware. In its synopsis, Tenable lists some 36 devices that have been confirmed to be affected. The list of affected devices includes some of today’s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.

The path traversal vulnerability means that some files on the devices can be accessed without authentication because they fall under a bypass list. Attackers can use this vulnerability to bypass authentication procedures on the affected routers and modems to enable the Telnet service, which will allow threat actors to connect to devices remotely and take over control of the affected device. The full technical details of the discovery and the Proof-of-Concept (PoC) can be found in the Tenable TechBlog.
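To make the path traversal point concrete from the defender’s side, here is an added Python example (not Tenable’s PoC and not the Arcadyan firmware’s code; the allowlist, path names and function names are assumptions) showing how an authentication bypass list that is matched against the raw request path can be fooled by `..` segments and percent-encoding, and how canonicalizing the path before consulting the list closes that gap:

```python
import posixpath
from urllib.parse import unquote

# Constructed allowlist of resources that may be served without a login (the
# login page and its static assets). An assumption for this example, not the
# bypass list of any real firmware.
PUBLIC_FILES = {"/login.html"}
PUBLIC_DIRS = ("/images/", "/css/")


def naive_is_public(raw_path):
    """Weak form: a plain prefix test on the request path exactly as received.
    If the file-serving layer later resolves '..' segments and percent-encoding,
    the path that was checked is not the path that gets served."""
    return raw_path.startswith(tuple(PUBLIC_FILES) + PUBLIC_DIRS)


def canonicalize(raw_path):
    """Percent-decode (twice, to catch double encoding), force a single leading
    slash and collapse '.', '..' and repeated slashes, so the string we check is
    the one the file system would actually resolve."""
    decoded = unquote(unquote(raw_path))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def hardened_is_public(raw_path):
    """Canonicalize first, then match files exactly and directories by prefix."""
    path = canonicalize(raw_path)
    # normpath cannot leave '..' in an absolute path, but the check is cheap.
    if ".." in path.split("/"):
        return False
    return path in PUBLIC_FILES or path.startswith(PUBLIC_DIRS)


def requires_auth(raw_path):
    """What the request router should call before serving anything."""
    return not hardened_is_public(raw_path)


if __name__ == "__main__":
    # Constructed request paths: the first two are legitimate, the rest try
    # to ride the allowlist into protected territory.
    for p in ("/images/logo.png", "/login.html",
              "/images/../admin/settings.cgi",
              "/images/%2e%2e/admin/settings.cgi",
              "/login.html.bak"):
        print(f"{p:<40} naive={naive_is_public(p)!s:<5} "
              f"hardened={hardened_is_public(p)!s:<5} canonical={canonicalize(p)}")
```

The important property is that the allowlist and the file system see the same string. Decoding and normalizing once, in one place, before any access-control decision, is the fix; bolting `..` filters onto the raw string tends to miss the next encoding variant.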

Quick response

Once again, the importance of responsible disclosure is demonstrated since it only took threat actors two days after the publication of a PoC to add this vulnerability to their arsenal. The threat actor seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar to those found to be used against devices from vendors like SonicWall, D-Link, Netgear, Cisco, Tenda, MicroFocus, and Netis. This same threat actor was found earlier to serve a Mirai variant leveraging CVE-2021-27561 and CVE-2021-27562, just hours after vulnerability details were published.

Mirai

Mirai is the name of the malware behind one of the most active and well-known Internet-of-Things (IoT) botnets. It started with Mirai taking advantage of insecure IoT devices in a simple but clever way. It scanned big blocks of the internet for open Telnet ports, then attempted to log in using default passwords. In this way, it was able to quickly corral an army of small, Internet-connected “smart” devices, like cameras, into a botnet.

You may remember hearing about this botnet after the massive East Coast internet outage of 2016 when the Mirai botnet was leveraged in a DDoS attack aimed at Dyn, an Internet infrastructure company. Traffic to Dyn’s Internet directory servers throughout the US—primarily on the East Coast but later on the opposite end of the country as well—was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system.

After the source code of the original Mirai botnet was leaked, this code was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets. These operators are engaged in an ongoing competition to find new victims and hijack devices from each other. The original authors of Mirai were convicted for leasing their botnet out for DDoS attacks and click fraud. But their successors are still very much using the foundations of the first Mirai botnet.

Mitigation

The vulnerability was patched in April, and owners of any of the affected devices listed in Tenable’s synopsis mentioned above are advised to ask their router vendor for security patches. Tenable reported the issues to the CERT Coordination Center for help with contacting and tracking all the affected vendors.

What is worrying about the current situation is that many of the owners of vulnerable devices are home users that were provided with the device by their internet provider. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.

The post Home routers are being hijacked using vulnerability disclosed just 2 days ago appeared first on Malwarebytes Labs.

Apple’s search for child abuse imagery raises serious privacy questions

The Internet has been on fire since the August 4 discovery (disclosed publicly by Matthew Green) that Apple will be monitoring photos uploaded to iCloud for child sexual abuse material (CSAM). Some see this as a great move by Apple that will protect children. Others view this as a potentially dangerous slide away from privacy that may not actually protect children—and, in fact, could actually cause some children to come to harm.

How does this work?

It’s important to understand that, contrary to what it sounds like, Apple will not be rifling through all your photos on iCloud. All scanning for CSAM material will be done on the device itself, by an artificial intelligence algorithm. That system, called neuralMatch, will perform two functions.

The first is to create a hash of any photos on the device before they are uploaded to iCloud. (A “hash” is a computed value that should be a unique representation of a file, but that cannot be reversed to obtain a copy of the file itself.) This hash will be compared to a database of hashes of known CSAM materials on the device. The result is recorded cryptographically and stored on iCloud alongside the photo. If the user passes some minimum threshold of photos that match known CSAM hashes, Apple will be able to access those photos and the iCloud account will be shut down.

The second function is to protect children under 13 against sending or receiving CSAM images. Apple’s AI will attempt to detect whether images sent or received via iMessage have such content. In such cases, the child will be warned, and if they choose to view or send the content anyway, their parents will be notified. For children between 13 and 18, the same warning will be shown, but parents will apparently not be notified. This all relies on the child’s Apple ID being managed under a family account.

Why should I worry about monitoring a child’s texts?

There are a lot of potential problems with this. This can be a serious violation of a child’s privacy, and the behavior of this feature is predicated on an assumption that may not be true: That a child’s relationship with their parents is a healthy one. This is not always the case. Parents or guardians could be complicit in the creation of CSAM content. Further, an abusive parent could see a warning about a legitimate photo that was falsely identified as CSAM content, and could harm the child based on false information. (Yes, the parent would have the option to view the photo, but it’s possible a parent may choose not to. I certainly wouldn’t want such an image of my child in my head.)

Also, consider the fact that this applies to being sent an image, not just sending an image. Imagine the trouble a bully or scammer could cause by sending CSAM material, or the damage that could be done if a child of an abusive parent were sent a CSAM image and viewed it without fully understanding why it was being blocked or what the consequences would be!

And finally, as the EFF’s Eva Galperin pointed out on Twitter there is also the danger that this well intentioned functionality “is going to out a lot of queer kids to their homophobic parents”.

What’s the problem with monitoring photos uploaded to iCloud?

Although a comparison of a hash to a file has a low chance of false positives, it can definitely happen. Apple claims that there should be a one in one trillion chance of false positives, but it remains to be seen if that is true in practice.
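The one-in-a-trillion figure is an account-level rate, and it depends on two things the paragraph above does not separate: the per-image false-positive rate of the hash comparison and the match threshold an account must cross. As an added example (written for this page, not Apple’s code; the photo counts, per-image rates and threshold values are assumed), the Python below models spurious matches as independent events and computes the probability that an innocent account reaches the threshold, plus the smallest threshold that keeps that probability under a target:

```python
from math import exp, lgamma, log, log1p


def _log_binom_pmf(n, k, p):
    # log of C(n, k) * p^k * (1-p)^(n-k), kept in log space so the binomial
    # coefficient cannot overflow a float for large photo libraries.
    return (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
            + k * log(p) + (n - k) * log1p(-p))


def account_false_positive_rate(n_photos, per_image_fp, threshold):
    """Probability that an account holding n_photos innocent photos accumulates
    at least `threshold` spurious matches, treating each photo's match as an
    independent event with probability per_image_fp (a modelling assumption)."""
    if threshold <= 0:
        return 1.0
    if threshold > n_photos or per_image_fp <= 0.0:
        return 0.0
    if per_image_fp >= 1.0:
        return 1.0
    return sum(exp(_log_binom_pmf(n_photos, k, per_image_fp))
               for k in range(threshold, n_photos + 1))


def min_threshold_for(n_photos, per_image_fp, target_rate):
    """Smallest threshold whose account-level false-positive rate is at or
    below target_rate (a threshold above n_photos always satisfies it)."""
    target_rate = max(target_rate, 0.0)
    t = 1
    while account_false_positive_rate(n_photos, per_image_fp, t) > target_rate:
        t += 1
    return t


if __name__ == "__main__":
    # Constructed parameters, not Apple's: a 10,000-photo library and a
    # one-in-a-million per-image false match.
    n, p = 10_000, 1e-6
    for t in (1, 2, 3, 5, 10):
        print(f"threshold {t:>2}: account false-positive rate "
              f"{account_false_positive_rate(n, p, t):.3e}")
    print("smallest threshold for a 1e-12 account rate:", min_threshold_for(n, p, 1e-12))
```

Two things fall out of running it. A threshold of one gives an account rate roughly equal to the number of photos times the per-image rate, which for any realistic library is nowhere near one in a trillion; raising the threshold drives the rate down roughly as the per-image rate to the power of the threshold. The model also shows what the claim cannot tell you on its own: the same account-level number can be reached with a sloppy hash and a high threshold or a precise hash and a low one, and only the first combination lets a single unlucky photo put an account within one match of review.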

Apple is providing a process to appeal in cases where an account is wrongly closed because of false positives. However, anyone who has been involved in reviews and appeals with Apple knows they don’t always go your way, nor are they always speedy. Sometimes they are, sometimes not. Time will tell how big a problem this is.

What about the privacy issues?

For a company that has constantly talked about protecting users’ privacy, this seems like a reversal. However, Apple has clearly put a lot of thought into this, and is emphasizing the fact that none of this happens on their servers. Apple states that all the processing happens on the device, and that it does not see the images (unless it’s determined that abuse is happening).

Further, CSAM is a big problem. I don’t think there’s anyone—other than pedophiles—who wouldn’t want to see all production of and trafficking in CSAM brought to an end. So many will praise Apple for taking this action.

This doesn’t mean there aren’t issues, though. Many view this as a first step onto a slippery slope. Blocking CSAM is a good thing, but there’s nothing to prevent the tools that Apple has built from being used for other things. For example, suppose the US government puts pressure on Apple to start detecting terrorism-related content. What exactly would that look like, if Apple decided to—or was forced to—comply? What would happen if a law-abiding person’s iCloud account was flagged as being involved in terrorist activity due to false positives on their photos? And what about tracking more prosaic crimes, such as drug use?

I could go on, as there are lots of things that governments of the world—including the US government—might want Apple to track. Although I tend to be willing to extend trust to Apple, this may not be something that is entirely within Apple’s control. They are a US company, and it’s possible for future US law to force Apple to do things their leadership wouldn’t have wanted to do.

We’ve also seen Apple bend to the desires of governments before. For example, Apple has conceded to demands from the government of China that are counter to Apple’s philosophy. Although cynics point to this as evidence that Apple is more interested in profits from China’s large market (and they’re not entirely wrong), there’s more to it than that. Most of Apple’s manufacturing is done in China, and Apple would be in a huge pile of trouble if China decided to shut down its ability to do business there. This means China has leverage it can use to make Apple bend to its wishes, at least within China.

Why is Apple doing this?

I’m sure there will be a lot of debate and speculation on this topic. Part of it is undoubtedly a desire to protect children and prevent distribution of CSAM. Part of it may be marketing.

To me, though, this all boils down to a political move. Apple has been a fantastic advocate for encryption and privacy, even going to the extreme of refusing the FBI’s demands relating to gaining access to a suspected terrorist’s iPhone.

It’s a common request from law enforcement to tech companies to give them “backdoors.” Essentially, this boils down to some kind of private access to users’ data, in theory accessible only to law enforcement agents. The problem with such backdoors is that they don’t tend to remain secret. Hackers can find them and gain access, or rogue government agents can abuse or even sell their access. There is no such thing as a secure backdoor.

Apple’s refusal to create backdoors for government access has angered many who believe that Apple is preventing law enforcement from doing their jobs. A common refrain for people trying to push for backdoors is the old standby, “but think of the children!” CSAM is frequently brought up as a reason why access to messaging, file storage, etc. is needed. This is actually a somewhat clever argument, because it makes it seem (falsely) like arguing against backdoors is also an argument in support of pedophiles.

By taking specific action against CSAM, Apple has effectively neutered this argument. Politicians will no longer be able to (in essence) accuse Apple of protecting pedophiles as a means of pushing for legislation to require backdoors.

Conclusion

In the end, this is something that is going to cause a lot of controversy and differences of opinion. Some are in support of Apple’s actions, while others are adamantly in opposition. Apple seems to be trying to do the right thing here, and appears to have put a lot of effort into ensuring that the way this is done is most respectful of privacy, but there are some legitimate reasons to question whether this new feature is a good idea.

Those reasons should not be conflated with support for or opposition to CSAM, which we can all agree is a very bad thing. There’s a lot of discussion that should be had on this topic, but CSAM is a very emotional subject, and we should all try to prevent that from coloring our evaluation of the potential problems with Apple’s approach.

The post Apple’s search for child abuse imagery raises serious privacy questions appeared first on Malwarebytes Labs.

Edge’s Super Duper Secure Mode benchmarked: How much speed would you trade for security?

In an attempt to make Edge more secure, the Microsoft Vulnerability Research team has started to experiment with disabling Just-In-Time (JIT) compilation in the browser’s V8 JavaScript engine, to create what it’s calling Super Duper Secure Mode.

The reasoning behind this experiment sounds valid. A little under half of the CVEs issued for V8 relate to the JIT compiler, and more than half of all ‘in-the-wild’ Chrome exploits abuse JIT bugs. (Modern versions of Edge are based on the same Chromium code as Google’s Chrome browser, so Chrome exploits also affect Edge.) Microsoft is wondering out loud if the simplest way to deal with such a problematic sub-system is to just disable it and see where it takes them.

Disabling JIT compilation comes at a price though: speed. JIT compilation is a performance feature that speeds up the execution of JavaScript, the most popular programming language used on the web. Because it sits behind so many web applications, the speed that JavaScript runs has a direct effect on how fast and responsive web applications are.

We were curious just how big an effect it would have.

What is JIT compilation?

A good definition of JIT compilation is this one:

“Just-in-time (JIT) compilation … is a way of executing computer code that involves compilation during execution of a program (at run time) rather than before execution.”

The reason to use JIT compilation is simple: speed. JIT compilation combines the speed of compiled code with the flexibility of interpretation. It allows for more optimized code to be generated. And to limit the overhead, many JIT compilers only compile the code paths that are frequently used.

V8 is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++. It is used in Chrome and in Node.js, among others. Since Edge is based on Chromium it uses V8 as well.

The speed impact of disabling Edge’s JIT compiler

We ran a few quick tests to see how big the impact of disabling JIT would be. To run these tests we compared the latest official release of Edge (Version 92.0.902.67) with the latest available Microsoft Edge Beta (Version 93.0.961.11) with Super Duper Secure Mode enabled and disabled. We found that the speed differences between the latest official release and the beta were marginal, so we have left those out of the results.

The tests were done in a VM on a slow connection. As a benchmark we used Sunspider 1.0.2. We wanted to try the more elaborate JetStream2, but for some reason that never made it to the end. (If you get it to work with JetStream2, we’d love to hear from you.)

Sunspider says its benchmarking focusses “on the kinds of actual problems developers solve with JavaScript today”, is “balanced between different areas of the [JavaScript] language”, and runs each test multiple times to determine a 95% confidence interval and whether you have a statistically significant result.

Test        | SDSM enabled (JIT off) | SDSM disabled (JIT on) | Speed up
3d          | 76.7ms +/- 3.4%        | 59.2ms +/- 3.6%        | 1.3x
access      | 102.0ms +/- 0.8%       | 33.7ms +/- 4.1%        | 3.03x
bitops      | 98.4ms +/- 1.0%        | 17.1ms +/- 3.7%        | 5.75x
controlflow | 9.1ms +/- 2.5%         | 5.6ms +/- 6.6%         | 1.63x
crypto      | 46.0ms +/- 1.5%        | 37.9ms +/- 8.1%        | 1.21x
date        | 23.6ms +/- 1.6%        | 26.9ms +/- 2.0%        | 1.14x
math        | 61.4ms +/- 1.5%        | 28.6ms +/- 2.4%        | 2.15x
regexp      | 36.0ms +/- 2.1%        | 5.6ms +/- 6.6%         | 6.43x
string      | 70.1ms +/- 2.2%        | 63.2ms +/- 2.1%        | 1.109x
Total       | 523.3ms +/- 0.6%       | 277.8ms +/- 1.9%       | 1.88x

SunSpider 1.0.2 JavaScript Benchmark Results comparing Microsoft Edge Beta (Version 93.0.961.11) with Super Duper Secure Mode enabled and disabled. All the results were statistically significant.

Our results show that enabling the JIT speeds up JavaScript execution in Edge by a factor of 1.88. So disabling JIT compilation makes Edge’s JavaScript processing more secure, but almost twice as slow.

A few remarks before you draw your own conclusions:

  • The benchmark tests the core JavaScript language only and many more things affect the speed of the web than JavaScript execution. So this does not mean that normal surfing will be twice as slow!
  • I repeated the tests several times and while there were some differences the general comparison was roughly the same every time. (Results varied between a 1.87x and 1.90x speed up when JIT compilation was enabled.)

Microsoft claims it found that users using Super Duper Secure Mode rarely notice a difference in their daily browsing. It will probably depend on the type of site(s) you’re visiting, what else you’re doing at the time, etc., but it is worth noting that tools that measure web performance, including Google’s Core Web Vitals, attach great importance to JavaScript because slow JavaScript can have such a profound effect on user experience.

Not without a replacement

Regardless, history teaches us that simply disabling the V8 JIT compiler is not going to be a long-term solution. The first advice anyone would get on a computer forum if they complained about a slow browsing experience is going to sound like “enable JIT”. We think we can predict this with great confidence based on similar experience with anti-virus software.

The general public is not going to trade in speed for security. So Microsoft will eventually have to provide people with an alternative. What are the alternatives? It could decide to fix V8 and address whatever the root cause of the V8 bugs is. If it turns to another JavaScript engine entirely, it has a choice of perhaps four: Chakra or ChakraCore, free and open-source JavaScript engines developed by Microsoft for its Edge Legacy web browser; Duktape; or Moddable.

And there are a few more, but realistically speaking, for Microsoft to adapt or adopt one of these engines for Edge would mean turning away from Chromium, which it has only recently turned to. It seems unlikely that it will immediately create a “hard fork”, so to speak. For now the goal of the Super Duper Secure Mode experiment is to raise the bar for attackers.

The security problems of JIT compilation

As we mentioned earlier, disabling JIT compilation in Edge reduces the number of options that an attacker has (known as reducing the attack surface). But another problem with JIT compilation is that it is incompatible with some mitigation technologies. The Microsoft Vulnerability Research team mentions a few security features that can’t be used when JIT is enabled:

  • Control-flow Enforcement Technology (CET), a hardware-based exploit mitigation from Intel. Intel has been actively collaborating with Microsoft and other industry partners to address control-flow hijacking by using this technology to stop attackers from using existing code running from executable memory in a creative way to change program behavior.
  • Arbitrary Code Guard (ACG) helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code. Arbitrary code guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers.

We are thrilled that Microsoft is looking at raising the security standard of its Edge browser. After an unprecedented number of Chrome zero-days in 2021, and a number of high-profile security incidents related to several Microsoft products, this is a welcome change of pace.

Try it yourself

Users that want to try Super Duper Secure Mode for themselves will have to get hold of one of the Microsoft Edge preview releases (Beta, Dev, or Canary). If you have one of these running, you can insert edge://flags/#edge-enable-super-duper-secure-mode into the address bar of the browser and set the new feature to “Enabled”.


Since this is an experiment we don’t have to take the name Super Duper Secure Mode very seriously. It’s probably not here to stay and may be an indication of how likely it is that disabling the JIT compiler without a replacement will become mainstream.

Stay safe, everyone!

The post Edge’s Super Duper Secure Mode benchmarked: How much speed would you trade for security? appeared first on Malwarebytes Labs.

What is Tor?

Tor, The Onion Router

Tor (The Onion Router) is free software used to keep your online communications safe and secure from outside observers. It’s designed to block tracking and eavesdropping, resist fingerprinting (where services tie your browser and device information to an identity), and to hide the location of the people using it.

The network of websites and services that are only accessible using Tor is often referred to as “The Dark Web” or, more correctly, “The Dark Net”. Although the Dark Web has a reputation for being a place where criminal activity takes place there is nothing intrinsically bad or criminal about Tor. In fact, it was originally created to keep US intelligence communications safe. If your primary concern online is to try and stay anonymous, this is something you’d turn to.

How Tor works

Tor uses layers of encryption to keep your traffic secure. (It’s called “onion” routing because it has multiple layers, like an onion.) Traffic passes through random servers (or nodes) kept running by, well, anybody. You won’t know who is responsible for running the nodes, and the nodes don’t know, and can’t see, what traffic is passing through them.

By default, traffic passes through three nodes, called a Circuit, and the nodes in the Circuit are changed every ten minutes. Each node peels back one layer of encryption. The encryption ensures that each node is only aware of the node that came before it and the node that comes after it. Tor uses three nodes in a circuit because it’s the smallest number of nodes that ensures no point in the system can know both where your traffic originated and where it’s eventually going.

Tor can either be used to access services on the regular Internet or services that are also hidden behind Tor. If you use Tor to access the Internet your Circuit of three nodes acts like an anonymous and very secure Virtual Private Network (VPN) that hides your IP address from the things you use. If you use Tor to access other services that are also hidden by Tor then neither side of the communication can see the IP address of the other.

There are numerous ways to use Tor. You can configure your computer so that all of its communications use the Tor network, or you can use individual applications that make use of it, like the Tor Messenger, launched in 2015. Most people’s first, and perhaps only, experience of Tor is via the appropriately named Tor browser though, which is used for secure web browsing both on the regular web and the Dark Web. As a result, that’s what we’ll focus on below.

The Tor browser

The Tor Browser, which began development in 2008, is a web browser with multiple security and privacy options built in by default. A modded Firefox browser, it connects to the Internet using Tor, and comes with the NoScript and HTTPS Everywhere plugins pre-installed. It also has a number of security defaults cranked up to eleven, to prevent things like browser fingerprinting. It can be used for browsing regular websites securely, or for browsing websites on the Dark Web.

As far as the default operations of the Tor Browser go, NoScript allows active content for trusted domains only. In practice, what this means is that (for example) a site you’re visiting for the first time won’t be allowed to run JavaScript until you allow it.

HTTPS Everywhere helps by ensuring that you don’t accidentally connect to websites using the unencrypted HTTP protocol.

The Security Level settings, available via the browser’s preferences, allow users to customise a wealth of security options, or choose a default.

Tor Browser’s Security Level screen

The default Standard option enables all Tor Browser and website features. Safer disables a number of common website options, such as JavaScript on non-HTTPS sites. Audio and video are click to play. Safest “only allows website features required for static sites and basic services. These changes affect images, media, and scripts.” In other words, it’s as bare-bones a web experience as you’re likely to have. Many sites simply will not function. There’s a big trade-off in functionality for security here, and casual users probably won’t have much interest in this.

Possible risks of using Tor

The fact that anyone can run a Tor node is a feature, but it’s also a possible threat. There’s no guarantee the person running a node isn’t a rogue entity, and the total number of nodes is relatively small: just a few thousand. Although Tor is designed to be resistant to snooping nodes, the last node in a Circuit (known as an Exit node) can be used for spying on traffic that is leaving Tor and joining the regular Internet.

Rogue / snooping exit nodes are definitely a concern. Law enforcement also definitely takes an interest in this area, so temper your expectations appropriately.

Law enforcement or threat actors that are present on a large number of nodes can also theoretically run “correlation attacks”. These undo Tor users’ anonymity by trying to match up traffic entering the Tor network with traffic leaving the Tor network, based on things like timing. Tor isn’t perfect, but it hugely increases the time and effort an adversary would have to expend to spy on you.

One school of thought commonly seen online suggests using Tor in the interest of anonymity makes you stand out and is akin to firing a large “I AM HERE” flare gun into the sky. While this may be true in some cases, for most people using it this probably isn’t an issue.

By comparison, people using a VPN are probably more interested in privacy than anonymity. A VPN is run by a single organisation, as opposed to bouncing you through lots of random nodes maintained by complete strangers. Because Tor uses more nodes and more encryption than a VPN it is normally slower.

VPNs can also be compromised, and user data put up for grabs. Nothing is 100% guaranteed to be secure, and that holds true here whether using VPNs or Tor. It’s up to users to pick the option most suited to their needs, and account for things potentially going wrong.

That isn’t to dissuade you from using either service; if you’re considering using either, there’s likely a valid need for it. In practical terms a little boost in anonymity and / or privacy can only be a good thing, so get a feel for what options are available and stay safe regardless of your ultimate choice.

The post What is Tor? appeared first on Malwarebytes Labs.

Amazon will pay you $10 for your palm prints. Should you be worried?

Retail giant Amazon recently offered to pay $10 USD for your palm prints. Would you offer them your hand?

Many seem to home in and seethe over the price being too little for something as priceless and unique as their palm print, not realizing that when it does come to registering biometric data in general, everyone gives their prints away for free.

Palm print prices aside, Amazon is definitely encouraging current and potential customers to enrol their prints using Amazon One, its new contactless identity service.

Amazon One is Amazon’s palm-powered contactless identity service

Amazon One was introduced in September 2020 as (according to Dilip Kumar, Vice President of Physical Retail & Technology for Amazon in an official post) “a quick, reliable, and secure way for people to identify themselves or authorize a transaction while moving seamlessly through their day.” The announcement came in the thick of the Covid-19 pandemic, which seemed to give it a boost due to its non-contact nature.

Since then, Amazon has rolled out Amazon One to more of its stores in the Seattle area and beyond. This biometric scanner can now be found in use in Amazon Books, Amazon Go convenience stores, Amazon Go Grocery, and Amazon 4-star stores in various US states, including Maryland, New Jersey, New York, and Texas.

How does it work?

Amazon says it scans and captures the minutest detail of a palm, which includes ridges, lines, and features under the skin like vein patterns, to create a unique palm signature. Why palm prints, you ask? In the FAQ section here, Amazon claims that “palm recognition is considered more private than some biometric alternatives because you can’t determine a person’s identity by looking at an image of their palm.”

To a degree, this is true. It’s certainly less obviously personally identifiable than face recognition and it’s difficult to take a photo of someone’s palm and use that to spoof anything. But, like fingerprints, latent palm prints can also be lifted or picked up from touched objects, making it a viable way to help identify an individual. In fact, the forensic science community generally accepts palm prints as positive identification.

Palm signatures are created, encrypted, and stored in the cloud. Palm images, card details, and phone numbers are also never stored in the Amazon One device, and (the company further claims) they are “protected at all times, both at rest and in-transit”. How these palm signatures are encrypted, Amazon didn’t specify. They also didn’t say if they comply with current standards for capturing, exchanging, and storing biometric data.

Amazon is well capable of creating a very secure system, but any plan to create a centralized repository of authentication information should give us pause. Particularly if that information is biometrics that can’t be changed if they’re leaked or breached. It is the opposite of the approach being taken by FIDO2, for example, a passwordless authentication scheme that can be used with biometrics without the biometric data ever leaving its owner’s control.

Amazon stores palm data indefinitely, unless someone manually deletes it from their profile or if the member doesn’t use the feature for two years.

Becoming a transactional tool

Critics have pointed out that having our palms scanned for increased convenience and quick(er) closing of transactions is unnecessary when a contactless payment card can do the exact same thing. And, unlike a palm print, a payment card can be easily changed if it’s compromised. Worse, with our biometric data in its hands, Amazon can essentially do what it wants with it—and this could go beyond targeted advertising, considering that Amazon has already opened its doors to third-party companies who are interested in making Amazon One a part of their business.

It’s not a long shot to imagine that the retail giant could very well involve law enforcement once again: either selling them the biometric recognition service/technology or working with them for the purpose of surveillance, both of which Amazon has done in the past.

What particularly concerns Elizabeth Renieris, a lawyer and policy expert on data governance, is how Amazon is tying you as a person, via your palm print, to your shopping habits and purchase history. She said in an interview with The Verge last year: “The closest thing we have now is things like Apple Wallet and Apple Pay and other device-based payments infrastructure, but I just think, philosophically and ethically, there’s extreme value in having a physical separation between your transaction infrastructure and your physical self—your personhood and your body. As we merge the two…a lot of the rights that are based on the boundedness of a person are further threatened.”

“Your physical self is literally becoming a transactional tool,” she said.

The post Amazon will pay you $10 for your palm prints. Should you be worried? appeared first on Malwarebytes Labs.

COVID-19 vaccine appointment system attacked in Italy

In another cyberattack on a healthcare system, threat actors have tried to throw a wrench into the ongoing COVID-19 vaccine roll-out in the region of Lazio, Italy. The large and densely populated region is the country’s second most populous and includes the country’s capital, Rome.

On Sunday the Facebook page of the region informed the public that hackers had disabled the systems of the regional health care agency.

Lazio's Facebook page warns of a "hacker attack" on its systems

Only 10 hours later the region communicated through the same channel that standing vaccination appointments could proceed as planned. But it was not yet possible to make new appointments. Later it turned out that besides the vaccination appointment system, more of the region’s systems had suffered from the attack.

The attack

Details of the attack are sparse, most likely because the investigation is still ongoing. The Facebook page mentions a “virus”, but this could be the result of the common misconception that every piece of malware is a virus. There is no mention anywhere of a ransom either, which you would expect if this was yet another ransomware attack on healthcare or other critical infrastructure. What we do know is that it was labelled as a “powerful” attack that disabled all the region’s systems, including the Salute Lazio information portal, which was still unreachable at the time of writing.

Unofficial sources claim to know that the attackers managed to get hold of the credentials for an administrator’s account and released a “cryptolocker”, which would suggest that this was a ransomware attack, or possibly a “wiper” attack, where attackers use ransomware to scramble a target’s computers but with no intention of asking for a ransom or providing a way to unscramble them. The investigation will be done by the Italian Postal and Communications Police Service, which is the police department responsible for cybercrime.

Attackers

The region’s officials have called the attackers both criminals and terrorists. The question which of the two qualifications is the most accurate is closely correlated with the nature of the attack. There have been a lot of protests in Italy against the introduction of the so-called Green Pass, which shows people have been vaccinated, tested negative or recovered from COVID-19. Based on the Green Pass, which comes into effect on 6 August, holders will have access to places where non-holders will be barred.

While some see the Green Pass as a way to increase vaccination rates and persuade the undecided, some see it as a step too far. Looking at the number of vaccination requests the persuasion technique seems to work. Which might have triggered this attack on the Lazio region’s systems. But it might just turn out to be the next ransomware or wiper attack (although this scenario would be very surprising).

Recovery

Even though most IT systems were offline, some have been restored, including emergency networks, time-dependent networks, and hospital systems. The local government has reiterated that the vaccination drives would continue in spite of the attack. The vaccination appointment system for the Lazio region has been transferred to the Italian national vaccination system to keep the momentum going.

Critical infrastructure

The disruption of Lazio’s vaccine appointment system is just one of a number of notable and disturbing attacks against critical infrastructure in 2021. To learn more about the threat cybercriminals pose to critical infrastructure, Lock and Code podcast host David Ruiz spoke to Lesley Carhart, principal threat hunter with Dragos and a globally-respected expert on the subject.

You can hear their conversation below, or find it on your preferred platform, including Apple Podcasts, Spotify, and Google Podcasts.


The post COVID-19 vaccine appointment system attacked in Italy appeared first on Malwarebytes Labs.