September 11, 2018

Keybase browser extension weakness discovered

By John E Dunn

Is the Keybase secure messaging browser extension safe to use or not?

Respected researcher Wladimir Palant (of AdBlock Plus fame) is so convinced that it isn’t that he has recommended users “uninstall the Keybase browser extension ASAP,” after he discovered what looks like a gap in its claim to offer end-to-end encryption.

As covered previously, Keybase is a desktop messaging app (Windows, Mac and Linux), which can also be used on mobiles (Android and iOS) and, from last year, through browser extensions for Chrome and Firefox.

The extension is a useful way to connect to other Keybase users by advertising its use through profiles on Facebook, Twitter, GitHub, and Reddit.

If Firefox’s daily stats are anything to go by, this method isn’t hugely popular, with fewer than 2,000 daily users – and Palant’s security assessment is unlikely to help its popularity.

Behind the scenes, every message sent via browser chat is passed to the local desktop app, which is the bit that does the encryption. However, according to Palant, messages are unencrypted as they are sent to the app – hardly the “end-to-end encryption” promised on the Keybase website.

Read more at https://nakedsecurity.sophos.com/2018/09/11/keybase-browser-extension-weakness-discovered/

Microsoft extends security patch support for some Windows 7 users

By Danny Bradbury

Microsoft is offering an olive branch to companies taking too long to upgrade from Windows 7, the company revealed last week. It will provide security updates for another three years as it tries to help business customers migrate to Windows 10 – but they’ll have to pay for the privilege.

Microsoft products go through two support phases. The first is mainstream support, which lasts for five years from the product’s release. Then, it provides another five years of extended support, but with caveats.

While the company continues to offer security updates for its products during the extended support phase, non-security updates are only available on a paid basis, and only for enterprise users, not consumers. At the end of the extended support period, the security updates are also supposed to end, which leaves users with increasingly vulnerable systems unless they migrate to a newer version of Windows.

Mainstream support for Windows 7 ended in 2015, and Microsoft had already warned customers that extended support for that version of the operating system would end in January 2020. However, in a blog post, it acknowledged that “everyone is at a different point in the upgrade process”.

To support late upgraders, the company will charge for Extended Security Updates (ESU) for an additional three years. It will charge for these on a per-device basis, ratcheting up the charge each year.

Read more at https://nakedsecurity.sophos.com/2018/09/11/microsoft-extends-security-patch-support-for-some-windows-7-users/

Apple’s new tool will make it easier for law enforcement to request data

By Danny Bradbury

Apple is planning to create an online portal that will allow law enforcement officials around the world to request information about its users more easily.

The company is seeking to streamline the way that it currently provides information to government agencies with the new tool, which will be ready by the end of the year. It outlined the plans in a letter, from Apple’s general counsel Kate Adams to US Senator Sheldon Whitehouse of Rhode Island, according to a report from Reuters.

Sent last week, the letter said that Apple had responded to 14,000 information requests from US law enforcement last year, including 231 “domestic emergency requests” that it addressed within 20 minutes of receipt, regardless of when it received them.

The new portal will make it easier for law enforcement officials to request information about Apple customers. The company previously handled such requests by email, Reuters said.

The revamp to Apple’s government request handling program also extends to training. The company, which has already trained nearly 1,000 law enforcement officers in how to request information, previously did it in person at its headquarters. It will create an online training course to make things more efficient, along with a team of trainers to better serve smaller police departments.

Apple, which has marketed itself as an advocate for customer privacy, infamously got into a spat with the US government over refusing to unlock an iPhone in the San Bernardino shootings in 2016. Nevertheless, the company explains in its privacy policy that it does honor requests from government agencies if it considers them to have a “valid legal basis”. In that case, it complies by providing the “narrowest possible set of data responsive to the request,” it says.

The consumer computing giant will work with law enforcement under certain circumstances to provide information about customers’ Apple devices, it says. It will also deliver information based on financial identifiers such as credit card data.

Read more at https://nakedsecurity.sophos.com/2018/09/10/apples-new-tool-will-make-it-easier-for-law-enforcement-to-request-data/

Supermicro servers fixed after insecure firmware updating discovered

By John E Dunn

Researchers have sounded a warning about the security of Baseboard Management Controllers (BMCs) – a critical component that datacenters depend on to manage servers.

According to Eclypsium, the BMC used by one server brand, Supermicro, has an insecure updating process that could allow an attacker to modify its firmware or run malware.

Affecting X8 through X11-generation systems, the BMC code wasn’t carrying out cryptographic signature verification before accepting firmware updates, the company said.

BMCs are like powerful computers-within-the-server, complete with their own CPU and memory, that remain turned on even when the server is not being used (not dissimilar to the Intel Management Engine found inside home computers).

If the BMC were compromised, an attacker would be able to sneak their own modified firmware onto a server – something that would give admins a very bad day at the office.

This is the privileged layer used to issue server wipes and OS reinstalls, which would hand the same power to attackers to take over the system, or to ‘brick’ it as part of a denial-of-service attack, or possibly move sideways to other parts of the network.

It would also be incredibly difficult to detect, let alone stop once it had started – the attacker would have loaded their own firmware after all.
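The missing control is the cryptographic signature check before a firmware image is accepted. The following is an added example, not code from the article, from Eclypsium or from Supermicro: a minimal update-acceptance routine in Python that verifies a vendor signature (and refuses downgrades) before handing an image to the flashing stage, alongside the unchecked pattern the article describes. The container format (MAGIC, version, signature, image), the key generation and the sample image are constructed for this demonstration; the signature is textbook RSA over SHA-256 using only the standard library, whereas a real BMC would use a padded scheme such as RSA-PSS or an EdDSA and a vendor public key held in read-only storage.

```python
"""Added example: verify firmware before flashing (not the vendor's code).

Stdlib only. Textbook RSA over SHA-256 with a constructed container format;
a production updater would use RSA-PSS/EdDSA and a key fixed in ROM."""
import hashlib
import math
import secrets
import struct

MAGIC = b"BMCFW"   # hypothetical container magic, constructed for this example
E = 65537          # RSA public exponent


class UpdateRejected(Exception):
    """Raised whenever an update must not be flashed."""


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test; adequate for generating a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Returns ((n, e), (n, d)); the public half is what the BMC would embed."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))


def _digest(version: int, image: bytes) -> int:
    # The version field is signed together with the image, so an attacker
    # cannot rewrite it to slip past the rollback check in accept_update().
    data = struct.pack(">I", version) + image
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def build_update(image: bytes, version: int, priv) -> bytes:
    """Vendor side: MAGIC | version u32 | sig_len u16 | signature | image."""
    n, d = priv
    sig = pow(_digest(version, image), d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return MAGIC + struct.pack(">IH", version, len(sig)) + sig + image


def _split(blob: bytes):
    hdr = len(MAGIC) + 6
    if len(blob) < hdr or blob[:len(MAGIC)] != MAGIC:
        raise UpdateRejected("bad container header")
    version, sig_len = struct.unpack(">IH", blob[len(MAGIC):hdr])
    if len(blob) < hdr + sig_len:
        raise UpdateRejected("truncated signature field")
    return version, blob[hdr:hdr + sig_len], blob[hdr + sig_len:]


def insecure_accept(blob: bytes) -> bytes:
    """The flaw the article describes: parse the container and flash whatever
    image it carries, without ever consulting the signature."""
    _version, _sig, image = _split(blob)
    return image


def accept_update(blob: bytes, pub, current_version: int):
    """Hardened updater: only a vendor-signed, newer image reaches the flash."""
    n, e = pub
    version, sig, image = _split(blob)
    if len(sig) != (n.bit_length() + 7) // 8:
        raise UpdateRejected("signature has the wrong length for the vendor key")
    s = int.from_bytes(sig, "big")
    if s >= n or pow(s, e, n) != _digest(version, image):
        raise UpdateRejected("signature verification failed")
    if version <= current_version:
        raise UpdateRejected("rollback to version %d refused" % version)
    return version, image


if __name__ == "__main__":
    pub, priv = generate_keypair()
    good = build_update(b"constructed BMC image v2", 2, priv)
    print("hardened updater accepts:", accept_update(good, pub, current_version=1))
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])   # flip one image byte
    print("insecure updater flashes:", insecure_accept(tampered))
    try:
        accept_update(tampered, pub, current_version=1)
    except UpdateRejected as err:
        print("hardened updater rejects:", err)
```

The two acceptance functions parse the same container; the only difference is that accept_update checks the signature and the version before returning the image, which is exactly the step the article says was absent. Header parsing happens before the signature check, so a malformed container is rejected by structure rather than by cryptography, and the signed version field means an old, genuinely signed image cannot be replayed as an upgrade.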

Read more at https://nakedsecurity.sophos.com/2018/09/10/supermicro-servers-fixed-after-insecure-firmware-updating-discovered/

North Korean programmer charged for Sony, WannaCry attacks and more

By Lisa Vaas

The US Department of Justice (DOJ) announced on Thursday that it had unsealed a criminal complaint (PDF) charging a North Korea regime-backed programmer, Park Jin Hyok, with being part of a team that launched multiple cyberattacks.

Make that big, dreaded, infamous cyberattacks, including unleashing the global WannaCry 2.0 ransomware in 2017, the 2014 attack on Sony Pictures, and the 2016 $81m cyber heist that drained Bangladesh’s central bank.

Beyond those headline-grabbing cyber assaults, the encyclopedic, 127-page complaint details the hacking team’s other malicious activities, including attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.

The complaint alleges that Park, a North Korean citizen, was a member of a government-sponsored hacking team known as the “Lazarus Group” and that he worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or “KEJV”), to support cyber actions on behalf of the Democratic People’s Republic of Korea (DPRK).

Lazarus Group, also known as Guardians of Peace or Hidden Cobra, is a well-known cybercriminal group. In June 2017, US-CERT took the highly unusual step of sending a stark public warning to businesses about the danger of North Korean cyberattacks and the urgent need to patch old software to defend against them.

It specified Lazarus Group. The alert was unusual in that it gave details, asking organizations to report any detected activity from the Lazarus Group/Hidden Cobra/Guardians of Peace to the US Department of Homeland Security’s (DHS’s) National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Read more at https://nakedsecurity.sophos.com/2018/09/10/north-korean-programmer-charged-for-sony-wannacry-attacks-and-more/

‘Only paper ballots by 2020!’ call experts after election tampering

By Lisa Vaas

An expert panel at the National Academy of Sciences has called for sweeping election reforms, including one specific recommendation that should come as no surprise: use paper.

From Thursday’s announcement about the report’s release:

All local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.

And what about the mid-terms, right around the corner in November? Yes, let’s try to get paper ballots for that one, too, the panel said. Let’s try our best to stay away from all the technologies that we’ve got in place now, because they’re full of holes:

Ballots that have been marked by voters should not be returned over the internet or any network connected to it, because no current technology can guarantee their secrecy, security, and verifiability.

Michael McRobbie, president of Indiana University and co-chair of the committee that conducted the two-year study and wrote the report, called the 2016 election a “watershed” moment:

The 2016 presidential election was a watershed moment in the history of elections – one that exposed new challenges and vulnerabilities that require the immediate attention of state and local governments, the federal government, researchers, and the American public.

Lee Bollinger, president of Columbia University and co-chair of the panel, called the threat from foreign actors “extraordinary”, according to the AP:

The extraordinary threat from foreign actors has profound implications for the future of voting and obliges us to examine, re-examine seriously, both the conduct of elections in the United States and the role of the federal and state governments in securing our elections.

According to the report, the US intelligence community found that “actors sponsored by the Russian government” obtained and maintained access to elements of multiple US state or local election systems. Those intrusions made clear that the country’s election infrastructure is clunky at best, even in the most well-resourced jurisdictions. For small jurisdictions without a lot of money to invest, things are even more grim.

Read more at https://nakedsecurity.sophos.com/2018/09/10/only-paper-ballots-by-2020-call-experts-after-election-tampering/
