January 23, 2020

Looking for silver linings in the CVE-2020-0601 crypto vulnerability

By Chester Wisniewski

The scene stealer in January’s Patch Tuesday updates from Microsoft was CVE-2020-0601, a very serious vulnerability in the crypt32.dll library used by more recent versions of Windows.

The flaw, which also goes by the names Chain of Fools and Curveball, lies in how Windows validates elliptic-curve (ECC) certificates. It allows an attacker to fool Windows into believing that malicious software and websites have been digitally vouched for by one of the root certificate authorities that Windows trusts (including Microsoft itself).

An attacker could exploit the flaw to disguise malware as legitimate – Microsoft-approved – software, to conduct silent Man-in-the-Middle attacks or to create more realistic phishing websites.

The vulnerability is undoubtedly very serious, but in the days since its disclosure I have started to wonder if there is a silver lining to this cloud.

Fortunately, there may be a few.

First, it appears this vulnerability only affects the latest editions of Windows, including Windows 10, Windows Server 2016, Windows Server 2019 and their derivatives. It doesn’t affect older versions of Windows, nor does it impact users of macOS, Linux or Unix variants.

Second, the vulnerability can be detected both on the network and at the endpoint: patched Windows systems log attempted exploits as Event ID 1 from the Audit-CVE source in the Application event log. This means you may get a heads-up from patched machines or network security devices, even if some of your endpoints do not yet have the January 2020 updates.

It would also seem that the most important thing, Windows Update itself, is unaffected by the vulnerability. Windows Update uses a pinned certificate chain with RSA certificates, which are not affected by CVE-2020-0601 (the flaw is specific to ECC certificate validation). This means you can safely update systems without fear of someone booby-trapping your updates.
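As an added illustration that is not part of the Sophos article, the toy Python below reconstructs the logic error with textbook ECDSA over NIST P-256 (no Windows code or real certificates are involved; the CA key, attacker scalar and payload are made up). An attacker who knows a trusted root's public key Q picks any private scalar d' and publishes the generator G' = d'^-1 * Q in the certificate's explicit curve parameters, so that d' * G' equals Q. A validator that matches the root by public key alone and then verifies with the certificate's own G' accepts the forgery; one that also requires the curve parameters to match the trusted root's rejects it.

```python
import hashlib

# NIST P-256 domain parameters: field prime, coefficient a, base point, group order.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def ecdsa_sign(priv, gen, data):
    """Textbook ECDSA with private scalar `priv` relative to generator `gen`.
    The nonce is derived from (priv, data) for repeatability; this is not RFC 6979."""
    seed = hashlib.sha256(priv.to_bytes(32, "big") + data).digest()
    k = int.from_bytes(seed, "big") % (N - 1) + 1
    r = ec_mul(k, gen)[0] % N
    s = pow(k, -1, N) * (digest(data) + r * priv) % N
    return (r, s)


def ecdsa_verify(pub, gen, data, sig):
    """Verify `sig` over `data` against public point `pub`, using generator `gen`."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = ec_add(ec_mul(digest(data) * w % N, gen), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


# Made-up trusted root CA key pair (an assumption for the demo, not a real root).
CA_PRIV = 0x1f0c4a2e9d7b6c5a4f3e2d1c0b9a8f7e6d5c4b3a291807f6e5d4c3b2a1908f7e
CA_PUB = ec_mul(CA_PRIV, G)


def forge_generator(ca_pub, attacker_priv):
    """Curveball trick: G' = d'^-1 * Q, so that d' * G' == Q for a d' the attacker knows."""
    return ec_mul(pow(attacker_priv, -1, N), ca_pub)


def vulnerable_trusts(cert_pub, cert_gen, data, sig):
    """Modelled CVE-2020-0601 behaviour: match the cached root by public key
    only, then verify with whatever generator the presented certificate carries."""
    return cert_pub == CA_PUB and ecdsa_verify(cert_pub, cert_gen, data, sig)


def fixed_trusts(cert_pub, cert_gen, data, sig):
    """Patched behaviour: the certificate's curve parameters must match the
    trusted root's as well, and verification uses the root's own generator."""
    return cert_pub == CA_PUB and cert_gen == G and ecdsa_verify(cert_pub, G, data, sig)


def demo():
    attacker_priv = 0xC0FFEE  # any scalar the attacker chooses
    fake_gen = forge_generator(CA_PUB, attacker_priv)
    payload = b"installer.exe - constructed sample payload"
    sig = ecdsa_sign(attacker_priv, fake_gen, payload)
    return {
        "forged_key_matches_root": ec_mul(attacker_priv, fake_gen) == CA_PUB,
        "vulnerable_accepts": vulnerable_trusts(CA_PUB, fake_gen, payload, sig),
        "patched_accepts": fixed_trusts(CA_PUB, fake_gen, payload, sig),
        "verifies_under_real_params": ecdsa_verify(CA_PUB, G, payload, sig),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The signature is mathematically valid for the pair (Q, G'), which is why nothing in the ECDSA arithmetic itself flags it; the only defence is to refuse to trust any parameter the certificate supplies for a key you already trust, and that is what the fix does.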

Read more at https://nakedsecurity.sophos.com/2020/01/23/looking-for-silver-linings-in-the-cve-2020-0601-crypto-vulnerability/

UN report alleges that Saudi crown prince hacked Jeff Bezos’s phone

By Lisa Vaas

A forensic examination of Amazon CEO Jeff Bezos’s mobile phone has pointed to it having allegedly been infected by personal-message-exfiltrating malware – likely NSO Group’s notorious Pegasus mobile spyware – that came from Saudi Arabia’s Crown Prince Mohammed bin Salman’s personal WhatsApp account.

The United Nations backed up the allegation by releasing details of the evidence on Wednesday.

The UN’s report said that full details from the digital forensic exam of Bezos’s phone were made available to its special rapporteurs. The release of the report followed a story about the hack from The Guardian that was published earlier on Wednesday.

The report was drafted by Agnes Callamard, a UN expert on extrajudicial killings who’s been probing the murder of The Washington Post columnist Jamal Khashoggi, and by David Kaye, who’s been investigating violations of press freedom. Bezos owns The Washington Post.

Khashoggi was killed in October 2018 by agents of the Saudi government after they allegedly used Pegasus to hack his friend’s phone.

According to the UN’s report, the crown prince’s WhatsApp account sent Bezos a taunting message a month after Khashoggi was murdered. From the report:

A single photograph is texted to Mr. Bezos from the Crown Prince’s WhatsApp account, along with a sardonic caption. It is an image of a woman resembling the woman with whom Bezos is having an affair, months before the Bezos affair was known publicly.

The richest man in the world had been having a seemingly friendly WhatsApp conversation with bin Salman when, on 1 May 2018, an unsolicited file was sent from the crown prince’s phone.

Within hours, a trove of data was exfiltrated from Bezos’s phone, although the forensic exam did not reveal what was in the messages.

Read more at https://nakedsecurity.sophos.com/2020/01/23/un-report-alleges-that-saudi-crown-prince-hacked-jeff-bezoss-phone/

Apple allegedly made nice with FBI by dropping iCloud encryption plan

By Lisa Vaas

In spite of Apple having turned over the shooter’s iCloud backups in the case of the Pensacola, Florida mass shooting last month, the US government has been raking it over the coals for supposedly not helping law enforcement in investigations.

But according to a new allegation, Apple has been far more accommodating than the FBI has been willing to admit. Specifically, Reuters reports, citing six sources (one current and three former FBI officials, and one current and one former Apple employee), that a few years ago Apple, under pressure from the FBI, backed off plans to let iPhone users have end-to-end encryption on their iCloud backups.

The bureau had griped that such encryption would gum up its investigations.

Last week, US Attorney General William Barr fumed at Apple over its refusal to break encryption per FBI request:

So far, Apple has not given any substantive assistance.

President Donald Trump piled on, tweeting that Apple refuses to unlock phones used by “killers, drug dealers and other violent criminal elements.”

But if the recent allegation proves true, it means that Apple has been far more accommodating to US law enforcement than headlines, politicians’ ire, and Apple’s marketing would indicate.

Its sources told Reuters that more than two years ago, Apple told the FBI that it planned to offer end-to-end encryption for iCloud backups, primarily as a way to thwart hackers. If it had gone through with the plan, it would have meant that Apple wouldn’t have a key to unlock encrypted data and would thus be unable to turn over content in readable form, even if served with a court order to do so.

Read more at https://nakedsecurity.sophos.com/2020/01/23/apple-allegedly-made-nice-with-fbi-by-dropping-icloud-encryption-plan/

Sonos’s tone-deaf legacy product policy angers customers

By Danny Bradbury

When you buy a cloud-connected appliance, how long should the vendor support it for with software updates? That’s the question that home audio company Sonos raised this week when it dropped some unwelcome news on its customers.

The company has announced that it will discontinue software updates for older products in May this year (here’s a list of products that it marks as legacy). Stopping software updates for legacy kit is nothing new, but it’s the way the company has done it that has Sonos customers’ hackles up.

Sonos points out that it supports software updates on products for at least five years after it stops selling them. However, the issue here is that all products in a Sonos network must run on the same software, meaning that any newer (‘non-legacy’) equipment connected to the speakers will also stop downloading new software updates. The only way around this for Sonos users is to disconnect their new equipment from their legacy kit and run them independently of each other.

From Sonos’s email to customers:

Please note that because Sonos is a system, all products operate on the same software. If modern products remain connected to legacy products after May, they also will not receive software updates and new features.

This carries service implications for users, because while products will continue working without software updates, it doesn’t mean that they will work as well. Sonos explains that as third-party connected cloud partners change their own services, they may become incompatible with the legacy software.

This isn’t just a product service issue; it’s a cybersecurity problem. Any cloud-connected equipment is potentially vulnerable to attack, and researchers frequently discover new vulnerabilities in such devices. Ugo Vallauri is co-founder and policy lead of the Restart Project, a European organization that promotes user repairs of consumer electronics in a bid to cut down on e-waste. He told us:

A big issue is the lack of separation between security updates and software updates. While we can’t expect a product’s software to be improved indefinitely, security updates should be ensured for as long as possible. In this case, Sonos is not even mentioning security updates when suggesting that “legacy” products could continue to be used.

When we asked Sonos about this, it replied:

We take our customers’ security seriously and will work to maintain the existing experience and conduct critical bug fixes where the computing hardware will allow.

So perhaps there’s hope, but there’s no official policy that tells you exactly what to expect in terms of cybersecurity fixes.

Read more at https://nakedsecurity.sophos.com/2020/01/23/sonoss-tone-deaf-legacy-product-policy-angers-customers/

FBI issues warning about lucrative fake job scams

By John E Dunn

What’s the difference between a real job and the horde of fake ones found on the internet?

It’s even more basic than the fact that one is fake – fake jobs are suspiciously easy to get interviews for.

These hiring scams sound like child’s play: post fake employment opportunities on legitimate job sites that link to spoofed sites impersonating known brands, which in turn lead to an email offering a teleconference ‘interview’ from an imaginary HR department.

Next comes the job offer, but only after collecting the applicant’s social security number, a scan of their driving license and – the important bit – a credit-card fee to cover the recruitment, training, or background checks they are told will be reimbursed by their new employer.

That never happens because there is no employer to pay them back, and of course, no job.

These scams date back to the earliest days of the internet but seem to be getting, if not more common, then a lot more ambitious.

This week the FBI’s Internet Crime Complaint Center (IC3) put out its latest warning about fake job postings, a problem about which it has received numerous complaints over the past year.

What’s surprising is that financial losses now run to almost $3,000 per victim, plus the loss of personally identifiable information (PII) which can be abused for years.

But why do people keep falling for them?

It’s a matter of speculation but one possibility is the widespread notion that the internet has created plenty of quick-and-dirty jobs that only get advertised on unusual channels.

Read more at https://nakedsecurity.sophos.com/2020/01/23/fbi-issues-warning-about-lucrative-fake-job-scams/

Big Microsoft data breach – 250 million records exposed

By Paul Ducklin

Microsoft has today announced a data breach that affected one of its customer databases.

The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.

Microsoft didn’t give details of how big the database was. However, consumer website Comparitech, which says it discovered the unsecured data online, claims it was of the order of 250 million records containing:

…logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019.

According to Comparitech, that same data was accessible on five Elasticsearch servers.

The company informed Microsoft, and Microsoft quickly secured the data.

Microsoft’s official statement states that “the vast majority of records were cleared of personal information,” meaning that it used automated tools to look for and remove private data.

However, some private data that was supposed to be redacted was missed and remained visible in the exposed information.

Microsoft didn’t say what type of personal information was involved, or which data fields ended up un-anonymized.

It did, however, give one example of data that would have been left behind: email addresses with spaces added by mistake were not recognized as personal data and therefore escaped anonymization.

So, if your email address were recorded as “name@example.com” your data would have been converted into a harmless form, whereas “name[space]@example.com” (an easy mistake for a support staffer to make when capturing data) would have been left alone.
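The redaction miss Microsoft describes is easy to reproduce. The Python below is an added example, not Microsoft’s tooling or code from the article: a strict e-mail pattern of the kind a redaction pass might use, a tolerant one that absorbs stray whitespace around the “@” and the dots, and a post-redaction leak check to gate data before it is shared. The support-log lines are constructed.

```python
import re

# Strict pattern: local part, "@" and domain must be contiguous, so a stray
# space anywhere in the address means no match and therefore no redaction.
NAIVE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Tolerant pattern: allows whitespace around "@" and around the dots of the
# domain, which is how a hand-typed note in a support case tends to look.
TOLERANT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+\s*@\s*[A-Za-z0-9-]+(?:\s*\.\s*[A-Za-z0-9-]+)*\s*\.\s*[A-Za-z]{2,}"
)


def redact_naive(text):
    """Redaction as the strict pattern would do it."""
    return NAIVE_EMAIL.sub("[redacted]", text)


def redact_tolerant(text):
    """Redaction that also catches whitespace-mangled addresses.
    Over-redacting an odd string is the safer failure mode here."""
    return TOLERANT_EMAIL.sub("[redacted]", text)


def leaked_addresses(text):
    """Second pass: anything the tolerant pattern still finds after redaction
    is a leak; an empty list is the condition for releasing the data."""
    return TOLERANT_EMAIL.findall(text)


# Constructed sample support-log lines (not real data).
SAMPLE_LOG = [
    "case 1001: customer name@example.com reports activation failure",
    "case 1002: contact is name @example.com, call back after 5pm",
    "case 1003: reach at name@ example.com or name @ example . com",
    "case 1004: no contact details recorded",
]


def run():
    """Return {line: (naive_result, tolerant_result)} for every sample line."""
    return {line: (redact_naive(line), redact_tolerant(line)) for line in SAMPLE_LOG}


if __name__ == "__main__":
    for line, (naive, tolerant) in run().items():
        print("naive:    ", naive)
        print("tolerant: ", tolerant)
        print("leaked after naive pass:", leaked_addresses(naive))
```

Run as written, the strict pass leaves cases 1002 and 1003 untouched while the tolerant pass redacts all three spaced variants, and the leak check on the strict output reports exactly the addresses that would have gone out the door.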

Read more at https://nakedsecurity.sophos.com/2020/01/22/big-microsoft-data-breach-250-million-records-exposed/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244
