Roundup This week we had broken promises in China, broken keys in Steam, and broken ..err, everything in Apache Struts.
Here’s some other stuff kicking off in infosec besides everything else we’ve reported since this time last Saturday.
FaceTime looks ugly after bug reports
A Google researcher punched a trio of holes in Apple’s FaceTime, and apparently broke a few Cupertino pocketslabs in the process.
Natalie Silvanovich took time out from pwning Tamagotchis to uncover three different bugs in Apple’s video chat platform that would allow an attacker to do things like decrypt traffic, cause an application to crash, or even send the device into a kernel panic.
Fortunately, any well-maintained iPhone will be protected. The flaws have all been addressed in the latest iOS update from Apple, but not before Silvanovich was able to have some fun with the Cupertino code monkeys. This from fellow Google bug hunter Tavis Ormandy:
Natalie bricked a room full of Apple engineers’ phones when they asked her to help repro this! 😆 Answer a FaceTime call from an attacker, and remote iOS kernel memory corruption…. https://t.co/3aFWcOMWs2
— Tavis Ormandy (@taviso) November 5, 2018
Iranian users menaced by government malware
The Iranian government may be using shady mobile apps to spy on users within the country who plan to organize protests.
Researchers with Cisco Talos report that a number of knock-off apps claiming to be Telegram or Instagram clients are circulating within the country. Classified as “greyware”, the apps aren’t outright malicious, just extremely stalkery, collecting device and user information then sending that data to servers within Iran.
“Talos hasn’t found a solid connection between the several attacks we’ve observed, but all of them target Iran and their nationals and the Telegram app. Although this post focuses on Iran, mobile users across the globe still need to be aware that these techniques could be used by any threat actor in any country, state-sponsored or not,” the researchers note.
“This is especially prevalent in countries like Iran and Russia, where apps like Telegram are banned, and developers create clones that appear on official and unofficial app stores to replicate Telegram’s services.”
Spain and Russia agree to hacking ceasefire
It’s not exactly the Camp David Accords, but earlier this week Russia and Spain struck a deal under which the two countries agree to stop spreading damaging disinformation campaigns against one another.
The deal was negotiated by foreign ministers Josep Borrell and Sergei Lavrov, and will see the two nations take action to crack down on damaging misinformation attacks and work to address anything that could cause problems between their respective governments.
Amazing what happens when you actually address a problem instead of writing it off as a “witch hunt.”
Infosec brains claim Edge exploit
A duo of researchers say they have uncovered a flaw in Edge that can be exploited to break out of the browser’s sandbox. A report describes the eggheads’ claims, and includes a video demonstrating exploitation of the flaw, although neither technical details nor working proof-of-concept code have been released yet. It’s maybe something to keep an eye on next Patch Tuesday.
NYC DA has some dumb thoughts on encryption
Just when we thought America was past the whole “encryption backdoors for police” thing, the Manhattan District Attorney had to go and sound off.
Cy Vance is apparently arguing, again, that in order to protect us all from terror, drugs, pedos, etc, etc, etc, phonemakers should build every handset with a workaround that completely negates its encryption, on demand for the Feds. As before, the argument [PDF] is that police should have a quick and easy way to decrypt data on, and flowing in and out of, criminals’ phones in order to gather intel in a timely fashion. From the afore-linked report:
The companies that manufacture our cellphones and related devices control access to information that is vital to the lives of millions of Americans, and they do so without the regulation and oversight that is common across other industries where there is a need to protect public safety and guard against abuse.
Such oversight remains sorely needed, and our Office stands willing to assist Congress and all relevant stakeholders in the effort to find a more rational balance among the interests of device makers, consumers and law enforcement in the regulation of smartphone encryption.
Still not addressed: how to protect those encryption backdoors from falling into the wrong hands, when the cops can’t even keep track of their own firearms.
Bug-buster busted for offering ‘doxx as a service’
A security researcher could find himself in hot water after being outed as the alleged operator of a doxxing-for-hire operation.
Noted internet sleuth Brian Krebs claimed that a hacker calling himself “Phobia” was on a number of popular hacker forums offering to provide detailed personal information on US mobile phone customers in exchange for Bitcoins.
It is alleged Phobia found and reported vulnerabilities in carriers’ networks – flaws that could be exploited to look up subscribers’ personal information from their cell numbers – and yet also offered to exploit said flaws on the down-low for cash. If you gave him $25 in BTC and a number, he’d be able to get you someone’s info, it is claimed.
Fortunately, Krebs says Phobia told him he wasn’t getting much, if any, business from the posts, so hopefully there was little harm actually done in the matter. Krebs also suggests Phobia is looking for a job, in case anyone out there is hiring.
Dumbass cuffed for making bomb threat while trying to recover Bitcoin
Sure, we all did some dumb things when we were teenagers, but at least we didn’t go as far as one young man from the Jalaun district in India.
The unnamed 18 year-old apparently had some Bitcoin swindled from him by a scammer and wanted to enlist the FBI’s help to get the pilfered cryptocoins back.
When the feds refused to help the young man out with his request, the kid made the perfectly rational decision to lash out by making 50 separate threats to blow up Miami International Airport. His plan sort of worked, in that it finally got the attention of the FBI, but rather than send a team of agents to track down the young man’s funbux, they instead arrested him.
No word on what, if any, charges will be filed against the brainless teen.
Uncle Sam begins dumping foreign malware on VirusTotal
The US Cyber Command has started uploading declassified malware samples to VirusTotal, the repository of digital nasties, and has set up a Twitter account to spread the word in the future.
Based on the first uploads, the malware samples aren’t entirely new, although one or two files differ from previously seen versions. Various security software vendors say they are already protecting against these particular pieces of code. The uploads will be of serious interest to virus researchers, who may be interested to see what’s catching the US government’s eye.
As you’d expect, the bulk of the new code appears to come from Russia. Given that groups associated with the Russian government are suspected of being behind the Shadow Brokers and Vault 7 releases of US hacking tools, you could say it’s payback time.
GDPR tool proves less than safe for WordPress fans
The European Union’s General Data Protection Regulation (GDPR) was supposed to make data more secure, but in the WordPress world the opposite has proven to be true.
For once, given WordPress’ reputation for lax security, it isn’t the content platform’s fault. Instead the problem comes from a third-party plugin called WP GDPR Compliance, which is supposed to indicate if a website is breaking the EU rules.
The plugin is used by around 100,000 WordPress installations, and has multiple critical vulnerabilities. Users of the plugin will need to update to version 1.4.3 as soon as possible. Hackers have, we’re told, exploited these holes to hijack sites.
And finally… a bootloader note
Memory-corruption vulnerabilities (CVE-2018-18440, CVE-2018-18439) were found in the U-Boot bootloader, used in embedded devices, that could be exploited to bypass verified boot. ®