Imagine you went to the moon – how would you prove it? [Audio + Text] – Naked Security

With Doug Aamoth and Paul Ducklin.

DOUG.  Deadbolt – it’s back!

Patches galore!

And timezones… yes, timezones.

All that, and more, on the Naked Security Podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I’m Doug Aamoth.

With me, as always, is Paul Ducklin.

Paul, a very happy 100th episode to you, my friend!


DUCK.  Wow, Doug!

You know, when I started my directory structure for Series 3, I boldly used -001 for the first episode.


DOUG.  I didn’t. [LAUGHS]


DUCK.  Not -1 or -01.


DOUG.  Smart…


DUCK.  I had great faith!

And when I save today’s file, I’m going to be rejoicing in it.


DOUG.  Yes, and I will be dreading it because it’ll pop up to the top.

Well, I’m going to have to deal with that later…


DUCK.  [LAUGHS] You could rename all the other stuff.


DOUG.  I know, I know.

[MUTTERING] Not looking forward to that… there goes my Wednesday.

Anyway, let’s start the show with some Tech History.

This week, on 12 September 1959, Luna 2, also known as the Second Soviet Cosmic Rocket, became the first spacecraft to reach the surface of the Moon, and the first human-made object to make contact with another celestial body.

Very cool.


DUCK.  What was that long name?

“The Second Soviet Cosmic Rocket”?


DOUG.  Yes.


DUCK.  Luna Two is much better.


DOUG.  Yes, much better!


DUCK.  Apparently, as you can imagine, given that it was the space-race era, there was some concern of, “How will we know they’ve actually done it? They could just say they’ve landed on the Moon, and maybe they’re making it up.”

Apparently, they devised a protocol that would allow independent observation.

They predicted the time that it would arrive at the Moon, to crash into the Moon, and they sent the exact time that they expected this to an astronomer in the UK.

And he observed independently, to see whether what they said *would* happen at that time *did* happen.

So they even thought of, “How do you verify something like this?”


DOUG.  Well, speaking of complicated things, we have patches from Microsoft and Apple.

So what’s notable here in this latest round?


DUCK.  We certainly do – it’s Patch Tuesday this week, the second Tuesday of the month.

There are two vulnerabilities in Patch Tuesday that were notable to me.

One is notable because it’s apparently in the wild – in other words, it was a zero-day.

And although it’s not remote code execution, it’s a little worrying because it’s a [COUGHS APOLOGETICALLY] log file vulnerability, Doug!

It’s not quite as bad as Log4J, where you could not only get the logger to misbehave, you could also get it to run arbitrary code for you.

But it seems that if you send some kind of malformed data into the Windows Common Log File System driver, the CLFS, then you can trick the system into promoting you to system privileges.

Always bad if you’ve got in as a guest user, and you are then able to turn yourself into a sysadmin…


DOUG.  [LAUGHS] Yes!


DUCK.  That’s CVE-2022-37969.

And the other one that I found interesting…

…fortunately not in the wild, but this is the one that you really need to patch, because I bet you it’s the one that cybercriminals will be focusing on reverse engineering:

“Windows TCP/IP remote code execution vulnerability”, CVE-2022-34718.

If you remember Code Red, and SQL Slammer, and those naughty worms of the past, where they just arrived in a network packet, and jammed their way into the system….

This is an even lower level than that.

Apparently, the bug’s in the handling of certain IPv6 packets.

So anything where IPv6 is listening, which is pretty much any Windows computer, could be at risk from this.

Like I said, that one isn’t in the wild, so the crooks haven’t found it yet, but I don’t doubt that they will be taking the patch and trying to figure out if they can reverse engineer an exploit from it, to catch out people who haven’t patched yet.

Because if anything says, “Whoa! What if someone wrote a worm that used this?”… that’s the one I’d be worried about.


DOUG.  OK.

And then to Apple…


DUCK.  We’ve written two stories about Apple patches recently, where, suddenly, out of the blue, there were patches for iPhones and iPads and Macs against two in-the-wild zero-days.

One was a browser bug, or a browsing-related bug, so that you could wander into an innocent-looking website and malware could land on your computer, plus another one that gave you kernel-level control…

…which, as I said in the last podcast, smells like spyware to me – something that a spyware vendor or a really serious “surveillance cybercrook” would be interested in.

Then there was a second update, to our surprise, for iOS 12, which we all thought had been long abandoned.

There, one of those bugs (the browser-related one that allowed crooks to break in) got a patch.

And then, just when I was expecting iOS 16, all these emails suddenly started landing in my inbox – right after I checked, “Is iOS 16 out yet? Can I update to it?”

It wasn’t there, but then I got all these emails saying, “We’ve just updated iOS 15, and macOS Monterey, and Big Sur, and iPadOS 15”…

… and it turned out there were a whole bunch of updates, plus a brand new kernel zero-day this time as well.

And the interesting thing is that, after I got the notifications, I thought, “Well, let me check again…”

(So you can remember, it’s Settings > General > Software Update on your iPhone or iPad.)

Lo and behold, I was being offered an update to iOS 15, which I already had, *or* I could jump all the way to iOS 16.

And iOS 16 also had this zero-day fix in it (even though iOS 16 theoretically wasn’t out yet), so I guess the bug also existed in the beta.

It wasn’t listed as officially being a zero-day in Apple’s bulletin for iOS 16, but we can’t tell whether that’s because the exploit Apple saw didn’t quite work properly on iOS 16, or whether it’s not considered a zero-day because iOS 16 was only just coming out.


DOUG.  Yes, I was going to say: nobody has it yet. [LAUGHTER]


DUCK.  That was the big news from Apple.

And the important thing is that when you go to your phone, and you say, “Oh, iOS 16 is available”… if you’re not interested in iOS 16 yet, you still need to make sure you’ve got that iOS 15 update, because of the kernel zero-day.

Kernel zero-days are always a problem because it means somebody out there knows how to bypass the much-vaunted security settings on your iPhone.

The bug also applies to macOS Monterey and macOS Big Sur – that’s the previous version, macOS 11.

In fact, not to be outdone, Big Sur actually has *two* kernel zero-day bugs in the wild.

No news about iOS 12, which is kind of what I expected, and nothing so far for macOS Catalina.

Catalina is macOS 10, the pre-previous version, and once again, we don’t know whether that update will come later, or whether it’s fallen off the edge of the world and won’t be getting updates anyway.

Sadly, Apple doesn’t say, so we don’t know.

Now, most Apple users will have automatic updates turned on, but, as we always say, do go and check (whether you’ve got a Mac or an iPhone or an iPad), because the worst thing is just to assume that your automatic updates worked and kept you safe…

…when in fact, something went wrong.


DOUG.  OK, very good.

Now, something I’ve been looking forward to, moving right along, is: “What do timezones have to do with IT security?”


DUCK.  Well, quite a lot, it turns out, Doug.


DOUG.  [LAUGHING] Yessir!


DUCK.  Timezones are very simple in concept.

They’re very convenient for running our lives so that our clocks roughly match what’s going on in the sky – so it’s dark at night and light in the day. (Let’s ignore daylight saving, and let’s just assume that we only have one-hour timezones all around the world so that everything is really simple.)

The problem comes when you’re actually keeping system logs in an organisation where some of your servers, some of your users, some parts of your network, some of your customers, are in other parts of the world.

When you write to the log file, do you write the time with the timezone factored in?

When you’re writing your log, Doug, do you subtract the 5 hours (or 4 hours at the moment) that you need because you’re in Boston, whereas I add one hour because I’m on London time, but it’s summer?

Do I write that in the log so that it makes sense to *me* when I read the log back?

Or do I write a more canonical, unambiguous time using the same timezone for *everybody*, so when I compare logs that come from different computers, different users, different parts of the world on my network, I can actually line up events?

It’s really important to line events up, Doug, particularly if you’re doing threat response in a cyberattack.

You really need to know what came first.

And if you say, “Oh, it didn’t happen until 3pm”, that doesn’t help me if I’m in Sydney, because my 3pm happened yesterday compared to your 3pm.

So, I wrote an article on Naked Security about some ways that you can deal with this problem when you log data.

My personal recommendation is to use a simplified timestamp format called RFC 3339, where you put a four-digit year, dash [hyphen character, ASCII 0x2D], two-digit month, dash, two-digit day, and so on, so that your timestamps actually sort alphabetically nicely.

And that you record all your time zones as a time zone known as Z (zed or zee), short for Zulu time.

That means basically UTC or Coordinated Universal Time.

That’s nearly-but-not-quite Greenwich Mean Time, and it’s the time that almost every computer’s or phone’s clock is actually set to internally these days.

Don’t try to compensate for timezones when you’re writing to the log, because then someone will have to decompensate when they’re trying to line up your log with everybody else’s – and there’s many a slip twixt the cup and the lip, Doug.

Keep it simple.

Use a canonical, simple text format that delineates exactly the date and time, right down to the second – or, these days, timestamps can even go down to the nanosecond if you want.

And get rid of timezones from your logs; get rid of daylight saving from your logs; and just record everything, in my opinion, in Coordinated Universal Time…

…confusingly abbreviated UTC, because the name’s in English but the abbreviation’s in French – something of an irony.


DOUG.  Yes.


DUCK.  I’m tempted to say, “Not that I feel strongly about it, again”, as I usually do, laughingly…

…but it really is important to get things in the right order, particularly when you’re trying to track down cybercriminals.


DOUG.  All right, that’s good – great advice.

And if we stick with the subject of cybercriminals, you’ve heard of Manipulator-in-the-Middle attacks; you’ve heard of Manipulator-in-the-Browser attacks…

…now get ready for Browser-in-the-Browser attacks.


DUCK.  Yes, this is a new term that we’re seeing.

I wanted to write this up because researchers at a threat intelligence company called Group-IB recently wrote an article about this, and the media started talking about, “Hey, Browser-in-the-Browser attacks, be very afraid”, or whatever…

You’re thinking, “Well, I wonder how many people actually know what is meant by a Browser-in-the-Browser attack?”

And the annoying thing about these attacks, Doug, is that technologically, they’re terribly simple.

It’s such a simple idea.


DOUG.  They’re almost artistic.


DUCK.  Yes!

It’s not really science and technology, it’s art and design, isn’t it?

Basically, if you’ve ever done any JavaScript programming (for good or for evil), you’ll know that one of the things about stuff that you stick into a web page is that it’s meant to be constrained to that web page.

So, if you pop up a brand new window, then you’d expect it to get a brand new browser context.

And if it loads its page from a brand new site, say a phishing site, then it won’t have access to all the JavaScript variables, context, cookies and everything that the main window had.

So, if you open a separate window, you’re kind of limiting your hacking abilities if you’re a crook.

Yet if you open something in the current window, then you’re significantly limited as to how exciting and “system-like” you can make it look, aren’t you?

Because you can’t overwrite the address bar… that’s by design.

You can’t write anything outside the browser window, so you can’t sneakily put a window that looks like wallpaper on the desktop, like it’s been there all along.

In other words, you’re corralled inside the browser window that you started with.

So the idea of a Browser-in-the-Browser attack is that you start with a regular website, and then you create, inside the browser window you’ve already got, a web page that itself looks exactly like an operating system browser window.

Basically, you show someone a *picture* of the real thing, and convince them it *is* the real thing.

It’s that simple at heart, Doug!

But the problem is that with a little bit of careful work, particularly if you’ve got good CSS skills, you *can* actually make something that’s inside an existing browser window look like a browser window of its own.

And with a bit of JavaScript, you can even make it so that it can resize, and so that it can move around on the screen, and you can populate it with HTML that you fetch from a third-party website.

Now, you may wonder… if the crooks get it dead right, how on earth can you ever tell?

And the good news is that there’s an absolutely simple thing you can do.

If you see what looks like an operating system window and you are suspicious of it in any way (it will essentially appear to pop up over your browser window, because it has to be inside it)…

…try moving it *off the real browser window*, and if it’s “imprisoned” inside the browser, it’s not the real deal!

The interesting thing about the report from the Group-IB researchers is that when they came across this, the crooks were actually using it against players of Steam games.

And, of course, it wants you to log into your Steam account…

…and if you were fooled by the first page, then it would even follow up with Steam’s two-factor authentication verification.

And the trick was that if those really *were* separate windows, you could have dragged them to one side of your main browser window, but they weren’t.

In this case, fortunately, the crooks had not done their CSS very well.

Their artwork was shoddy.

But, as you and I have spoken about many times on the podcast, Doug, sometimes there are crooks who will put in the effort to make things look pixel-perfect.

With CSS, you really can position individual pixels, can’t you?


DOUG.  CSS is interesting.

It’s Cascading Style Sheets… a language you use to style HTML documents, and it’s very easy to learn and it’s even harder to master.


DUCK.  [LAUGHS] Sounds like IT, for sure.


DOUG.  [LAUGHS] Yes, it’s like many things!

But it’s one of the first things you learn once you learn HTML.

If you’re thinking, “I want to make this web page look better”, you learn CSS.

So, some of these examples of the source document that you linked to from the article, you can tell it’s going to be really hard to do a really good fake, unless you’re really good at CSS.

But if you do it right, it’s going to be really hard to figure out that it’s a fake document…

…unless you do as you say: try to pull it out of a window and move it around your desktop, stuff like that.

That leads into your second point here: examine suspect windows carefully.

A lot of them are probably not going to pass the eye test, but if they do, it’s going to be really tough to spot.

Which leads us to the third thing…

“If in doubt/Don’t give it out.”

If it just doesn’t quite look right, and you’re not able to definitively tell that something strange is afoot, just follow the rhyme!


DUCK.  And it’s worth being suspicious of unknown websites, websites you haven’t used before, that suddenly say, “OK, we’re going to ask you to log in with your Google account in a Google window, or Facebook in a Facebook window.”

Or Steam in a Steam window.


DOUG.  Yes.

I hate to use the B-word here, but this is almost brilliant in its simplicity.

But again, it’s going to be really hard to pull off a pixel-perfect match using CSS and stuff like that.


DUCK.  I think the important thing to remember is that, because part of the simulation is the “chrome” [jargon for the browser’s user interface components] of the browser, the address bar will look right.

It may even look perfect.

But the thing is, it isn’t an address bar…

…it’s a *picture* of an address bar.


DOUG.  Exactly!

All right, careful out there, everyone!

And, speaking of things that aren’t what they seem, I’m reading about DEADBOLT ransomware, and QNAP NAS devices, and it feels to me like we just discussed this exact story not long ago.


DUCK.  Yes, we’ve written about this several times on Naked Security so far this year, unfortunately.

It’s one of those cases where what worked for the crooks once seems to have worked twice, thrice, four times, five times.

And NAS, or Network Attached Storage devices, are, if you like, black-box servers that you can go and buy – and they run some kind of Linux kernel.

The idea is that instead of having to buy a Windows licence, or learn Linux, install Samba, set it up, learn how to do file sharing on your network…

…you just plug in this device and, “Bingo”, it starts working.

It’s a web-accessible file server and, unfortunately, if there’s a vulnerability in the file server and you have (by accident or design) made it accessible over the internet, then crooks may be able to exploit that vulnerability, if there is one in that NAS device, from a distance.

They may be able to scramble all the files on the key storage location for your network, whether it’s a home network or small business network, and basically hold you to ransom without ever having to worry about attacking individual other devices like laptops and phones on your network.

So, they don’t need to mess around with malware that infects your laptop, and they don’t need to break into your network and wander around like traditional ransomware criminals.

They basically scramble all your files, and then – to present the ransom note – they just change (I shouldn’t laugh, Doug)… they just change the login page on your NAS device.

So, when you find all your files are messed up and you think, “That’s funny”, and you jump in with your web browser and connect there, you don’t get a password prompt!

You get a warning: “Your files have been locked by DEADBOLT. What happened? All your files have been encrypted.”

And then come the instructions on how to pay up.


DOUG.  And they have also kindly offered that QNAP could put up a princely sum to unlock the files for everybody.


DUCK.  The screenshots I have in the latest article on nakedsecurity.sophos.com show:

1. Individual decryptions at 0.03 bitcoins, originally about US$1200 when this thing first became widespread, now about US$600.

2. A BTC 5.00 option, where QNAP get told about the vulnerability so they can fix it, which obviously they’re not going to pay because they already know about the vulnerability. (That’s why there’s a patch out in this particular case.)

3. As you say, there’s a BTC 50 option (that’s $1m now; it was $2m when this first story first broke). Apparently if QNAP pay the $1,000,000 on behalf of anybody who might have been infected, the crooks will provide a master decryption key, if you don’t mind.

And if you look at their JavaScript, it actually checks whether the password you put in matches one of *two* hashes.

One is unique to your infection – the crooks customise it every time, so the JavaScript has the hash in it, and doesn’t give away the password.

And there’s another hash that, if you can crack it, looks as if it would recover the master password for everyone in the world…

… I think that was just the crooks thumbing their noses at everybody.


DOUG.  It’s interesting too that the $600 bitcoin ransom for each user is… I don’t want to say “not outrageous”, but if you look in the comments section of this article, there are several people who are not only talking about having paid the ransom…

…but let’s skip ahead to our reader question here.

Reader Michael shares his experience with this attack, and he’s not alone – there are other people in this comment section that are reporting similar things.

Across a couple of comments, he says (I’m going to kind of make a frankencomment out of that):

“I’ve been through this, and came out OK after paying the ransom. Finding the specific return code with my decryption key was the hardest part. Learned the most valuable lesson.”

In his next comment he goes through all the steps he had to take to actually get things to work again.

And he dismounts with:

“I’m embarrassed to say I work in IT, have been for 20+ years, and got bitten by this QNAP uPNP bug. Glad to be through it.”


DUCK.  Wow, yes, that’s quite a statement, isn’t it?

Almost as if he’s saying, “I would have backed myself against these crooks, but I lost the bet and it cost me $600 and a whole load of time.”

Aaargh!


DOUG.  What does he mean by “the specific return code with his decryption key”?


DUCK.  Ah, yes, that is a very interesting… very intriguing. (I’m trying not to say amazing-slash-brilliant here.) [LAUGHTER]

I don’t want to use the C-word, and say it’s “clever”, but kind-of it is.

How do you contact these crooks? Do they need an email address? Could that be traced? Do they need a darkweb site?

These crooks don’t.

Because, remember, there’s one device, and the malware is customised and packaged when it attacks that device so that it has a unique Bitcoin address in it.

And, basically, you communicate with these crooks by paying the specified amount of bitcoin into their wallet.

I guess that’s why they’ve kept the amount comparatively modest…

…I don’t want to suggest that everybody’s got $600 to throw away on a ransom, but it’s not like you’re negotiating up front to decide whether you’re going to pay $100,000 or $80,000 or $42,000.

You pay them the amount… no negotiation, no chat, no email, no instant messaging, no support forum.

You just send the money to the designated bitcoin address, and they’ll obviously have a list of those bitcoin addresses they’re monitoring.

When the money arrives, and they see it’s arrived, they know that you (and you alone) paid up, because that wallet code is unique.

And they then do what’s, effectively (I’m using the biggest air-quotes in the world), a “refund” on the blockchain, using a bitcoin transaction to the amount, Doug, of zero dollars.

And that reply, that transaction, actually includes a comment. (Remember the Poly Networks hack? They were using Ethereum blockchain comments to try to say, “Dear Mr. White Hat, won’t you give us all the money back?”)

So you pay the crooks, thus giving the message that you want to engage with them, and they pay you back $0 plus a 32-hexadecimal-character comment…

…which is 16 raw binary bytes, which is the 128-bit decryption key you need.

That’s how you talk to them.

And, apparently, they’ve got this down to a T – like Michael said, the scam does work.

And the only problem Michael had was that he wasn’t used to buying bitcoins, or working with blockchain data and extracting that return code, which is basically the comment in the transaction “payment” that he gets back for $0.

So, they’re using technology in very devious ways.

Basically, they’re using the blockchain both as a payment vehicle and as a communications tool.


DOUG.  All right, a very interesting story indeed.

We will keep an eye on that.

And thank you very much, Michael, for sending in that comment.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @NakedSecurity.

That’s our show for today – thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you, until next time, to…


BOTH.  Stay secure.

[MUSICAL MODEM]
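The timezone discussion in the episode above (record log timestamps in RFC 3339 form, in UTC with the Z suffix, so that lines from hosts around the world line up and sort correctly) is easy to show in code. The script below is an added example written for this page; it is not from the podcast or from the Naked Security article it mentions. The log lines, hostnames and user names are constructed, and the offsets stand in for Boston (-0400), London (+0100) and Sydney (+1000) in September. It rewrites each line's leading timestamp to UTC and shows that a plain text sort of the rewritten lines is a chronological sort, whereas a text sort of the raw local-time lines puts the events in the wrong order. A timestamp with no zone at all is rejected rather than guessed, since it cannot be placed on a shared timeline.

```python
"""Normalise log timestamps to RFC 3339 in UTC ("Z") so that lines from hosts
in different timezones line up and sort chronologically as plain text.

Added example, not part of the podcast transcript; all log lines below are
constructed sample data."""

import re
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample log lines. Each host wrote its own local time together
# with its UTC offset: Boston -0400, London +0100, Sydney +1000.
LOCAL_LOG = [
    "2022-09-13 15:00:07 -0400 boston-ws01 login ok for doug",
    "2022-09-13 19:59:58 +0100 london-fs02 share /finance opened by doug",
    "2022-09-14 05:00:03 +1000 sydney-vpn01 vpn tunnel established for doug",
    "2022-09-13 14:59:40 -0400 boston-ws01 login failed for doug",
]

# Leading timestamp: date, time, then an optional zone (Z, -0400 or +01:00).
_TS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[ T](?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\s*(?P<tz>Z|[+-]\d{2}:?\d{2}))?\s+(?P<rest>.*)$"
)


def parse_timestamp(date: str, time: str, tz: Optional[str]) -> datetime:
    """Parse into an aware datetime; refuse naive timestamps, because a time
    with no zone cannot be placed on a global timeline."""
    if tz is None:
        raise ValueError(f"timestamp {date} {time} has no timezone: ambiguous")
    if tz == "Z":
        tz = "+0000"
    tz = tz.replace(":", "")  # strptime's %z wants +HHMM
    return datetime.strptime(f"{date} {time} {tz}", "%Y-%m-%d %H:%M:%S %z")


def to_utc_rfc3339(dt: datetime) -> str:
    """Render an aware datetime as RFC 3339 in UTC with the Z suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalise_line(line: str) -> str:
    """Rewrite one log line so that its timestamp is RFC 3339 UTC."""
    m = _TS_RE.match(line)
    if m is None:
        raise ValueError(f"no leading timestamp in: {line!r}")
    dt = parse_timestamp(m["date"], m["time"], m["tz"])
    return f"{to_utc_rfc3339(dt)} {m['rest']}"


def normalise_log(lines: List[str]) -> List[str]:
    """Normalise every line and return them in chronological order. Because
    the timestamps are now fixed-width, zero-padded and all in UTC, a plain
    string sort *is* a chronological sort."""
    return sorted(normalise_line(line) for line in lines)


def event_order(lines: List[str]) -> List[str]:
    """Just the host-and-message part of each line, in true time order."""
    return [line.split(" ", 1)[1] for line in normalise_log(lines)]


def naive_string_order(lines: List[str]) -> List[str]:
    """What a text sort of the raw local-time lines gives: wrong whenever the
    hosts sit in different zones."""
    return [line.split(" ", 3)[3] for line in sorted(lines)]


if __name__ == "__main__":
    print("Raw local-time sort (misleading):")
    for msg in naive_string_order(LOCAL_LOG):
        print("   ", msg)
    print("UTC, RFC 3339 Z sort (correct):")
    for line in normalise_log(LOCAL_LOG):
        print("   ", line)
```

Run as-is, the script prints the two orderings side by side: the local-time sort claims the Boston login succeeded before the London share was opened, while the UTC view shows the failed login, the share access, the Sydney VPN tunnel and the successful login in their real sequence, 27 seconds apart end to end. When a log source emits no offset at all, the right fix is at the source (configure it to log in UTC), not a guess at collection time.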
