US government warning! What if anyone could open your garage door?

Cybersecurity researcher Sam Sabetan yesterday went public with insecurity revelations against IoT vendor Nexx, which sells a range of “smart” devices including door openers, home alarms and remotely switchable power plugs.

According to Sabetan, he reported the bugs to Nexx back in January 2023, but to no avail.

So he decided to sound the alarm openly, now it’s April 2023.

The warning was considered serious enough by the powers-that-be that even the resoundingly if repetitiously named US Cybersecurity and Infrastructure Security Agency, or CISA, published a formal advisory about the flaws.

Sabetan deliberately didn’t publish precise details of the bugs, or provide any proof-of-concept code that would allow just anyone to start hacking away on Nexx devices without already knowing what they were doing.

But from a brief, privacy-redacted video provided by Sabetan to prove his point, and the CVE-numbered bug details listed by CISA, it’s easy enough to figure out how the flaws probably came to get programmed into Nexx’s devices.

More precisely, perhaps, it’s easy to see what didn’t get programmed into Nexx’s system, thus leaving the door wide open for attackers.

No password required

Five CVE numbers have been assigned to the bugs (CVE-2023-1748 to CVE-2023-1752 inclusive), which cover a number of cybersecurity omissions, apparently including the following three interconnected security blunders:

  • Hard-coded credentials. An access code that can be retrieved from the Nexx firmware allows an attacker to snoop on Nexx’s own cloud servers and to recover command-and-control messages between users and their devices. This includes the so-called device identifier – a unique string assigned to each device. The message data apparently also includes the user’s email address and the name and initial used to register the device, so there is a small but significant privacy issue here as well.
  • Zero-factor authentication. Although device IDs aren’t meant to be advertised publicly in the same way as, say, email addresses or Twitter handles, they’re not meant to serve as authentication tokens or passwords. But attackers who know your device ID can use it to control that device, without providing any sort of password or additional cryptographic evidence that they’re authorised to access it.
  • No protection against replay attacks. Once you know what a command-and-control message looks like for your own (or someone else’s) device, you can use the same data to repeat the request. If you can open my garage door, turn off my alarm, or cycle the power on my “smart” plugs today, then it seems you already have all the network data you need to do the same thing again and again and again, a bit like those old and insecure infrared car fobs that you could record-and-replay at will.

Look, listen and learn

Sabetan used the hardwired access credentials from Nexx’s firmware to monitor the network traffic in Nexx’s cloud system while operating his own garage door:

That’s reasonable enough, even though the access credentials buried in the firmware weren’t officially published, given that his intention seems to have been to determine how well-secured (and how privacy-conscious) the data exchanges were between the app on his phone and Nexx, and between Nexx and his garage door.

That’s how he soon discovered that:

  • The cloud “broker” service included data in its traffic that wasn’t necessary to the business of opening and closing the door, such as email addresses, surnames and initials.
  • The request traffic could be directly replayed into the cloud service, and would repeat the same action as it did before, such as opening or closing the door.
  • The network data revealed the traffic of other users who were interacting with their devices at the same time, suggesting that all devices always used the same access key for all their traffic, and thus that anyone could snoop on everyone.

Note that an attacker wouldn’t need to know where you live to abuse these insecurities, though if they could tie your email address to your physical address, they could arrange to be present at the moment they opened your garage door, or they could wait to turn your alarm off until they were right in your driveway, and thus use the opportunity to burgle your property.

Attackers could open your garage door without knowing or caring where you lived, and thus expose you to opportunistic thieves in your area… just “for the lulz”, as it were.

What to do?

  • If you have a Nexx “smart” product, contact the company directly for advice on what it plans to do next, and by when.
  • Operate your devices directly, not via the Nexx cloud-based app, until patches are available, assuming that’s possible for the devices you own. That way you will avoid exchanging sniffable command-and-control data with the Nexx cloud servers.
  • If you’re a programmer, don’t take security shortcuts like this. Hardcoded passwords or access codes were unacceptable way back in 1993, and they’re way more unacceptable now it’s 2023. Learn how to use public key cryptography to authenticate each device uniquely, and learn how to use ephemeral (throw-away) session keys so that the data in each command-and-control interaction stands on its own in cryptographic terms.
  • If you’re a vendor, don’t ignore bona fide attempts by researchers to tell you about problems. As far as we can see in this case, Sabetan lawfully probed the company’s code and determined its security readiness because he was a customer. On finding the flaws, he attempted to alert the vendor to help himself, to help the vendor, and to help everyone else.
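As an added illustration of the programmer advice above (example code written for this page, not Nexx’s code and not Sabetan’s), here is a minimal command-and-control exchange in Go in which each device is enrolled with its own Ed25519 public key and every command is signed over a one-time nonce issued by the broker. The device ID, the nonce format, the field encoding and the in-memory `Broker` are all assumptions for the example. Knowing a device ID gives no control, because the broker checks a signature only the device’s private key can produce, and a captured message cannot be replayed, because its nonce is consumed on first use, so each interaction stands on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Broker models the cloud side. It stores each device's public key (enrolled
// once, at manufacture or pairing) and the one-time nonce it last issued.
// Hypothetical design for this example; not Nexx's architecture.
type Broker struct {
	pubKeys map[string]ed25519.PublicKey // device ID -> enrolled public key
	nonces  map[string]string            // device ID -> outstanding nonce (hex)
}

func NewBroker() *Broker {
	return &Broker{pubKeys: map[string]ed25519.PublicKey{}, nonces: map[string]string{}}
}

// Enroll records a device's public key. The private half never leaves the device.
func (b *Broker) Enroll(deviceID string, pub ed25519.PublicKey) {
	b.pubKeys[deviceID] = pub
}

// Challenge issues a fresh random nonce that the next command must be signed over.
func (b *Broker) Challenge(deviceID string) (string, error) {
	if _, ok := b.pubKeys[deviceID]; !ok {
		return "", errors.New("unknown device")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	n := hex.EncodeToString(raw)
	b.nonces[deviceID] = n
	return n, nil
}

// Command is what travels over the wire; the signature covers every other field.
type Command struct {
	DeviceID string
	Nonce    string
	Action   string
	Sig      []byte
}

// signingInput length-prefixes each field so that field boundaries are unambiguous.
func signingInput(deviceID, nonce, action string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d:%s",
		len(deviceID), deviceID, len(nonce), nonce, len(action), action))
}

// Sign runs on the device (or in the owner's app holding the device key).
func Sign(priv ed25519.PrivateKey, deviceID, nonce, action string) Command {
	return Command{DeviceID: deviceID, Nonce: nonce, Action: action,
		Sig: ed25519.Sign(priv, signingInput(deviceID, nonce, action))}
}

// Execute verifies the command and consumes its nonce; a replay fails here.
func (b *Broker) Execute(c Command) error {
	pub, ok := b.pubKeys[c.DeviceID]
	if !ok {
		return errors.New("unknown device")
	}
	n, ok := b.nonces[c.DeviceID]
	if !ok || n != c.Nonce {
		return errors.New("stale or unknown nonce (replay?)")
	}
	if !ed25519.Verify(pub, signingInput(c.DeviceID, c.Nonce, c.Action), c.Sig) {
		return errors.New("bad signature: a device ID alone proves nothing")
	}
	delete(b.nonces, c.DeviceID) // one-time use: the same message can never be accepted twice
	return nil
}

func main() {
	broker := NewBroker()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	broker.Enroll("garage-0001", pub) // constructed sample device ID
	nonce, _ := broker.Challenge("garage-0001")
	cmd := Sign(priv, "garage-0001", nonce, "open")
	fmt.Println("first use:", broker.Execute(cmd)) // <nil>
	fmt.Println("replay:   ", broker.Execute(cmd)) // stale or unknown nonce (replay?)
}
```

The nonce does the job the article assigns to ephemeral session keys: it binds each command to one exchange, so the recorded bytes are worthless a second time. A production design would also bind the broker’s identity into the exchange and rate-limit `Challenge`, neither of which is shown here.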

No one likes to be confronted with accusations that their programming code wasn’t up to cybersecurity scratch, or that their back-end server code contained dangerous bugs…

…but when the evidence comes from someone who is telling you for your own good, and who is willing to give you some clear time to fix the problems before going public, why turn down the opportunity?

After all, the crooks spend the same sort of effort on finding bugs like this, and then tell no one except themselves or other crooks.

By ignoring legitimate researchers and customers who willingly try to warn you about problems, you’re just playing into the hands of cybercriminals who find bugs and don’t breathe a word about them.

As the old joke puts it, “The ‘S’ in IoT stands for security”, and that’s a regrettable and entirely avoidable situation that we urgently need to change.


Einstein tilings – the amazing “Hat” shape that never repeats!

Mathematics is a complex and esoteric field that underpins science and engineering, notably including the disciplines of cryptography and cybersecurity.

(There… we’ve added a mention of cybersecurity, thus justifying the rest of this article.)

The topic of mathematics has been extensively and fervently studied from at least ancient Babylonian times, and the names of many famous mathematicians have entered our everyday vocabulary, in phrases such as Pythagorean triangles (those that have a right angle in them), Cartesian geometry (working with shapes on a flat surface), computer algorithms (instruction sequences that work iteratively or recursively to compute a result), and Penrose tilings.

Penrose tilings, if you’ve ever met them, were figured out by Sir Roger Penrose in the 1970s, and dealt with fascinating and unusual ways of covering surfaces in combinations of shapes.

In case you’re wondering why the word algorithm doesn’t have a capital letter like the others, that’s because it’s not a precise rendering of an original name, but a word derived from Muhammad ibn Musa al-Khwarizmi, an influential mathematician, geographer and astronomer who lived about 1200 years ago in an area to the east of the Caspian Sea and south of the Aral Sea, a region now split between Uzbekistan and Turkmenistan.

Tiling made funky

Tiled surfaces, of course, are common, for example in bathrooms, kitchens and walkways.

And on roofs, of course, but we’ll ignore roofing tiles in this article because they’re designed to overlap, so they keep rain out without needing to be individually sealed against one another.

Even carpeted areas are often tiled, especially in offices, so that parts of the floor can be re-tiled without ripping up and replacing the lightly used carpeting around the worn-out parts.

If you’ve ever visited Sophos HQ in the UK, for example, you’ll know that it’s a largely open-plan area that is covered in square carpet tiles in various gentle shades of blue and light green:

As you can see, square tiles form what’s known as a periodic pattern, meaning that the pattern repeats itself every so often.

In the example above, the precise grid used in the layout ensures that the pattern repeats itself in both dimensions after moving just one square up, down, left or right.

More complex and visually appealing patterns, which are nevertheless periodic tilings because they keep repeating, can be made with regular combinations of simple shapes, such as the hepta-pentagon:

Or the rhombi-tri-hexagon:

Penrose tilings

That brings us to Penrose tilings.

Although Sir Roger Penrose is probably most famous as the winner of the Nobel Prize for Physics in 2020, he is also renowned for his work on a special class of tile patterns known as aperiodic tilings.

Unlike periodic tilings, which repeat every so often, aperiodic tilings never repeat, no matter how carefully you choose the next piece to place, and where to place it…

…even though the tilings are based on a finite number of shapes, and cover an infinite surface without any gaps or overlaps.

Periodic tilings are a bit like rational numbers (fractions based on one integer divided by another), in that eventually they repeat no matter what you do.

If you divide 22 by 7, for example, you get about 3.142…, usefully close to the value of Pi, which is about 3.14159…

But 22/7 actually comes out as 3.142857142857142857… and that pattern 142857 keeps repeating forever, because the number is the ratio (thus the description rational number) of two whole numbers.

In contrast, the true value of Pi is irrational: it can’t be reduced to a ratio, and its value in decimal never falls into a repeating pattern.
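The pigeonhole argument behind that claim, as an added Go example written for this article (not part of the original): long division of p/q can only ever produce q different remainders, so once a remainder recurs, the digits recur with it, and every fraction either terminates or repeats. `Expand` tracks the remainders and splits the expansion into its non-repeating prefix and its repetend; for 22/7 the repetend is 142857, as stated above. The function names and the bracket notation for the repetend are this example’s own conventions.

```go
package main

import "fmt"

// Expand writes p/q (p >= 0, q > 0) as an integer part, the digits before the
// repetition starts, and the repeating block. Each division step leaves a
// remainder in 0..q-1; the map records where each remainder first appeared,
// so the first repeated remainder marks the start of the repetend.
func Expand(p, q int) (intPart int, prefix, repetend string) {
	intPart = p / q
	r := p % q
	seen := map[int]int{} // remainder -> index into digits where it occurred
	digits := []byte{}
	for r != 0 {
		if pos, ok := seen[r]; ok {
			// Same remainder as before: everything from pos onwards repeats forever.
			return intPart, string(digits[:pos]), string(digits[pos:])
		}
		seen[r] = len(digits)
		r *= 10
		digits = append(digits, byte('0'+r/q))
		r %= q
	}
	// Remainder hit zero: the expansion terminates (a finite decimal).
	return intPart, string(digits), ""
}

// Format renders the expansion with the repetend in brackets, e.g. 3.(142857).
func Format(p, q int) string {
	i, pre, rep := Expand(p, q)
	s := fmt.Sprintf("%d", i)
	if pre != "" || rep != "" {
		s += "." + pre
	}
	if rep != "" {
		s += "(" + rep + ")"
	}
	return s
}

func main() {
	for _, f := range [][2]int{{22, 7}, {1, 6}, {1, 8}, {1, 97}} {
		fmt.Printf("%d/%d = %s\n", f[0], f[1], Format(f[0], f[1]))
	}
}
```

Because the loop cannot run more than q steps without revisiting a remainder, the repetend of p/q is never longer than q-1 digits (1/97 uses all 96). There is no such bound for Pi, which is the contrast the article is drawing.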

What about a similar sort of never-repeating sequence based not on numerical values but on shapes?

Would you need an infinite number of different shapes to guarantee a pattern that never repeated, or could you get your (admittedly never-ending) tiling job done with a finite set of tiles?

Penrose got the number of different shapes needed to guarantee non-repeating tilings down to just two, but the question has lingered ever since: Can you find a single shape, a single tile, that can be laid down repeatedly to cover an infinite surface without ever repeating?

In what passes as a mathematical pun, this Holy Grail of tiles is known as an einstein, which means “one shape” in German, but also echoes the name Albert Einstein, of E=mc² fame.

Introducing… the Hat

Well, a mathematical foursome spearheaded by a British shape-searcher called David Smith claims that einsteins do exist, and has revealed a triskaidecagon (that’s a 13-sided figure) that they’ve dubbed the Hat.

They claim they’ve proved that the Hat generates the long-sought-after outcome of an aperiodic pattern, all on its own:

Simply put, if you tile your floor, or your porch, or your driveway, or even the local football pitch with a supply of Hat tiles…

…you’ll eventually cover the whole surface with a pattern that never actually repeats.

For all that it displays various “sub-designs” and apparent self-similarities as you construct your Hat-based artwork, this is the Pi of floor tiles: try as you will, you’ll never get a regular, periodic pattern out of it.

What to do?

We’re not going even to attempt a description of the proof here – in all honesty, we haven’t yet managed to digest it ourselves – so we shall merely suggest that you study it in your own time. (Perhaps set aside a long weekend for the task?)

But if you want to play with the concept of aperiodic tilings, why not bake yourself some Hat biscuits, or cookies if you’re from North America?

If you’ve got a 3D printer, you can download a design to make your very own Hat-shaped pastry cutter!


Researchers claim they can bypass Wi-Fi encryption (briefly, at least)

Cybersecurity researchers in Belgium and the US recently published a paper scheduled for presentation later this year at the USENIX 2023 conference.

The three co-authors couldn’t resist a punning title, dubbing their attack Framing Frames, with a slightly easier-to-follow strapline that says Bypassing Wi-Fi encryption by manipulating transmit queues.

As security researchers are wont to do, the trio asked themselves, “What happens when a Wi-Fi user disconnects temporarily from the network, either accidentally or on purpose, but might very well reappear online after a short outage?”

Queue it up just in case!

The wireless chip in a phone or laptop might temporarily drop into power-saving or “sleep” mode to conserve power, or drift out of range and then back in again…

…during which time, access points often save up any reply packets that arrive for requests that were still unanswered at the time that the device powered down or went out of range.

Given that a client that’s disconnected can’t initiate any new requests until it announces its return to active participation in the network, an access point isn’t likely to get bogged down with that many left-over reply packets for each inactive user.

So, why not simply queue them up, as long as there’s enough free memory space left, and deliver them later when the device reconnects, to improve convenience and throughput?

If memory runs low, or a device stays offline for too long, then queued-up packets can harmlessly be discarded, but as long as there’s space to keep them there “for later”, what harm could that cause?

Shaking stray packets loose

The answer, our researchers discovered, is that so-called active adversaries might be able to shake loose at least some queued-up data from at least some access points.

The queued-up data, it turned out, was stored in decrypted form, anticipating that it might need to be re-encrypted with a new session key for delivery later on.

You can probably guess where this is going.

The researchers figured out various ways of tricking some access points into releasing those queued-up network packets…

…either without any encryption at all, or encrypted with a new session key that they chose for the purpose.

Sleepy bypass

In one attack, they simply told the access point that they were your wireless card, and that you were about to go into “sleep mode”, thus advising the access point to start queuing up data for a while.

Annoyingly, the “I am going to take a nap now” requests were not themselves encrypted, so the researchers didn’t even need to know the Wi-Fi network password, let alone to have sniffed out the setup of your original session key (the PMK, or pairwise master key).

Shortly after that, they’d pretend that they were your laptop or phone “waking back up”.

They’d ask to reassociate to the access point, but with no encryption key set this time, and sniff out any queued-up replies left over from before.

They found that numerous access points didn’t worry about the fact that queued data that was originally requested in an encrypted format was now being released in unencrypted form, and so at least some data would leak out.

Don’t use that key, use this one instead

In another attack, they used a slightly different technique.

This time, they sent out spoofed packets to force your wireless network card to disconnect from the network, after which they quickly set up a new connection, with a new session key.

For this attack, of course, they need to know the Wi-Fi network key, but in many coffee shops or shared workplaces, those keys are as good as public, typically written on a blackboard or shared in a welcome email.

If they were able to kick you off the network at exactly the right moment (or the wrong moment from your perspective), for example just after you had sent out a request they were interested in…

…and they managed to complete their spoofed reconnection in time, they might be able to decrypt a few reply fragments queued up from before.

Even if you noticed you’d disconnected from the network, your computer would probably try to reconnect automatically.

If the attackers had managed to “eat up” any queued-up replies in the interim, your own reconnection wouldn’t be entirely seamless – for example, you might see a broken web page or a failed download, rather than a trouble-free recovery from the outage.

But glitches when you disconnect and then reconnect to wireless hotspots are common enough that you probably wouldn’t think much of it, if anything at all.

What to do?

For access point developers:

  • If your access point runs on Linux, use the 5.6 kernel or later. This apparently sidesteps the first attack, because queued data won’t be released if it was encrypted on arrival but would be unencrypted when finally sent out.
  • Flush traffic queues on key changes. If a client disconnects and wants to reconnect with a new session key, refuse to re-encrypt queued data received under the old key. Simply discard it instead.
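To make the two developer mitigations concrete, here is a toy model of an access point’s per-client buffering, written for this page in Go (not code from the Framing Frames paper, from any Linux driver, or from Sophos). Client addresses, key IDs and the queued replies are constructed values, and the queue itself is a plain slice rather than anything a real driver uses. `Wake` applies the check the article attributes to Linux 5.6 or later (a reply that was protected when it was queued is never released unprotected), and `FlushOnKeyChange` applies the second bullet (discard the queue instead of re-encrypting it under a new session key).

```go
package main

import "fmt"

// Frame is a reply buffered for a sleeping client. Encrypted records whether
// it was under link-layer protection when queued; KeyID is the session key in
// force at that moment (0 means no key, i.e. an open association).
type Frame struct {
	Payload   string
	Encrypted bool
	KeyID     int
}

type client struct {
	keyID  int
	asleep bool
	queue  []Frame
}

// AccessPoint is a toy model of the buffering behaviour the paper targets.
type AccessPoint struct {
	FlushOnKeyChange bool // second mitigation from the article
	clients          map[string]*client
}

func NewAccessPoint(flushOnKeyChange bool) *AccessPoint {
	return &AccessPoint{FlushOnKeyChange: flushOnKeyChange, clients: map[string]*client{}}
}

// Associate creates or re-establishes a client under keyID. With the flush
// mitigation on, anything queued under a different key is discarded rather
// than re-encrypted under the new one.
func (ap *AccessPoint) Associate(mac string, keyID int) {
	c, ok := ap.clients[mac]
	if !ok {
		ap.clients[mac] = &client{keyID: keyID}
		return
	}
	if ap.FlushOnKeyChange && c.keyID != keyID {
		c.queue = nil
	}
	c.keyID = keyID
	c.asleep = false
}

// Sleep marks the client as power-saving; replies are buffered from now on.
func (ap *AccessPoint) Sleep(mac string) {
	if c := ap.clients[mac]; c != nil {
		c.asleep = true
	}
}

// Deliver hands a reply to the client. It returns true if the frame went out
// immediately and false if it was queued (or the client is unknown).
func (ap *AccessPoint) Deliver(mac, payload string) bool {
	c := ap.clients[mac]
	if c == nil {
		return false
	}
	f := Frame{Payload: payload, Encrypted: c.keyID != 0, KeyID: c.keyID}
	if c.asleep {
		c.queue = append(c.queue, f)
		return false
	}
	return true
}

// Wake releases buffered frames, applying the 5.6-style check: a frame that
// was protected when queued is dropped rather than sent out in the clear.
func (ap *AccessPoint) Wake(mac string) []Frame {
	c := ap.clients[mac]
	if c == nil {
		return nil
	}
	c.asleep = false
	var out []Frame
	for _, f := range c.queue {
		if f.Encrypted && c.keyID == 0 {
			continue // would downgrade encrypted data to plaintext
		}
		out = append(out, f)
	}
	c.queue = nil
	return out
}

func main() {
	ap := NewAccessPoint(false)
	mac := "aa:bb:cc:dd:ee:01" // constructed client address
	ap.Associate(mac, 7)       // session key 7 (constructed ID)
	ap.Sleep(mac)
	ap.Deliver(mac, "HTTP/1.1 200 OK ...") // constructed reply, now queued
	ap.Associate(mac, 0)                   // reassociation with no key at all
	fmt.Println("frames released after open reassociation:", len(ap.Wake(mac))) // 0
}
```

Run as written, `main` shows the first mitigation on its own: an open reassociation gets nothing back. That check says nothing about a reassociation under a *different* key, where the buffered frames would simply be re-encrypted; only `FlushOnKeyChange` covers that case, which is why the article lists both measures.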

For hotspot users:

  • Minimise the amount of unencrypted traffic you send. Here, we’re talking about a second level of encryption on top of your Wi-Fi session key, such as HTTPS for your web browsing, and DNS-over-HTTPS for your DNS requests.

With an additional layer of application-level encryption, anyone who decrypts your Wi-Fi packets still can’t make sense of the data inside them.

The attackers may be able to figure out network-level details such as the IP numbers of servers you connected to, but if you stick to HTTPS while you are browsing, the content you send and receive will not be exposed by these admittedly limited attacks.


World Backup Day is here again – 5 tips to keep your precious data safe

In the early days of personal computers, everyone knew why backups were important.

Computer storage simply wasn’t as reliable as it is today, and it wasn’t a question of if you’d lose vital files through no fault of your own, but when it would happen. (Possibly today; probably tomorrow; almost certainly by next week.)

And malware attacks were in some ways worse back then, even though we didn’t have $10,000,000 ransomware demands in those days.

The creators of viruses, worms and Trojans hadn’t yet figured out how to make money out of malware, so they often simply deleted or corrupted all your data just for the sake of it.

They wanted to make you pay, but with tears rather than in Bitcoin.

These days, however, ransomware aside, you could be forgiven for assuming that your data will be there whenever you need it, because “hard disks” (as we still call them) feel as though they’re unbreakable, unburstable, untrashable, invincible.

Indeed, ever since I stopped using CDs and traditional rotating hard disks more than a decade ago, I’ve had a grand total of zero disk failures.

Not one.

But I’ve still lost access to data for a whole truckload of other reasons, mostly down to simple but regrettable mistakes such as saving over the wrong file, wiping the wrong device, uploading last month’s data over this month’s data in the cloud, or even just realising I’d left my laptop at home when I really needed to look something up on it.

So, given that it’s World Backup Day today, here are five short and simple tips for keeping your precious data safe…


1. DON’T DELAY – DO IT TODAY

Do you find yourself wondering, “Should I make a copy of my thesis/tax files/source code/vital data/customer database today? Or can I put it off until tomorrow/this weekend/financial year-end/never?”

Don’t delay, because the only backup you will ever regret is the one you didn’t make.


2. LESS IS MORE

Do you really need all the data you collect, or is there data you’re hoarding and aren’t going to look at again?

You can reduce the time and space needed to make a full backup, and simplify your privacy and compliance obligations at the same time, by getting rid of data you don’t need.


3. ENCRYPT IN FLIGHT – ENCRYPT AT REST

As the old saying goes, “Dance like no one’s watching. Encrypt like everyone is.”

Protect your backups from prying eyes by encrypting your backup data before it leaves your computer, so it’s secure both in transit and in storage.


4. KEEP IT SAFE

Even an encrypted backup is no good if cybercriminals delete it during an attack.

On-line, “live” backups are useful for day-to-day or hour-by-hour rollback of unwanted changes, but you should aim to keep at least one recent backup that’s off-line and ideally also off-site.


5. RESTORE IS PART OF BACKUP

Do you know not only how to recover the right version of a single lost file in an emergency, but also how to rebuild entire systems in case of a ransomware disaster?

Practice makes perfect, because a backup that you can’t restore in time isn’t a backup at all.


Remember, World Backup Day isn’t the one day every year when you do a backup.

It’s the day you build a backup plan into your digital lifestyle, to be sure, to be sure.


S3 Ep128: So you want to be a cybercriminal? [Audio + Text]

HOW TO TURN YOURSELF IN


With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG.   Honeypots, patches and the passing of an icon.

All that and more on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I’m Doug Aamoth; he is Paul Ducklin.

Paul, how do you do?


DUCK.   Very well, Douglas.

Welcome back from your vacation!


DOUG.   It’s good to be back… I do have a little surprise for you.

We start the show with the This Week in Tech History segment, and some weeks there are so many possible topics to choose from (just a little peek behind the curtain for everyone) that we have to go back and forth and decide which one we’re going to choose.

So I took the liberty of building a Topic Wheel that we can spin, and whatever topic it lands on…

…that’s the topic we discuss.

On the wheel this week, we have a ton of topics.

We’ve got the first computer convention, the Altair Convention in 1976; we’ve got the Melissa virus from 1999; we’ve got the first long distance phone call in 1884; the invention of the phototransistor in 1950; the unveiling of the UNIVAC in 1951; the first city to go to full electric lighting in 1880; and Microsoft Bob in 1995.

So I’m just going to give the wheel a spin, and wherever it lands – that’s the topic.

[SPINS WHEEL]

[FX: Click-click-click-click]


DUCK.   This is Wheel of Fortune stuff, is it?


DOUG.   Yes.

Wheel is spinning…

[FX: Click-click-click (gradually slowing down)]


DUCK.   I know where I want it to stop, Doug!


DOUG.   And it has landed on [EXCITED] the Melissa virus!

[FX: Dramatic chord]

It’s right in our wheelhouse…


DUCK.   I was secretly hoping for Microsoft Bob.

Because we have spoken about it before, and it was a great opportunity for me to have a very slight rant/complaint, and to introduce Clippy.

But I can’t mention either of those again, Doug.


DOUG.   Alright, well, the wheel has spoken.

This week, in 1999, the world felt the wrath of the Melissa virus, a mass-mailing macro virus targeting Microsoft Word and Outlook users.

The message emailed itself, along with a poisoned Word document, to the first 50 people in the victim’s Outlook contact list, while at the same time disabling protective features of both programs.

The Melissa virus was eventually connected to David L. Smith of New Jersey, who spent 20 months in federal prison and paid a $5,000 fine.

And Paul, you were there, man.


DUCK.   [SIGHS] Oh, dear, yes.

This wasn’t the first mailing malware – we’ve already spoken about CHRISTMAS EXEC haven’t we, which was 10 years before that, on IBM mainframes.

The CHRISTMA EXEC network worm – 35 years and counting!

But this was a sign that now we were all connected, and a lot of us were using Microsoft Word with its macro programming language, and we were relying heavily on email…

…things could go a bit pear-shaped if there was a virus.

The problem was it wasn’t 50 people, it was the first 50 *addresses*.

Most people, somewhere shortly after Aamoth, Doug and Aardvark, Christopher, had somebody called, for example, All Users, or something to that effect.

[LAUGHTER]

So, yes, it was an absolutely huge thing.

It had a Bart Simpson reference, didn’t it?


DOUG.   Yes… KWYJIBO. [FAKE SCRABBLE WORD ONCE USED BY BART SIMPSON]


DUCK.   Occasionally it would actually stick that into a document, wouldn’t it?

David Smith fell foul of the law because he quite simply should have predicted the level of disruption that it caused.

So, as you say, 20 months in federal prison, and the beginning of a dramatic era of mass-mailing malware.


DOUG.   Alright, let’s move from macros to Moore.

Rest in peace, Gordon Moore, 94 years young, Paul.

In Memoriam – Gordon Moore, who put the more in “Moore’s Law”


DUCK.   Yes.

I had a strange conversation over the weekend when I bumped into someone over coffee and they said, “Oh, what have you been doing on the weekend so far?”

I said, “Actually, I’ve just been at work; I was writing an RIP, an In Memoriam piece for a very, very famous person in the IT industry. Gordon Moore has died at 94.”

And this person looked at me and said, “Oh, I’ve never heard of him.”


DOUG.   [LOUD GASP OF DISBELIEF]


DUCK.   And I said, “But you’ve heard of Moore’s Law?”

“Oh, yes, of course. Moore’s Law, I know about that.”

And I said, “Well, same Moore.”

And so I hope they rushed off to read the article!

I republished the graphs that he put in his original little piece that led to Moore’s Law.

That was before he founded Intel, actually.


DOUG.   Yes, he was so much… more, if you catch my drift.


DUCK.   [NOT QUITE AS AMUSED AS DOUG HOPED] Yes.

It’s a fascinating little paper.

It was published in… essentially in a popular magazine as a short piece – just a few pages in Electronics magazine in 1965.

It was almost jocular in that he was saying, “You know what we’ve noticed at Fairchild?” [COMPANY CO-FOUNDED BY MOORE BEFORE INTEL]

In 1962-63-64-65, if you take the number of transistors on the chips that we’re building each time (the chips are roughly the same size), and you take the logarithm base 2 of the number of transistors, and you draw a graph, you get a straight line.

Which means exponential growth.

In other words, you can’t just keep making the chips bigger and bigger and bigger because they start failing…

…you have to learn how to change the manufacturing process as well, so you can basically get more transistors in there.

And the paper is called Cramming more Components onto Integrated Circuits. [LAUGHTER]

Literally cramming more in.

And you see that, by 1975, 10 years into the future, it would suggest that you might have single circuits that could have as many as 65,000 (or 2^16) transistors on them, Douglas.

Unbelievable.

That was his theory about how we might innovate.

It didn’t quite work out like that… by 1975, he said, “It doesn’t look like the doubling every year is going to continue, but it could be roughly doubling every two years.”

And even though we haven’t quite doubled every two years, we’re not far off.

Because if you go from 1978, when the 8086 came out, that had about 2^15 transistors on it.

And 22 doublings (44 years) later, the Apple M2 chip came out, so that should have roughly 2^37 transistors on it, which is well over 100 billion.

Isn’t that impossible?

Not far off: 20 billion transistors on an Apple M2 chip.

Amazingly prescient, Doug.


DOUG.   Indeed.

Alright. The Windows 10 Snip & Sketch app has been patched, and the Windows 11 Snipping Tool has been patched.

Microsoft assigns CVE to Snipping Tool bug, pushes patch to Store


DUCK.   Just to revisit, in case you missed this story, this started with a bug in the Google Pixel photo cropping tool.

You could crop an image (a photo or a screenshot that you already had on the phone), and just hit [Save] over the original, and you’d get the brand new file…

…followed by the leftover content from the previous image.

Which you wouldn’t notice when you loaded the image back, because inside the data that was written back over the old file is a marker that says, “You can stop here.”

So a tester who cropped a file and loaded it back would find that it looked correct, but it potentially had left-over cropped data.

So it’s exactly the bug you don’t want, isn’t it?

Google Pixel phones had a serious data leakage bug – here’s what to do!

And, of course, the bug was nothing specific to Google, or Pixel phones, or Android programming, or Java run-time libraries.

It turns out that some Windows image and screenshot cropping tools had exactly the same bug, albeit for different reasons.

What we don’t know, Doug, is how many *other* apps of this sort (they may not be image editors; they might be video editors or audio editors, or whatever) have a similar sort of problem.

If you go to Microsoft Store and you go and update your Snipping Tool, you will get a version that no longer behaves this way.

And if you have Windows 10, what’s it called there, Doug?


DOUG.   Snip & Sketch.

I’m happy to report I do use the Snipping Tool all the time, and I’m happy to report that mine has been updated.

I didn’t do it manually, so it either got rolled into a previous update or was updated automatically.

But it’s always good to check.


DUCK.   Yes, we put a link to Microsoft’s article about it, along with the new version numbers to look for, in the Naked Security article.

Because, Doug, I didn’t quite agree with Microsoft’s assessment of this.

I don’t know what you thought…

They said it was a low severity bug because, and I’m quoting, “Successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control”.

And the problem to me with that statement is that this isn’t about someone attacking you or trying to trick you into revealing an image that you didn’t intend to.

The problem is that you’re editing the image specifically to remove something that you don’t want in there, and the data that you visibly had removed *did not get removed*.


DOUG.   Speaking of removing things, we have something called [GRUFF VOICE] Operation PowerOFF.

Is it fair to call this a DDoS honeypot?

Cops use fake DDoS services to take aim at wannabe cybercriminals


DUCK.   I think it is, Doug.

It’s a multinational thing – as far as I know, at least the FBI, the Dutch police, the German Bundeskriminalamt, and the UK’s National Crime Agency are involved in this.

As far as I know, the idea is to try and provide what you might call “high pressure discouragement” to youngsters who think it would be cool to hang out on the fringes of cybercrime. [LAUGHTER]

It seems pretty well established that quite a lot of youngsters who want to dip their toes in the water of operating on the Dark Side tend to get drawn towards what are called DDoS (or booter, or stresser) services.

And these are pay-as-you-go services run by other crooks, where you can essentially take vengeance on someone’s website.

You don’t fling malware at it; you don’t try and hack into it; you don’t try and steal data.

So it kind of feels like a very low level of criminality: “I’m just paying to have a whole load of random computers around the world gang up on a website, ask for the homepage all at the same time and it won’t be able to cope. And that’ll teach them.”

And so, as you say, what Operation PowerOFF was about… was essentially a honeypot.

“Hey, are you interested in getting into booting and stressing? Are you toying on the fringes of cybercrime? Sign up here!”

And of course, you weren’t signing up with cybercrooks; you were actually signing up with the cops.

And after a little while, when enough people have signed up, then the site suddenly goes dead and then you get contacted…

…and you get to have, how can I put it, a “special discussion” [LAUGHTER], which I think is meant to dissuade you from doing this.

As funny as it might seem to you, neither the owner of the site, nor the police, nor the magistrates are going to find it amusing if you get hauled into court, because it does affect people’s businesses and their livelihoods.

And the other thing that the cops say that they’re keen to do is essentially sowing some kind of discord among the cybercrime community.

When you sign up for one of these dark web services, how do you know whether you’re signing up with fellow criminals, or with undercover cops?


DOUG.   This is the danger of when people hear about botnets or zombie networks…

…maybe an old computer I have that’s unpatched, that’s turned on in my closet or whatever and I’m not really paying attention to.

If it can be leveraged into a bot network or a zombie network, it can be used for things like this.

Even though I don’t mean to, and I don’t want to take any site down, if I have an infected computer, it can be used for stuff like this.


DUCK.   Absolutely.

That’s why, if you’re still running XP, if you haven’t patched your home router for three years…

…you are part of the problem, not the solution.

Because your computer or your router could be used in this way.


DOUG.   On the subject of time-wasting, lest you think penetration testing is a waste of time, we’ve got a penetration testing win for e-commerce giant WooCommerce.

WooCommerce Payments plugin for WordPress has an admin-level hole – patch now!


DUCK.   Yes – fortunately, that’s the way round it worked.

They haven’t disclosed any real details about the bug, for obvious reasons, because then anyone who hasn’t patched… you’d be giving away the secret for people to jump in.

It sounds like an unauthenticated remote code execution where you could trigger some PHP script, and while you were about it, you could grab admin privileges on the site.

Now, if someone’s breaking into your WordPress site and they might then suddenly start putting up bogus links or printing fake news, that’s bad enough.

But when the WordPress site you’re talking about is in fact one that deals with online payments, which is what WooCommerce is all about, then it gets very serious indeed!

As you say, fortunately this was disclosed responsibly, and it was patched.

WordPress and the Automattic team (the people who run WordPress) were informed, and for most people, patches were pushed out automatically.

But it’s really important, if you run a WooCommerce site, that you go and make sure you’re up to date.

Because if you aren’t, there’s a possibility that crooks may come looking for this backdoor hole that allows them to get admin access.

And, of course, once they’re in, they can get all sorts of stuff, including hashed login passwords, and what are known as API keys or authentication tokens.

In other words, those magic strings of characters that you can put in future web requests that allow you to interact with the site as if you were pre-authorised.


DOUG.   And how do we feel about the verbiage?

These passwords were salted and hashed, so “it’s unlikely that your password was compromised”.

How does that make the hair on the back of your neck?

Is it standing up or is it still lying down?


DUCK.   You put it more dramatically than I was willing to do in print in the article, Doug… [LAUGHTER]

…but I think you’ve hit the nail on the head.


DOUG.   Yes, I’m going to change my password just in case.


DUCK.   Yes, they sort of said, “Well, the passwords were hashed.”

They didn’t say exactly how, and they didn’t give any details of how hard it might be to crack them by trying a massive dictionary against them.

And they said, “So you probably don’t need to change your password.”

Surely this is a very good reason to change your password?

The idea of hashing passwords is if they get stolen, the fact that the hashes do need cracking first, and that might take days, weeks or months or even years…

…it gives everybody time to go and change their passwords.

So I would have thought they’d just say, “Go and change your password.”

In fact, I was almost expecting to see those weird words “out of an abundance of caution”, Doug!


DOUG.   Yes, exactly. [LAUGHTER]


DUCK.   So I don’t agree with that.

I think this is *exactly* the sort of reason why you would go and change your password.

And, as you have said many times, if you have a password manager and you only have to change one password, it really should be quite a quick process.

The one thing WooCommerce did say, and this you absolutely must do, is this: you do need to go and invalidate all those so-called API keys.

You need to get rid of those and regenerate them for all the software that you use that interacts with your WooCommerce accounts.

And WooCommerce have advice on how to do that; we’ve put the link in the Naked Security article.


DOUG.   OK.

And last, but certainly not least… I get great joy out of when you do this in a headline; you just say “Apple patches everything”, and you mean everything.

This includes a zero-day fix for iOS 15 users, as well.

Apple patches everything, including a zero-day fix for iOS 15 users


DUCK.   Yes, that was the curious part of it.

There are fixes for the three supported versions of macOS: Big Sur, Monterey, and Ventura.

There are patches for tvOS and for watchOS.

There’s even a patch, Doug, for the Apple Studio Display…


DOUG.   [LAUGHING] Of course!


DUCK.   …which is a cool, groovy screen, because it’s not just a screen, it’s got a webcam and all kinds of stuff in there.

You have to plug the screen in in order to apply the patch.

It basically downloads the firmware into your screen.

The bug in the firmware on the screen could allow a crook to reach into the operating system on your Mac and actually get kernel level code execution access.


DOUG.   Oooh, that’s bad.


DUCK.   That is pretty weird, isn’t it? [LAUGHS]

But the outlier, or the super-important update, was for iOS 15.

Those of you who have older iPhones and iPads: their updates include a WebKit zero-day, a remote code execution attack that some crooks, somewhere, are already exploiting.

So if you’ve got an older iPhone and you’re running iOS 15, absolutely it is “Do not delay/Do it today”.

But I would recommend that for anything you’ve got that has the Apple logo on it.

Because, when you look at the range of bugs that they have (fortunately) proactively fixed, they do cover a wide range of sins.

So they include things like (as we said with the display) kernel level remote code execution; data stealing; the ability to send a booby-trapped Bluetooth packet that then lets the attacker snoop on your other Bluetooth data; the ability to bypass Apple download quarantine checks; and an intriguing bug that just says “Unauthorized access to your Hidden Photos album”.

I’ve not used the Hidden Photos album, but I imagine they are the photos that you wish to keep, but you definitely don’t want anyone else to see!


DOUG.   [IRONIC] Probably, yes. [LAUGHTER]


DUCK.   The hint’s in the name, Doug. [LAUGHTER]

And also a bug relating to luring you to a booby-trapped website, after which your browsing habits might be tracked online.

So, lots of good reasons to apply the patches.


DOUG.   Alright, and we’ve got a very powerful yet succinct comment, as it’s time to hear from one of our readers on the Naked Security podcast.

And at first I was very tickled by this comment, but then I got to thinking, “If you have a bunch of different Apple devices; if you’re an Apple person… it’s actually hard to track all these bugs.”

Paul, you do a very good job of just getting them all in one place for people to see.

And on this Apple article, Naked Security reader Bart comments, and I quote: “Thanks.”


DUCK.   I would like to think of that comment figuratively, if not literally, as being two words, because it’s “Thanks. Exclamation mark.”


DOUG.   [LAUGHS] I did leave that out of the quote…


DUCK.   As you say, it all gets a bit bitty on Apple’s site, because you click on one link and you think, “Oh, golly, I wonder what’s the important stuff here?”

So the reason for writing them up on Naked Security is to try and distill that information, of which there’s pages and pages and pages, into a list of links all in one place that actually gives you the version number you need after you’ve done the update (so you can verify that you’ve got it) *and* something that tells you, “Here are the really, really important things; here are the bugs that the crooks are already exploiting; these are the bugs that the crooks could have found, but fortunately, if you patch, you can get ahead.”


DOUG.   Alright, thank you very much, Bart, for sending that in.

And if you have an interesting story, comment or question or… I suppose, in this case, an interjection you’d like to submit, we’d love to read it on the podcast.


DUCK.   [DELIGHTED] That is *exactly* the part of speech that it is, isn’t it?


DOUG.   It is… an interjection!

It shows excitement or emotion. [LAUGHS]


DUCK.   Or both!


DOUG.   Or both. [LAUGHS]

You can email tips@sophos.com, you can comment on one of our articles, or hit us up on social: @nakedsecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…


BOTH.   Stay secure.

[MUSICAL MODEM]
