
Safer Internet Day – Why not up your game?

Usually, when Safer Internet Day comes around, the cybersecurity situation hasn’t changed much from the year before, so it doesn’t feel like much of a reason to do anything special.

But that’s not the case in 2021, thanks to the lifestyle changes that the coronavirus pandemic has brought around the world.

In the US, for example, the Wall Street Journal reported that internet usage increased 25% in just a few days in mid-March 2020.

On the other side of the Atlantic, Ofcom, the UK’s communication services regulator, reported that internet usage hit an all-time high in the year. By June 2020, Britons were, on average, spending more than a quarter of their waking hours online.

That’s hardly surprising.

For most of us, the internet has been a godsend over the last year. It’s enabled us to continue working, studying, shopping, socialising and being entertained when we couldn’t do it in person.

At the same time, however, the crooks have regularly exploited the health-related fears and anxieties of all of us – as home users, employees and employers – to lure us into their criminal traps.

With all this in mind, why not take advantage of SAFER INTERNET DAY 2021 to check your online security practices and make sure you, your family and your friends are as safe as possible?

1. IF YOU OWN A WEBSITE, MAKE SURE IT’S SECURE

For many small businesses in countries with strict lockdown, online sales are the only way to keep trade alive at all, due to “click-and-collect” regulations.

As a result, many small businesses have enabled online purchasing for the first time over the last year, with web developers reporting a rush to implement online payment mechanisms in the first months of the pandemic.

If your business has a website, even if it’s only a modest one, go back and review the security of the site and any payment collection services you work with or connect to.

If you can afford it, get a third party to do the review so you get an independent opinion of what has been set up well, which parts could be improved, and which parts, if any, need urgent attention. (You can be sure that the crooks are regularly “testing” your server, even if you are not.)

If you are running a website via HTTP only, perhaps because the information you’re providing is public anyway and you don’t think it needs encrypting, please upgrade to HTTPS for the greater good of all.

If you don’t manage your own website, speak to your hosting service – any reputable provider will be happy to answer your questions, and won’t get in the way of an independent security assessment.


2. IF YOU SHOP ONLINE, TAKE CARE BEFORE YOU SHARE

Read our 6 tips for online safety that we published over Thanksgiving weekend 2020 for the peak of the 2020 retail season known as Black Friday.

These tips apply all year round, and they’re easy to do.

From applying a credit freeze to using extra steps of authentication, we explain how to protect yourself from risk when you shop online.

3. EDUCATE YOUR FRIENDS AND FAMILY

Lots of occasional web users have become heavy consumers almost overnight. Many people who previously just used the internet to read the news or check emails are now using it in multiple ways every day, including for meeting up for chats with groups of people they don’t know well, if at all.

Talk with your friends and family about good online security practices. Advise them on how to spot scams no matter how they arrive.

Cybercriminals are taking advantage of people being at home to make predatory phone calls; are abusing home deliveries to send scams via SMS; and are taking advantage of people trying to download health advice or set up vaccine appointments.

Read the threat articles listed above and you will get an excellent idea of how cybercrooks think and operate, which makes it easier to outwit them.


4. SECURE THE DEVICES YOU USE TO ACCESS THE INTERNET

Check out our tips for homeschooling. These tips are useful even if you don’t have children, because they explain how to stay safe now that most home networks have basically become small business networks in their own right.

Also check out our home Wi-Fi tips to help you lock down your network from outside snooping or surveillance.

Don’t wait until after something bad has happened to figure out how to protect against it!


Naked Security Live – Jargonbuster: Bugs, vulns, 0-days and exploits

Google announced a critical bug in Chrome last week – a bug that affected Edge as well.

But the company kept details of the bug secret, presumably to avoid having thousands of crooks simultaneously figuring out, “Ah, so that’s where to look!”

All we were told was that it involved a zero-day exploit against a vulnerability caused by a JavaScript bug…

…and that was so many jargon words in such a short statement that we thought, “Why not explain all that jargon in plain English?”


Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.


Perl.com gets its domain back – normal service restored!

Good news, everybody!

Two weeks ago, we wrote that the well-known and widely-used domain perl.com had been taken over by persons unknown.

Perl, now more than 30 years young, is amongst the most popular and prevalent programming languages out there, and websites that serve the world of Perl are therefore popular, too.

So, even though the official home of the language itself is perl.org, the perl.com website has been a well-known companion in the Perl community for many years.

You can imagine why, if the original owner had allowed their registration of the domain to lapse, either by mistake or because they felt they no longer needed it, a new owner might be keen to snap it up.

(Indeed, four-letter dot-COM domains are rare and expensive these days, even if they don’t spell out a well-known word, and even if they can’t be pronounced as a word at all.)

In this case, however, the domain’s takeover was as unlikely as it was unexpected.

That’s because perl.com had been registered for years to widely respected US-based Perl guru Tom Christiansen, and it hadn’t expired.

So it was difficult to figure out how any domain registrar would have been inclined to believe that Christiansen, or tchrist as he is widely known, would voluntarily have relinquished the domain…

…especially to someone who immediately redirected the domain to pretty much nothing at all:

Redirected perl.com site visited directly (and insecurely) on 2021-01-29.

Yet that is what happened at the end of January 2021, when the domain registration suddenly switched to a privacy-protected registrant based in Moldova:

[WHOIS data for PERL.COM, retrieved 2021-01-29]
Domain Name: perl.com
Registry Domain ID: 432086_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.rrpproxy.net
Registrar URL: http://www.key-systems.net
Updated Date: 2021-01-27T12:43:15Z
Creation Date: 1994-08-16T04:00:00Z
Registrar Registration Expiration Date: 2031-01-26T15:26:42Z
Registrar: Key-Systems GmbH
[...]
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
[...]
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Chisinau
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: MD [Moldova]
[...]
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
[...]
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY

For a short while after the domain takeover, according to reporters at IT news site The Register, domain name reseller Afternic was offering the suddenly blanked-out perl.com domain for sale for the impressive sum of $190,000.

(By the time we looked, on the day after The Register published its report, the domain was still out of tchrist’s control but no longer up for sale on any publicly visible domain broker’s site we could find.)

The good news

We don’t know exactly how this takeover was achieved, and what collateral was used to convince the relevant domain registrars to authorise the transfer, but we are pleased to report that normal service has been resumed.

The perl.com domain is now back under tchrist’s control, and the registration details are no longer hidden behind a privacy shield, so you can check them out for yourself:

[WHOIS data for PERL.COM, retrieved 2021-02-07]
Domain Name: PERL.COM
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2021-02-05T19:59:16Z
Creation Date: 1994-08-16T04:00:00Z
Registrar Registration Expiration Date: 2031-02-05T16:54:08Z
Registrar: Network Solutions, LLC
[...]
Registry Registrant ID:
Registrant Name: Tom Christiansen Perl Consultancy
Registrant Organization: Tom Christiansen Perl Consultancy
[...]
Registrant City: BOULDER
Registrant State/Province: CO
Registrant Postal Code: 80304-1022
Registrant Country: US
[...]
Admin Name: Tom Christiansen Perl Consultancy
Admin Organization: Tom Christiansen Perl Consultancy
[...]
Admin City: BOULDER
Admin State/Province: CO
Admin Postal Code: 80304-1022
Admin Country: US
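The two WHOIS records above are exactly the kind of thing a domain owner should be comparing automatically. The following is an added example (not Naked Security’s or perl.com’s code) that parses two WHOIS snapshots and flags the field changes that typically accompany a takeover: registrar, registrant identity, country, and the sudden appearance of a privacy shield. The list of watched fields is an assumption, and the embedded records are trimmed copies of the two shown on this page.

```python
import re
from typing import Dict, List

# Fields whose change on a domain you own deserves an alert (assumed list).
WATCHED = ("Registrar", "Registrar WHOIS Server", "Registrant Name",
           "Registrant Organization", "Registrant Country")

# Trimmed from the restored record above (2021-02-07): the known-good baseline.
BASELINE = """\
Domain Name: PERL.COM
Registrar WHOIS Server: whois.networksolutions.com
Registrar: Network Solutions, LLC
[...]
Registrant Name: Tom Christiansen Perl Consultancy
Registrant Organization: Tom Christiansen Perl Consultancy
Registrant Country: US
"""

# Trimmed from the takeover-time record above (2021-01-29): what a monitor saw.
OBSERVED = """\
Domain Name: perl.com
Registrar WHOIS Server: whois.rrpproxy.net
Registrar: Key-Systems GmbH
[...]
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: MD
"""


def parse_whois(text: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines into a dict; '[...]' and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z /]+?):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def whois_alerts(baseline_text: str, observed_text: str) -> List[str]:
    """Return one human-readable alert per watched field that differs."""
    base, obs = parse_whois(baseline_text), parse_whois(observed_text)
    alerts = []
    for key in WATCHED:
        old, new = base.get(key, ""), obs.get(key, "")
        if old == new:
            continue
        if new.upper() == "REDACTED FOR PRIVACY":
            alerts.append(f"{key}: now hidden behind a privacy service (was '{old}')")
        else:
            alerts.append(f"{key}: '{old}' -> '{new}'")
    return alerts


if __name__ == "__main__":
    for alert in whois_alerts(BASELINE, OBSERVED):
        print("ALERT", alert)
```

Running it against the two page records produces five alerts; running it against the baseline twice produces none, which is the quiet state you want from a daily check.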

And, of course, the site is back to normal:

Main page of perl.com visited directly on 2021-02-07.

During the domain takeover, the perl.org site leapt to the rescue by serving the content of perl.com via perldotcom.perl.org (try reading that sentence out aloud quickly!), and that “emergency” URL still works, but it is once again safe to visit perl.com directly.

Result!


Chrome zero-day browser bug found – patch now!

Google, whose Project Zero bug-hunting team is often surprisingly vocal when describing and discussing software vulnerabilities, has taken a very quiet approach to a just-patched bug in its Chrome browser.

In this case, the low-key announcement is understandable, because the patch fixes a hole that cybercrooks are apparently already abusing:

Stable Channel Update for Desktop
Thursday, February 4, 2021
CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24
Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild.

The phrase “exploit exists in the wild” is shorthand for “the crooks found this vulnerability before we did and are already using it in real-life attacks”.

This situation is also known as a zero day, or 0-day as you may see it written, because there were zero days in the past on which even the most diligent user could have patched ahead of the crooks.

Simply put, the word exploit refers to any trick that allows an attacker actively to abuse a software vulnerability and thereby to pull off some sort of unauthorised activity.

Remote code execution

Fortunately, even though all buffer overflows and similar bugs can be considered vulnerabilities, not all of them can reliably be exploited.

For example, many (if not most) buffer overflows could cause a program to exit unexpectedly with an error, or even to crash without a proper error message, but nothing more dangerous than that.

Sometimes, however, a buffer overflow can be abused not only to crash the affected program but also to take over its flow of execution before the operating system, or any other security software, can detect and control the crash.

That’s known as remote code execution, or RCE, and RCE exploits against browsers are worth a lot of money these days in the cyberunderworld, because they provide an ideal conduit for cybercrime.

That’s because browsers spend most of their time downloading, decoding, rendering and displaying unknown and untrusted files from anywhere and everywhere on the internet.

Crooks with access to a reliable browser RCE exploit – for example, one that can be triggered by a deliberately booby-trapped image file or a purposefully malformed HTML document – have a powerful and treacherous way of injecting unauthorised program code into your browser.

By simply luring you to a web page that contains a suitably booby-trapped exploit file, the crooks can trick your browser into downloading, processing, and choking on their exploit.

This sort of attack, which you will sometimes hear referred to as a drive-by because it can be triggered merely by viewing a malicious web page, bypasses any of the telltale “are you sure” warnings or popups that would otherwise alert you to malicious activity.

Once the crooks get that far, you have to assume that they can pull off a variety of additional attacks, such as reading private browser data, including authentication cookies; snooping on your browsing activity; modifying the pages served up by other websites; and implanting malware that will keep on running even after you exit the subverted browser process.

In this case, we’re assuming that the exploit is triggered using booby-trapped JavaScript files, given that the buffer overflow bug exists in V8, which is the name of the JavaScript processing code used by Chrome and Chromium-based browsers.

What to do?

To check what version you have, click the three-lines icon (the “hamburger menu”) in the top right corner. For Chrome, go to Help > About Chrome. For Chromium simply click About Chromium.

(In either browser, you can also put the special URL chrome://settings/help into the address bar.)

The version you are looking for is 88.0.4324.150 or above.

If you aren’t up to date, use the Update Google Chrome option on Windows or Mac to force an update.

If you’re on Linux and your version of Chrome or Chromium is provided by your distro maker, check back with your distro for update details.
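For anyone who manages several Linux or Mac machines, the version check above is easy to script. The following is an added example (not Google’s code): it reads the browser’s “--version” banner and compares it numerically against the fixed build named in this article. The list of executable names is an assumption, and the banner strings in the comments are constructed samples.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "88.0.4324.150"  # first Chrome build with the CVE-2021-21148 fix (from the article)

# Executable names to try on PATH (assumed; adjust for your distro or packaging).
CANDIDATE_EXES = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser")


def parse_version(banner: str) -> Tuple[int, ...]:
    """Extract the first four-part dotted version from a banner such as
    'Google Chrome 88.0.4324.150' (constructed sample) as a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+){3}", banner)
    if not m:
        raise ValueError(f"no version number found in {banner!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_patched(banner: str, fixed: str = FIXED_VERSION) -> bool:
    """Field-by-field numeric comparison. A plain string comparison would rank
    88.0.4324.96 above 88.0.4324.150 and report an unpatched browser as safe."""
    return parse_version(banner) >= parse_version(fixed)


def installed_chrome_banner() -> Optional[str]:
    """Ask a locally installed Chrome/Chromium for its version banner, if any."""
    for exe in CANDIDATE_EXES:
        path = shutil.which(exe)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True, text=True)
            return result.stdout.strip()
    return None


if __name__ == "__main__":
    banner = installed_chrome_banner()
    if banner is None:
        print("No Chrome/Chromium found on PATH; check chrome://settings/help instead.")
    else:
        print(banner, "-> PATCHED" if is_patched(banner) else "-> UPDATE NEEDED")
```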

Chrome on Linux immediately after installing this update.

S3 Ep18: Apple emergency, crypto blunder and botnet takedown [Podcast]

Apple pushed out an iOS update in something of a hurry to shut down a serious 0-day bug. The GnuPG team scrambled to fix an ironic vulnerability that could be exploited during the very process of checking if the data you just received could be trusted. And Europol reported on a successful takedown operation against the notorious Emotet malware.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.
