
ASUS routers could be reflashed with malware – patch now!

If you’re interested in cybersecurity you’ve probably read any number of reports in recent years about the often tenuous state of security in consumer devices.

From insecure doorbells to webcams, and from light bulbs to home routers, we’ve written our own share of horror stories in recent years.

That’s disappointing, but hardly surprising.

Computing gear of this sort – a market segment often referred to as the Internet of Things (IoT), because the devices are typically tiny and don’t look or feel like traditional computers – is generally simple to use, and thanks to a highly competitive market is usually built down to a price, which is good news for consumers…

…but it doesn’t leave a whole lot of time or money for vendors to expend on security.

IoT devices also typically have limited memory, disk and processing capacity, for reasons of size and weight as much as price, so their software is often stripped down to fit.

That can work out well, because the more features you leave out, the fewer places there are for bugs to lurk; but it can also end badly because what gets omitted often includes security checks that might otherwise have been included, or implemented more thoroughly.

Nevertheless, some vendors of low-cost devices are responsive to bug reports and publish security fixes promptly, which leads to another problem with the IoT ecosystem, namely that many consumers take a “set and forget” attitude to these devices.

So even if your home router gets updated regularly with security improvements, when was the last time you went and checked if your device actually has the latest firmware version installed?

Well, if you have an ASUS RT-AC1900P home router – a high-end, high-bandwidth home device – then we recommend that you do an update check now.

Researchers at Trustwave found security holes in this router’s firmware late in 2019, which ASUS duly patched, and those researchers have now gone public with a security advisory that details their findings.

Ironically, the bugs related to the router’s firmware update process, so the update actually patches the update system itself.

Trustwave found two vulnerabilities, dubbed CVE-2020-15498 and CVE-2020-15499, that could have allowed crooks to pull off a double-barrelled attack:

  • A bogus firmware update wouldn’t have had any digital signature checking during download. In theory, crooks could advertise a fake update, or subvert a genuine one, and go undetected.
  • Firmware updates could include release notes with JavaScript that your browser would run without warning. In theory, crooks wouldn’t even need a full-blown fake firmware download in order to launch an attack. A fake firmware update notice with booby-trapped JavaScript would be enough.

The first bug seems to have been a simple oversight – perhaps code added for testing that was never removed, or an insecure option left over from years ago that was never revisited and reviewed.

Simply put, the router – which runs Linux and standard Linux tools, like many IoT devices – used the well-known wget command-line utility to organise its downloads, and correctly used an HTTPS (secure) web link…

…but added the non-default command line option --no-check-certificate so that a download from a bogus site would not be detected.

As the wget documentation explains, this option tells the software:

Don’t check the server certificate against the available certificate authorities. Also don’t require the URL host name to match the common name presented by the certificate.
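The fix for the first bug is simply to drop the option, but the lesson for programmers is to make sure it never creeps back in. The following is an added example, not ASUS’s or Trustwave’s code: a small linter that scans a shell-style update script for wget and curl invocations that switch off certificate validation. The script it scans is constructed for the demonstration (the `example.invalid` URLs are placeholders), with line 3 reproducing the flaw and line 4 showing the corrected call.

```python
import shlex

# Constructed sample update script in the style the article describes; not ASUS code.
# Line 3 reproduces the flaw (certificate checking switched off), line 4 is the corrected form.
SAMPLE_UPDATE_SCRIPT = """\
#!/bin/sh
# fetch firmware manifest and image (constructed example)
wget --no-check-certificate -O /tmp/manifest.txt https://updates.example.invalid/manifest.txt
wget -O /tmp/firmware.bin https://updates.example.invalid/firmware.bin
curl -k -o /tmp/notes.html https://updates.example.invalid/notes.html
curl --insecure -o /tmp/extra.bin https://updates.example.invalid/extra.bin
curl -o /tmp/checksums.txt https://updates.example.invalid/checksums.txt
echo "done"
"""

# Options that disable TLS certificate validation in the two download tools.
INSECURE_FLAGS = {
    "wget": {"--no-check-certificate"},
    "curl": {"-k", "--insecure"},
}

# Tokens that end one command and start another on the same line.
SEPARATORS = {"|", "||", "&&", ";"}


def find_insecure_downloads(script_text):
    """Return (line_number, tool, flag) for every wget/curl call that disables certificate checks."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)   # drops '#' comments, honours quoting
        except ValueError:                               # unbalanced quotes: fall back to a naive split
            tokens = line.split()
        tool = None
        for tok in tokens:
            if tok in SEPARATORS:
                tool = None
                continue
            if tool is None:
                base = tok.rsplit("/", 1)[-1]            # allow /usr/bin/wget as well as wget
                if base in INSECURE_FLAGS:
                    tool = base
                continue
            if tok in INSECURE_FLAGS[tool]:
                findings.append((lineno, tool, tok))
            elif tool == "curl" and tok.startswith("-") and not tok.startswith("--") and "k" in tok[1:]:
                findings.append((lineno, tool, tok))     # bundled short flags such as -sSk
    return findings


if __name__ == "__main__":
    for lineno, tool, flag in find_insecure_downloads(SAMPLE_UPDATE_SCRIPT):
        print(f"line {lineno}: {tool} invoked with {flag}, certificate validation disabled")
```

Run over the sample script it reports lines 3, 5 and 6 and stays silent on the corrected calls; the same function dropped into a build or firmware-packaging pipeline turns the “insecure option left over from years ago” into a failing check rather than a surprise in an advisory.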

The second bug relied on what’s known as cross-site scripting.

That’s where a web server puts data that you originally provided, typically text, into a web page it sends back to you, but accidentally allows the text to include JavaScript commands.

In other words, by putting booby-trapped JavaScript in your release notes, you could provoke the server to include your script in a page that was served up under one of its own URLs.

Injecting JavaScript into a page that’s served up by someone else is basically as good as hacking their server and uploading your own JavaScript to it.

In both cases the JavaScript comes with the imprimatur of that server, and can therefore access any saved JavaScript resources – cookies, web storage and authentication tokens, for example, that are supposed to be private to that server.
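To make the second bug concrete, here is an added example (not the router’s actual web code, which the advisory does not reproduce) of the mistake and its fix in a few lines of Python: the unsafe renderer pastes the release-notes text straight into HTML, the safe one validates it and HTML-escapes it first. The release-notes string, the length limit and the Content-Security-Policy header are assumptions made for the demonstration, and the embedded script is a harmless marker.

```python
import html
import re

# Constructed release-notes text of the kind an attacker-controlled update notice could carry.
# The script body is a harmless marker; the point is that it reaches the browser as code.
BOOBY_TRAPPED_NOTES = "Fixes Wi-Fi drop-outs.<script>alert('xss')</script>"

MAX_NOTES_LEN = 4000                               # assumption: release notes are short
ALLOWED_CHARS = re.compile(r"[\x20-\x7e\n]*")      # printable ASCII plus newlines


class InvalidNotesError(ValueError):
    """Raised when an update notice fails input validation."""


def validate_release_notes(notes):
    """Reject oversized or odd-character notes before they go anywhere near a web page."""
    if len(notes) > MAX_NOTES_LEN:
        raise InvalidNotesError(f"release notes too long ({len(notes)} > {MAX_NOTES_LEN})")
    if not ALLOWED_CHARS.fullmatch(notes):
        raise InvalidNotesError("release notes contain disallowed characters")
    return notes


def notes_are_valid(notes):
    """Boolean wrapper around validate_release_notes for callers that prefer a yes/no answer."""
    try:
        validate_release_notes(notes)
        return True
    except InvalidNotesError:
        return False


def render_release_notes_unsafe(notes):
    """The bug class the article describes: untrusted text pasted straight into HTML."""
    return "<div class=\"release-notes\">" + notes + "</div>"


def render_release_notes_safe(notes):
    """Hardened form: validate, then HTML-escape so the browser treats the text as text."""
    validate_release_notes(notes)
    return "<div class=\"release-notes\">" + html.escape(notes, quote=True) + "</div>"


# Second layer (assumption, not from the article): a response header telling the browser to run
# only scripts served from the router's own origin, so an inline <script> is blocked even if an
# escaping bug slips through elsewhere.
SAFE_RESPONSE_HEADERS = {"Content-Security-Policy": "default-src 'self'"}


def is_script_reaching_browser(page):
    """Crude check for the demonstration: does the rendered page still contain a raw <script> tag?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe:", render_release_notes_unsafe(BOOBY_TRAPPED_NOTES))
    print("safe:  ", render_release_notes_safe(BOOBY_TRAPPED_NOTES))
```

Escaping is the part that actually stops the script running; the length and character checks are the “validate all your inputs” habit applied on top of it, so that a manifest field that is wildly out of shape is rejected outright rather than merely neutralised.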

What to do?

If you own an affected ASUS model, check your firmware version.

According to Trustwave, these bugs are fixed if your version is 3.0.0.4.385_20253 or later.
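Deciding whether a firmware version is “3.0.0.4.385_20253 or later” is easy to get wrong if you compare the strings: as text, “3.0.0.4.385_9999” sorts after the fixed version because “9” comes after “2”. The following is an added example, not ASUS’s or Trustwave’s code, of a comparison that treats the dotted part as a release train and the suffix after the underscore as a numeric build number; that reading of the scheme is an assumption, and the older version strings used in the demo are constructed.

```python
import re

FIXED_VERSION = "3.0.0.4.385_20253"   # first fixed build, as reported by Trustwave

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?$")


def parse_firmware_version(text):
    """Split '3.0.0.4.385_20253' into ((3, 0, 0, 4, 385), 20253).

    The dotted part is the release train; the '_' suffix is taken to be a build number that only
    increases within a release (assumption about ASUS's scheme, not stated in the article).
    A version with no suffix gets build 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    dotted, build = m.groups()
    return tuple(int(p) for p in dotted.split(".")), (int(build) if build else 0)


def _sort_key(version, width):
    dotted, build = parse_firmware_version(version)
    return dotted + (0,) * (width - len(dotted)) + (build,)   # pad so 3.0.0.4 sorts below 3.0.0.4.385


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed firmware is the fixed build or newer."""
    width = max(len(parse_firmware_version(installed)[0]), len(parse_firmware_version(fixed)[0]))
    return _sort_key(installed, width) >= _sort_key(fixed, width)


if __name__ == "__main__":
    # Constructed version strings: only the fixed version itself comes from the advisory.
    for v in ("3.0.0.4.384_81351", "3.0.0.4.385_20253", "3.0.0.4.385_9999", "3.0.0.4.385_20490"):
        print(v, "patched" if is_patched(v) else "VULNERABLE, update now")
```
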

If you are a programmer, whether of IoT devices or anything else:

  • Don’t take cryptographic shortcuts. A job worth doing is worth doing well. If you have gone to the trouble of using HTTPS in the first place, don’t turn off certificate checking just to get round a temporary problem or to save time while coding.
  • Regularly review cryptographic code for outdated usage and settings. Even if you made an effort to get the cryptography right a few years ago, recommended settings and algorithm choices regularly get updated. As cryptographers like to say, “Attacks only ever get faster.”
  • Validate all your inputs. Always watch out for booby-trapped input, for example strings that are too long, or that contain disallowed characters. Don’t give attackers the chance to trigger buffer overflows or to inject rogue commands into what is supposed to be plain data.

Sports team nearly paid a $1.25m transfer fee… to cybercrooks

If you were about to spend more than a million dollars, how careful would you be about where you sent the money?

More importantly, how would you check with the recipient of the money – and how would they check with you – that both ends of the transaction were lined up correctly, with no treachery in between?

It’s quite likely you’d have been emailing them back and forth for some time, negotiating the deal, agreeing terms and finalising payment…

…and therefore it’s quite likely that you’d email each other one last time before it all went through.

And if there were a last-minute change in payment details, you might be really relieved to hear about that, especially if the deal were time-critical, like a house purchase, a stock offer…

…or a £1,000,000 payment as part of a player transfer in the English Premier League – the richest soccer competition in the world, and the most-watched sports franchise on the planet. (Probably, although NFL, NHL, MLB and IPL fans may wish to disagree.)

After all, transfer windows are short, and transfer negotiations are complicated, so a payment that failed to go through at the last step could ruin a deal that had been months in the offing.

Well, according to a report entitled The Cyber Threat to Sports Organisations, released today by the UK’s National Cyber Security Centre, that almost happened, except that the new account number was fraudulent and rather than saving the deal at the last minute, the club would have lost the lot.

Apparently, one of the UK’s top football clubs – the report doesn’t say which one – almost paid out £1m ($1.25m) to crooks after a genuine-looking but fraudulent email convinced the club to nominate a new account to receive the funds.

Fortunately, the club’s bank flagged the transaction as suspicious, provoking further investigation and uncovering the scam.

As you can probably guess, that scam was what’s known as BEC, short for business email compromise.

BEC is something of a special category in the world of online crime – in fact, it’s probably better to refer to it as ‘internet-enabled crime’ than simply as cybercrime.

The criminals behind it don’t have to be programming wizards or malware authors; they don’t need elite hacking or exploit creating skills; and they don’t need the know-how to carry out network intrusions, lateral movements and so on.

What they do have is patience, persistence, self-belief and what you might call sociopathic-level skills in social engineering.

In old-school terminology, you’d call them confidence tricksters, though they are generally using the internet to manipulate victims, not their in-person charisma.

The basic idea behind BEC crime is surprisingly simple: get hold of the email password of someone of importance in the organisation, read all their email before they do, learn how they operate, find out what the company is up to and learn when big payments are coming up, in or out…

…and then take on the persona of the employee whose email was compromised in order to misdirect other employees, as well as creditors and debtors.

Thus the name business mail compromise, sometimes called CEO fraud or CFO fraud because those are the staff members whose email accounts typically deliver the most dramatic results for the crooks.

We try to avoid the terms CEO fraud and CFO fraud these days because those names wrongly imply that BEC depends specifically on the CEO or CFO getting hacked, and therefore if their accounts are intact, the company is safe. Many organisations don’t even use the job titles CEO and CFO, yet they too are at risk of exactly this sort of fraud.

As you can imagine, the typical corporate manipulation performed by BEC crooks is to get debtors to pay outstanding invoices into “new” bank accounts that belong to the criminal gang, or to instruct staff inside the company to pay outgoing invoices to phoney accounts instead of to genuine creditors, thus stealing money from both sides of the balance sheet.

BEC criminals use technology to help them misdirect humans, and once they have their operation running inside a company, they aim to keep the misdirection going for as long as possible by mixing social engineering skills with their insider knowledge.

If a crook is inside your email, remember that they can not only send emails in your name, they can also: delete those emails from your outbox so you don’t even see they were sent; intercept and remove or modify any replies from colleagues who become suspicious and ask questions; mollify others in the company who are trying to raise the alarm; and threaten those who try to get in the way.

What to do?

Of course, this raises the tricky question, “If a crook has already snuck in, got into someone’s email, and is lying low looking for a chance to swindle the whole company, how on earth do you spot the fake emails that shouldn’t be there amongst all the real ones that are still flowing normally?”

Here are six tips to help you detect and prevent this sort of corporate manipulation:

  • Turn on two-factor authentication (2FA) so that a password alone is not enough to access your accounts, especially email. Remember that your email account is probably the key to resetting passwords on many of your other accounts, including ones you use at work and at home.
  • Look for features in your service providers’ products that can warn you when anomalies occur. Access monitoring tools help to detect logins that come from unusual places, or network activity that doesn’t fit your usual pattern. This can help you flush out crooks who have wriggled into your network or your email account. Talk to your bank about how they can add another layer of scam detection, too.
  • Enforce a two-step (or more) process for making significant changes to accounts or service, especially changes in details for outgoing payments. Don’t just rely on simple “manager approval” click-throughs – implement independent checks by different teams, working in separate departments, looking for different indicators of scamminess.
  • If you see anything that doesn’t look right in an email demanding your attention, assume you are being targeted. Crooks who try to impersonate your CEO or CFO might not make any mistakes, but often they do. Don’t let the crooks get away with slip-ups such as spelling mistakes or unlikely errors that ought to give them away. As carpenters like to say, “Measure twice, cut once.”
  • If you want to check details with another company based on an email, especially when money is involved, never rely on contact data provided in the email. Find your own way to get hold of the other party using a different form of communication, for example using a phone number on printed documents that you already have.
  • Consider using internal training tools to teach your staff about scams. In the football club case above, the crooks phished the CEO’s password using a fake Office 365 login page. Tools such as Sophos Phish Threat can test staff behaviour safely so that they can make their mistakes when it doesn’t actually matter, rather than when the crooks come calling.
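The second tip, spotting logins “from unusual places”, is something you can prototype on a sign-in log before you buy a product for it. The following is an added example (not code from the NCSC report, Sophos, or any vendor) that applies two rules to a constructed sign-in log: a successful login from a country the user has never used before, and two successful logins from different countries closer together than anyone could travel. The two-hour window, the log format and the user names are assumptions made for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sign-in log, one event per line: "<ISO timestamp> <user> <country> <result>".
# alice normally signs in from GB; the 03:21 event from US is followed by a GB sign-in too soon
# afterwards for one person to have travelled between them.
SAMPLE_LOGINS = """\
2020-07-20T08:02:11Z alice GB ok
2020-07-20T08:05:40Z bob GB ok
2020-07-21T07:58:02Z alice GB ok
2020-07-21T09:14:33Z bob GB ok
2020-07-21T09:15:10Z bob GB fail
2020-07-22T03:21:09Z alice US ok
2020-07-22T04:50:00Z alice GB ok
2020-07-22T08:40:12Z bob GB ok
"""

TRAVEL_WINDOW = timedelta(hours=2)   # assumption: two countries inside this gap is not plausible travel


def parse_login_line(line):
    ts, user, country, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "country": country,
        "ok": result == "ok",
    }


def flag_anomalous_logins(log_text, travel_window=TRAVEL_WINDOW):
    """Return (user, timestamp, reason) for sign-ins that break the user's own pattern.

    Two rules, applied in time order so each user's baseline is built only from earlier events:
      new-country        first successful sign-in from a country the user has never used
      impossible-travel  successful sign-ins from two countries closer together than travel_window
    """
    events = sorted((parse_login_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    seen = {}        # user -> set of countries seen in successful sign-ins
    last = {}        # user -> (timestamp, country) of the previous successful sign-in
    findings = []
    for ev in events:
        if not ev["ok"]:
            continue                      # failed attempts do not extend the baseline
        user, country, ts = ev["user"], ev["country"], ev["ts"]
        stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        if user in seen and country not in seen[user]:
            findings.append((user, stamp, "new-country"))
        prev = last.get(user)
        if prev and prev[1] != country and ts - prev[0] < travel_window:
            findings.append((user, stamp, "impossible-travel"))
        seen.setdefault(user, set()).add(country)
        last[user] = (ts, country)
    return findings


if __name__ == "__main__":
    for user, stamp, reason in flag_anomalous_logins(SAMPLE_LOGINS):
        print(f"{stamp} {user}: {reason}")
```

Both rules are deliberately simple: the first fires on every legitimate business trip as well, which is why the article suggests treating such alerts as a prompt for a second, out-of-band check rather than as proof of compromise.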

By the way, if you’re wondering how much money is involved in BEC criminality, take a look at the story behind the recent arrest of an alleged BEC scammer in the USA who went by the name “Hushpuppi.”

Don’t let it happen to you!


7 VPNs that leaked their logs – the logs that “didn’t exist”

VPNs are all the rage these days, because they’re supposed to boost your privacy and stop you being tracked.

In fact, “VPN” has become a word in its own right, pronounced vee-pee-en, and it’s a crowded market with companies advertising online, on TV and even in print media to compete for your consumer dollars.

Most VPNs have a free app you can download, but you typically need a paid subscription to make it work or to unlock premium services.

The app will scramble all the network traffic between your device and the company’s servers, and unscramble it and release it onto the internet from there – perhaps even in a different country – which does indeed disguise the true source of your data packets, and therefore makes you harder to trace.

But the connection with privacy, and by association, with anonymity, comes from the fact that VPN is short for virtual private network, which has the word “private” right there in the name.

In truth, the “private” part of a VPN isn’t really about you being anonymous or pretending to be someone else.

The P in VPN really just refers to the idea of using a public network to transmit traffic that in the olden days would have gone across a private circuit or a leased line, and was therefore considered and managed as part of your company’s LAN, or local area network.

In fact, if you’ve ever used a company VPN – and in this era of coronavirus lockdown, it’s very likely you have – you will be well aware that your corporate VPN makes you identify yourself exactly, perhaps with a password and a 2FA token, so the company knows who you are before you connect.

Your traffic is private from surveillance as it traverses the public network, because VPNs use encryption to shield the raw network packets from being sniffed out, but your traffic is not anonymous once you are inside the virtual castle of the company network.

In short, the VPN itself knows who you are and sees what you get up to, even if the routers through which your encrypted VPN packets travel do not.

And that’s a good thing, because it means that you’re only sharing that company network with other people who are supposed to be there (you hope!) and who can be held accountable for their behaviour, rather than with a random bunch of unknown strangers.

What about the logs?

As we mentioned above, consumer VPNs can arrange to decrypt your traffic and surface it onto the public internet far away from where you are, so they not only disguise your physical location (which does indeed improve your privacy somewhat), but also let you disguise your country of residence.

For many people, that is the primary value of a personal VPN service – it lets them bypass censorship that may be applied by ISPs in their own country, and it also lets them bypass so-called geoblocking that stops them watching overseas TV shows and movies or accessing other region-limited content.

But it also means that you are putting an awful lot of trust in the VPN provider, because that provider essentially becomes your new ISP, so you need to be aware of the extent to which they do (or don’t) follow the surveillance and monitoring laws in the various countries where they operate.

Many VPNs tell you that “they don’t keep any logs at all”, and therefore that they would have nothing on you that they could hand over to law enforcement even if they wanted to.

But many countries have legal mechanisms whereby various authorities – with or without a warrant, depending on the jurisdiction – can compel a service provider not only to start keeping logs for specific individuals, but also to keep quiet about the fact – in other words, they have to keep logs of your traffic, but they are gagged from warning you up front, and they can’t tell you even if you ask.

This legal peculiarity led to a trend, a few years ago, of so-called “warrant canaries”, which were like canaries in coal mines that signalled dangerous gases by falling unconscious and dropping off their perches. Companies would regularly put notices into web pages or documents to say that they were not currently under any sort of gagging order. The idea was that removing the “negative gag” notice, which would essentially be a legal requirement if a gag order were applied, would therefore act as if the company had added a “positive gag” notice. This would therefore comply with the letter of the law, if not exactly its spirit. This sort of legal sophistry is not widely used any more, not least because it turned out to be quite confusing.

Of course, some VPNs will assure you that this can’t happen to them (and therefore indirectly to you) because their companies are registered in countries where such legal provisions don’t exist.

But any VPN knows where you are and, to some extent at least, who you are while you’re using the system, and may even need to keep what amount to in-memory logs – ephemeral data, to use the jargon term – for some or all of each session, just to make the service work reliably.

What you have to assume, therefore, is that anything they know about your traffic for the purposes of handling it while you are online never gets saved anywhere permanent, whether by accident or design.

And history suggests that ephemeral data – stuff that should evaporate forever from memory once it is no longer needed, and never get written to disk or forwarded to another server – has a way of surviving when it shouldn’t.

After all, in recent memory, both Google and Facebook admitted that, sometimes, passwords you had typed in during the login process – data that was only ever supposed to be held in RAM and get scrubbed after it had been validated – had accidentally been sent off in plaintext and saved in logfiles deep in their respective systems.

Facebook discovered in 2019 that it had committed hundreds of millions of passwords to disk, and set about finding and purging them; Google also admitted that it had incorrectly been saving away some passwords – we don’t know how many, but we know that the data went back for 14 years to 2005.

In other words, logging the unloggable is easy to do even if you genuinely set out not to do it, and even if you are two of the biggest internet companies out there, with large and well-funded cybersecurity teams.
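“Logging the unloggable” usually happens because a request body, a structured argument or an upstream reply gets passed to the logger whole. One defence is to scrub records at the logging layer, so that nothing that reaches a handler can carry a credential whatever the calling code did. The following is an added example, not code from Google, Facebook or any VPN provider: a redaction filter for Python’s standard logging module, exercised on constructed records; the key list, the regular expression and the sample values are assumptions made for the demonstration.

```python
import logging
import re

# Keys whose values must never reach a log file (assumption: extend for your own field names).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret", "authorization"}
REDACTED = "[REDACTED]"

# key=value or "key": "value" fragments inside free-text messages, e.g. a logged request body.
_KV_RE = re.compile(
    r"\b((?:password|passwd|pwd|token|secret)\"?\s*[:=]\s*\"?)([^\s&\"',}]+)",
    re.IGNORECASE,
)


def scrub_text(text):
    """Replace the value part of password=... style fragments in a string."""
    return _KV_RE.sub(lambda m: m.group(1) + REDACTED, text)


def scrub(obj):
    """Recursively redact sensitive keys in dicts and lists, and key=value fragments in strings."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(scrub(v) for v in obj)
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj


class ScrubFilter(logging.Filter):
    """Attach to a handler: every record is scrubbed before it is formatted or written anywhere."""

    def filter(self, record):
        record.msg = scrub(record.msg)
        if record.args:
            record.args = scrub(record.args)   # a tuple, or a dict when a single mapping was passed
        return True


def demo_logging():
    """Send constructed records through a handler fitted with ScrubFilter; return what it emitted."""
    emitted = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            emitted.append(self.format(record))

    logger = logging.getLogger("scrub-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.addFilter(ScrubFilter())
    logger.addHandler(handler)

    # The three shapes that leak in practice: a structured argument, a raw request body and a
    # JSON-style reply; the credential values are constructed.
    logger.info("auth request %s", {"user": "alice", "password": "hunter2"})
    logger.info("raw body: user=alice&password=hunter2&remember=1")
    logger.warning('upstream reply: {"token": "abc123", "status": "ok"}')
    return emitted


if __name__ == "__main__":
    for line in demo_logging():
        print(line)
```

The filter sits on the handler rather than on a logger, so it also covers records from third-party libraries that log through the same handler; the regular expression is a safety net for free text and will not catch every encoding, which is why the structured-key rule comes first.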

What happened this time?

According to a report published last week by VPNMentor (note: VPNMentor earns affiliate revenue from links to and coupons for selected VPN companies that it recommends), its researchers stumbled across copious user logs from seven VPNs operating out of Hong Kong.

(VPNMentor named the affected services as follows: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN.)

Further digging suggests that these seven products were all rebranded from one main provider – software and IT services are often sold in this way, with the same (or very similar) code and back-end systems forming the core of offerings from several different licensees.

As you have probably guessed by now, this data wasn’t supposed to be publicly accessible, but was exposed via a cloud database – ElasticSearch, in this case – that had not been correctly configured.

According to VPNMentor, about 1 billion database entries relating to approximately 20 million users (so that’s an average of 50 items per user) were exposed, including data fields such as:

Activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info, direct Paypal API links.

So not only did these VPNs collect data that they ought not to have retained at all, such as plaintext passwords, but they inadvertently exposed it publicly.

Furthermore, VPNMentor claims that “[a]ccording to their respective websites, every VPN [on the list] provides military-grade security features and zero logs policies to reinforce their users’ information security.”

Or, it would seem, don’t follow “zero logs” processes at all.

What to do?

The burning question here, especially with many of us working away from the office these days, is, “Do I need a VPN now I’m working from home?”

We discussed this topic in our weekly Naked Security Live video, back in April 2020 when UK and US lockdowns first started.


Apple’s latest updates are out for iPhones and Macs – get them now!

When it comes to updates, Apple doesn’t do “predictable”.

Other organisations such as Microsoft, Mozilla and Adobe are well-known for publishing updates not only frequently but also regularly.

Indeed, with those companies, you don’t just get updates at least once a month (or once every four weeks for Mozilla), but the pre-announced ones are always scheduled to arrive on Tuesdays.

Never Mondays, because some big organisations have IT rules that set Mondays aside for clearing up any crises that might have happened over the immediately preceding weekend.

Never Fridays, in case of any crises that might arise in the immediately following weekend as a result.

And never Wednesdays or Thursdays, because Tuesday gives you the longest clear run of spare weekdays before Friday arrives and shuts down the so-called “change window” once again.

Apple, on the other hand, follows a more reclusive approach, so that macOS and iOS updates – with very occasional exceptions – show up unexpectedly, with no pre-announcement of the nature, scale or importance of what’s getting fixed:

For the protection of our customers, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available.

The idea seems to be to give cybercriminals the fewest hints about where the latest bugs might be, and the least amount of advance warning about where to start looking.

In other words, the crooks have very little to go on except what they can glean from reverse engineering the patches and comparing the new code to the old, and they only find out for sure what the patches look like at the same time that the rest of us can download and deploy them.

On the other hand, Apple’s cone of silence can sometimes be annoying and hard to understand, because it means that concerned users can never be quite sure when already-known bugs in open source components that ship with Apple’s products are going to be fixed.

For example, the latest update includes a patch on older macOS versions for CVE-2019-20807, a remote code execution bug in Vim, an open source text editor that ships as part of the macOS distribution and is extremely popular and widely used in the technical community:

[Update to] Vim
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: A remote attacker may be able to cause arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2019-20807: Guilherme de Almeida Suckevicz

That bug has been well-documented since early 2020, and clearly dates back to 2019, so Apple’s policy of not saying whether it’s looking into already-known vulnerabilities or not, but of keeping quiet unless and until an update turns up, leaves users uncertain as to whether:

  • Apple’s implementation of the vulnerable product is built in such a way as to be immune.
  • Apple is aware of the flaw but has decided it’s unimportant and doesn’t plan on fixing it.
  • Apple is aware of the flaw and has already patched it but just not shipped the fix yet.
  • Apple hasn’t realised that the vulnerability even exists and won’t be fixing it on that account.

Of course, we know now that Apple did know about the abovementioned Vim issue, and has patched it at last, so any users who were wondering about it can now scratch that one off their list of concerns…

…but keeping silent even about bugs that are already well-known – as well as documented and fixed by other vendors – seems a strange choice.

What’s fixed?

A few of the macOS fixes caught our eye:

  • Several file handling bugs could lead to remote code execution. Bugs that could be abused to implant malware simply by opening up a booby-trapped multimedia file were patched in several parts of the system. The CoreAudio, ImageIO, and Model I/O system libraries are all listed as having file processing bugs, but Apple hasn’t given an exhaustive list of which file formats are the risky ones. (See CVE-2020-9884, CVE-2020-9889, CVE-2020-9888, CVE-2020-9890, CVE-2020-9891, CVE-2020-9866, CVE-2020-9936, CVE-2020-9878.)

    Note that even if a bug exists in a file type that you never use, such as an arcane image or video format, you are still at risk from booby-trapped web downloads or email attachments.

    After all, the operating system knows what file types it can handle and will typically choose which file processing code to use automatically, so the crooks don’t have to rely on you jumping through hoops to figure out how to infect yourself by mistake when they send you files with extensions you’ve never heard of.

  • A bug in the macOS Crash Reporter could allow a sandbox escape. The sandbox is used to prevent software from using parts of the system that it will never need, thus minimising the damage it can do, even by accident. So there’s a wry irony that the very tool that’s supposed to help you submit security reports to Apple could be abused by a malicious app to let it wriggle out of those sandbox safety constraints. (See CVE-2020-9865.)
  • Several kernel-level bugs that could lead to remote code execution at the highest privilege. Implanting malware via a kernel exploit gives an attacker much more control than just taking over a regular user account, and more even than getting an administrator-level (root) login. (See: CVE-2020-9799, CVE-2019-14899, CVE-2020-9864.)
  • A VPN hole that could let someone mess with encrypted network traffic. In Apple’s words, “an attacker in a privileged network position may be able to inject into active connections within a VPN tunnel.” (CVE-2019-14899.)

There are also a bunch of fixes in Safari, including patches for remote code execution vulnerabilities, that you need to download separately if you are still using macOS Mojave or High Sierra. (On the latest version, macOS Catalina, the Safari update arrives along with the main macOS patches.)

Users of iOS 13 on iPhones and iPads get an update to 13.6 covering many of the bugs listed above, given that macOS and iOS share a huge amount of code.

The iOS 12.4.8 update, however, which is the only pre-13 iOS version still supported, “has no published CVE entries”, according to Apple, which implies that it received little more than a touch of spit-and-polish.

What to do?

Get the updates while they’re hot!

There’s nothing here that sounds anywhere near as dramatic as Microsoft’s just-patched “SIGRed” bug in its DNS server, but that bug admittedly attracted special attention as much because of its funky name (dramatically channeling the “Code Red” worm of 2001) as because of its current danger.

Kernel-level remote code execution risks like the ones listed above are always worth patching as quickly as you can, because they can be considered trophy bugs for any cybercriminal.

A crook who figured out a working exploit for any of the kernel holes mentioned would almost certainly (and immediately) find any number of willing buyers on the dark web.

On a Mac, go to Apple menu > System Preferences > Software Update.

On iPhones and iPads, it’s Settings > General > Software Update.

After the update, depending how many Apple devices you have, you should be on some, many or all of: iOS 12.4.8, iOS 13.6, macOS 10.15.5 (if you are on Catalina), macOS 10.13.6 with Security Update 2020-004 (High Sierra), macOS 10.14.6 with Security Update 2020-004 (Mojave), and Safari 13.1.2.

