
Thunderspy – why turning your computer off is a cool idea!

This month’s Bug With An Impressive Name, or BWAIN for short, is Thunderspy.

As well as a cool name, Thunderspy also has its own logo, its own domain name, its own website and a “recorded live” video showing a Thunderspy attack in action.

There’s also a technical paper that’s detailed but nevertheless readable, by security researcher Björn Ruytenberg from Eindhoven University of Technology in The Netherlands.

As you’ve probably guessed, Thunderspy gets its name from Thunderbolt, a type of hardware interconnection system for plugging high-performance external devices into your computer.

You might wonder why Thunderbolt ever came along in a world that already has USB, Display Port, HDMI and other methods of connecting almost any peripheral to your computer that you might want, including microphones, webcams, headphones, screens, keyboards, mobile phones, scanners, printers, memory sticks and hard disks.

The answer, as with so many features in modern devices, is performance.

Thunderbolt doesn’t just let you plug devices into your computers so they can communicate with one another – it pretty much lets you hook up devices directly to the internal memory bus of the computer, as if you had taken the lid off your gaming desktop and plugged a PCI card directly into one of the slots on the motherboard.

Whatever you can do with USB (and these days, that is plenty) you can do even faster with Thunderbolt, all without needing to open up your computer and find a free bus slot – which also means you can use Thunderbolt on laptops that aren’t meant to be opened up and don’t have internal expansion slots anyway.

Interestingly, Thunderbolt was originally designed to use fibre optics to improve data throughput, and was known as Light Peak.

During development, however, it was adapted to run over regular copper wires, which meant that Thunderbolt ports could easily carry both data and power, making them more convenient for use in portable devices such as high-speed hard disks or video capture cards.

To avoid introducing yet another connector, the first two incarnations of Thunderbolt use Display Port connectors, while the latest Thunderbolt 3 connectors are the same as USB-C – those thin, round-ended USB cables that have identical, symmetrical connectors on each end and can therefore very conveniently be plugged in either way up and either way around.

The major difference between Thunderbolt and USB is that Thunderbolt ports support what’s called DMA, short for direct memory access, which means that a Thunderbolt device, if suitably configured and authorised, can read data straight out of system memory at blindingly fast speeds, without having to defer to the computer’s own processor or operating system.

Data can flow in the other direction too, so Thunderbolt devices, in theory at least, can poke blocks of data straight into system memory for the operating system to consume later on.

That’s immensely powerful, and gives astonishing data throughput results…

…but it comes with a security risk, namely that an untrusted device that was accepted by your computer might be able to bypass pretty much all the security enforced by your operating system.

Indeed, DMA has also been a boon to law enforcement over the years, right back to the risky old days when computers were electrically less resilient than they are now, and before Thunderbolt brought direct-to-RAM connectivity out to a small and convenient external port.

Forensic investigators who could get access to computers while the power was still on could plunge PCI cards right into bus slots on live motherboards to grab data from the running system for subsequent analysis.

But in regular life, you don’t want just anyone to be able to sneakily plug a Thunderbolt cable into your laptop while your back is turned and quietly suck out the memory contents of all your running apps onto a storage device in their pocket.

As a result, Thunderbolt-equipped computers come with numerous hardware-level protections that let you limit the ease with which external devices can get access to the computer’s RAM.

Circumventing the checks

Ruytenberg describes in his paper, however, how an attacker with physical access to your computer could work around several of these hardware protections.

This means that even if you have set your Thunderbolt security to prevent unauthorised passers-by from plugging in memory-scraping hardware tools…

…then a crook might, admittedly with some difficulty and a few minutes of hard-to-disguise fiddling, be able to turn off the security settings and attack your computer via the Thunderbolt port anyway.

The attack shown in his video relies on a series of steps something like this:

  • Wait for the victim’s laptop to go into sleep mode and then open it up with a screwdriver. (Fairly easy and under a minute’s work on some models.)
  • Remove the back of the computer and find the flash chip (permanent storage) that contains the Thunderbolt firmware. (Not too difficult on many laptops.)
  • Connect a piggy-back connector to the pins on the flash chip and read out its contents. (No desoldering required.)
  • Put the laptop back together. (Not needed if you have plenty of time and won’t get spotted with the computer in pieces.)
  • Take the firmware image away and, at your leisure, modify its internal data, for example so that it now trusts devices with different hardware identifiers, or so that it runs with its security controls at the most liberal level.
  • Repeat the first four steps but this time write the modified firmware back to the Thunderbolt flash chip.
  • Later on, at your leisure, plug in a rogue Thunderbolt direct memory access device and profit.

In particular, Ruytenberg’s proof-of-concept video shows a rogue Thunderbolt device being used on a laptop that, when woken from sleep, was stuck (apparently safely) at the Windows lock screen.

The rogue hardware device, which would normally have been ignored by the computer thanks to the Thunderbolt hardware settings, was given direct access to system memory, at which point it implanted a rogue software driver directly into the Windows operating system kernel that skipped past the lockscreen without needing the password.

Bingo, passwordless access to a locked computer!

What went wrong?

Interestingly, as Ruytenberg points out in his paper, this sort of attack really shouldn’t work, not least because the Thunderbolt system includes cryptographic protection that is supposed to stop unauthorised firmware from being accepted by the motherboard.

After tweaking the firmware in step 5 above, which invalidated its digital signature, Ruytenberg couldn’t re-authorise it because he would have needed a private signing key known only to Intel.

However, he found that the firmware certificates are apparently verified only when the firmware is updated via official means, e.g. via the computer’s BIOS.

The certificates aren’t re-validated every time the computer wakes up from sleep mode, or even every time it’s booted up, so that when the computer woke up with the Thunderbolt ports less secure than when it shut down, it didn’t notice.
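The verification gap described above, simulated as an added example (not code from the paper, from Intel or from Sophos): a firmware image carrying a security-level field is signed by the vendor, the vulnerable controller checks that signature only on the official update path, and the hardened variant re-checks it every time the ports are brought up after sleep or boot. HMAC with a constructed key stands in for the vendor's public-key signature, and the level numbers follow Thunderbolt's SL0/SL1 naming.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor-only signing key; not a real key.
VENDOR_KEY = b"constructed-vendor-signing-key"

# Thunderbolt security levels: SL0 = no security (any device may use DMA),
# SL1 = the user must authorise each new device.
SL0_NONE, SL1_USER = 0, 1


def sign(image: dict) -> bytes:
    """Vendor-side signing over a canonical serialisation of the image.
    HMAC stands in for the asymmetric signature a real controller uses."""
    payload = json.dumps(image, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, payload, hashlib.sha256).digest()


def verify(image: dict, sig: bytes) -> bool:
    """Controller-side check that the image is the one the vendor signed."""
    return hmac.compare_digest(sign(image), sig)


class Flash:
    """SPI flash holding the firmware image and its signature. Physical
    access to the chip's pins allows these fields to be rewritten."""

    def __init__(self, image: dict, sig: bytes):
        self.image = dict(image)
        self.sig = sig


class Controller:
    """verify_on_wake=False models the gap the paper reports: the signature
    is checked on the official update path only."""

    def __init__(self, flash: Flash, verify_on_wake: bool):
        self.flash = flash
        self.verify_on_wake = verify_on_wake

    def official_update(self, image: dict, sig: bytes) -> None:
        """Firmware update via BIOS/OS: both variants verify here."""
        if not verify(image, sig):
            raise ValueError("firmware signature invalid: update rejected")
        self.flash.image = dict(image)
        self.flash.sig = sig

    def wake(self):
        """Bring the ports up after sleep or boot. Returns the security level
        that will be enforced, or None if tampered firmware is refused."""
        if self.verify_on_wake and not verify(self.flash.image, self.flash.sig):
            return None  # hardened: keep the ports (and DMA) disabled
        return self.flash.image["security_level"]


def scenario(verify_on_wake: bool) -> dict:
    """Replay the article's sequence against one controller variant."""
    genuine = {"version": "1.0", "security_level": SL1_USER,
               "trusted_devices": ["dock-0001"]}
    ctrl = Controller(Flash(genuine, sign(genuine)), verify_on_wake)
    level_before = ctrl.wake()

    # Image with security lowered to SL0, as in step 5 of the article.
    tampered = dict(genuine, security_level=SL0_NONE)

    # Via the official path with a bogus signature: rejected by both variants,
    # which is what the paper reports (re-signing needs the vendor key).
    try:
        ctrl.official_update(tampered, b"\x00" * 32)
        update_accepted = True
    except ValueError:
        update_accepted = False

    # Written straight to the flash chip, bypassing the update path: the old
    # signature stays behind and no longer matches the image.
    ctrl.flash.image = tampered
    return {"level_before": level_before,
            "unsigned_update_accepted": update_accepted,
            "level_after_wake": ctrl.wake()}
```

Running `scenario(False)` shows the vulnerable controller waking at SL0 with the tampered image, while `scenario(True)` refuses to bring the ports up.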

Ruytenberg’s article also details numerous other related weaknesses that could allow unauthorised tampering with the Thunderbolt system.

What to do?

The Thunderspy name makes this situation sound pretty dramatic, but it’s important to remember that the attacks that Ruytenberg describes can’t be pulled off remotely, so phishing attacks and rogue websites can’t use them – unless a website could persuade you to open up your own laptop and hack it yourself.

However, if you’re worried about how vulnerable you might be when coronavirus lockdown ends and you are back on the road with your laptop, there is one simple change you can make to your digital lifestyle: shut your computer down when you travel instead of just putting it into sleep mode.

It’s less convenient, to be sure, but it’s much more secure – and with a bit of effort, you should be able to get a modern laptop’s boot-up-from-cold time down to a few seconds rather than a few minutes.

After all, Ruytenberg’s lock screen bypass only makes sense if the hard disk decryption password has already been entered, the operating system is already running, and there is a lock screen to bypass in the first place.

Thunderspy or no Thunderspy, a powered-on computer that can be woken from sleep just by touching a key inevitably has its RAM chips packed full of juicy secrets.

Secrets in your laptop’s RAM can’t be read out, by fair means or foul, if they aren’t there in the first place.


Latest Naked Security podcast

Huge toll of ransomware attacks revealed in Sophos report

Ransomware might be a dreadful enterprise, but nobody could accuse the criminals behind these attacks of being weak on customer service.

They’re always easy to communicate with – just email the address on the screen. And while it’s true they don’t offer many payment options, the one they do, Bitcoin, is fast and reliable to transact in.

Best of all, according to The State of Ransomware 2020 global study conducted earlier this year on behalf of Sophos, organisations that decide to pay get their data back in an efficient 94% of cases.

What’s the catch? Only greater expense in the long run, major business disruption, the possibility of ongoing regulatory oversight for years, and the small matter of public humiliation and lost business should an attack come to light (which increasingly it does thanks to the attackers).

The research questioned 5,000 IT managers from 26 countries (500 from the US and 200 from the UK) in a range of sectors and company sizes from 100 to 5,000 employees.

That’s a healthy sample size, whose results underline one of the most interesting facts about ransomware that can get lost in the headlines – it now affects anyone, anywhere.

It doesn’t seem to matter how big an organisation is, nor which sector or country you look at. Ransomware is ubiquitous, with half of organisations in the research having experienced an attack during 2019, three quarters of which had their data encrypted.

Ironically, this is despite organisations tightening security to reduce trivial attacks.

How did ransomware respond? By spending more time targeting companies by researching less obvious weaknesses, looking to exploit several at the same time.

Overall, the research found that while a malicious file download or link was still the biggest danger (29% of successful attacks), other methods such as remote attacks on servers (21%), unsecured Remote Desktop Protocol (9%), external suppliers (9%), and infected USB drives (7%) were also popular.

Cloud repositories and applications are another big target, with 59% of those successfully attacked mentioning that cloud data was targeted in some form.

Only one in four victims decides to pay the ransom, which is most often done by a cyber-insurance company rather than the victim. However, only around two thirds of US victims find they can claim on insurance, with 20% of organisations paying for coverage they end up being unable to activate.

Don’t pay ransoms

Importantly, research found that paying ransoms costs more than reinstating data using backups.

Some might doubt that – downtime is often said to be the most expensive part of a ransomware attack – but the reason is simply that the cost of recovery is always high at an average of $732,000. Paying the ransom on top of that simply doubles the bill.

Now you can see why ransomware attacks almost always send back encryption keys when paid – any doubt in the mind of victims would quickly destroy the whole extortion racket as companies knuckled down to do the hard work themselves.

Anxiety over this might explain why more and more ransomware attackers have recently started threatening to leak sensitive data stolen during the attack as an extra incentive to pay up.

What to do

Far from being a counsel of despair, it’s clear that organisations can limit the effect of ransomware attacks by assuming an attack is inevitable and planning for it.

Our advice:

  • Make and test a backup plan, including storing data offsite where attackers can’t locate it.
  • If you’re buying cyber-insurance, make sure it covers ransomware.
  • Don’t forget to protect data in the cloud as well as central data.
  • Use dedicated anti-ransomware protection. Twenty-four percent of survey respondents that were hit by ransomware were able to stop the attack before the data could be encrypted.
  • Lock down Remote Desktop Protocol (RDP). Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Pick strong passwords and use multi-factor authentication as often as possible. And don’t re-use passwords, ever.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.

It’s also worth reading Naked Security’s advice on common mistakes that make ransomware easier to pull off from the attacker’s point of view. For more detailed advice, please check out our end of ransomware page.



Celebrity personal data taken in ransomware attack

Today’s big ransomware story is a star-studded affair, according to entertainment news website Variety.com.

Variety says that the law firm Grubman Shire Meiselas & Sacks, or just gsmlaw.com for short, has experienced a ransomware attack that apparently involved the appropriately named REvil malware.

Rather than simply knocking the law firm out of action temporarily, the ransomware crooks are said to have stolen personal data from a laundry list of celebrity clients, too – allegedly more than 750GB in total including contracts, contact information and “personal correspondence”.

The gsmlaw.com website is as good as offline right now [2020-05-11T14:15Z], with just a logo on display and the main menu of the website commented out entirely (the green text below denotes HTML comments):

HTML extracted from gsmlaw.com main web page at 2020-05-11T14:15Z.
Green text denotes HTML code that has been commented out.

Variety’s headline drops the names Lady Gaga, Madonna, Bruce Springsteen as customers who were affected, but the article itself lists many more:

Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” and Run DMC. Facebook also is on the hackers’ hit list.

REvil, also known as Sodin or Sodinokibi, isn’t just operating on the old-school ransomware model of “scramble your files and offer to sell you back the decryption key”.

The latest trend in ransomware attacks is to use a double-barrelled weapon that gives victims two reasons to pay up.

The original criminal plot behind ransomware was that if you didn’t have reliable backups that you could restore quickly, then you might have little choice but to pay up to decrypt all your scrambled files and get your business moving again.

Indeed, by breaking into your network first and taking time to prepare an attack that scrambles most or all of your computers at the same time, cybercriminals aim to cause the most significant disruption that they can.

That has led to some eye-watering ransom amounts, with demands over $1,000,000 very common these days.

In recent months, however, the crooks have doubled down on their leverage.

Before scrambling all your files as a way of grabbing your attention, the crooks quietly upload huge troves of so-called “trophy data” that they use to blackmail anyone who is hesitant to pay up.

In other words, the financial extortion is no longer just a “kidnap ransom” to get your files back, but also a blackmail demand to stop the crooks leaking your data – or, worse still, your customers’ data – to the world.

The modus operandi seems to be to leak what you might call a proof-of-concept sample first, as a way of convincing the victim that the data really did get exfiltrated…

…and then let more and more go as part of the “bargaining” process to persuade the victim into negotiating.

Indeed, the REvil crew has already followed through on its threats to embarrass victims who don’t pay.

Less star-studded but no less worrying is a simultaneous report that global mailing equipment company Pitney Bowes has experienced an attack by the Maze ransomware.

Maze is another cybercrime gang that goes in for huge ransoms and threatens to expose stolen data, infamously demanding about $6,000,000 last year from cable and wire manufacturer Southwire.

Southwire hit back by filing a so-called John Doe (the name used in the USA where defendants haven’t yet been identified) civil lawsuit against the as-yet-unknown criminals behind Maze.

What to do?

Given that ransomware crooks are no longer just keeping you away from your data but also threatening to put the rest of the world in touch with it, prevention is very much better than cure.

Our top tips are:

  • Patch early, patch often. Crooks who pull off all-your-network-at-once attacks can afford to spend time probing for any existing holes they know about. Make it harder for them by patching known bugs as soon as you can.
  • Check that you don’t have unexpected ways into your network. It’s OK to use technologies such as RDP and SSH for remote administration – just make sure your only remote login portals are where you expect them to be and are set up as you intended, for example within a VPN (virtual private network).
  • Watch your logs. Ransomware attacks that steal masses of data first, and where the crooks carefully learn their way around your network, very often leave telltale signs that someone is hanging around where they shouldn’t.
  • Set up an early-warning email address for staff. Crooks often use phishing emails to dig for passwords or data they aren’t supposed to have in order to find their way in. The crooks very rarely send emails to a single person in an organisation, so one alert staffer who raises the alarm could warn 50 colleagues who might otherwise be in harm’s way.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.


Clearview AI won’t sell vast faceprint collection to private companies

Clearview AI – the web-scraping, faceprint-amassing biometrics company that’s being sued over collecting biometrics without informed consent – says it’s no longer going to sell access to its program to a) private entities or b) any entity whatsoever that’s located in Illinois.

Clearview’s artificial intelligence (AI) program can identify someone by matching photos of unknown people to their online photos and the sites where they were posted. Clearview AI founder and CEO Hoan Ton-That has claimed that the results are 99.6% accurate.

The company’s change of heart was revealed in court documents submitted during the course of a class action suit against Clearview that was filed in Illinois in January. It’s just one of multiple suits: Clearview’s also up against similar lawsuits in Vermont, New York and California.

The Illinois suit charges the company with breaking the nation’s strictest biometrics privacy law – Illinois’s Biometric Information Privacy Act (BIPA) – by scraping some 3 billion faceprints from the web to sell to law enforcement and to what’s turned out to be a motley collection of private entities, including Macy’s, Walmart, Bank of America, Target, and Major League Baseball team The Chicago Cubs.

From a court declaration made by Clearview legal counsel Thomas Mulclaire and filed on Wednesday:

Clearview is in the process of cancelling the accounts of every remaining user who was not either a law enforcement body or other federal, state, or local government department, office or agency. At the same time, Clearview is in the process of cancelling all user accounts belonging to any entity located in Illinois.

The suit contends that Clearview violated BIPA by using biometric data for commercial purposes and is seeking a temporary injunction that would prevent the company from using the information of current and past Illinois residents for its facial recognition program.

BuzzFeed investigations have shown that Clearview’s been happy to try to drum up new business by handing out free trials to friends, potential political allies, and hundreds of private companies, some of which converted to paying customers.

In February, BuzzFeed reported that at the time, Clearview was working with more than 2,200 law enforcement agencies, companies, and individuals around the world, including the US Justice Department, the US Immigration and Customs Enforcement (ICE), the FBI, US Customs and Border Protection (CBP), Interpol, hundreds of local police departments, and the National Basketball Association (NBA).

In other words, at least up until things started getting sticky with legal and regulatory matters, Clearview threw its technology at anybody and everybody, in spite of Ton-That having said that

It’s strictly for law enforcement.

As of February, BuzzFeed was reporting that Clearview had been aggressively pursuing clients outside of law enforcement, including in law, retail, banking, and gaming, and that the company had been trying to gain traction outside of the US and Canada by pushing into Europe, South America, Asia Pacific, and the Middle East.

Small wonder that the company’s turning tail and running from the land where biometrics companies are being forced to their knees over privacy issues. Facebook, for one, has had to face the BIPA music to the tune of $550 million.

That’s how much it agreed to pay to settle a BIPA suit brought over the platform’s practice of scanning a user’s face in photos and offering tagging suggestions. Vimeo is also facing a BIPA lawsuit for storing people’s photos without their say-so.

How do you block out Illinois? Clearview’s attorneys told the Illinois court that the company has blocked all photos that were geotagged as having been uploaded in the state, or that have metadata (known as EXIF data) associating them with a geolocation within Illinois. They won’t appear in any search results, the company promised, nor can anybody query the database in a way that will return Illinois images, outside of document retention guidelines relevant to court requirements.

But as BuzzFeed notes, it’s unclear how Clearview will manage to sequester Illinois residents from searches on its database, given that many of the social media websites that have fattened its database with their images—such as Instagram, Facebook, and Twitter—typically strip metadata from photos once they’re posted. As it is, many of those companies – including Facebook, Google and YouTube – have ordered Clearview to stop scraping their sites.

On Wednesday, Clearview also said, in an 18-page memo to oppose the preliminary injunction, that it would no longer collect biometric data from images stored on servers that are displaying Illinois IP addresses or from websites with URLs containing keywords such as “Chicago” or “Illinois.” The company says it’s also implementing an opt-out mechanism to enable people to have their photos excluded from its database.

It’s taking these voluntary steps to comply with state law, it said, so the judge has no need to grant the injunction ordering it to leave Illinois residents in peace, free from its faceprint hoovering.


Microsoft opens IoT bug bounty program

Microsoft really wants to secure the Internet of Things (IoT), and it’s enlisting citizen hackers’ help to do it. The company has launched a $100,000 bug bounty for people who can break into Azure Sphere, its security system for IoT devices.

Microsoft first announced Sphere at the RSA conference in April 2018. It’s an IoT ecosystem encompassing both connected devices and the cloud service that controls them.

In August the following year, it launched the Azure Security Lab, which offers resources to ethical hackers and runs regular security research challenges. The latest, the Sphere Security Research Challenge, lets bug hunters talk directly to Microsoft’s technical team as they try to break into Sphere.

Microsoft Sphere consists of three parts. The first is Sphere OS, a hardened custom version of Linux produced by Microsoft. It runs on the second component, custom silicon produced by Microsoft partners including MediaTek, NXP, and Qualcomm. It communicates with the third part, which is a Sphere security service running in the Azure cloud that manages security across a fleet of connected devices. That cloud-based service uses digital certificates to authenticate connected devices, and also manages secure device update services.

IoT manufacturers can build the chip and the Sphere OS into their own devices (which you might do if you were going to produce a brand new device for mass deployment) or they can connect existing IoT hardware through a Sphere-based gateway module that Microsoft developed.

There are two $100,000 prizes. The first goes to anyone who can execute code on Pluton, which is the security subsystem providing a root of trust on the Sphere microcontroller. This system, which features security measures that Microsoft learned while building the Xbox chip, runs a secure boot process that loads other software components before providing runtime services.

The second $100,000 prize goes to anyone who can run code in Secure World. This is one of two operating modes for Sphere devices, and is a restricted access mode that only runs Microsoft-supplied code. The Security Monitor that runs in Secure World brokers access to Pluton and protects sensitive hardware like memory. User applications run in a less restricted area of the Sphere OS known as Normal World.

This isn’t a free-for-all bug bounty. It’s a three-month initiative running from 1 June until 31 August and it’s open only by application. Interested parties must apply by 15 May 2020. The attack scenarios are also restricted (you can’t physically attack the device, for example).

The Sphere challenge also lists several attacks that won’t win the $100,000 prize but which will trigger payouts under Microsoft’s existing bug bounty program for Azure, with bonus payments of up to 20%. These include running code on networkd (a Linux networking daemon), spoofing device authentication, or unexpected elevation of privilege. If you can alter software and configuration options that you’re not supposed to, or alter the firewall built into the microprocessor hardware and cause a Sphere device to communicate with an unauthorised destination, that’ll also earn a payout.

