Perpetual IT

Five alleged members of hacking group InfinityBlack got some unexpected visitors last week when Polish law enforcement arrested them.

InfinityBlack was a hacking group that specialised in stealing and distributing sets of online credentials known as combos, especially for loyalty rewards points accounts. It would sell them to other gangs who would then exchange the points for products, said a Europol press release announcing the arrests.

The hackers ran the operation like a business, with different teams handling individual functions. The whole thing was fronted by an online service selling subscriptions to access stolen data. The development team created tools to test the quality of the stolen data, and a testing team analysed its suitability for distribution, said Europol. A project management team handled the business end, distributing subscriptions for cryptocurrency payments and converting the data into digital cash.

Someone in the group – we’re guessing the developers – wrote a script that compromised customer accounts in Switzerland. They sold the data on to Swiss users, some of whom were minors, who then tried to use them in shops. Swiss police collared them in five arrests in between 30 April and 2 May. After searching seized computers, they obtained enough data to trace the sale back to the Polish hackers. They passed on the information to Polish police, who made the arrests on their side.

The police seized over €100,000 in assets during raids across five regions in the country. That included electronic equipment, external hard drives and hardware cryptocurrency wallets. Police also closed down two platforms with over 170 million records.

The stolen data hadn’t all been used. Europol estimates that €50,000 in loyalty points had been lost (presumably spent) already, but the compromised accounts contained around €610,000 in points overall, it said.

Some of the combos sold by Infinity Black seem to have turned up in #Collection 1, an 87Gb collection of 1.16bn combos that surfaced online in January 2019. One online criminal claimed to have leaked the data after seeing it for sale elsewhere. He reportedly said:

I leaked whole of it because seller shared my infinity black combos in that storage[sic]

The arrests are a palpable hit for the European police, who are fighting a Sisyphean battle against online crooks. In its October 2019 report on internet organised crime, Europol recommended improved coordination of undercover online investigations to help track down dark market sellers, who it said are becoming increasingly fragmented and difficult to follow.

Latest Naked Security podcast

Firefox just published its latest now-every-fourth-Tuesday release, bringing numerous security fixes, including three denoted critical.

The 76.0 release also comes with fanfare for new features that have been added to Firefox’s own password manager, with the coronavirus pandemic clearly being the unstated reason for trumpeting these features now:

There’s no doubt that during the last couple of weeks you’ve been signing up for new online services like streaming movies and shows, ordering takeout or getting produce delivered to your home. All of those new accounts need unique, strong passwords to be secure, which you can now generate, manage and protect more easily with Firefox Lockwise.

Lockwise is Firefox’s combined mobile phone and browser-based password manager that now alerts you if it thinks you may have been affected by a data breach.

Mozilla says that Firefox will tell you automatically if it thinks one of the websites where you have an account has been hit by a data breach.

Unsurprisingly, that’s called a Website Breach warning and it’s triggered if the last time you changed your password on a website was before the breach happened:

Also making its debut is a Vulnerable Password warning, something that none of us should need but many of us could probably nevertheless do with:

That tells you if any of your other passwords match the password you were using on a site that “was likely in a data breach”.

Ideally, we’d like to see that warning come up every time you start your browser when any two of your passwords are the same, so that you get a regular and firm prod to change both of them to something fresh, complex, and unique.

But Firefox’s slightly gentler approach is probably a better place to start.

(We’re guessing that if you have one password you use on lots of accounts, it’s because you think they are “throwaways” and so you probably use a short and obvious password too – but there’s no need to choose a trivial password when your password manager can generate and remember complex ones easily.)

Of course, if you already have a password manager you’re happy with, or you have an incredible memory for c0MPlic4ted sTR!nZ OV unu5$l t3KSt, then you won’t be interested in these new features, but you need the upate anyway for the security fixes in it.

As we mentioned above, three of the 11 CVE-numbered security fixes are dubbed critical:

• CVE-2020-12387: Use-after-free during worker shutdown. This is listed as causing “a potentially exploitable crash”, which suggests that with enough skill, a crook might be able to use this bug to implant malware.
• CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens. A sandbox escape means that rogue content on a web page might be able to escape from the security controls by which the browser keeps data from different websites apart, and stops untrusted web pages interacting with trusted parts of your computer such as data stored on your hard disk.
• CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8. This is Firefox’s usual “catchall” vulnerability and this one covers eight different bugs found during the routine security reviews and testing that Mozillans carry out.

Note that the second vulnerability above is specific to Firefox on Windows, though please don’t use that as a reason to defer the update if you have a Mac or a Linux/Unix computer.

There’s a separate entry, CVE-2020-12395, flagged high rather than critical, covering five bugs that were found in Firefox 75 but not in 68.7 Extended Support Release (ESR), reminding us all that new features sometimes do bring new bugs.

The Tor Browser, which is based on Firefox ESR, also gets an update, somewhat confusingly moving from 9.0.9 to 9.0.10.

(If you are a Tor user, you can check which Firefox release your current Tor is based on in the About Tor Browser dialog.)

What to do?

Same as usual: go to Help > About Firefox (or About Tor Browser) to see if you are up to date.

If not, the update will be fetched for you and you’ll prompted to update – restarting Firefox will automatically apply the update and reload the new version.

If you’re a Linux or xBSD user with a Firefox build that is provided by your distro, you’ll need to check back with your own distro’s update servers to find and fetch any available Firefox fixes.

Latest Naked Security podcast

Researchers have poked another small hole in air gapped security by showing how the electronics inside computer power supply units (PSUs) can be turned into covert data transmission devices.

Normally, if a computer is physically isolated from other computers it is seen as being more secure because there is no channel for data to be transmitted in or out of the device.

Used for decades by the military, today the concept is now often used to secure computers used for secure tasks such as internal bank transfers, or to isolate medical equipment controlled by software such as MRI scanners.

However, the famous Stuxnet attack on Iran in 2010 showed how air gapping could be beaten using infected USB sticks, since when researchers have started exploring more unusual methods to achieve the same end.

The latest technique, called POWER-SUPPLaY by Mordechai Guri of Ben-Gurion University of the Negev in Israel, involved malware manipulating the current in the PSU’s electrical components to generate ultrasonic sound waves.

This, apparently, is the phenomenon of the “singing capacitor”, through which the PSU can be turned into a speaker of sorts.

Although the volume of data that can be communicated in this way is a tiny 50 bits/sec, Guri has posted a video as a simple proof-of-concept that demonstrates how even this modest throughput can still transmit characters, including passwords, typed on the target computer to a nearby smartphone.

[embedded content]

None of this would be audible to someone using the target computer, or detectable by conventional security, which might be useful in specific types of attack scenario:

This technique allows sonic and ultrasonic audio tones to be generated from a various types of computers and devices even when audio hardware is blocked, disabled, or not present.

A big limitation is that the range is as small as the data throughput – barely five metres at most – which would surely limit its usefulness. Background noise would limit this even more.

It was also beyond the scope of the research to come up with a way of sneaking the malware that generates the signal on to the air gapped computer.

What the research does achieve, however, is to add to the lengthening and ever more ingenious methods researchers at Ben-Gurion University of the Negev have found to sneak data out of computers using almost any component.

This includes using speakers, PSU fans, hard drive LEDs, keyboard LEDs, infrared cameras, and even a technique for exfiltrating data from devices inside Faraday cages that block all electromagnetic signals – and this list is by no means exhaustive.

It seems no air gap is good enough to stop these researchers even if all of them would be difficult to use in real-world scenarios.

Where does this leave air gaps as a concept?

The US Defense Advanced Research Projects Agency (DARPA) is now concerned enough about the attacks to fund research into how computer isolation could be re-thought.

The fundamental problem is that computing devices are now too complex at every level of their design and operation for air to offer the isolation it once did.

There are too many components with unusual properties, while even simple devices such as those found on Internet of Things (IoT) networks can run complex software.

Finding ways to beat air gaps might seem like an esoteric subject but understanding the possibilities could yet redefine how the next generation of hopefully ultra-secure computers is specified.

Latest Naked Security podcast

Web hosting behemoth GoDaddy just filed a data breach notification with the US state of California.

The breach letter that’s now part of the public record is just a template, with blanks for the name of the recipient and for a phone number relevant to their region, but it sets out what’s known so far.

If you’re a GoDaddy customer, you’ll know if you were on the list of affected accounts if you see a message like this:

Subject: Security Incident Impacting Your GoDaddy Web Hosting Account
[…]
We need to inform you of a security incident impacting your GoDaddy web hosting account credentials. We recently identified suspicious activity on a subset of our servers and immediately began an investigation.

The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account. We have no evidence that any files were added or modified on your account. The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.

There’s more, including a warning that your account information was reset and how to get back into your account, but from a technical point of view – what actually happened and how the breach was detected – there is only the above text to go on.

Clearly this isn’t just a case of credential stuffing, where accounts were accessed because their passwords were the same as the passwords used on other services that had already been breached, or GoDaddy wouldn’t have filed a breach notification.

Also, what’s not obvious from the breach letter (though it is stated on the State of California’s website), is that the breach dates back to October 2019.

In other words, even though resetting your account at this stage was something that GoDaddy needed to do, any crook or crooks who knew your login details could, in theory, have been riffling through your stuff for more than six months.

That’s why GoDaddy also “recommend[s] you conduct an audit of your hosting account”.

That should include looking through your logs for modifications you didn’t expect, especially changes to or additions of files such as PHP scripts, HTML pages, JavaScripts and server plugins.

(When you’re doing an audit for one reason, you might as well be on the lookout for trouble that could have started for other reasons while you’re about it – such as unpatched software or incorrectly configured server options.)

What we can’t tell you is how the “unauthorized individual” mentioned above got access to the illicit data, what that “login information” actually entailed, and what sort of access they actually effected, if any.

We are assuming that GoDaddy’s suggestions that no files “were added or modified” is reasonable – no matter how little else is known as this stage of the investigation, we suspect that unlawful alterations would have been detectable in some way, somwhere in the company’s logs.

We don’t know how many files, if any, the intruder was able to riffle through and perhaps even to make off with, but we’re assuming that GoDaddy may have more findings to reveal in the future.

Figuring out all the many things that could have happened but didn’t is often the hardest part of any follow-up, and GoDaddy’s investigation is still going on.

What next?

GoDaddy is offering affected customers access to some of its add-on services for free, namely the products it calls Website Security Deluxe and Express Malware Removal.

You might as well try them out – if you end up not using them you have lost nothing, but you might find that they find problems you would otherwise have missed, such as long-outdated web server plugins or software that you forgot to patch.

Latest Naked Security podcast