Category Archives: News

49 malicious Chrome extensions caught pickpocketing crypto wallets

Google has kicked 49 malicious Chrome browser extensions out of its Web Store that were posing as cryptocurrency wallets in order to drain the contents of bona fide wallets.

The extensions were discovered by researchers from MyCrypto – an open-source interface for the blockchain that helps store, send and receive cryptocurrency – and from PhishFort, which sells anti-phishing protection.

On Tuesday, Harry Denley, MyCrypto Director of Security, said that malicious browser extensions aren’t new, but the targets in this campaign are: they include the cryptocurrency wallets Ledger (57% of the bad extensions targeted this wallet, making it the most targeted of all the wallets, for whatever reason), Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.

Denley said that essentially, “the extensions are phishing for secrets,” including users’ mnemonic phrases, private keys, and keystore files, which hold cryptographic keys and are used for things like identifying app developers or for SSL encryption.

Denley said that once a user entered those secrets, the malicious extensions sent an HTTP POST request to the backend, which is where the bad actors got their hands on the secrets and used them to vacuum out wallets.

MyCrypto identified 14 unique command-and-control servers (C2s) receiving data from compromised systems. After running fingerprinting analysis on the servers, the researchers found that some of them were linked. That means they likely had common bad actors pulling multiple servers’ levers.

While some of them sent the phished data back to a GoogleDocs form, most hosted their own backend with custom PHP scripts, Denley said. You can see a list of the servers here on his post.

Most of the domains are brand new: 80% of them were registered in March and April. The oldest domain, ledger.productions, is the most interconnected to other servers. That gives researchers some indication of the same backend kit or the same actors running the campaign for most of the extensions.

One of the servers gave off a few clues about the campaign, if in fact those clues can be taken at face value. For one thing, it looks like the crypto wallet raiding campaign could have roots in Russia, given that an admin’s email ends in “r.ru”.

MyCrypto published a video showing how a malicious extension targeting MyEtherWallet users works.

Denley said that the process mimics a typical MyEtherWallet experience, until a user types in their secrets. The malicious app sends them back to the C2s, then routes the user back to the default view, and then does … absolutely nothing.

That results in either a frustrated user who submits their secrets again, or maybe even feeds the malware new secrets; or a user uninstalling the extension and forgetting about it until their wallet has been drained dry. The “drained dry” outcome is likely to happen only after the extension has been removed from the store, meaning that a ripped-off user can’t investigate where their security hole was, Denley said.

Some of these nasty extensions have been rated up by a network of bogus reviewers dishing out fake 5-star reviews. The reviews were cursory and low-quality, such as “good,” “helpful app,” or “legit extension.”

Denley says that one extension – MyEtherWallet – had the same “copypasta”, with the same review posted about 8 times and purportedly authored by different users. All of the reviews shared an introduction to what Bitcoin is and an explanation of why the (malicious) MyEtherWallet was their preferred browser extension.

The researchers sent funds to a few addresses and submitted secrets to the malicious extensions. They weren’t automatically swept, however, perhaps because the bad actors are only interested in high-value accounts, or maybe because they have to manually sweep accounts.

Although the researchers didn’t lose their secrets to the malicious extensions, others have publicly posted about losing funds to the extensions on the Chrome support forum, Reddit and Toshi Times.

Google swept the trashy extensions from the Chrome store within 24 hours of getting a heads-up.

Not the first time

Back in February, Google abruptly yanked 500 Chrome extensions off its Web Store after researchers discovered they were stealing browsing data, pulling off click fraud and serving up malvertising. The extensions had installed themselves on millions of users’ computers.

At the time, our advice was to not assume that, just because an extension is hosted from an official web store, it’s safe to use. The cryptocurrency-draining malicious extensions are just the latest of a long string of examples. The best advice:

  • Install as few extensions as possible and, despite the above, only from official web stores.
  • Check the reviews and feedback from others who’ve installed the extension.
  • Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
  • Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.
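The permission check in the last tip is easy to automate. The script below is an added example, not code from the article or from MyCrypto; it reads an extension’s manifest.json (the file Chrome keeps for every installed extension), flags permissions that grant broad access, and reports anything that has changed since a baseline you saved when you first installed it. The manifest and baseline shown are constructed samples, and the BROAD_PERMISSIONS list is an assumption about what deserves scrutiny.

```python
"""Audit a Chrome extension's permissions against a saved baseline.

Added example, not code from the article or from MyCrypto/PhishFort.
Reads an unpacked extension's manifest.json, flags permissions that grant
broad access, and reports drift from a previous run. The manifest and
baseline below are constructed sample data.
"""
import json
from typing import Optional

# Permissions worth a second look (an assumption, not an official list):
# each lets an extension read or alter pages, requests or data well beyond
# what a simple wallet UI needs.
BROAD_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs",
    "cookies", "history", "clipboardRead", "nativeMessaging",
}

def collect_permissions(manifest: dict) -> set:
    """Union of API and host permissions in a manifest (MV2 or MV3)."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(manifest.get(key, []))
    # Content scripts also declare the sites they are injected into.
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms

def is_broad(perm: str) -> bool:
    """True for a named broad permission or a wildcard host pattern."""
    return perm in BROAD_PERMISSIONS or perm.startswith(
        ("*://*/", "http://*/", "https://*/"))

def audit(manifest: dict, baseline: Optional[set] = None) -> dict:
    """Summarise broad permissions and any change from a saved baseline."""
    current = collect_permissions(manifest)
    report = {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "broad": sorted(p for p in current if is_broad(p)),
        "added": sorted(current - baseline) if baseline is not None else [],
        "removed": sorted(baseline - current) if baseline is not None else [],
    }
    # Either broad access or newly requested permissions deserve a look.
    report["suspicious"] = bool(report["broad"] or report["added"])
    return report

# Constructed sample: a wallet-style extension whose new version asks for
# far more than the baseline captured when it was first installed.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Wallet Helper (constructed sample)",
  "version": "1.2.0",
  "permissions": ["storage", "tabs", "webRequest", "clipboardRead"],
  "host_permissions": ["<all_urls>"]
}""")
SAMPLE_BASELINE = {"storage", "https://example-wallet.invalid/*"}

def main() -> None:
    # With a real extension: json.load(open(".../manifest.json")) and a
    # baseline set saved from the first audit.
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_BASELINE), indent=2))

if __name__ == "__main__":
    main()
```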

Denley had other helpful advice, as well, which you can find on his post. One of his tips is to consider creating a separate browser user that you use solely for cryptocurrency data in order to limit your attack surface, and to separate your personal and cryptocurrency profiles so as to increase the privacy related to your cryptocurrency profile.


Latest Naked Security podcast

Update now! Windows zero-day flaws fixed in Patch Tuesday

The COVID-19 pandemic might be causing delays to software schedules, but it’s not managed to stop Microsoft’s April Patch Tuesday update arriving on time this week.

That’s just as well because the update’s star fixes address three urgent zero-day flaws that Microsoft says are being exploited in the wild.

In total, the Windows 10, Windows 8.1, Windows 7 and Windows Server haul includes 113 CVE-level flaws, 19 of which are labelled critical.

The zero-day flaws are slightly confusing to unwrap, in the first instance because Microsoft initially said there were four of them before deciding that CVE-2020-0968, a critical Internet Explorer 11 scripting engine issue, wasn’t being exploited yet (but soon might be).

The most straightforward of the zero days is CVE-2020-1027, an elevation of privilege vulnerability affecting Windows kernel which Microsoft confirmed as “exploitation detected.”

Meanwhile, a second, CVE-2020-1020, is a remote code execution (RCE) vulnerability affecting the integrated Adobe Type Manager (ATM) OpenType Library that was originally made public in late March without an identifying CVE.

Except that it now turns out to be not one but two CVEs, with a second RCE flaw in the same software, CVE-2020-0938, joining it.

Microsoft hasn’t said how or by whom these flaws are being exploited beyond describing them as being connected to “limited targeted attacks.” That’s code for a flaw that’s being used by one threat group that will eventually spread to others.

There is also one other public but as yet unexploited flaw marked important, CVE-2020-0935, an elevation of privilege issue in OneDrive. The urgency here is that OneDrive is on large numbers of PCs and will make an inviting target for any cybercriminal. While it has its own updating mechanism, it’s still worth checking that this has happened.

Critical vulnerabilities

Ironically, the three zero days above are also marked ‘important’, which is why some admins will pay just as much attention to the flaws marked critical, such as CVE-2020-0910, a Hyper-V Hypervisor RCE.

SharePoint gets fixes for four urgent RCEs, CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, and CVE-2020-0974 plus CVE-2020-0927, a cross-site scripting (XSS) vulnerability.

A vulnerability in the way the Windows Media Foundation handles objects in memory receives three fixes, CVE-2020-0948, CVE-2020-0949, and CVE-2020-0950.

Adobe

After a long fix list in March, there’s only a handful of CVE-level fixes for ColdFusion, After Effects, and Digital Editions. That said, the company does sometimes issue more urgent fixes between Patch Tuesday updates. Last month it even missed the deadline entirely and issued patches a week later.

Intel

Timed to coincide with Patch Tuesday, Intel has released nine security fixes across a range of products. Two of these are rated critical, a flaw in the company’s NUC mini PC firmware (CVE-2020-0600), and in the Intel Modular Server Compute Module (CVE-2020-0578). Arguably the most wide-ranging is CVE-2020-0557, affecting a long list of the company’s PROSet/Wireless WiFi products.

Oracle

Last is Oracle, which hoses its user base with 405 security fixes, many falling into the top end of critical.



Zoom passwords for sale on the Dark Web – “ten-a-penny” by all accounts

You’ve almost certainly heard of Zoom over the past few weeks – Zoom, more properly Zoom Video Communications, Inc., lets you run remote meetings and webinars, with audio and video for all participants, right from your browser.

The service is surprisingly easy to use, so the company has seen demand for its services surge during the coronavirus lockdown.

With journalists, teachers, personal trainers, yoga classes, families, businesses and even places of worship “going virtual” to keep people in contact even though physical meetups are no longer allowed, Zoom bandwidth usage has expanded enormously.

As you can imagine, this expansion hasn’t been hassle-free.

Unfortunately, the biggest problems that many new users seem to be having with Zoom have nothing to do with Zoom’s programming or its service – in other words, they’re mistakes that Zoom itself can’t easily stop people from making.

The first big-news story about anti-social behaviour in the world of Zoom added a new word to the English language – ZoomBombing.

That’s where someone opens up a meeting to anyone who’d like to attend, typically as an open-hearted chance for people to join in and hang out during the lockdown…

…only to find that one or more of the “participants” joined in specifically to put the “ax” into “chillaxing”.

ZoomBombers typically start out by sharing what seems like an innocent feed from their webcam, only to “upgrade” their “contribution” to the meeting by suddenly and unexpectedly sharing their own screens after filling them with… well, you can imagine the sort of stuff that might get shoved in your face.

One poor journalist recently ran an open-to-all “Happy Hour” Zoom call and invited his own parents along as guests of honour – only for his session to get ZoomBombed with hard-core porn, and for the bomber to keep returning with new aliases after being kicked out.

We published a guide entitled 5 things you can do today to make Zooming safer that gives you some easy-to-follow tips on how to avoid unpleasant surprises before, during or after your online meetings – simply put, how to keep the good stuff in, and the bad guys out.

But there’s a sixth tip we need to add, one that we were worried might be repetitious if we’d included it last time, but that we’re going to add now even though you’ve heard it umpteen times before.

We’re sure you can guess what it is: PICK PROPER PASSWORDS!

Ten-a-penny, or thereabouts

A boutique cybersecurity intelligence firm called Cyble out of the Asia-Pacific region recently proved to itself, and to everyone else, that many Zoom newcomers simply aren’t taking care when they join the service.

Thousands, perhaps hundreds of thousands, of new adopters of Zoom are apparently as good as letting the crooks in for free by using passwords that have already been hacked or cracked elsewhere.

Fascinatingly, Zoom accounts don’t seem to be worth much to cybercrooks – or, at least, these ones weren’t worth much.

According to one report, Cyble claimed to have acquired 530,000 accounts and passwords from a Russian-speaking hacker at a rate that was almost literally ten-a-penny.

(The figure we saw was $0.002 each; if we assume Australian dollars because Cyble’s Twitter account says @AuCyble, that’s about one-tenth of a British penny. If we assume US dollars and American pennies, it’s a straight-up rate of five-a-penny – still astonishingly cheap.)

Of course, some or many of those passwords may be wrong, or old, or even just made up by the crooks, but Cyble has told reporters it tried a small sample of them and at least some did work.

We haven’t seen the actual passwords, but from the price and the size of the list we’re assuming that these passwords were already in the hands of the crooks, probably from an old data breach where passwords were exposed from another site, or stolen by malware, possibly months or even years ago.

In other words, it’s fair to say that the only “hacking” here is that crooks who already knew the passwords for existing accounts went and tried them out on Zoom as well.

After all, for many people, a Zoom password is the most recent “new password” they’ve had to choose because Zoom is the most recent new account they’ve set up…

…and therefore anyone who’s reused an old password lately has kind-of “pre-hacked” themselves.

What to do?

Don’t reuse passwords.

One account, one password! (If you find that a hassle, and you probably do, get a password manager to keep your passwords under control.)

Seriously, folks – tell your friends, tell your family, tell your colleagues, tell your boss, even if you’ve told them all 100 times before.

Password reuse is a behaviour that we simply have to eliminate, especially now we’re all signing up for new accounts in a hurry because of the coronavirus pandemic.

Using old passwords again makes things far too easy for cybercriminals – they know that we’re creatures of habit so they routinely and regularly try old passwords on new accounts.

In fact, the practice of trying old passwords on lots of accounts is so common it even has a name of its own: credential stuffing.

And friends don’t let friends get stuffed.
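Credential stuffing also leaves a recognisable trace on the receiving end. The detection below is an added example, not from the article: it runs over constructed authentication log lines (the format is assumed) and flags any source address that tries many different usernames in a short window with mostly failures, which is what a stuffing run looks like, as opposed to one user mistyping their own password.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not from the article. Stuffing shows up as one source
trying many *different* usernames, mostly failing, in a short window.
The log format and entries below are constructed samples.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO time> <source ip> <username> <result>"
SAMPLE_LOG = """\
2020-04-14T09:00:01 203.0.113.5 alice FAIL
2020-04-14T09:00:02 203.0.113.5 bob FAIL
2020-04-14T09:00:02 203.0.113.5 carol FAIL
2020-04-14T09:00:03 203.0.113.5 dave OK
2020-04-14T09:00:04 203.0.113.5 erin FAIL
2020-04-14T09:00:05 203.0.113.5 frank FAIL
2020-04-14T09:10:00 198.51.100.7 alice FAIL
2020-04-14T09:10:30 198.51.100.7 alice FAIL
2020-04-14T09:11:00 198.51.100.7 alice OK
"""

def parse(line: str) -> tuple:
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log_text: str, window_s: int = 300,
                    min_users: int = 5, max_success_rate: float = 0.5) -> dict:
    """Return {ip: {"users", "attempts", "successes"}} for every source that
    tried at least min_users distinct usernames within window_s seconds with
    a success rate at or below max_success_rate."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse(line)
            by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window over this source's attempts, oldest first.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, ok in window if ok)
            if len(users) >= min_users and successes / len(window) <= max_success_rate:
                flagged[ip] = {"users": len(users), "attempts": len(window),
                               "successes": successes}
    return flagged

def main() -> None:
    for ip, s in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {s['users']} usernames in {s['attempts']} attempts, "
              f"{s['successes']} succeeded (possible credential stuffing)")

if __name__ == "__main__":
    main()
```

A success inside a flagged burst (dave in the sample) is a reused password that worked: that account should be reset and its session reviewed rather than treated as a normal login.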

Signal: We’ll be eaten alive by EARN IT Act’s anti-encryption wolves

Recent weeks have been rough, with droves of people turning to virtual communication for sensitive conversations they’d like to keep private – medical visits, seeing friends’ faces and hearing their voices, or solace for those who’ve lost loved ones.

Understandably, the end-to-end (E2E) encrypted messaging app Signal has been signing up new users at “unprecedented” rates and flipping the switch on servers “faster than we ever anticipated,” Signal’s Joshua Lund said last week.

… and you can say goodbye to any of that staying stateside if the EARN IT Act passes.

Signal claims that legal and liability concerns would make it impossible to operate in the US. That doesn’t mean it would shut up shop entirely, but it could mean that the non-profit would need to move operations now based in the US.

Called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), the bill was introduced last month. If it passes, EARN IT would require tech companies to meet safety requirements for children online before obtaining immunity from lawsuits. You can read the discussion draft here.

To kill that immunity, the bill would undercut Section 230 of the Communications Decency Act (CDA) from certain apps and companies so that they could be held responsible for user-uploaded content. Section 230, considered the most important law protecting free speech online, states that websites aren’t liable for user-submitted content.

The proposed legislation’s details haven’t been ironed out yet, but at this early point, the bill’s intent to water down Section 230 turns that protection into a “hypocritical bargaining chip,” Lund wrote on Signal’s blog.

At a high level, what the bill proposes is a system where companies have to earn Section 230 protection by following a set of designed-by-committee ‘best practices’ that are extraordinarily unlikely to allow end-to-end encryption. Anyone who doesn’t comply with these recommendations will lose their Section 230 protection.

Maybe some of the tech behemoths could swing the potentially huge financial risk that would come with slews of lawsuits as they suddenly become responsible for whatever random things their users say, but not Signal, Lund said.

It would not be possible for a small nonprofit like Signal to continue to operate within the United States. Tech companies and organizations may be forced to relocate, and new startups may choose to begin in other countries instead.

It’s bizarre that a government that’s reliant on secure, private messaging would even contemplate gutting E2E encryption, Lund said. In February, the European Commission endorsed the messaging app, telling staff to switch to Signal for encrypted messaging. Lund listed other military and government endorsements, calling the proposed legislation “troubling and confusing”:

For a political body that devotes a lot of attention to national security, the implicit threat of revoking Section 230 protection from organizations that implement end-to-end encryption is both troubling and confusing. Signal is recommended* by the United States military. It is routinely used by senators and their staff. American allies in the EU Commission are Signal users too. End-to-end encryption is fundamental to the safety, security, and privacy of conversations worldwide.

*The US Military also recommends Wickr for encrypted messaging: both it and Signal feature auto-delete functions that erase messages after a set period of time.

The bill’s backers claim that they’re not targeting encryption. Rather, as with other attempts to legally enforce encryption backdoors, they’re claiming that their real goal is to get companies to accept responsibility for the enabling of online child sexual abuse.

But as has been explained by Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at The Center for Internet and Society at Stanford Law, the bill doesn’t have any tools to actually stop online child abuse. Furthermore, if it passes, it would actually make it much harder to prosecute pedophiles, she says.

As it now stands, online providers proactively, and voluntarily, scan for child abuse images by comparing their hash values to known abusive content.

Apple does it with iCloud content, Facebook has used hashing to stop millions of nude children’s images, and Google released a free artificial intelligence tool to help stamp out abusive material, among other voluntary efforts by major online platforms.

The key word is “voluntarily,” Pfefferkorn says. Those platforms are all private companies, as opposed to government agencies, which are required by Fourth Amendment protections against unreasonable search to get warrants before they rifle through our digital content, including email, chat discussions and cloud storage.

The reason that private companies like Facebook can, and do, do exactly that is that they are not the government, they’re private actors, so the Fourth Amendment doesn’t apply to them.

Turning the private companies that provide those communications into “agents of the state” would, ironically, result in courts’ suppression of evidence of the child sexual exploitation crimes targeted by the bill, she said.

Pfefferkorn has also pointed out that the bill would give unprecedented power to Attorney General William Barr, a vocal critic of end-to-end encryption, who would become the arbiter of any recommendations from the “best practices” commission that the EARN IT bill would create.

The “best practices” approach came after pushback over the bill’s predicted effects on privacy and free speech. The best practices would be subject to approval or veto by Barr, who has issued a public call for backdoors; the Secretary of Homeland Security (ditto); and the Chair of the Federal Trade Commission (FTC).

Basically, those wolves are going to eat smaller encryption providers alive, Lund said:

It is as though the Big Bad Wolf, after years of unsuccessfully trying to blow the brick house down, has instead introduced a legal framework that allows him to hold the three little pigs criminally responsible for being delicious and destroy the house anyway. When he is asked about this behavior, the Big Bad Wolf can credibly claim that nothing in the bill mentions ‘huffing’ or ‘puffing’ or ‘the application of forceful breath to a brick-based domicile’ at all, but the end goal is still pretty clear to any outside observer.

Last month, Sen. Ron Wyden, who introduced the CDA’s Section 230, said that the “disastrous” legislation is a “Trojan horse” that will give President Trump and Attorney General Barr “the power to control online speech and require government access to every aspect of Americans’ lives.”

The EARN IT Act is only the latest of many attempts to inject an encryption backdoor that the US government and law enforcement agencies have been trying to inflict for years.

Digital rights advocates say that the proposed act could harm free speech and data security, and Sophos concurs. For years, we’ve said #nobackdoors, agreeing with the Information Technology Industry Council that “Weakening security with the aim of advancing security simply does not make sense.”

The EARN IT Act is still working its way through Congress, not having seen a vote in either the House or the Senate.

There’s still time to stop it, Lund said. To reach out to elected officials, you can look up contact information on The Electronic Frontier Foundation’s Action Center.

