Perpetual IT

Trying to keep your kids entertained?

Looking for something to take the “long” out of the forthcoming long weekend? (Ever thought you’d be worried about a weekend being “long”?)

Ready to try some new apps, just to see what they’ve got to offer?

If you are, please read the latest report from SophosLabs first, entitled Don’t let fleeceware sneak into your iPhone.

Ace Sophos researchers Jagadeesh Chandraiah and Xinran Wu have just published a followup to an investigation carried out last year into what we dubbed the “fleeceware” phenomenon on Google Play.

This time, we’ve turned our focus on fleeceware in the Apple App Store.

Fleeceware, in case you’re wondering, isn’t actually malware – the term refers to apps that offer you some sort of legitimate functionality, albeit very little, on a subscription model that’s not little at all.

In other words, the app is free…

…but the strings attached are not, and may end up being very expensive indeed.

The “trick” that many fleeceware apps use is to invite you to sign up for a trial subscription to “unlock” the app, with the proviso that if you don’t like it and you cancel within a few days – actually, it’s often just three days, which both Apple and Google permit – then you start getting billed.

Maximum subscription rates typically vary by region, but you could be on the hook for a weekly, monthly or even a yearly fee, billed in advance.

One of the Android apps we identified last year, for example, was a QR code reader that was little different from the one already built into your phone’s camera app that went for a whopping €104.99 even if you uninstalled the app straight after trying it and never used it again.

This time, SophosLabs has taken a look at the App Store, and as Jagadeesh explains it:

Many of the fleeceware apps we see are advertised within the App Store as “free” apps, which puts the apps at odds with section 2.3.2 of the App Store Review Guidelines, which require developers to make sure their “app description, screenshots, and previews clearly indicate whether any featured items, levels, subscriptions, etc. require additional purchases.”

If you think one of these apps is free and install it, the app presents you with a “free trial” notification immediately upon launching the app for the first time. This notification prompts the user to provide payment card details. In some cases, most of the useful features of the app will only be usable if you sign up for the subscription. Some users may sign up to subscribe without reading the fine print, which includes the actual cost of the subscriptions.

And those subscription costs can really add up:

Zodiac Master Plus, one of the apps on our list of fleeceware, is listed as the 11th highest revenue-generating app. Another app, named Lucky Life – Future Seer, is earning more revenue than even the extremely popular Britbox, one of the UK’s most popular subscription streaming TV services.

What to do?

Sadly, there are no shortcuts.

• Always read the small print. Even, or perhaps especially, if it’s in a light grey font that’s hard to see.
• Subscriptions don’t go with the app. The subscription goes with your Apple or Google account, and that’s where you need to go to cancel it. Deleting the app will leave you still signed up and still paying the fees.
• Prefer apps where you get the trial before you sign up. Be wary of handing over your credit card at the start of the trial instead of the end.

For advice on how to check and cancel subscriptions from your iPhone or iPad, please head to the SophosLabs report.

---

Latest Naked Security podcast

This week we discuss the hackers’ forum that got hacked (lol), how the coronavirus pandemic has deferred a security update, and why jumping to conclusions is always a bad idea.

Oh, and we came across plans for a toilet that identifies you by scanning your, errrm… you’ll have to listen to find out.

Host Anna Brading is joined by Sophos experts Paul Ducklin, Mark Stockley and Greg Iddon.

Listen now!

Facebook on Tuesday released a new couples-only messaging app that gives you a place to get “as mushy, quirky, and silly” with your bae as you do in front of each other even when you’re apart, keeping it to yourselves and thus avoiding setting off nausea in others.

It’s a place to build a digital scrapbook together, Facebook said in its Apple App Store Preview description. You can use the app – which Facebook has dubbed “Tuned” – to chat and to share your mood, photos, music, love notes and more, or to create a shared, daily “diary of special moments.”

Then again, you can also use it to privately break up with your smiley-rainbow-end, as pointed out in one 5-star review:

In its brief life to date, the new private messaging app has earned a 3.2 rating from 58 users. It would be better if it had more stickers and GIFs, said one 4-star review:

How do you illustrate a breakup? I would vote for a GIF of Betty White explaining that she feels …

… like crawling under the covers and eating Velveeta right out of the box.

Tuned is only available on the App Store for iPhone and iPad at this point. You don’t have to have a Facebook account to use it, though you do have to be over the age of 13 and you do have to fork over your phone number.

The prospect of having to give Facebook a phone number yielded multiple “Yea, um, no” app reviews: not entirely surprising, given Facebook’s history of dealing with user data.

The app comes from Facebook’s New Product Experimentation (NPE) team, which was formed in July 2019 to create new, experimental social media apps for whatever nooks and crannies that the team imagines are undersaturated with such. In February, the team launched its first app, called Hobbi, which lets users document their creative work by sharing photos and videos.

As the BBC points out, Tuned claims to be a “private space” for couples, but it’s apparently not private enough to warrant the end-to-end (E2E) encryption of Facebook’s WhatsApp messaging app.

Facebook says that its NPE apps will be governed by its Terms of Service, Data Policy, and NPE Team Supplemental Terms, which it will post in advance of apps shipping. Ditto for the data collected by the NPE apps if Facebook winds up shutting them down. Without E2E encryption, Facebook can access the content couples share on Tuned, and how it disposes of that data (or doesn’t) depends on those terms.

One imagines that if Facebook doesn’t toss in the towel on the Tuned or other NPE experiments, it might come to pass that the apps could in fact get E2E encryption at some point. That, after all, is what Facebook has pledged about its messaging apps.

Last year, Facebook announced that it would stitch the technical infrastructure of all of its chat apps – Messenger, WhatsApp and Instagram – together so that users of each app can talk to each other more easily.

Much to the displeasure of lawmakers and law enforcement, Facebook’s plan includes slathering the E2E encryption of WhatsApp – which keeps anyone, including law enforcement and even Facebook itself, from reading the content of messages – onto Messenger and Instagram.

---

Latest Naked Security podcast

Google has removed an Android VPN program from the Google Play store after researchers notified it of a critical vulnerability. The app, SuperVPN, has been downloaded over 100 million times.

Virtual private networks (VPNs) let users create encrypted connections to online servers that then serve as their gateway to the Internet. They enable users to tunnel safely to the internet when using untrusted local connections such as those in public places like coffee shops. In theory, they should stop intruders from sniffing your traffic on insecure networks. SuperVPN is one of dozens of programs that supposedly serve this function for Android devices.

VPNpro, a company that reviews and advises on VPN products, warned in February of a vulnerability in the product that could cause a man in the middle (MITM) attack, enabling an intruder to insert themselves between the user and the VPN service. It said at the time:

What this VPN app has done is to leave its users, people seeking extra privacy and security, to actually have less privacy and security than if they’d used no VPN at all.

The program was sending encrypted data, but it hard coded the decryption key, the review site said. Decrypting the data revealed information about SuperVPN’s server, certificates, and authentication credentials. VPNpro was able to replace that data with its own.

That means the attacker can force SuperVPN to connect to a fake server, enabling them to see all of the user’s data including passwords, private text, and voice messages, VPNpro said.

VPNpro’s researcher Jan Youngren discovered the vulnerability in October 2019, adding that its developer, SuperSoftTech, likely based in Beijing, didn’t respond to its notification. Instead, it notified the Google Play Security Reward Program (GPSRP), operated for Google by HackerOne. That team couldn’t get a response from SuperSoftTech either, so it removed the program from the Google Play store on 7 April, 2020.

This isn’t the first time that SuperVPN has cropped up in vulnerability research. It also got a mention in a 2016 paper that researched security risks in Android VPNs. That research, presented at the Association for Computing Machinery’s 2016 Internet Measurement Conference (IMC), found that 13 antivirus programs detected malware activity in the software. It took third place in a ranking of Android VPNs most often flagged with malware-like activity by antivirus programs.

SuperVPN wasn’t the only Android VPN to raise VPNpro’s concerns. It identified nine others in its February blog post that it said had critical vulnerabilities leaving their users vulnerable to to MITM attacks. A quick check shows that several of them are still available for download on the Play Store.

---

Latest Naked Security podcast

Researchers at German pentesting company Enable Security just published an intriguing blog post about a security problem they found in the popular online collaboration tool Slack.

The short version is that they uncovered a way to poke around inside the private parts of Slack’s network, so they disclosed it, Slack fixed it and paid them a $3500 bounty…

…and then, as sometimes happens when the rest-of-life gets in the way, it was another two years before they got the green light to publish their findings.

In some ways, the bug bounty progress report makes more fascinating reading than the blog post itself, because it shows how the responsible disclosure process allows for affable and open technical discourse between the bug finders and the bug fixers, without giving needless hints to crooks along the way.

But we’ll focus on the blog post here because it includes some really simple but very effective advice that anyone running real-time collaboration services (a hot topic right now!) can take on board.

Whether you’re interested in live text chat, audio or video, this report could help you improve your own security, and that of your users.

How to find a computer online

One problem that so-called end-to-end or peer-to-peer software has on most internet-connected networks is that very few computers these days have network identifiers – what are known as IP numbers – assigned uniquely to them.

Here’s why.

The modern internet numbering system known as IPv6 (there is no IPv5 numbering system because the suffix -5 had already been used for other things) gives each device on the internet a 128-bit number.

Even using just 64 bits’ worth of that so-called address space, you can “count” all the way from zero to 2⁶⁴-1, which is enough to number more nearly 20 million million million devices uniquely.

But the older IPv4 system is still used by the vast majority of devices out there, and it has just 32 bits, which gives you an absolute maximum device count of just over 4000 million (4 billion).

As large as that sounds, there are already billions of mobile phones around the world, plus billions more laptops, routers, cloud servers, smart kettles, street signs, lampposts…

..so you can see why 32-bit network numbers are a real problem these days, and have been for years.

(In practice, there aren’t even 2³² values available because about half-a-billion IPv4 numbers are set aside for purposes other than identifying individual devices.)

Most networks these days make do with one IP number that’s shared between all the computers on the local network (LAN), which make do with so-called “private IP numbers” that are reserved for internal use only.

These private IP numbers don’t get past the router, so they don’t need registration or any central authority to control them, but they don’t identify your computer globally in any useful or usable way.

If you’ve ever wondered why your computer may show up with an IP number such as 192.168.1.12 at home, and something very similar, such as 192.168.1.13 at the coffee shop you (used to) frequent, it’s because those numbers are “private only”, and as long as they’re allocated on separate LANs they won’t get in each others’ way.

 [RFC1918: Address Allocation for Private Internets] The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets: 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix

As an aside, if you’ve ever had the misfortune to have all the computers on your network blocklisted at the same time because just one of them did something naughty, such as sending spam…

…that’s because all traffic out of your network has the very same IP number once it joins the public internet, so your individual computers can’t be blocked independently – they stand or fall together.

Your router therefore acts as a sort of “traffic proxy” that figures out which incoming network packets are replies to what outgoing network requests, and redirects them accordingly.

That’s called NAT, short for Network Address Translation, and it’s a decent enough solution if all you want to do is establish connections from your private network to servers on the public internet, as you did when you browsed to this web server to start reading this article.

Generally speaking, however, a NATting router can only deal reliably with incoming traffic after a computer on the LAN has initiated an outbound connection – otherwise it has no idea which network flows (as they are called) belong to which device.

The problem with NAT

For peer-to-peer chats, whether they’re one-to-one calls or group calls, you have a problem – each participant can dial out to the call by connecting outwards to any or all of the others, but no one can accept the call because incoming network traffic relies on an already-open connection to a public server first.

Stalemate!

One solution to this problem is known as TURN, which is a rather forced acronym meaning Traversal Using Relays around NAT. (Relays Using NAT Traversal would be clearer to write in full, but wouldn’t be a good acronym.)

The idea is that a server on the public internet acts as an “answering machine” that accepts calls from other computers, even if they are behind NAT routers, and applies suitable identification and authentication as needed.

For any call that users are trying to connect to, the TURN server ends up on the receiving end of outbound connections from everyone on the call, so it can act as a “relay” or “broker” that shuffles one caller’s outbound data into the right recipient’s inbound data channel and vice versa, thus simulating an end-to-end connection between two or more computers that would otherwise be kept apart by their NAT routers.

This isn’t an ideal solution, especially if the TURN server is in New York and the callers are both in San Diego, say, because the packets are crossing a continent only to come straight back again, and it also means that everyone’s call latency gets affected by the load on the TURN server.

But by making TURN into a lightweight data packet “shuffling” service, it’s nevertheless proved to be a very useful system that works for all sorts of traffic, not just for audio, or video, or whatever.

Because TURN servers can broker traffic between arbitrary services on arbitrary computers, you don’t need to add TURN code to every type of server you run, meaning that you can dedicate TURN servers entirely to their job of “packet brokering”.

This means you can therefore configure and tune TURN your servers for optimum throughput, without worrying if those tweaks would reduce performance for other service types on your network such as web, database and streaming servers.

Brokers

But this general-purpose nature of TURN means that you need some way for a TURN server to allow the original caller to specify where they want to go to reach the other end of their TURN call.

And the primary functions of TURN is to “broker” traffic past NAT routers, which means that TURN needs to be able to make sense of IP traffic that a router itself would ignore because the destination computers have internal-only IP numbers that make no sense on the public internet.

You can probably guess where this is going.

There are almost certainly several network ports open on your laptop right now, many of them listening on localhost, which is a special series of IP numbers from 127.0.0.0 to 127.255.255.255 that are reserved for your computer to access itself only from itself.

Localhost addresses (127.0.0.1 is usually used) are so special that many operating systems don’t even send local network packets through the networking subsystem.

To improe the speed, security and reliability of local-to-local connections they often just shuffle the data directly in memory between the sending program and the receiver.

Likewise, your router probably has an administration web server running on an IP number such as 192.168.1.254 or 192.168.0.1 to keep it safely cut off from the outside world but accessible to computers inside your network.

But if you have a TURN server, it is already inside your network, so if you accidentally permit an incoming caller to specify an internal-only IP number as its target, you may end up “brokering” packets between an outsider and some internal service that would otherwise be invisible to outsiders.

The story with Slack

Peeking into internal Slack resources via Slack’s TURN servers in this way is what our intrepid researchers were able to do, two years ago.

By placing fake calls with “recipients” that were inside Slack’s own network, using a mixture of localhost and private IP numbers, they were able to boldly go where no caller was supposed to.

They made an informative video (it’s slow going but surprisingly easy to follow) of what happened:

[embedded content]

What to do?

If you are a Slack user, there is nothing to do.

Slack already did it for you, which is why this report is public only now.

But if you run your own TURN servers, the researchers suggest checking that you have configured your server to ignore connection brokering requests to any internal-only IP numbers.

This protects you from access control mistakes down the line, because there is no “down the line.”

For the server described in their paper (called coturn), the configuration they recommend is as follows:

 no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=100.64.0.0-100.127.255.255 denied-peer-ip=127.0.0.0-127.255.255.255 denied-peer-ip=169.254.0.0-169.254.255.255 denied-peer-ip=127.0.0.0-127.255.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 denied-peer-ip=192.0.0.0-192.0.0.255 denied-peer-ip=192.0.2.0-192.0.2.255 denied-peer-ip=192.88.99.0-192.88.99.255 denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=198.18.0.0-198.19.255.255 denied-peer-ip=198.51.100.0-198.51.100.255 denied-peer-ip=203.0.113.0-203.0.113.255 denied-peer-ip=240.0.0.0-255.255.255.255

If you’re a networking person you will probably recognise those ranges anyway – they cover multicast, LAN-only IP numbers, localhost-only IP numbers, autoconfiguration IP numbers, reserved-for-documentation IP numbers and more.

Remember: the earlier you block bad traffic, the less harm it can possibly do!

---

Latest Naked Security podcast