
COVID-19 forces browser makers to continue supporting TLS 1.0

In one of the strangest stories of the year, the COVID-19 virus has halted plans by major browsers to drop support for the aging and insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols.

Mozilla Firefox and Google’s Chrome developers sneaked out the move in recent days, with only the Microsoft Edge team bothering to formally announce the sudden reprieve on Tuesday.

In fairness, with COVID-19 throwing development schedules into minor chaos, browser development teams probably have other things on their minds right now anyway.

While only a temporary delay, it’s still an unexpected retreat for an industry that had shown unity in collectively deciding to banish TLS 1.0 and the lesser-used TLS 1.1 by early 2020.

TLS, of course, is the protocol used to encrypt network communication, most prominently the HTTPS used by web browsers to connect securely to websites.

While TLS 1.2 and the recent 1.3 are now widely supported, versions 1.0 and 1.1 are now so old they’ve accumulated numerous weaknesses that render them insecure.

Attacks have included BEAST in 2011, Lucky Thirteen in 2013, and the POODLE SSL downgrade attack from 2014, among others. Things got so bad that the PCI DSS compliance standards were updated to insist that servers taking credit card payments stop supporting it in 2018, at the risk of big fines.

But what’s this got to do with COVID-19?

That’s less well explained, with Microsoft referring only to “current global circumstances”. Mozilla was more forthcoming:

We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.

That’s a polite way of saying that, prior to COVID-19, those sites would have been allowed to wither as browsers’ users trying to visit them were confronted with warnings about the sites’ support for insecure protocols.

In other words, the seriousness of COVID-19, and the possibility that at least some people might try to visit these sites, has now overridden these concerns.

Ironically, this is the very issue that’s dogged the phasing out of support for TLS 1.0 – the annoying fact that some websites that should know better haven’t been turning off support, hence the need for browser makers to step in to do it from the client end.

The question is how long this logic can hold.

Officially, the three browser makers mentioned in this article have all said they plan to revert to plan A and drop support for TLS 1.0 and 1.1 by the late spring or summer. But what happens if COVID-19 is still a problem?

Assuming these sites offering COVID-19 advice haven’t banished TLS 1.0 and 1.1 by the cut-offs, that could either force more delays or a decision to press ahead regardless.

The larger truth is abandoning anything in software has become difficult. When the moment comes, there are bound to be losers and holdouts.

It’s been the bane of operating systems, such as Windows and Android, for years. Now this phenomenon is repeating itself on a smaller scale in the normally obscure world of the protocols used to quietly secure traffic between browsers and websites.


Latest Naked Security podcast

Bill Gates’s YouTube ‘Bitcoin giveaway’ is a big fat scam

On Monday, a video of former Microsoft CEO Bill Gates could be found playing on multiple YouTube channels that were broadcasting a well-known cryptocurrency Ponzi scam, ZDNet reported.

The channels had apparently been hijacked from their rightful owners and renamed to make it sound like they were Microsoft brands. Microsoft has “vehemently” denied the suggestion that any of its verified accounts had been hacked, ZDNet reported in an update. YouTube reportedly intervened to take down the scam’s live streams, which were broadcasting to tens of thousands of users.

We’ve seen these cryptocoin scams spread like money-sucking fungi around the world. One such was the OneCoin fraud, which the US Attorney’s Office in the Southern District of New York called a “multi-level marketing network” that pays its members commissions for recruiting others to buy cryptocurrency packages, not from actual proceeds from its coins’ supposed value. In plain English, that spells out “pyramid scheme.”

The shtick is old, but it’s taken on new life on YouTube. In November 2019, cryptocoin news site Coin Rivet reported that scammers were hopping on YouTube live streams to bilk people by posing as the official foundations and development teams of popular cryptocurrencies.

The fraudsters were embedding footage from official crypto conferences and interviews to add cred to an old ploy: they’d tell users to send funds to an address, and they’d supposedly get back oodles more than their initial investment. Whatta deal!

Whatta shame: people fell for it in this week’s version a la Bill Gates.

ZDNet reported that as of Monday, somebody or somebodies apparently took over 30+ YouTube accounts and used them to live-stream an old Bill Gates talk on startups, delivered to an audience at Village Global in June 2019. The news outlet grabbed some screenshots of the scam pitch before YouTube fly-swatted them to oblivion.

The messaging, emblazoned with a kidnapped Microsoft logo and a blue “verified” checkmark that must have seemed legit to some:

Our marketing department here at Microsoft came up with an idea: to hold a special giveaway event for all cyrpto fans out there. In honor to cryptoenthusiasts and in support of the cryptocurrency market.

Then came the rules, a schedule of how much Bitcoin you’d need to send to the scammers’ Bitcoin wallet, and a list of how much “Oh ₿-₿-₿-₿OY!!!!!” profit you’d make.

Some got taken in, unfortunately. ZDNet reports that some of the Bitcoin addresses listed in the scams had received thousands of US dollars.

Don’t fall for it!

For more about how these scams work and how to avoid them, check out the deep dive we recently took on the subject, around about the time a OneCoin lawyer/money launderer got convicted.

Here’s our short, sweet suggestion on how to avoid getting taken in by these shysters, be they latching their claims onto an old Bill Gates video stream or riding the coattails of cryptocurrency celebs: If in doubt, don’t give it out, and that definitely includes your money!




QR code generator scam steals thousands in Bitcoin

Every once in a while an attack comes along that is so simple to set up, and yet so effective, that it makes your jaw drop. Here’s one: fake bitcoin QR generators. According to web developer and cryptocurrency enthusiast Harry Denley, a wily scammer has been operating a network of fake bitcoin QR code generators to dupe people out of their bitcoins.

Bitcoin uses addresses as conduits to send and receive bitcoin payments. To improve anonymity (which was a fundamental design principle for bitcoin), these addresses are disposable. You’re not supposed to reuse them. You can imagine how many bitcoin addresses you’d need to support a massive cryptocurrency network ad infinitum. It’s a lot. That’s why each address is up to 35 alphanumeric digits long. They’re not something you’d want to write down or type in manually.

Instead, people use QR codes – the blocky squares invented by Masahiro Hara – to represent them easily to others. Invoicing and payment software will often generate these automatically. Someone making a payment can scan them and send bitcoin to that address.

Denley explained on Twitter that he had found sites offering to generate QR codes for people if they typed in a bitcoin address.

He told ZDNet that he found several domains pulling the same scam.

Typing in an address – any address – spat out the same handful of QR codes, which had nothing to do with the addresses entered. Instead, they pointed to the attacker’s own addresses. So when anyone used that QR code as a payment address, the person sending them bitcoin would have sent it to the attacker’s account rather than their own.

The address he quoted in the tweet held 4.9 bitcoins (a little over £25,000) as of yesterday, received via 473 transactions.

Cryptocurrency phishing scams are common. We’ve reported on sites that fooled users into entering the private keys to their cryptocurrency wallets. Recently, a fraudulent Chrome extension duped customers into handing over their Ledger hardware wallet keys.



Microsoft’s Edge browser to get breached credential alerts

After re-Chroming its Edge browser last summer, Microsoft this week announced a list of new security and privacy features it plans to add to forthcoming versions in an effort to take on its rivals.

The first of these, tracking prevention, has been in the browser for months, but was recently redesigned to make it stand out a bit more.

The second is that Edge’s InPrivate mode searches are, as of last week, possible via the company’s Bing search engine.

The third is called Password Monitor, a feature that will tell Edge users when usernames and passwords they’ve entered on a website have been found on the dark web.

These sound very similar to features already available in rivals, which is why it’s worth delving into the newer two in a little more detail to draw out some of the differences.

Start with Password Monitor, the most significant of the new features, which should appear in Edge at some point soon (it’s not clear when, given that Microsoft has paused updates apart from security fixes because of disruption caused by COVID-19).

Essentially, every time credentials are saved into Edge’s password store (rather than into a third-party password manager) it checks to see whether these are already part of a database of those known to have been breached.

If they are, Edge will tell the user, suggesting they change them. All credentials detected to be breached will be viewable in a special dashboard.

There are two issues with this, the first being what data source Microsoft is checking the credentials against.

For example, Mozilla’s Firefox, which started integrating this feature as Firefox Monitor as long ago as 2018, uses a service called Have I Been Pwned (HIBP). So far, the implication is that Microsoft will use its own in-house database, perhaps combined with an external source.

The second is how it will do the checking, which for plaintext email addresses is relatively simple – just look up the user’s email address in a database of breached email addresses.

For passwords, things get a lot more complicated. Not only must the user’s password not be leaked to Microsoft or to a man-in-the-middle, but the feature must not become an inadvertent lookup service for criminals querying in the opposite direction.

Both Firefox and Google Chrome’s Password Checkup extension, which appeared in 2019, use a variety of mathematical techniques, including the principle of k-anonymity, blinding, and multiple rounds of hashing.

There are some subtle differences, however, which probably don’t matter to the average user, but which bother engineers. Hopefully, Microsoft will share more detail on this aspect of Edge’s Password Monitor at some point.
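The k-anonymity range query that HIBP offers and Firefox Monitor relies on, written out as an added example (this is an illustration, not Microsoft’s or Mozilla’s code; the breach corpus is constructed and Chrome’s extra blinding step is not shown). The client hashes the password locally and sends only the first five hex digits of the SHA-1 hash; the server answers with every breached suffix in that range, so the password and its full hash never leave the client, and the server cannot tell which, if any, of the returned suffixes the client cared about.

```python
import hashlib
from typing import List, Optional, Tuple

PREFIX_LEN = 5  # HIBP range queries send 5 hex digits (20 bits) of the SHA-1

# Constructed breach corpus for the example: SHA-1 of a few weak passwords
# with made-up occurrence counts, keyed by uppercase hex digest.
_BREACHED_HASHES = {
    hashlib.sha1(pw.encode()).hexdigest().upper(): count
    for pw, count in [("password", 3_000_000), ("123456", 23_000_000),
                      ("letmein", 200_000)]
}


def range_query(prefix: str) -> List[Tuple[str, int]]:
    """Server side: return (suffix, count) for every breached hash whose
    first PREFIX_LEN hex digits match. The whole bucket is returned, so the
    server learns only that the caller's hash starts with `prefix`."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex digits")
    return sorted((h[PREFIX_LEN:], n)
                  for h, n in _BREACHED_HASHES.items() if h.startswith(prefix))


def check_password(password: str, sent: Optional[List[str]] = None) -> int:
    """Client side: return how many times the password appeared in breaches
    (0 if never seen). `sent` optionally records what went over the wire,
    so a caller can confirm that only the 5-digit prefix was transmitted."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    if sent is not None:
        sent.append(prefix)
    # The suffix comparison happens locally; the suffix is never sent.
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0
```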

Available now, InPrivate with Bing sounds like a statement of the obvious: private browsing shouldn’t monitor which sites someone is visiting when using it.

In fact, while private browsing modes don’t record what users have been looking at within the browser itself, that doesn’t mean Google itself isn’t paying attention to searches.

However, Microsoft claims that searches won’t be tied to a user’s account, as long as Bing is used.



Marriott International confirms data breach of up to 5.2 million guests

Marriott International has today announced that it has suffered a data breach affecting up to 5.2 million people.

The hotel chain says it uses an application to help provide services to its guests. Beginning in mid-January this year, the login credentials of two employees at a franchised property were used to access guest information on this app.

When the breach was discovered at the end of February, Marriott International says it disabled those login credentials and began its investigation.

What data was accessed?

Marriott says it believes the following information “may have been involved”, although not every field was present for every guest:

  • Contact details (name, mailing address, email address, and phone number)
  • Loyalty account information (account number and points balance, but not passwords)
  • Additional personal details (company, gender, and birthday day and month)
  • Partnerships and affiliations (linked airline loyalty programs and numbers)
  • Preferences (stay/room preferences and language preference)

Marriott says there is currently no reason to believe the information accessed included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.

Marriott says it informed guests via email, today (31st March), from the address marriott@email-marriott.com. It says it’s giving guests the option of accessing a data monitoring service for a year.

What to do

  • Marriott International has set up a self-service portal for you to be able to determine if and what information of yours was accessed. It’s also listed a set of phone numbers you can call on its breach announcement page.
  • If your information was involved, Marriott has disabled your password and you’ll be prompted to enter a new one when you next log in. The company is also recommending you enable two-factor authentication (2FA) on your account, although we couldn’t find the option when we logged in.
  • Stay alert for scams. Criminals like to take advantage of breaches to send phishing emails or spin up fake websites. Don’t click on any links, and verify anything you encounter by heading directly to the official breach website or calling the official call centre numbers. Marriott says if it contacts you by email it’ll do so from the marriott@email-marriott.com email address, and won’t send emails with attachments or ones that ask for information.