Apple Safari now blocks all third-party cookies by default

“The long wait is over,” Apple WebKit engineer John Wilander announced on Tuesday: the latest update to the Safari browser is blocking third-party cookies by default for all users.

Safari 13.1 was released on Tuesday, bringing full cookie blocking and other updates to Apple’s Intelligent Tracking Prevention (ITP) privacy feature. What it means: online advertisers and analytics firms will no longer be able to use our browser cookies to follow us around like bloodhounds as we wander from site to site, tracking and mapping our interests and behavior for whatever profit-motivated, privacy-wrecking purposes they might have.

Is this a big deal? Not really, Wilander said in a post on the WebKit team’s blog, given that previous work has meant that most cookies are already blocked:

It might seem like a bigger change than it is.

But we’ve added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari.

Safari thus joins other browsers that either plan to or are already blocking third-party tracking cookies by default, including the Tor browser. Mozilla rolled out the privacy enhancement in September 2019, announcing that Firefox would block both tracking cookies and cryptomining by default.

Brave also blocks most third-party cookies, though it makes exceptions for a few popular third-party embedded sites. In January 2020, Google announced that it would gradually kill third-party cookies in Chrome over the course of two years.

But while it might appear that Apple beat Google to the third-party cookie kill fest, Google actually gets the credit for pushing browsers down the no-tracking path. In a May 2019 post, Google said that it planned to update Chrome to provide users with more transparency about how sites use cookies and would require developers to explicitly specify which cookies are allowed to work across websites and which could thus be used to track users.

But there are other ways to track us beyond cookies, as Google’s post explained, referring to browser fingerprints: a way to track users that doesn’t rely on cookies but instead gets identifying information from your browser that marks you as unique, such as what fonts are installed, what HTTP headers your browser sends, your screen size and your timezone. Naked Security’s Mark Stockley has called it “the cookie you can’t delete” and says it’s an extremely accurate way to identify your browser:

That collection of information varies so much from one browser to the next that it’s enough to tell any two browsers apart with startling accuracy.

In the announcement about third-party cookie blocking on Tuesday, Wilander said that the privacy enhancement will disable browser login fingerprinting: a technique that allows a website to invisibly detect where you’re logged in and which is viable in any browser without full third-party cookie blocking.

Since ‘global browser state’ has been top of mind in the web privacy community as of late, we’d like to point out that cookies themselves are global state and unless the browser blocks or partitions them in third-party contexts, they allow for cross-site leakage of user information such as login fingerprinting.

Wilander listed these other benefits of third-party cookie blocking:

  • Disables cross-site request forgery (CSRF) attacks against websites through third-party requests. [An example: Facebook suffered from a CSRF bypass flaw, which could have let attackers hijack accounts, in February 2019.] Apple notes that developers still need to protect against forged requests that come in through top frame navigations and pointed them to its materials on SameSite cookies for guidance.
  • Removes the ability to use an auxiliary third-party domain to identify users. Such a setup could otherwise persist IDs even when users delete website data for the first party.
  • Simplifies things for developers. Wilander says it’s now “as easy as possible: If you need cookie access as third-party, use the Storage Access API.”
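To make the CSRF point concrete, here is an added example (my own, not code from Apple, WebKit or the article) that models when a browser attaches a cookie to a request under Safari 13.1-style blocking of all third-party cookies combined with the SameSite attribute; the cookie and request objects are constructed for illustration.

```javascript
// Added example (not from Apple/WebKit or the article): a small model of when a
// browser attaches a cookie to a request. It shows why blocking third-party
// cookies defeats CSRF through embedded third-party requests, while a forged
// top-level navigation (e.g. an auto-submitted form from another site) is only
// stopped by SameSite=Lax/Strict, which is the guidance quoted above.

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Build a Set-Cookie header value. Browsers reject SameSite=None without Secure.
function buildSetCookie(name, value, { sameSite = 'Lax', secure = true } = {}) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${value}`, 'Path=/', 'HttpOnly', `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// cookie: { sameSite: 'Strict' | 'Lax' | 'None' }
// req:    { crossSite, topLevel, method }
//   crossSite - the initiating site differs from the cookie's site
//   topLevel  - the request is a top-level navigation (address bar changes)
// blockThirdParty: true mirrors the Safari 13.1 default described above
function cookieSent(cookie, req, blockThirdParty = true) {
  if (!req.crossSite) return true;          // same-site request: always sent

  if (!req.topLevel) {
    // Embedded cross-site request (iframe, img, fetch): third-party context.
    // Blocked outright unless the embed was granted access via the Storage
    // Access API, which this model does not represent.
    if (blockThirdParty) return false;
    return cookie.sameSite === 'None';      // older behaviour: only None crosses
  }

  // Top-level cross-site navigation: the destination becomes first party, so
  // third-party blocking does not apply; only SameSite decides.
  switch (cookie.sameSite) {
    case 'Strict': return false;
    case 'Lax':    return SAFE_METHODS.includes(req.method);
    case 'None':   return true;
    default:       return false;
  }
}

// Worked scenario: a forged POST from another site, first as an embedded
// request, then as a top-level navigation, for each SameSite setting.
function csrfMatrix() {
  const embedded = { crossSite: true, topLevel: false, method: 'POST' };
  const navigation = { crossSite: true, topLevel: true, method: 'POST' };
  const out = {};
  for (const sameSite of ['None', 'Lax', 'Strict']) {
    out[sameSite] = {
      embedded: cookieSent({ sameSite }, embedded),
      navigation: cookieSent({ sameSite }, navigation),
    };
  }
  return out;
}

console.log(buildSetCookie('session', 'abc123', { sameSite: 'Lax' }));
console.log(csrfMatrix());
```

The matrix shows the SameSite=None row as the one where the forged top-level POST still carries the cookie, which is why a session cookie set that way still needs an anti-CSRF token.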

Latest Naked Security podcast

Adobe issues emergency fix for file-munching bug

Adobe has released another security patch outside of its usual routine this month to deal with a strange bug that can allow attackers to delete victims’ files.

The file-deleting bug, CVE-2020-3808, stems from a time-of-check to time-of-use race condition vulnerability, which happens when two system operations try to access shared data at the same time. That allows an attacker to manipulate files on the victim’s system. The company warned:

Successful exploitation could lead to arbitrary file deletion.

To successfully exploit the flaw, an attacker would need to convince a victim to open a malicious file, Adobe has said.

Creative Cloud is a subscription-based service that lets users access its range of creative software products from Adobe online, and to use some cloud-based services that support them. Users get well-known Adobe titles like Acrobat, After Effects, Dreamweaver, Illustrator, InDesign, and Photoshop. It replaced Creative Suite, which was its perpetual license software.

The bug affects Creative Cloud version 5.0 and earlier on Windows platforms according to the company’s advisory, and it has a severity rating of critical. Adobe has issued a fix and given it a priority rating of two. In other words, it isn’t the most urgent patch in history, but you should still hop on it, sharpish. The fact that the company issued an out-of-band patch to fix the vulnerability indicates how seriously it’s taking this.

The fix involves installing version 5.1 of the software.

This isn’t the only such patch this month. The company issued a gaggle of bug fixes on 17 March, which were late, as it normally aligns its patches with Microsoft’s Patch Tuesday releases. The 41 vulnerabilities appeared in Photoshop, Acrobat, and Reader, and more than half of them received a critical rating.

In its advisory this week, Adobe credited Jiadong Lu of South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security with finding the file-munching bug.


Hijacked Twitter accounts used to advertise face masks

As of Tuesday, hijacked Twitter accounts were spewing out hundreds of tweets hawking a dodgy looking face mask/toilet paper/digital forehead thermometer online store, according to Motherboard’s Vice.

When Vice’s Joseph Cox searched for the masks site on Tuesday, he found what he called a “heavy stream” of other accounts that posted a link to the site. Some at least appeared to have been hijacked, given that they were created years ago and posted what Cox called “relatively normal content” before tweeting out the link to the masks site.

As of Wednesday afternoon, two Twitter accounts were still advertising masksfast[.]us. One of the accounts, created in April 2012, had zero followers and had only ever created one post: the ad for masks that it posted on Tuesday. Another account advertising the (potentially scammy) site hadn’t previously posted anything since July 2019, had only retweeted and had never posted original content, all of which gives off the aroma of a bot network and/or accounts that have been hacked away from their rightful owners.

I reported both accounts to Twitter.

Vice knows for sure that one of the accounts pumping out mask advertising was hijacked, given that the account belonged to one of its own: Motherboard’s Todd Feathers. On Tuesday, the journalist confirmed on Twitter that his account had been hijacked and used to send out direct messages, purportedly about face masks.

Vice found another hijacked account that posted tweets to a website called “Masks 2 U” and which included this message in broken English:

Wearing mask make you away from COVID-19

Motherboard’s Feathers told Vice that about 40 minutes before he logged into Twitter and realized that his account had been hacked, the platform had informed him that his account was last accessed by a computer in Virginia. That doesn’t mean much: whoever took over his account could have been located anywhere.

After the hijacker had control of Feathers’s account, they used it to send a tweet advertising the masks website. They also sent a link to the site, via DM, to a load of his followers, Feathers said.

They sent DMs to what looks like all (or at least a lot) of my followers with a link to masksfast [.] us and some variation of the message: ‘Masks save lives.’

As Cox notes, it’s not clear whether the barebones site is actually selling the products it lists or if it’s just a scam. I, for one, certainly wouldn’t hand over my credit card, given a number of oddities, including that a) clicking on its multiple social media logos merely sends you round-robin, returning you to the site’s home page, and b) the site refers to toilet paper as “paper towels,” which suggests that its creators aren’t fluent with the American English terminology for the quotidian product that’s grown so scarce, or with its British rendition (“toilet paper” or “toilet roll”).

At any rate, as Cox reports, the records for the site show that it was created on Monday. Motherboard also found other, near-identical masks websites hosted on the same IP address as the site mentioned by the hacked accounts, some of which had been created just a few days earlier.

The timing of this coronavirus-related cyber assault jibes with what’s happening all over the internet. Over the past week or so, thousands of COVID-19 scam and malware sites have been pumped out on a daily basis. Cyber crooks have been going online to put up coronavirus scam sites or to sell counterfeit surgical masks; fake self-testing kits for HIV and glucose monitoring; and/or bogus antiviral meds, chloroquine (that’s fish-tank cleaner to me and you, and regardless of what you might have heard, please don’t take it – at least one man has already died), Vitamin C or other food supplements.

Law enforcement agents have been trying to mop it all up: on Friday, the state of New York let it be known to domain registrars that it’s high time they cracked down on this health-threatening trend by making it tougher to register a domain that’s likely to be selling snake oil, inflicting malware or setting up whatever other trap the crooks have been rushing to put into place.

Europol on Saturday announced that a global operation to target trafficking in counterfeit medicines – named Operation Pangea – has resulted in the seizure of nearly 34,000 counterfeit surgical masks.

Involving 90 countries worldwide, the operation took place between 3 and 10 March and led to the seizure of €13 million (USD $14m, £11.9m) worth of potentially dangerous drugs. Law enforcement officers also coordinated by Interpol took down about 2,500 links to websites, social media, online marketplaces, and ads. Police also arrested 121 COVID-19 scam suspects and took down 37 organized crime groups.

Europol says that the operation, which is ongoing, revealed a “worrying increase” in unauthorized antiviral medications and the antimalarial chloroquine.

In short, the hijacked Twitter accounts being used to hype face mask sites are yet another wrinkle in what the World Health Organization (WHO) has dubbed the Infodemic – a virtual plague of misinformation and fraud that it’s fighting right alongside the viral pandemic.

Twitter reacts

Twitter told Motherboard that it had taken action against a number of accounts and URLs around the suspicious activity. The platform pointed to its policy banning malicious use of bots and inauthentic accounts. Its statement:

Currently, our team is not seeing large-scale coordinated platform manipulation surrounding the Covid-19 conversation. As is standard, we will remove any pockets of smaller coordinated attempts to distort or inorganically influence the conversation. Additionally, we’re continuing to review and require the removal of Tweets that do not follow the Twitter Rules – half of which we catch before they’re ever reported to us. If people see anything suspicious on our service, please report it to us. This is an evolving global conversation and we will remain vigilant.


Windows has a zero-day that won’t be patched for weeks

Cybercriminals are exploiting two unpatched zero-day flaws affecting all supported versions of Windows, Microsoft has warned.

The Remote Code Execution (RCE) vulnerabilities affect Adobe Type Manager (ATM) Library, the part of Windows that manages PostScript Type 1 fonts.

For now, there are no CVE identifiers and the only confirmed details are in Microsoft’s warning:

Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library and is providing the following guidance to help reduce customer risk until the security update is released.

Attackers could exploit the flaw by persuading users to open a malicious document. Importantly, however, the same danger would arise even if users viewed that document using the Windows Explorer file manager preview pane.

The latter is significant because, for now, there’s no software fix, which could be as far away as the next Patch Tuesday update, scheduled for 14 April 2020:

Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.

Until then, the only countermeasures are the recommended workarounds, the first of which involves disabling Explorer’s preview and details panes.

This can be achieved as follows:

  1. Open Windows Explorer, click the View tab (Organize and Layout on older systems).
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Options (or Organize), and then click Change folder and search options.
  4. Click the View tab.
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the WebClient service should also block the most likely attack route, Microsoft said:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Disabled. If the service is running, click Stop.
  4. Click OK and exit the management application.

Renaming atmfd.dll was another mitigation for versions of Windows before Windows 10 1709, with instructions on how to do this for different older versions covered in the advisory.

This workaround might affect OpenType fonts, which, although not part of Windows, are used by some third-party applications.

The affected versions of Windows include 32-bit and 64-bit versions of Windows 10 (1607, 1709, 1803, 1809, 1903, 1909), Windows 8.1, Windows 7, and Windows Servers 2008, 2012, 2016 and 2019, including Server Core installations.

Importantly, Windows 7 users whose installations lack an Extended Security Updates (ESU) agreement won’t receive patches for these flaws (Windows 7 reached end of life on 14 January 2020).

Why is Microsoft patching Adobe Type Manager?

The short answer is because this vulnerability has nothing to do with Adobe – despite its name, ATM has long been part of Windows itself, and is maintained by Microsoft under a license agreement that presumably requires it to name-check Adobe.

This is the third time in a matter of weeks that Microsoft has faced patching a Windows zero-day, and each time the timing of the patch has been a problem.

February’s Patch Tuesday saw a fix for an Internet Explorer flaw (CVE-2020-0674), a zero-day which had been exploited in “limited attacks” dating back to January.

And earlier this month, Microsoft scrambled to patch the ‘SMBGhost’ vulnerability (CVE-2020-0796), news of which leaked accidentally into the public domain.


Your unused computer could help find a COVID-19 cure

Folding@Home, a distributed computing project that’s using its might to battle COVID-19, is now twice as fast as Summit, the world’s fastest supercomputer. In fact, it now has more brawn than the world’s top seven supercomputers – combined.

Folding@home’s director, Dr. Greg Bowman, told Twitter on Friday that the project’s now working with about 470 petaFLOPS in its quest to help scientists better understand how the virus’s proteins fold and bind, and hence find a way to block them from attaching to human cells.

Earlier this month, Oak Ridge National Laboratory (ORNL) announced that IBM’s Summit had joined the coronavirus fight and that it had already found 77 promising small-molecule drug compounds that can be tested for experimental use.

A distributed computing project like Folding@Home works by borrowing PC-owning donors’ idle CPU and GPU cycles. Since February, the community has been working on the computationally heavy work of figuring out how the virus’s proteins bind to cells.

It’s all about blocking those spikes on the outer surface of the virus.

Infection in both COVID-19 (2019-nCoV) and its close cousin, the SARS coronavirus (SARS-CoV), first happens in the lungs when a protein on the surface of the virus binds to a receptor protein on a lung cell.

You’ve seen those little spikes in depictions of the coronavirus: they’re the red prongs that surround the virus, looking like a corona and hence giving the disease its name. They’re called the spike protein, or ACE2. One way to stop the infection is to block the spike protein from binding to the receptor cell. One such therapeutic antibody has already been developed for SARS-CoV, but in order to develop something similar for COVID-19, scientists need to better understand the structure of the virus’s spike protein and how it binds to the human ACE2 receptor to gain viral entry into human cells.

In late February, when the outbreak was picking up steam, the Folding@Home project asked for volunteers to donate their computers’ unused computational power to help accelerate the effort to develop new life-saving therapies, as part of an open science collaboration of multiple laboratories around the world.

Folding@Home says there’s been a roughly 1,200% increase in contributors, with 400,000 new members signing up in the past two weeks.

Got a spare computer collecting dust somewhere? It might well be time to dust that soldier off and commission it in the battle. Folding@Home is still looking for help and horsepower, and you can find out how to contribute here.

A disclaimer: this project has, understandably, been swamped by eager participants. Please do bear with them: they’re doing the best they can, the project said, but there might be a bit of downtime as they set up simulations:

These calculations are enormous and every little bit helps! Each simulation you run is like buying a lottery ticket. The more tickets we buy, the better our chances of hitting the jackpot.

Usually, your computer will never be idle, but we’ve had such an enthusiastic response to our COVID-19 work that you will see some intermittent downtime as we sprint to set up more simulations. Please be patient with us! There is a lot of valuable science to be done, and we’re getting it running as quickly as we can.

May you tread a carpet of four-leaf clovers in this lottery, Folding@Home.
