
S3 Ep141: What was Steve Jobs’s first job?

PONG FOR ONE!?


With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG.  Emergency Apple patches, justice for the 2020 Twitter hack, and “Turn off your phones, please!”

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth; he is Paul Ducklin.

Paul, how do you do?


DUCK.  I’m very well, Douglas.

And just to be clear, when we talk about “turning off your phone”, that’s not just when you’re travelling in the Quiet Carriage on the train…

…though that would be certainly nice. [LAUGHTER]


DOUG.  That would!

Well, stick around for more on that.

But first we start with our This Week in Tech History segment.

Paul, should I go with the transistor, which is our obvious choice this week, or go mildly countercultural?

What say you?


DUCK.  I don’t know what you’re proposing for the countercultural thing, but let me try this…

…I spy, with my little eye, something beginning with “A”?


DOUG.  Correct!

This week, on 27 June 1972, pioneering video game company Atari was founded by Nolan Bushnell and Ted Dabney.

Fun fact: before Atari was named “Atari”, it went by “Syzygy”.

However, Atari co-founder Nolan Bushnell considered various terms from the game Go, eventually choosing Atari, referencing a position in the game when a group of stones is imminently in danger of being taken.


DUCK.  That’s where a young Steve Jobs got his start, isn’t it?


DOUG.  Exactly right!


DUCK.  And he drafted in his chum Woz [Steve Wozniak] to design the follow-up to PONG, but you only needed one player.

Namely, Breakout.


DOUG.  Great game!

Still, to this day, it holds up, I can tell you first hand.


DUCK.  It certainly does!


DOUG.  Well, let’s stick with Apple and start our stories.

This is an emergency patch for silent, dangerous iPhone malware.

So, what’s going on here, Paul?

Apple patch fixes zero-day kernel hole reported by Kaspersky – update now!


DUCK.  This is the Triangulation Trojan that was announced at the start of June 2023 by Russian anti-malware company Kaspersky.

They claimed they’d found this thing not because they were doing threat analysis for a customer, but because they found something weird on their own executives’ phones.

They went looking and, “Oh, golly, here are some 0-days.”

And that was the big story of the start of June 2023.

Apple issued a double patch.

As often seems to happen when these emergency patches come out, there was a WebKit bug, basically of the “reports exist that this was exploited” sort (it’s an 0-day!), and a kernel-level code execution hole.

That was the one found by Kaspersky researchers.

And, as we’ve said many times before, those two types of exploit are often combined in iPhone attacks.

Because the WebKit exploit gets the crooks in, although it gives them limited power, and then the kernel-level hole that they exploit with the code they’ve injected into the browser gives the full takeover.

And therefore you can essentially implant malware that not only spies on everything, but survives reboots, etc.

That certainly smells of “spyware”, “complete phone takeover”, “utter jailbreak”…

So, go and check that you have the latest updates, because although these bugs are only known to have been exploited on iPhones, the actual vulnerabilities exist pretty much in every Apple device, notably including Macs running macOS (all supported versions).


DOUG.  OK, Settings > General > Software Update to see if you’ve gotten the patch already.

If not, patch!

Now let’s move on to the… [LAUGHS]

…it’s a shame that this is still a thing, but just the low-hanging fruit of cybercrime.

Guessing your way into Linux servers.

Beware bad passwords as attackers co-opt Linux servers into cybercrime


DUCK.  This was South Korean anti-virus researchers who, sadly (I guess that’s the right word), discovered that the old tricks are still working.

Crooks are using automated systems to find SSH servers, and just trying to log in with one of a well-known set of username/password pairs.

One of the ones that was commonly used on their list: the username nologin with the password nologin. [LAUGHTER]

As you can imagine, once the crooks had found their way in…

…presumably via servers that either you’d forgotten about, or that you didn’t realise you were running in the first place because they just magically started up on some device you bought, or that they came as part of another software installation and were weakly configured.

Once they’re in, they’re doing a mixture of things, these particular crooks: attacks that can be automated.

They’re implanting DDoS-for-hire zombies, which is software that they can later trigger to use your computer to attack somebody else, so you’re left looking like a Bad Guy.

They’re also injecting (can you believe it!) cryptomining code to mine for Monero coins.

And lastly, just because they can, they’re routinely inserting zombie malware called ShellBot, which basically means that they can come back later and instruct the infected device to upgrade itself to run some new malware.

Or they can sell access on to somebody else; they can basically adapt their attack as they want.


DOUG.  Alright, we’ve got some advice in the article, starting with: Don’t allow password-only SSH logins, and frequently review the public keys that your SSH server relies on for automated logins.


DUCK.  Indeed.

I think, if you asked a lot of sysadmins these days, they’d say, “Oh, no, password only logins on SSH? We haven’t been allowing those for years.”

But are you sure?

It may be that you force all of your own official users to use public/private key logins only, or to use password-plus-2FA.

But what if, at some time in the past, some previous crook was able to fiddle with your configuration so that password-only logins are allowed?

What if you installed a product that brought with it an SSH server in case you didn’t have one, and set it up weakly configured, assuming that you would go in and configure it correctly afterwards?

Remember that if crooks do get in once, particularly via an SSH hole, often what they will do (particularly the cryptomining crooks) is they will add a public key of their own to your authorised-public-keys-that-can-login list.

Sometimes they’ll also go, “Oh, we don’t want to mess around, so we’ll turn on root logins,” which most people don’t allow.

Then they don’t need your weak passwords anymore, because they’ve got an account of their own that they have the private key for, where they can log in and do root stuff right away.


DOUG.  And, of course, you can also use XDR tools (extended detection and response) to review for activity you wouldn’t expect, such as high spikes in traffic and that kind of stuff.


DUCK.  Yes!

Looking for bursts of outbound traffic is very useful, because not only can you detect potential abuse of your network to do DDoS, you might also catch ransomware criminals exfiltrating your data in the run up to scrambling everything.

You never know!

So, keeping your eye out is well worth it.

And of course, malware scanning (both on-demand and on-access) can help you an awful lot.

Yes, even on Linux servers!

But if you do find malware, don’t just delete it.

If one of those things is on your computer, you’ve got to ask yourself, “How did it get there? I really need to find out.”

That’s where threat hunting becomes very important.


DOUG.  Careful out there, folks.

Let’s talk about the Great Twitter Hack of 2020 that has finally been resolved with, among other things, a five-year prison sentence for the perpetrator.

UK hacker busted in Spain gets 5 years over Twitter hack and more


DUCK.  I saw a lot of coverage of this in the media: “Twitter Celeb Hacker Gets Five Years”, that sort of thing.

But the headline that we had on Naked Security says: UK hacker busted in Spain gets five years over Twitter hack and more.

The key things I’m trying to get into two lines of headline there, Doug, are as follows.

Firstly, that this person was not in the US, like the other perpetrators were, when he did the Twitter hack, and he was ultimately arrested when he travelled to Spain.

So there are lots of international gears going here.

And that, actually, the big deals that he was convicted for…

…although they included the Twitter hack (the one that affected Elon Musk, Bill Gates, Warren Buffett, Apple Computer, where they were used to promote a cryptocurrency scam), that was a small part of his cybercrime doings.

And the Department of Justice wanted you to know that.


DOUG.  And “plenty more” it was.

SIM swapping; stealing; threatening people; swatting people’s homes.

Bad stuff!


DUCK.  Yes, there was a SIM swap…

…apparently he made $794,000 worth of Bitcoins out of this, by SIM-swapping three executives at a cryptocurrency company, and using that to access corporate wallets and drain them of almost $800,000.

As you say, he was taking over TikTok accounts and then basically blackmailing the people saying, “I’ll leak…” well, the Department of Justice just refers to it as “stolen sensitive materials.”

You can use your imagination for what that probably includes.

He had this fake online persona, and he hacked some celebs who were already online and then told them, “I’ve got all your stuff; I’ll start leaking it unless you start promoting me so I can become as popular as you.”

The last things that he was convicted for were the really evil-sounding ones.

Stalking and threatening a minor by swatting them.

As the Department of Justice describes it:

A swatting attack occurs when an individual makes false emergency calls to a public authority in order to cause a law enforcement response that may put the victim or others in danger.

And when that didn’t work (and remember, this victim is a minor), they called up other family members and threatened to kill them.

I think the Department of Justice wanted to make it clear that although the celeb Twitter hack was in amongst all of this (where they tricked Twitter employees into letting them get access to internal systems), it’s almost as though those were the minor parts of this crime.

The person ended up with five years (not perhaps more, which they might have got if they decided to go to trial – they did plead guilty), and three years of supervised release, and they have to forfeit $794,012.64.

Though it doesn’t say what happens if they go, “Sorry, I don’t have the money anymore.”


DOUG.  We’ll find out sooner or later.

Let’s end the show on a slightly lighter note.

Inquiring minds want to know, Paul, “Should we turn off our phones while we brush our teeth?”

Aussie PM says, “Shut down your phone every 24 hours for 5 mins” – but that’s not enough on its own


DUCK.  Oh, I wonder which story you’re referring to, Doug? [LAUGHTER]

In case you haven’t seen it, it’s one of the most popular stories of the year so far on Naked Security.

The headline says Australian Prime Minister says, “Shut down your phone every 24 hours for 5 minutes.”

Presumably, somebody in the government’s cybersecurity team had pointed out that if you happen to have spyware on your phone (this followed the Apple story, right, where they fixed the zero-day found by Kaspersky, so spyware was in everyone’s mind)…

…*if* you have spyware that doesn’t survive a reboot because it doesn’t have what the jargon calls “persistence” (if it’s a transient threat because it can only inject itself into memory until the current process ends), then when you reboot your phone, you get rid of the spyware.

I guess this seemed like a harmless idea, but the problem is that most serious spyware these days *will* be a “persistent threat”.

So I think the real problem with this advice is not that it might get you to brush your teeth longer than is advised, because obviously, if you brush too much, you can damage your gums…

…the problem is that it implies that there’s this magic thing that you have to do, and if you do so, you’re helping everybody.


DOUG.  As luck would have it, we have a long list of things you can do other than just turning off your phone for five minutes.

Let’s start with: Get rid of apps you don’t need.


DUCK.  Why have apps that may have data stored on your phone that you don’t need?

Just simply get rid of apps if you’re not using them, and get rid of all the data that goes with them.

Less is very much more, Douglas.


DOUG.  Excellent.

We’ve also got: Explicitly log out from apps when you aren’t using them.


DUCK.  Yes.

Very unpopular advice when we give it [LAUGHTER]…

…because people go, “Oh, you mean that, on my phone, I won’t just be able to press the Zoom icon and I’ll be straight in a call?”

No amount of rebooting your phone will log you out from apps that you’ve stayed logged into.

So you can reboot your phone, which might just throw away some spyware that you’re probably never going to get anyway, but it won’t log you out from Facebook, Twitter, TikTok, Instagram, etc.


DOUG.  Alright, and we’ve got: Learn how to manage the privacy settings of all the apps and services you use.

That’s a good one.


DUCK.  I thank you for saying it’s a good one, and I was very proud of it when I wrote it myself…

…but then I had that sinking feeling, when I came to explain it, that I’m not going to be able to do it unless I write a series of 27 sub-articles. [LAUGHTER]


DOUG.  Probably going to have to search for it…


DUCK.  Maybe take the time to go into your favorite apps, go into the settings, have a look at what’s available.

You may be pleasantly surprised at some of the things you can lock down that you didn’t realise.

And go into the Settings app of the phone itself, whether you’re running iOS or Android, and actually dig through all the things you can do, so you can learn how to turn off things like Location Settings, how to review which apps have access to your photos, and so on.


DOUG.  OK.

And this one is probably overlooked by many, but: Turn off as much as you can on the lock screen.


DUCK.  My recommendation is try to have nothing on your lock screen except what the phone forces you to have.


DOUG.  Alright, and on a similar note: Set the longest lock code and the shortest lock time you can tolerate.


DUCK.  Yes.

That doesn’t need much explanation, does it?

Once again, it’s not popular advice. [LAUGHTER]


DOUG.  A little inconvenience goes a long way!


DUCK.  Yes, I think that’s the good way to put it.


DOUG.  And then: Set a PIN code on your SIM card if you have one.


DUCK.  Yes, a lot of phones and mobile operators still provide SIM cards.

Now, in the future, phones probably won’t have a SIM slot; it will all be done electronically.

But at the moment, certainly if you’re doing pay-as-you-go stuff, you buy a little SIM card (it’s a secure chip), and you plug it into a little slot in the side of your phone, and you don’t think about it anymore.

And you imagine that when you lock your phone, you’ve somehow magically locked the SIM.

But the problem is that if you power down the phone, eject the SIM, plug it into a new device, and there isn’t a lock code on the SIM card itself, *then the SIM just starts working*.

A crook who steals your phone shouldn’t be able to unlock your phone and use it to make calls or get your 2FA codes.

But locking your SIM card also means that if they take the SIM card out, they can’t just magically acquire your number, or literally do a “SIM swap”, by just sticking it into another device.

A lot of people don’t even realise you can or should set a lock code on hardware SIM cards, but remember that they are removable by design *precisely so you can swap them*.


DOUG.  And then we had a tip that said: Learn how to clear your browser history and do so frequently.

This prompted a comment, our comment of the week, from Jim, who asked if you could clarify the difference between clearing a browser *history* and clearing browser *cookies*:

Clearing cookies erases tracking data, login sessions, etc.

Clearing history erases the list of places that you’ve been, which breaks autocompletion of addresses, which increases the chance of mistyping an address, which plays into the hands of typosquatting malware sites.

Not ideal.


DUCK.  I had two responses to that comment.

One was, “Oh, dear. I didn’t write that clearly enough.”

So I went back and changed the tip to say: Learn how to clear your browser history, cookies and site data, and do so frequently.

In that sense, it was a very good comment.

The bit where I disagree with Jim is the idea that clearing your browser history puts you at greater risk of typosquatting.

And I think what he’s saying is that if you’ve typed in a URL correctly, and it’s in your history, and you want to go back to that URL later by, say, clicking the back button…

…you’ll get back to where you want to be.

But if you make the person type in the URL over and over again, eventually they’ll type in the wrong word, and they’ll get typosquatted.

Now, while that is technically true, if you want a site that you go to regularly to have a fixed URL that you go to directly from a menu, my recommendation is to use a bookmark.

Do not rely on your browser history or browser autocompletion.

Because, in my opinion, that actually makes it more likely that you will compound a mistake you made earlier, rather than that you won’t get the wrong site in the future.

You also have the problem, with your browser history list, that it can give away an awful lot of information about what you’ve been doing lately.

And if you don’t clear that history list regularly, “lately” might not just be hours; it could be days or even weeks.

So why keep it lying around where a crook might happen upon it by mistake?


DOUG.  Alright, great.

Thank you very much, Jim, for sending in that comment.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you: Until next time…


BOTH.  Stay secure!

[MUSICAL MODEM]


Pong screenshot in featured image via pong74ls from Wikimedia, under Creative Commons Attribution 3.0 Unported licensing.
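The SSH advice discussed in the podcast above (no password-only logins, no root logins, and a regular review of the public keys your server trusts) can be turned into a small audit. The following Python is an added example written for this page, not code from Sophos or from the South Korean researchers; the sshd_config fragments and the authorized_keys entries are constructed samples, the ed25519 key blobs are filler bytes rather than real keys, and the function names are my own. The fingerprint routine produces the same SHA256:… form that ssh-keygen -lf prints, so an allowlist can be built from that tool’s output on a known-good host.

```python
import base64
import hashlib
import struct

# --- Constructed sample data (hypothetical; not taken from any real host) ---

WEAK_SSHD_CONFIG = """\
# sshd_config as a product installer might leave it (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# sshd_config with the settings the podcast recommends (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, the encoding used inside OpenSSH key blobs."""
    return struct.pack(">I", len(data)) + data

def fake_ed25519_blob(fill: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob from a fixed
    byte pattern. This is NOT a real key; it only gives the fingerprint
    code realistic-looking input to work on."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return base64.b64encode(blob).decode()

SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {fake_ed25519_blob(1)} alice@laptop\n"
    f"ssh-ed25519 {fake_ed25519_blob(2)} backup-job@ci\n"
    f"ssh-ed25519 {fake_ed25519_blob(3)}\n"   # no comment at all: who added this?
)

# Keywords that should be off, and the only value accepted for each.
WANTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "kbdinteractiveauthentication": "no",
}

# OpenSSH defaults when the keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

def parse_sshd_config(text: str) -> dict:
    """Return the effective global value of each keyword. OpenSSH honours the
    first occurrence of a keyword, and everything after a Match line is
    conditional, so parsing stops there (assumption: Match blocks are
    reviewed separately)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "challengeresponseauthentication":   # older alias
            key = "kbdinteractiveauthentication"
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text: str) -> list:
    """List every setting that still permits password-only or root logins."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual != wanted:
            findings.append(f"{key} is '{actual}', expected '{wanted}'")
    return findings

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the same form that ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unexpected_keys(authorized_keys: str, known_fingerprints: set) -> list:
    """Return (fingerprint, comment) for every key not on the allowlist.
    Keys are matched by fingerprint, never by comment, because the comment
    is free text chosen by whoever wrote the line. Assumption: plain
    'type blob [comment]' lines, no leading option fields."""
    unexpected = []
    for raw in authorized_keys.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 2:
            continue
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        fp = fingerprint(fields[1])
        if fp not in known_fingerprints:
            unexpected.append((fp, comment))
    return unexpected

if __name__ == "__main__":
    print("weak config findings    :", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    known = {fingerprint(fake_ed25519_blob(1)), fingerprint(fake_ed25519_blob(2))}
    for fp, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, known):
        print("unexpected key:", fp, comment)
```

Run against the weak sample it reports three findings (the absent KbdInteractiveAuthentication counts, because the default is yes); against the hardened sample it reports none, and the third authorized_keys entry is flagged because its fingerprint is not on the allowlist, regardless of what comment it does or doesn’t carry.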


Interested in $10,000,000? Ready to turn in the Clop ransomware crew?

The latest high-profile cybercrime exploits attributed to the Clop ransomware crew aren’t your traditional sort of ransomware attacks (if “traditional” is the right word for an extortion mechanism that goes back only to 1989).

Conventional ransomware attacks are where your files get scrambled, your business gets totally derailed, and a message appears telling you that a decryption key for your data is available…

…for what is typically an eye-watering amount of money.

Criminal evolution

As you can imagine, given that ransomware goes back to the days before everyone had internet access (and when those who were online had data transfer speeds measured not in gigabits or even megabits per second, but often merely in kilobits), the idea of scrambling your files where they lay was a dastardly trick to save time.

The criminals ended up with complete control over your data, without needing to upload everything first and then overwrite the original files on disk.

Better yet for the crooks, they could go after hundreds, thousands or even millions of computers at once, and they didn’t need to keep hold of all your data in the hope of “selling it back” to you. (Before cloud storage became a consumer service, disk space for backup was expensive, and couldn’t easily be acquired on demand in an instant.)

Victims of file-encrypting ransomware ironically end up acting as unwilling prison wardens of their own data.

Their files are left temptingly within reach, often with their original filenames (albeit with an extra extension such as .locked added on the end to rub salt into the wound), but utterly unintelligible to the apps that would usually open them.

But in today’s cloud computing world, cyberattacks where ransomware crooks actually take copies of all, or at least many, of your vital files are not only technically possible, they’re commonplace.

Just to be clear, in many, if not most, cases, the attackers scramble your local files too, because they can.

After all, scrambling files on thousands of computers simultaneously is generally much faster than uploading them all to the cloud.

Local storage devices typically provide a data bandwidth of several gigabits per second per drive per computer, whereas many corporate networks have an internet connection of a few hundred megabits per second, or even less, shared between everyone.

Scrambling all your files on all your laptops and servers across all of your networks means that the attackers can blackmail you on the basis of bankrupting your business if you can’t recover your backups in time.

(Today’s ransomware crooks often go out of their way to destroy as much of your backed-up data as they can find before they do the file scrambling part.)

The first layer of blackmail says, “Pay up and we’ll give you the decryption keys you need to reconstruct all your files right where they are on each computer, so even if you have slow, partial or no backups, you’ll be up and running again soon; refuse to pay and your business operations will stay right where they are, dead in the water.”

At the same time, even if the crooks only have time to steal some of your most interesting files from some of your most interesting computers, they nevertheless get a second sword of Damocles to hold over your head.

That second layer of blackmail goes along the lines of, “Pay up and we promise to delete the stolen data; refuse to pay and we won’t merely hold onto it, we’ll go wild with it.”

The crooks typically threaten to sell your trophy data on to other criminals, to forward it to the regulators and the media in your country, or simply to publish it openly online for anyone and everyone to download and gorge on.

Forget the encryption

In some cyberextortion attacks, criminals who have already stolen your data either skip the file scrambling part, or aren’t able to pull it off.

In that case, victims end up getting blackmailed only on the basis of keeping the crooks quiet, not of getting their files back to get their business running again.

That seems to be what happened in the recent high-profile MOVEit attacks, where the Clop gang, or their affiliates, knew about an exploitable zero-day vulnerability in software known as MOVEit…

…that just happens to be all about uploading, managing, and securely sharing corporate data, including a component that lets users access the system using nothing more complex than their web browsers.

Unfortunately, the zero-day hole existed in MOVEit’s web-based code, so that anyone who had activated web-based access inadvertently exposed their corporate file databases to remotely-injected SQL commands.



Apparently, more than 130 companies are now suspected to have had data stolen before the MOVEit zero-day was discovered and patched.

Many of the victims appear to be employees whose payroll details were breached and stolen – not because their own employer was a MOVEit customer, but because their employer’s outsourced payroll processor was, and their data was stolen from that provider’s payroll database.

Furthermore, it seems that at least some of the organisations hacked in this way (whether directly via their own MOVEit setup, or indirectly via one of their service providers) were US public service bodies.

Reward up for grabs

This combination of circumstances led to the US Rewards for Justice (RFJ) team, part of the US Department of State (your country’s equivalent might go by the name Foreign Affairs or Foreign Ministry), reminding everyone on Twitter as follows:

The RFJ’s own website says, as quoted in the tweet above:

Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).

Whether informers could end up with several multiples of $10,000,000 if they identify multiple offenders isn’t clear, and each reward is specified as “up to” $10 million rather than an undiluted $10 million every time…

…but it will be interesting to see if anyone decides to try to claim the money.


UK hacker busted in Spain gets 5 years over Twitter hack and more

Some hacks become so notorious that they acquire a definite article, even if the word THE ends up attached to a very general technical term.

For example, you can probably trot out the names of dozens of well-known internet worms amongst the millions that exist in the zoos maintained by malware collectors.

NotPetya, Wannacry, Stuxnet, Conficker, Slammer, Blaster, CodeRed and Happy99 are just a few from the past couple of decades.

But if you say THE internet worm, then everyone knows that you mean the Great Worm of November 1988 – the one written by Robert Morris, student son of Robert Morris of the US National Security Agency, that ended with Morris Junior getting three years of probation, 400 hours of community service and a $10,050 fine:

And if you say THE Twitter hack, everyone knows you mean the one that happened in July 2020, when a small group of cybercriminals ended up in control of a small number of Twitter accounts and used them to talk up a cryptocoin fraud.

But what accounts they were, as we wrote a year later, including Bill Gates, Elon Musk, Kanye West, Joe Biden, Barack Obama, Jeff Bezos, Mike Bloomberg, Warren Buffett, Benjamin Netanyahu, Kim Kardashian, and Apple (yes, THE Apple):

One of the suspects in that case was Joseph O’Connor, then 21, who wasn’t in the US, and who eluded US authorities for a further year until he was arrested on the Costa del Sol in Spain in July 2021:

Off to prison at last

O’Connor was ultimately extradited to the US in April 2023, pleaded guilty in May 2023, and was sentenced last week.

He wasn’t convicted only of the Twitter cryptocoin scam we mentioned above, where high profile accounts were used to trick people into sending “investments” to users they assumed were people such as Gates, Musk, Buffett and others.

He was also convicted of:

  • Using a SIM-swap trick to steal about $794,000 in cryptocurrency. SIM swaps are where a criminal sweet-talks, bribes or coerces a mobile phone provider into issuing them with a “replacement” SIM card for someone else’s number, typically under the guise of wanting to buy a new phone or urgently needing to replace a lost SIM. The victim’s SIM card goes dead, and the crook starts receiving their calls and text messages, notably including any two-factor authentication (2FA) codes needed for secure logins or password resets. By taking over the SIMs of three staff members at a cryptocurrency company, O’Connor and others drained nearly $0.8m in cryptocoins from corporate wallets.
  • Using a similar trick to take over two celebrity TikTok accounts and threaten the account holders. O’Connor “stated publicly, via a post to [the first victim’s] TikTok account, that he would release sensitive, personal material,” and “threatened to publicly release […] stolen sensitive materials unless [the second victim] agreed to publicly post messages [promoting O’Connor’s] online persona, among other things.”
  • Stalking and threatening a minor. O’Connor “swatted” the victim, meaning that he called law enforcement claiming to be the victim and saying “he was planning to kill multiple people at his home,” as well as calling in the guise of someone else who claimed that “the [third victim] was making threats to shoot people.” That same day, O’Connor also made similar “swat” calls to a high school, a restaurant, and a sheriff’s department in the same area. The following month, he “called multiple family members of [the third victim] and threatened to kill them.”

Swatting gets its name because the usual reaction of US law enforcement to a call claiming that a shooting is imminent is to send a so-called Special Weapons and Tactics (SWAT) team to deal with the situation, rather than expecting a regular patrol officer to stop by and investigate.

As the US Department of Justice describes it:

A “swatting” attack occurs when an individual makes a false emergency call to a public authority in order to cause a law enforcement response that may put the victim or others in danger.

O’Connor was convicted of multiple offences: conspiracy to commit computer intrusions, conspiracy to commit wire fraud, conspiracy to commit money laundering, making extortive communications, stalking, and making threatening communications.

He received a five-year prison sentence, followed by three years of supervised release, and he was ordered to pay $794,012.64 in forfeiture. (What happens if he can’t or won’t pay, we don’t know.)

What to do?

SIM swaps are tricky to protect against, because the final decision to authorise a replacement SIM card is down to your mobile phone company (or the staff in one of its stores), not to you yourself.

But the following tips can help:

  • Consider switching away from SMS-based 2FA if you haven’t already. One-time login codes based on text messages are better than no 2FA at all, but they clearly suffer from the weakness that a scammer who decides to target you can attack your account indirectly via your mobile provider instead of directly via you. App-based 2FA generally depends on a code sequence generated by an app on your phone, so you don’t even need a SIM card or a network connection on your phone.
  • Use a password manager if you can. In some SIM-swap attacks, the crooks go after your SIM card because they already know your password, and are getting stuck at your second factor of authentication. A password manager helps to stymie the crooks right at the start, getting them stuck at your first factor of authentication instead.
  • Watch out if your phone goes dead unexpectedly. After a SIM swap, your phone won’t show any connection to your mobile provider. If you have friends on the same network who are still online, this suggests that it’s probably you who is offline and not the whole network. Consider contacting your phone company for advice. If you can, visit a phone shop in person, with ID, to find out if your account has been taken over.

Aussie PM says, “Shut down your phone every 24 hours for 5 mins” – but that’s not enough on its own

The Australian Prime Minister, Anthony Albanese, has apparently advised people Down Under to turn off their mobile phones once a day, for the surprisingly precise period of five minutes, as a cybersecurity measure.

UK newspaper The Guardian quotes the PM as saying:

We all have a responsibility.

Simple things, turn your phone off every night for five minutes.

For people watching this, do that every 24 hours, do it while you’re brushing your teeth or whatever you’re doing.

Why at night? Why every day? Why for five minutes, and not, say, two minutes or 10 minutes?

We’re not sure.

But the Guardian suggests that the reason is that this will “stop any spyware that may be running in the background on your device.”

There’s some truth in this, given that malware infections can generally be divided into two separate categories, known in the jargon as persistent threats and the rest.

In malware terms, persistence generally refers to rogue software that outlives the app that launched it, that outlives your current logon session (if you’re on a laptop), or that survives even a full power-off and reboot.

But non-persistent threats are transient, and don’t survive from app launch to app launch, or from session to session, or from shutdown to reboot.

And shutting down generally closes all your apps, then closes down the entire operating system, thus stopping any malware or spyware that was active in the background, along with everything else.

In that sense, regularly rebooting your phone won’t do any harm.

There’s a lot more to it

The problem is that most malware these days, especially secretive mobile spyware developed at the likely cost of millions of dollars, will be of the persistent threat sort, meaning that it won’t exist only in memory until the end of your current session and then evaporate like early-morning summer mist.

For example, Apple’s latest spyware-crushing security update for iPhones, iPads and Macs included patches for two zero-day code execution vulnerabilities: one in WebKit, Apple’s low-level browser software, and one in the operating system’s own kernel.

If attackers can only trigger the execution of unauthorised code inside your browser, then it’s likely that their malware won’t be able to escape from the browser process and therefore won’t be able to access or modify any other parts of the device.

The malware might therefore be limited to the current browser session, so that rebooting your phone (which would bump the browser software and its injected malware code out of memory) would indeed magically disinfect the device.

But if the unauthorised code that the attackers run inside your browser via the zero-day WebKit bug follows up by triggering the other zero-day bug in the kernel, you are in a pickle.

The attackers can use the non-persistent malware in your browser to compromise the kernel itself, getting control over your entire device.

Then, the attackers can use the unauthorised code running inside your kernel to implant a persistent malware infection that will automatically start back up whenever your phone does.

If that’s how the attackers choose to do it, then religiously rebooting your phone every day will give you a false sense of security, because it will feel as though you’re doing something really important and useful, even though you aren’t.

Other tips to consider as well

With that in mind, here are some additional mobile cybersecurity tips to consider as well.

Unfortunately, none of these are quite as easy and unintrusive as simply “turning it off and back on again”, but they’re all worth knowing about:

  • Get rid of apps you don’t need. Uninstall unnecessary apps entirely, and delete all their associated data. If your needs change, you can always reinstall the app in the future. The best way to avoid having data snooped on by malware is not to have it stored where the malware can see it in the first place. Unfortunately, many mobile devices come with a raft of preinstalled software that can’t be uninstalled, known disparagingly in the jargon as bloatware, but some of these non-removable packages can be turned off to prevent them running automatically in the background.
  • Explicitly log out from apps when you aren’t using them. This is unpopular advice, because it means you can’t just open an app such as Zoom, Outlook or Strava and be back in the middle of a meeting, a discussion forum or a group ride at a moment’s notice. And logging in with passwords and 2FA codes via the fiddly keyboard of a mobile phone can be annoying. But the best way to avoid exposing data by mistake is to authorise yourself, and therefore your device, to access it only when genuinely necessary. Rebooting your device doesn’t “reboot” the logged-in status of the apps you use, so your phone starts back up with all your commonly used apps automatically reauthenticated to their respective online accounts, unless you previously logged out deliberately. Unfortunately, different apps (and different operating system options) implement their logout processes in different ways, so you may need to dig around to find out how to do this.
  • Learn how to manage the privacy settings of all the apps and services you use. Some configuration settings can be controlled centrally via your phone’s operating system Settings app, others can be managed in the app itself, and others may need you to visit an online portal. Sadly, there’s no shortcut for this, because different apps, different operating systems, and even different mobile network providers, have different setup tools. Consider setting aside a rainy weekend afternoon to explore the myriad privacy and security options that exist in your own chosen apps and services.
  • Learn how to clear your browser history and do so frequently. Rebooting your device doesn’t “reboot” your browser history, so all sorts of tracking cookies and other personal history items get left behind, even when your phone restarts. Once again, each browser does it slightly differently, so you need to match the history-clearing procedure to the browser or browsers you use.
  • Turn off as much as you can on the lock screen. Ideally, your lock screen would be just that, a locked screen at which you can do exactly two things, namely: make an emergency call, or unlock your device for use. Every app that you allow to access your “lock” screen, and every bit of personal data that you allow to be shown on it (upcoming meetings, message subject lines, personal notifications, and so on) weakens your cybersecurity posture, even if only slightly.
  • Set the longest lock code and the shortest lock time you can tolerate. A little inconvenience to you can be a massive extra hassle to cybercrooks. And get in the habit of manually locking your device whenever you put it down, even if it’s right in front of you, just for added peace of mind.
  • Be aware of what you share. If you don’t actually need to know your location precisely, consider turning off Location Services completely. If you don’t need to be online, try turning off Wi-Fi, Bluetooth or your mobile connection. And if you genuinely don’t need your phone at all (for example, if you are going to go out for a walk without it), consider powering it down completely until later, just as the Australian PM suggests.
  • Set a PIN code on your SIM card, if you have one. A physical SIM card is the cryptographic key to your phone calls, text messages and perhaps some of your 2FA security codes or account resets. Don’t make it easy for a crook who steals your phone to take over the “phone” part of your digital life simply by swapping your unlocked SIM card into a phone of their own. You only need to re-enter your SIM PIN when you reboot your phone, not before every call.

By the way, if you’re planning to start rebooting your phone regularly – as we mentioned above, it doesn’t do any harm, and it does give you a fresh operating system startup every day – why not follow exactly the same process with your laptop as well?

Sleep mode on modern laptops is mightily convenient, but it really only saves you a couple of minutes every day, given how quickly modern laptops boot up in the first place.

Oh, and don’t forget to clear your laptop browser history regularly, too – it’s a minor inconvenience for you, but a major blow to those stubborn website owners who are determined to track you as closely and as doggedly as they can, simply because you let them do so.


S3 Ep140: So you think you know ransomware?

LISTEN AND LEARN

Gee Whizz BASIC (probably). Think you know ransomware? Megaupload, 11 years on. ASUS warns of critical router bugs. MOVEit mayhem Part III.

With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.


DOUG.  Router woes, Megaupload in megatrouble, and more MOVEit mayhem.

All that and more on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth; he is Paul Ducklin.

Paul, how do you do?


DUCK.  Just a disambiguation for our British and Commonwealth English listeners, Doug…


DOUG.  “Router.” [PRONOUNCED UK-STYLE AS ‘ROOTER’, NOT US-STYLE AS ‘ROWTER’]


DUCK.  You don’t mean the woodworking tools, I guess?


DOUG.  No! [LAUGHS]


DUCK.  You mean the things that let crooks break into your network if they’re not patched in time?


DOUG.  Yes!


DUCK.  Where what we would call a ‘ROOTER’ does to your network is more like what a ‘ROWTER’ would do to the edge of your table? [LAUGHS]


DOUG.  Exactly! [LAUGHS]

We will get to that shortly.

But first, our This Week in Tech History segment.

Paul, this week, on 18 June, way back in 1979: a big step forward for 16-bit computing as Microsoft rolled out a version of its BASIC programming language for 8086 processors.

This version was backward compatible with 8-bit processors, making BASIC, which had been available for the Z80 and 8080 processors, and was found on some 200,000 computers already, an arrow in most programmers’ quivers, Paul.


DUCK.  What was to become GW-BASIC!

I don’t know whether this is true, but I keep reading that GW-BASIC stands for “GEE WHIZZ!” [LAUGHS]


DOUG.  Ha! [LAUGHTER]


DUCK.  I don’t know whether that’s true, but I like to think it is.


DOUG.  Alright, let’s get into our stories.

Before we get to stuff that’s in the news, we are pleased, nay thrilled, to announce the first of three episodes of Think You Know Ransomware?

This is a 48-minute documentary series from your friends at Sophos.

“The Ransomware Documentary” – brand new video series from Sophos starting now!

The first episode, called Origins of Cybercrime, is now available for viewing at https://sophos.com/ransomware.

Episode 2, which is called Hunters and Hunted, will be available on 28 June 2023.

Episode 3, Weapons and Warriors, will drop on 5 July 2023.

Check it out at https://sophos.com/ransomware.

I have seen the first episode, and it is great.

It answers all the questions you may have about the origins of this scourge that we keep fighting year after year, Paul.


DUCK.  And it feeds very nicely into what regular listeners will know is my favourite saying (I hope I haven’t turned it into a cliche by now), namely: Those who cannot remember history are condemned to repeat it.

Don’t be that person! [LAUGHS]


DOUG.  Alright, let’s stick on the subject of crime.

Prison time for two of the four Megaupload founders.

Copyright infringement at issue here, Paul, and about a decade in the making?

Megaupload duo will go to prison at last, but Kim Dotcom fights on…


DUCK.  Yes.

Remember last week when I paraphrased that joke about, “Oh, you know what buses are like? None come for ages, and then three arrive at once?” [LAUGHTER]

But I had to parlay it into “two arrive at once”…

…and no sooner had I said it than the third one arrived. [LAUGHTER]

And this is out of New Zealand, or Aotearoa, as it’s alternatively known.

Megaupload was an infamous early so-called “file locker” service.

That’s not “file locker” as in ransomware that locks up your files.

It’s “file locker” like a gym locker… the cloud place where you upload files so you can get them later.

That service got taken down, primarily because the FBI in the US got a takedown order, and alleged that its primary purpose was actually not so much to be a mega *upload* service as to be a mega *download* service, the business model of which was based on encouraging and incentivising copyright infringement.

The primary founder of this business is a well known name: Kim Dotcom.

And that really is his surname.

He changed his name (I think he was originally Kim Schmitz) to Kim Dotcom, created this service, and he’s just been fighting extradition to the US and continues to do so, even though the Aotearoa courts have ruled that there’s no reason why he can’t be extradited.

One of the other four, a chap by the name of Finn Batato, sadly died of cancer last year.

But two of the other individuals who were the prime movers of the Megaupload service, Mathias Ortmann and Bram van der Kolk…

…they fought extradition (you can understand why) to the US, where they potentially faced large prison sentences.

But eventually they seem to have done a deal with the courts in NZ [New Zealand/Aotearoa] and with the FBI and the Department of Justice in the US.

They agreed to be prosecuted in NZ instead, to plead guilty, and to assist the US authorities in their ongoing investigation.

And they ended up with prison sentences of 2 years 7 months and 2 years 6 months respectively.


DOUG.  The judge in that case had some interesting observations, I felt.


DUCK.  I think you’re right there, Doug.

Notably, that it wasn’t a question of the court saying, “We accept the fact that these massive megacorporations all around the world lost billions and billions of dollars.”

In fact, the judge said that you have to take those claims with a pinch of salt, and quoted evidence to suggest that you can’t just say that everybody who downloaded a pirated video would otherwise have bought the original.

So you can’t add up the monetary losses in the way that some of the megacorps like to do so.

Nevertheless, he said, that doesn’t make it right.

And even more importantly, he said, “You really did hurt the little guys as well, and that matters just as much.”

And he quoted the case of an indie software developer from the South Island in NZ who had written to the court to say, “I noticed piracy was making a big dent in my income. I found that 10 or 20 times I had to appeal to Megaupload to have infringing content taken down; it took me a lot of time to do that, and it never made the slightest difference. And so I’m not saying that they are entirely responsible for the fact that I could no longer make a living out of my business, but I am saying I went to all this effort to get them to take the stuff down which they said they would do, but it never worked.”

Actually that came out elsewhere in the judgment… which is 38 pages, so it’s quite a long read, but it’s very readable and I think it’s very well worth reading.

Notably, the judge said to the defendants that they had to bear responsibility for the fact that they admitted that they didn’t want to get too tough on copyright infringers because “Growth is mainly based on infringement.”

And he also noted that they devised a takedown system that basically, if there were multiple URLs to download the same file…

…they kept one copy of the file, and if you complained about the URL, they would take down *that URL*.


DOUG.  Ah ha!


DUCK.  So you would think they’d removed the file, but they would leave the file there.

And he described that as follows: “You knew, and intended, that takedowns would have no material effect.”

Which is exactly what this indie Kiwi software developer had claimed in his statement to the court.

And they certainly must have made a lot of money out of it.

If you look at the photos from the controversial raid on Kim Dotcom back in 2012…

…he had this enormous property, and all these flash cars with weird number plates [vehicle tags] like GOD and GUILTY, as though he was anticipating something. [LAUGHS]

Megaupload takedown makes headlines and waves as Mr Dotcom applies for bail

So, Kim Dotcom is still fighting his extradition, but these other two have decided that they want to get it all over with.

So they pleaded guilty, and as some of our commenters have pointed out on Naked Security, “Golly, for what it seems that they did when you read through the judgment in detail, it does sound as though their sentence was light.”

But the way it was calculated is the judge worked out that he thought that the maximum sentences they should get under Aotearoa law should be about 10 years.

And then he figured, based on the fact they were pleading guilty, that they were going to cooperate, that they’re going to pay back $10 million, and so on and so on, that they should get 75% off.

And my understanding is that means that they will put to bed this fear that they will be extradited to the US, because my understanding is the Department of Justice has said, “OK, we’ll let the conviction and the sentencing happen in another country.”

More than ten years on, and still not over!

You’d better say it, Doug…


DOUG.  Yesss!

We will keep an eye on this.

Thank you; let’s move on.

If you’ve got an ASUS router, you may have some patching to do, although quite a murky timeline here for some pretty dangerous vulnerabilities, Paul.

ASUS warns router customers: Patch now, or block all inbound requests


DUCK.  Yes, it isn’t incredibly clear quite when these patches came out for the various many models of router that are listed in the advisory.

Some of our readers are saying, “Well, I went and had a look; I’ve got one of those routers and it’s on the list, but there are no patches *now*. But I did get some patches a little while ago that seemed to fix these problems… so why the advisory *now*?”

And the answer is, “We don’t know.”

Except, perhaps, that ASUS have discovered that the crooks are onto these?

But it’s not just, “Hey, we recommend you patch.”

They’re saying you need to patch, and if you’re unwilling or unable to do so, then we “strongly recommend to (which basically means ‘you had better’) disable services accessible from the WAN side of your router to avoid potential unwanted intrusions.”

And that’s not just your typical warning, “Oh, make sure that your admin interface isn’t visible on the internet.”

They’re noting that what they mean by blocking incoming requests is that you need to turn off basically *everything* that involves the router accepting the outside initiating some network connection…

…including remote administration, port forwarding (bad luck if you use that for gaming), dynamic DNS, any VPN servers, and what they call port triggering, which I guess is port knocking, where you wait for a particular connection and only when you see that connection do you then fire up a service locally.

So it’s not just web requests that are dangerous here, or that there might be some bug that lets someone log in with a secret username.

It’s a whole range of different types of network traffic that if it can reach your router from the outside, could pwn your router, it seems.

So it does sound terribly urgent!


DOUG.  The two main vulnerabilities here…

…there is a National Vulnerability Database, the NVD, which scores vulnerabilities on a scale of one to ten, and both of these are 9.8/10.

And then there’s a whole bunch of other ones that are 7.5, 8.1, 8.8… a whole bunch of stuff that’s pretty dangerous here. Paul.


DUCK.  Yes.

“9.8 CRITICAL”, all in capital letters, is the kind of thing that means [WHISPERING], “If the crooks figure this out, they are going to be all over it like a rash.”

And what’s perhaps the weirdest about those two 9.8/10 badness-score vulns is that one of them is CVE-2022-26376, and that’s a bug in HTTP unescaping, which is basically when you have a URL with funny characters in, like, spaces…

…you can’t legally have a space in the URL; you have to put %20 instead, its hexadecimal code.

That’s pretty fundamental to processing any sort of URL on the router.

And that was a bug that was revealed, as you can see from the number, in 2022!

And there’s another one in the so called Netatalk protocol (that provides support for Apple computers) which was the vulnerability, Doug, CVE-2018-1160.


DOUG.  That was a long time ago!


DUCK.  It was!

It was actually fixed in a version of Netatalk which I think was version 3.1.12, which came out on 20 December *2018*.

And they’re only warning about “you need to get the new version of Netatalk” right now, because that too, it seems, can be exploited via a rogue packet.

So you don’t need a Mac; you don’t need Apple software.

You just need something that talks Netatalk in a dodgy way, and it can give you arbitrary memory write access.

And with a 9.8/10 bug score, you have to assume that means “remote outsider pokes in one or two network packets, takes over your router completely with root level access, remote code execution horror!”

So quite why it took them that long to warn people that they needed to get the fix for this five year old bug…

…and why they didn’t actually have the fix for the five year old bug five years ago is not explained.


DOUG.  OK, so there is a list of routers that you should check, and if you can’t patch, you’re supposed to do all that “block all the inbound stuff”.

But I think our advice would be patch.

And my favourite advice: If you’re a programmer, sanitise thine inputs, please!


DUCK.  Yes, Little Bobby Tables has appeared yet again, Doug.

Because one of the other bugs that wasn’t at the 9.8 level (this was at the 7/10 or 8/10 level) was CVE-2023-28702.

It’s basically the MOVEit-type bug all over again: Unfiltered special characters in web URL input could cause command injection.

So that sounds like a pretty broad brush for cybercriminals to paint with.

And there was CVE-2023-31195 that caught my attention, under the guise of a Session hijack.

The programmers were setting what are essentially authentication token cookies… those magic strings that, if the browser can feed them back in future requests, proves to the server that earlier on in the session the user logged in, had the right username, the right password, the right 2FA code, whatever.

And now they’re bringing this magic “access card”.

So, you’re supposed to tag those cookies, when you set them, so that they will never get transmitted in unencrypted HTTP requests.

That way it makes it much harder for a crook to hijack them… and they forgot to do that!

So that’s another thing for programmers: Go and review how you set really significant cookies, ones that either have private information in them or have authentication information in them, and make sure you are not leaving them open to inadvertent and easy exposure.


DOUG.  I am marking this down (against my better judgment, but this is the second of two stories so far) as one that we will keep an eye on.


DUCK.  I think you’re right, Doug, because I don’t really know why, given that for some of the routers these patches had already appeared (albeit later than you might have wanted)… why *now*?

And I guess that part of the story may still have to emerge.


DOUG.  Turns out that we absolutely cannot *not* keep an eye on this MOVEit story.

So, what do we have this week, Paul?

MOVEit mayhem 3: “Disable HTTP and HTTPS traffic immediately”


DUCK.  Well, sadly for Progress Software, the third bus came along at once, as it were. [LAUGHTER]

So, just to recap, the first one was CVE-2023-34362, which is when Progress Software said, “Oh no! There’s a zero-day – we genuinely didn’t know about this. It’s a SQL injection, a command injection problem. Here’s the patch. But it was a zero-day, and we found out about it because ransomware crooks, extortion crooks, were actively exploiting this. Here are some Indicators of Compromise [IoCs].”

So they did all the right things, as quickly as they could, once they knew that there was a problem.

Then they went and reviewed their own code, figuring, “You know what, if the programmers made that mistake in one place, maybe they made some similar mistakes in other parts of the code.”

And that led to CVE-2023-35036, where they proactively patched holes that were like the original one, but as far as they knew, they found them first.

And, lo and behold, there was then a third vulnerability.

This one is CVE-2023-35708, where it seems that the person who found it, surely knowing full well that Progress Software was entirely open to responsible disclosure and prompt reaction…

…decided to go public anyway.

So I don’t know whether you call that “full disclosure” (I think that’s the official name for it), “irresponsible disclosure” (I’ve heard it referred to like that by other people at Sophos), or “dropping 0-day for fun”, which is how I think of it.

So that was a little bit of a pity.

And so Progress Software said, “Look, somebody dropped this 0-day; we didn’t know about it; we’re working on the patch. In this tiny interim period, just turn off your web interface (we know it’s a hassle), and let us finish testing the patch.”

And within about a day they said, “Right, here is the patch, now apply it. Then, if you want, you can turn your web interface back on.”

So I think, all in all, although it’s a bad look for Progress Software for having the bugs in the first place…

…if this should ever happen to you, then following their kind of response is, in my opinion, a pretty jolly decent way to do it!


DOUG.  Yes, we do have praise for Progress Software, including our comment for this week on this story.

Adam comments:

Seems like rough going for MOVEit lately, but I applaud them for their quick, proactive, and apparently honest work.

They could theoretically have tried to keep this all quiet, but instead they’ve been pretty up-front about the problem and what needs to be done about it.

At the very least it makes them look more trustworthy in my eyes…

…and I think that’s a sentiment that’s shared with others as well, Paul.


DUCK.  It is indeed.

We’ve heard the same thing on our social media channels too: that although it’s regrettable they had the bug, and everyone wishes they didn’t, they’re still inclined to trust the company.

In fact, they may be inclined to trust the company more than they were before, because they think that they keep cool heads in a crisis.


DOUG.  Very good.

Alright, thank you, Adam, for sending that in.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…


BOTH.  Stay secure!

[MUSICAL MODEM]

