Category Archives: News

S3 Ep3: Cryptography, hacking and pwning Chrome [Podcast]

This week: the DOJ’s attempt to reignite the Battle to Break Encryption; the story of the Russian hackers behind the Sandworm Team; a zero-day bug just patched in Chrome; and (oh no!) why your vocabulary needs the word “restore” even more than it needs “backup”.

Presenters: Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music: Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Time for a mobile privacy reset?

October is Cybersecurity Awareness Month. We asked Anthony Merry, senior director, Product Management at Sophos, for his top mobile privacy tips.

If you’ve updated your Apple phone or your Android to the latest version – iOS 14 and Android 11 respectively – you may have noticed that they come with enhanced privacy controls.

These new versions allow you to more easily check, and change, the personal information and phone features that individual apps can access.

So how about taking this opportunity to give your personal and work phones a mobile privacy health check?

Even if you’re running earlier OS versions – or don’t have a smartphone at all! – it’s still worth taking a few minutes to check the privacy settings in your digital life and ensure that they’re where you want them to be.

Before you start

If you have loads of apps installed, don’t worry: you can check some of the most important permissions for all of them in one go. 

Alternatively, focus on the apps you use most. (If you do forget to check up on old apps, Android 11 will reset all “sensitive” permissions automatically if an app is not used for a few months.)

Watch out for apps that are asking for access to features or information that they very clearly don’t need – a calculator that’s insisting on using your camera and knowing your location, for instance.

If you have any apps like this, then you should be asking yourself, “Do I want this app on my phone at all?”

It could be an overtly malicious app, or overly aggressive adware that’s out to collect as much information as possible for monetization through a data broker.

If in doubt, don’t bother trying to tune up its privacy settings – get rid of it!

The top five things to check

For iOS 14 you can manage all your privacy settings through Settings > Privacy.

On Android 11, the location of the Privacy section varies from device to device, so you may need to look around for the settings pages.

However, the Android Permission manager page lets you see all app permissions in one place.

Left. iOS 14 Privacy screen.
Right. Android 11 Permission manager page.

1. Location services

This is one of the most important permissions to check and both iOS and Android offer a centralized one-click block option that covers all apps.

They have also made it easier to find out which apps already have permission to know where you are – you may be surprised how many apps ask for this permission by default.

On iOS 14 and Android 11, you can see which apps have access to location services in a single list.

The wording used varies slightly, but both give you three options for each app: always allow, never allow, and only while app is in use.

Left. iOS 14 Location Services screen.
Right. Android 11 Location page.

With iOS 14, a small arrow now appears alongside an app in the list, or on the home screen while the app is in use, to let you know that a location service is being or has been accessed by that app.

This is a helpful extra indicator to remind you of the permissions you’ve granted.

2. Tracking

By tracking we don’t mean monitoring your physical location, as in (1) above, but rather keeping track of what you do and where you go online while using your phone.

Tracking is a new feature available in iOS 14 (but not in Android 11) – it’s a centralized setting that allows you to bulk-block apps from requesting permission to track you online.

Tracking information is gold dust to advertisers who want to know which apps and websites you visit before and after you use their app so they can learn more about you and better target their advertising.

If you want to keep that information to yourself, turn tracking off (although be aware that apps may still try to track you even if you say no).

iOS 14 Tracking screen. (No Android 11 equivalent.)

3. Camera

Access to your camera gives apps a deeply personal insight into your physical as well as your digital world.

Images can also reveal additional information about you, for example when and where a picture was taken.

While iOS 14 adopts a binary allow/block approach, Android 11 is a little more granular, offering “allow all the time” and “allow only while app is in use” as well as “block all the time”.

On updated Apple devices, a green spot on the home screen will alert you if an app is accessing your camera.

Left. iOS 14 Camera screen.
Right. Android 11 Camera page.

4. Microphone

Just like the camera feature, this is a critical check for both physical and digital privacy.

You don’t want third parties picking up sound and conversations without your knowledge and approval.

Check your apps and turn the microphone off wherever an app doesn’t need to access it.

Helpfully, Apple devices show an amber warning spot next to the battery indicator at the top of the home screen whenever an app is using the microphone.

iOS 14 amber warning spot on home screen when mic is in use. (Pointer icon shows location is on, too.)

5. Bluetooth

Bluetooth can be a huge convenience, but you might not want to have Bluetooth connectivity turned on for all apps all the time.

If you’re running iOS 14, it’s also worth checking the access settings for local networks.

If you have the Local Network feature enabled for an app it can connect to other devices on the LAN, such as other people’s laptops or a printer at the coffee shop, which might not be what you want.

iOS 14 Local Network screen. (No Android 11 equivalent.)

To sum up

Protecting your mobile privacy is not about disconnecting everything – obviously, some apps need access to certain features, including location, camera or microphone, in order to function as intended. 

A mapping app can’t show you how to walk back to your hotel from where you are now without knowing your location, for example; and you can’t use a messaging app to stream video footage without giving it access to the camera.

Mobile privacy is about understanding which apps have access to information or features they don’t need, and removing those permissions.

This will help you to protect your personal information better, and to defend yourself against cyberthreats that abuse legitimate-looking apps to gather intelligence about you.

Over time, you’ll probably forget which permissions you’ve given to what apps – or you may simply change your mind about how much you want an app to know about you – so it is worth doing a quick mobile privacy health check on a regular basis.

You could even set an alert on your phone to remind you!


Chrome zero-day in the wild – patch now!

Do you browse with Google Chrome or a related product such as Chromium?

If so, please check that your auto-updater is working and that you have the latest version.

A trip to the About Chrome or About Chromium dialog should give the version identifier 86.0.4240.111.

That’s the version that was released yesterday as Chrome’s “stable” version, available to all users, not just to opted-in early adopters.

If you see 86.0.4240.75, you’re close – but still on the previous version, so your system hasn’t updated yet.
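As an added example (not from the article), here is a small Python checker that decides whether the build reported by Chrome’s or Chromium’s `--version` banner is 86.0.4240.111 or newer. It also shows why comparing these two version strings as plain text gives the wrong answer.

```python
"""Decide whether a Chrome/Chromium build already carries the fix.

Added example, not from the Naked Security article. Dotted versions must be
compared as integer tuples: compared as text, 86.0.4240.75 sorts AFTER
86.0.4240.111 because the character "7" is greater than "1".
"""
import re
from typing import Tuple

# Stable build that shipped the CVE-2020-15999 fix (version from the article).
FIXED_VERSION = "86.0.4240.111"


def version_from_banner(banner: str) -> str:
    """Pull the dotted version out of '--version' output such as
    'Google Chrome 86.0.4240.111' or 'Chromium 86.0.4240.75'."""
    match = re.search(r"\b(\d+\.\d+\.\d+\.\d+)\b", banner)
    if not match:
        raise ValueError(f"no version found in {banner!r}")
    return match.group(1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '86.0.4240.111' into (86, 0, 4240, 111); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome-style version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is the fixed build or anything newer."""
    return parse_version(installed) >= parse_version(fixed)


def naive_string_check(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """The pitfall: the same question answered by plain string comparison."""
    return installed >= fixed


if __name__ == "__main__":
    # Constructed sample banners: the two builds named in the article and a
    # hypothetical later release.
    for banner in ("Google Chrome 86.0.4240.75", "Chromium 86.0.4240.111",
                   "Google Chrome 87.0.1.0"):
        v = version_from_banner(banner)
        print(f"{v:>14}  patched={is_patched(v)}  "
              f"naive string compare says {naive_string_check(v)}")
```

On Linux you can feed the output of `google-chrome --version` (or your distribution’s Chromium binary with `--version`) straight into `version_from_banner`.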

As Google explains, you can spot a pending update by the presence of an upward arrow in a circle at the far right of the address bar.

At this point, closing and re-opening Chrome will apply the fix.

If you’re in the habit of rarely shutting down your computer, or even of rarely exiting from your browser, now would be a good “rare moment” to give Chrome a chance to ingest the update.

If you’re a Chromium user (that’s the open-source version of Chrome with no proprietary parts), follow your usual update procedure, which depends on the operating system that you’re using and where you got Chromium in the first place.

The reason for making sure you’ve got this particular update is not only that five security bugs have been patched, including one buffer overflow and three use-after-free vulnerabilities, but also that one of these bugs, designated CVE-2020-15999, is already known to attackers.

As the update notification states, “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild.”

The bug is described as a heap buffer overflow in FreeType, where FreeType is an open source font rendering software toolkit that allows programmers to support the use of all sorts of modern font files and formats in their applications.

Many web pages these days include special versions of the fonts they need – a corporate typeface, for instance – and these files, known as WOFFs, short for Web Open Font Format, are downloaded into your browser to use as required.

WOFF files are used not only so that websites can rely on fonts that a user is unlikely already to have installed, but also so that they can depend on access to a specific version of a font that supports particular characters or character sets that might otherwise be missing or display incorrectly.

We’re guessing, therefore, that this bug could be exploited by luring you to a web page that contained an innocent-looking but booby-trapped font file that deliberately triggered the bug, either when the font was loaded or when specific text was displayed.

What to do?

Get the update!

Despite an attack already being known in the wild, Google has included its customary notification that the update will “roll out over the coming days/weeks”, presumably because some Chrome users may be dependent on a vendor to push out fixes.

If in doubt, ask the maker of your device for advice.


Russian “government hackers” charged with cybercrimes by the US

You’ve probably seen the news that six Russians, allegedly employed by the Russian Main Intelligence Directorate, better known as the GRU, have been charged with cybercrimes by the US Department of Justice (DOJ).

The DOJ alleges that the defendants, all men, “caused damage and disruption to computer networks worldwide, including in France, Georgia, the Netherlands, Republic of Korea, Ukraine, the United Kingdom, and the United States.”

This group and its activities, says the DOJ, have been given a variety of different nicknames by cybersecurity researchers: Sandworm Team, Telebots, Voodoo Bear, and Iron Viking.

Sophos cybersecurity expert Chester Wisniewski had this to say about the US charges:

The indictment of the Russian GRU hackers related to the attacks referred to collectively as “Sandworm” is an interesting development in attempts by Western governments to rein in foreign adversary attacks. Sandworm has operated for more than 10 years and has played nearly every card in the attacker playbook. They are accused of having used spearphishing, document exploits, password stealers, living-off-the-land tools, supply chain hijacking and destructive wipers that have pretended to be ransomware in efforts to create false flags for investigators. They have been a noisy operation and many of us have been expecting this day to come for some time.

Another result of this noisiness is they have popularized sophisticated nation-state level tactics to be copied by everyday criminals. While they did not pioneer all these methods, they certainly perfected them and exposed their usefulness in breaching organizations’ defenses. Considering the accused are members of the Russian military intelligence (GRU) they are unlikely to ever be arrested. Three of the accused were previously indicted for other crimes and these indictments might prove to embolden them rather than curb their behavior.

We’re no safer than we were yesterday, and we need to continue to bolster our defenses to be prepared for Sandworm or any of the garden variety criminals they have inspired. Were they to be arrested, their replacements are already in training and the relentless thirst of nation-states to compromise and interfere with their adversaries goes undeterred.

Simply put, this indictment doesn’t really put an end to anything – it’s a reminder that cybercrime is here to stay, and that the techniques developed by one group rarely stay within that group for long.

What to do?

As Chester points out above, cybersecurity isn’t only, or even predominantly, about heading off state-sponsored attacks, for the simple reason that the same attack techniques work no matter who carries them out.

(A ransomware attack that ruins all your files will disrupt your immediate business operations just as abruptly whether the attackers try to blackmail you for $3000 or $3,000,000.)

Here are some tips for defending in the most general way against the sort of techniques listed by the DOJ:

  • Spearphishing. Don’t be tempted by links or documents you receive by email just because they align with a special interest of yours. Don’t assume that a document or an email is trustworthy just because the sender knows your name, your job title, or where you work. Even the least subtle porn scammers – crooks who claim to have a sex video of you that doesn’t actually exist, and demand money to “delete” it – frequently include names, phone numbers and even genuine passwords from your accounts as “proof”. That sort of data typically comes from existing public sources, including your corporate profile on your work website, social media accounts where you have intentionally told the world about yourself, or data breaches where a third party has spilled your personal information in a way you couldn’t control. If in doubt, leave it out.
  • Exploits. Sometimes, attackers find an exploitable software bug before anyone else and start using it before any software patches are available – what’s known as a zero-day, because there were zero days during which even an on-the-ball system administrator could have patched proactively. But many attacks – including the infamous and destructive NotPetya worm that the DOJ attributes to the Sandworm team – relied on exploits for which patches were already available. Even though it’s not always possible to be ahead of the crooks, there’s no reason to let yourself fall behind them if you don’t have to. Patch early, patch often.
  • Living-off-the-land attacks. This is the term used when cybercriminals avoid using new and suspicious malware files to do their dirty work, but instead rely on legitimate tools – often, tools commonly used for cybersecurity research and penetration testing – that crop up from time to time even when no actual attack is underway. Most modern cybersecurity tools can detect “grey hat” tools of this sort, such as Mimikatz (a tool that looks for left-over passwords in memory) and PsExec (a tool that automatically launches software on other computers). However, these reports are often ignored as “probably just one of our own team and therefore not worthy of investigation”, even when they are detected in unusual places or are run by unexpected users. Don’t let credible signs of intrusion be ignored, any more than you’d ignore a fire alarm because there wasn’t actually a fire last time. An ounce of prevention is worth a pound of cure.
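To illustrate the living-off-the-land point, here is an added Python example (not from the article or from Sophos) that triages constructed process-creation events: it keeps runs of Mimikatz or PsExec that come from an unexpected user, an unusual directory or a document-handling parent process, instead of discarding them as “probably our own team”. The watched-tool list, the expected user and directory sets, and the event layout are assumptions.

```python
"""Triage process-creation events for admin tools run outside their usual context.
Added example, not from the article or Sophos; the event layout, tool list and
the expected user/directory sets are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Legitimate tools the article names as commonly abused in intrusions.
WATCHED_TOOLS = {"mimikatz.exe", "psexec.exe", "psexesvc.exe"}
# Assumed local policy: who normally runs them, and from which directory.
EXPECTED_USERS = {"corp\\secops-admin"}
EXPECTED_DIRS = {"c:\\tools\\sysinternals"}
# Parents that have no business launching admin tooling.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str    # full path of the launched executable
    parent: str   # image name of the parent process


def anomalies(event: ProcessEvent) -> List[str]:
    """Reasons a watched-tool launch deserves a human look (empty = routine)."""
    directory, _, name = event.image.lower().rpartition("\\")
    if name not in WATCHED_TOOLS:
        return []          # not one of the tools we care about
    reasons = []
    if event.user.lower() not in EXPECTED_USERS:
        reasons.append(f"unexpected user {event.user}")
    if directory not in EXPECTED_DIRS:
        reasons.append(f"unusual location {directory}")
    if event.parent.lower() in DOCUMENT_PARENTS:
        reasons.append(f"spawned by document/mail app {event.parent}")
    return reasons


def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Keep only the watched-tool launches that carry at least one anomaly."""
    return [(e, r) for e in events if (r := anomalies(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("WS-FIN-07", "CORP\\jsmith",
                 "C:\\Users\\jsmith\\AppData\\Local\\Temp\\mimikatz.exe", "WINWORD.EXE"),
    ProcessEvent("SRV-DC-01", "CORP\\secops-admin",
                 "C:\\Tools\\Sysinternals\\PsExec.exe", "cmd.exe"),
    ProcessEvent("WS-HR-12", "CORP\\mlee",
                 "C:\\Tools\\Sysinternals\\PsExec.exe", "powershell.exe"),
]
```

Calling `triage(SAMPLE_EVENTS)` returns the first and third events with their reasons; the second, a known admin running PsExec from its usual folder, is left for routine review rather than raised.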

Remember: there’s no such thing as being “too small” or “not important enough” to be targeted or affected by cybercriminals.

“CYBERCROOKS WON’T BE INTERESTED IN LITTLE OLD ME”: LEARN WHY THAT’S NOT TRUE

“No one’s too small” section starts at 4:27. Click-and-drag on the soundwaves to fast forward.


Naked Security Live – Ping of Death: are you at risk?

Here’s the latest episode of our weekly Naked Security Live video series.

By the way, if you want to ask questions in real time while we’re online, we’d love you to join in live – just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be on air. (Note that you don’t need a Facebook account to watch our live streams, but you will need to login if you want to ask questions or post comments.)

It’s usually somewhere between 18:00 and 19:00 UK time, which is early afternoon/late morning on the East/West coast of North America.

For those of you who [a] don’t use Facebook, [b] had buffering problems while we were live, [c] would like to see subtitles or use the option to speed up playback, or [d] simply want to catch up later, we also upload the finished videos to our YouTube channel.

Here’s the latest video, where we advise you about the Windows bug CVE-2020-16898, informally and more catchily known as a Ping of Death.

[embedded content]

(Watch directly on YouTube if the video won’t play here.)

Thanks for watching… hope to see you online later this week!

