Perpetual IT

SFW! Here they are! The Top N cybersecurity stories of the year that are totally SFW, and entirely conducive to Happy Holidays!

And by totally SFW, we don’t just mean Suitable For Work, but also Something For the Weekend – a double bonus if you’re on official duty over the holiday break and are looking for laid-back content that nevertheless counts as genuine on-the-job learning.

While everyone else was choosing their Top N Terrible Cybersecurity Incidents Of 2021, some of them for worryingly high values of N, we thought we’d pick our year-end stories in a more family-friendly way.

From the Liverpool man who was surprised to find that he weighed 100 tons, via the late European cryptocurrency speculator who actually weighed just 100 grams, to the US Government’s crustacean Easter egg…

STILL LOOKING FOR A ‘TERRIBLE TOP 3’ LIST?

In case you can’t live without a Top Three Terrible Cybersecurity Incidents list, we wrote some code to help you generate a personalised yet objective version of your own:

Here are some sample outputs – choose the one you {like, hate, fear, endorse, disagree with} the most, and {enjoy, quake at the sight of, rant at} your very own unique* Major Incidents of the Year list!

$ luax top3.lua
Top N Cybersecurity Incidents of 2021 for N=3
1     ransomware
2     kaseya
3     hafnium

$ luax top3.lua
Top N Cybersecurity Incidents of 2021 for N=3
1     log4shell
2     printnightmare
3     ransomware

$ luax top3.lua
Top N Cybersecurity Incidents of 2021 for N=3
1     clearview ai
2     hafnium
3     emotet

$ luax top3.lua
Top N Cybersecurity Incidents of 2021 for N=3
1     iot
2     hivenightmare
3     log4shell

[*] ‘Unique’ in the etymologically unsound sense of the word. In this case, each run of the code emits 1 of 2184 different possibilities. (¹⁴P₃, also written 14 permute 3.)

---

The picture you see above is not only a real Fisher-Price product, released in the second decade of the 21st century…

…but is also officially NOT A TOY!

Sure, it looks like a Chatter Phone toy, with an external appearance that adults of all ages will recognise, perhaps from having had one, played with one, or at least seen one in the toy store all those years ago.

Even when the mobile phone age arrived, the Chatter Phone retained its dial (an actual dial-shaped dial!), its cheese-dish phone styling, and its sideways receiver.

Fascinatingly, “keeping it retro” has been part of telephony ever since the second generation of telephone instruments came out in the century before last.

We carried on referring to the combined mouthpiece-and-loudspeaker component as a “receiver”, and we talked about “replacing the receiver”, long after the receiver ceased to be a separate item that contained just a loudspeaker. (Originally, only the receiver could be lifted up and replaced, because the mouthpiece – the sender – was typically built into the body of the instrument itself.)

And we kept on putting the receiver “back on the hook” to end a call long after phones had either receivers or hooks.

To this day – in fact, in this era of outsourced phone support and faraway call centres, perhaps more so than ever – we “continue to hold” even though Bluetooth headsets mean there is nothing to hold onto any more, and we still “dial” calls, although we now use a “keypad” to do so.

Of course, not only is it no longer a dial, it’s not even a keypad these days: it’s usually a touch screen with no actual keys or buttons at all.

The only thing that didn’t catch on in telephony, and perhaps we can all be thankful for this, is Alexander Graham Bell’s preferred telephonic greeting of “Ahoy!” – though for all we know a future generation of pirate-talking techies might revive this ancient rite.

[I know it’s the day before the day before Christmas, but can we get to the phone bugs already? Ed.]

This is NOT A TOY

Ah, yes.

Back to the Fisher-Price “NOT A TOY” Chatter Telephone with Bluetooth.

They’re not really for children, which is just as well because retro-loving adults seem to have bought them all up. ($60 at Best Buy, out of stock at our closest US store, which turns out to be 4900km away from Oxfordshire, in Bangor, Maine.)

In fact, if you’re a techie and you hadn’t heard of this product before, we suspect you secretly want one now, because [a] childhood memories, [b] ultimate happy/hippie/retro look, [c] the dial actually works, so you can actually dial calls, with an actual dial!

IoT FTW!

But you know where this is going, and you can probably guess who took it there – our chums Pen Test Partners (PTP), just down the road (or not far along the old railway line that’s currently being rebuilt) in Buckinghamshire, the next county over.

PTP wanted one of these phones, just like you do, but their closest Best Buy is also in Maine, so they decided to ask a friend in North America to order one (even he had to wait six weeks!), and conducted their research remotely.

Elegantly simple

The Chatter Telephone with Bluetooth is elegantly simple : the device is basically a bluetooth “headset”, with the added ability to accept numeric input (plus the all-important hash/pound and star symbols) via the rotary dial.

We don’t how how or if you can dial the plus symbol for overseas calls, but many countries let you use a special digit sequence instead.

So, the Chatter Telephone doesn’t take a SIM card itself; instead, it pairs with a regular mobile phone and acts, if you like, as a sort of extension – a happy, smiley, cheerful, brightly coloured, child-like extension phone with an actual rotary dial.

But despite its minimalistic functionality, PTP found that there had nevertheless been plenty of room for Fisher-Price to leave out the sort of cybersecurity features you might have expected.

Notably, PTP found that:

1. The Chatter Phone has no Bluetooth pairing security. So, anyone in range of an unpaired device could hook it up to their phone instead of yours.
2. Pairing your own phone with the Chatter Phone doesn’t lock other people out. You’d hope, despite flaw (1), that once you’d paired your device with the Chatter Phone, it would need to be reset before it could be paired again. Apparently, however, simply taking the paired mobile phone out of range – as you typically do every time you leave the house, for example – opens up the Chatter Phone up to everyone else again.
3. The Chatter Phone can act like an intercom. When off the hook but not on a call, the device will relay audio back and forth to the mobile phone it’s paired with. A child who plays with the device could therefore end up in a creepy conversation with someone outside the household, or a Chatter Phone inadvertently left off-hook in your lounge or home office could turn into a bugging device.
4. The Chatter Phone will auto-answer calls if left off the hook. In theory, this means that if the Chatter Phone is paired with and currently locked onto your own mobile phone, anyone calling your phone might end up snooping on the room. This could happen more easily than you think, for example if your child didn’t replace the receiver perfectly after making a pretend call.

(Try telling your kids that the Chatter Phone is NOT A TOY, even though it looks exactly like the one that Grandma dug out of the attic that IS A TOY.)

As PTP points out, the pairing-is-just-too-easy problem could be solved simply by adding a “press to pair” button on the phone itself, so that you would need physical access to the Chatter Phone to initiate a connection with it.

That way, the Chatter Phone wouldn’t be able to hookm up unintentionally with a stranger just because its currently paired phone went out of range (or ran out of battery, or had Bluetooth turned off).

And a simple timeout to shut down the Chatter Phone if the receiver remained “open-circuit” when it was neither making nor receiving a call would surely help with the other flaws.

If the Chatter Phone shut off its audio connection automatically when it obviously wasn’t in use, and would only re-activate if the receiver were deliberately placed back on the hook and then lifted up again, you’d probably feel much safer against accidental (or deliberate) audio eavesdropping.

What to do?

If you’ve already bought one of these funky NOT A TOYs, try to remember to turn it off when you aren’t actually using it.

Although that defeats the purpose slightly, we suspect that you won’t want to make or take all your calls on the Chatter Phone (it may not actually be a toy, but it certainly looks like one, and we can’t help but assume that the voice quality makes it sound like one).

So, turning it on only when you want to re-live your childhood…

…seems like a simple precaution, at least until Fisher-Price puts out a firmware update, assuming that there’s a way to update it.

---

This story isn’t quite as dramatic as if the Feds had managed to reverse tens of thousands of separate Bitcoin (BTC) transactions used in a global online scam to defraud tens of thousands of separate and vulnerable victims…

…but it’s spectacular nevertheless, given that the stolen-but-recovered amount came to BTC 3,879.16, which worked out as a remarkable $189,568,730.46 at the rate quoted this afternoon by one online source. (Rates subject to change; transaction fees may apply; your mileage may vary.)

The victim in this case was the Sony Life Insurance Company Limited (yes, that Sony), which was allegedly defrauded of this enormous sum in an audacious internal scam that was apparently pulled off by a single employee.

The US Department of Justice claims that a certain Mr Rei Ishii conducted a classic “send funds to a different account” scam.

That’s the same sort of thing that external cybercriminals try to pull off by hacking into one or more company email accounts in an attack known as Business Email Compromise (BEC).

By keeping their eyes on insider emails – the crooks try really hard to crack high-ranking accounts such as the CEO’s or the CFO’s, which is why BEC is often referred to as CEO fraud – and picking the right moment to intervene with instructions to change payment details…

…these criminals often get away with hundreds of thousands of dollars, or even millions of dollars, conducting what is more of a social engineering confidence trick than a typical cybersecurity breach.

Higher and higher

In some cases, the amounts are significantly higher: an infamously extreme case was the so-called Bangladesh Bank Robbery (the BBR wasn’t technically a robbery at all, because there was no physical violence, no stick-up, and no giant bag of cash involved) back in 2016.

Crooks apparently managed to kick off bogus transactions totalling over $1 billion, and to get away with just over $100 million, although $850 million was never transferred, supposedly due to a spelling mistake made by the fraudsters during the process.

(Perhaps overwhelmed or overexcited by the prospect of getting their hands on all those lovely funds, and thinking of how much fun they were going to have with the proceeds, the crooks managed to type FUND-ation instead of FOUND-ation, which raised the alarm.)

As you can imagine, if that’s what outsiders can do with access to company email flows (although the BBR cyberheist may have involved insider assistance), just think what a determined insider might be able to pull off, given enough time to prepare, combined with a sufficiently reckless approach.

Allegedly, Ishii was that sort of risk-taker, diverting $154 million that was supposed to be moved around inside the corporation into an account he’d set up in California.

According to the FBI, he then started what you might call his cash-out procedure by converting the funds into the aforementioned stash of Bitcoins.

But cashing out that much cryptocurrency into regular funds is not as easy or as speedy as you might think, and a multi-department, multi-country law enforcement intervention quickly kicked in.

Ishii, who has already been arrested and charged in Japan, was investigated by a group including at least the FBI, Sony, Citibank, Japan’s National Police Agency, the Tokyo Metropolitan Police Department, Tokyo District Public Prosecutors Office, and the Japan Prosecutors’ Unit on Emerging Crimes (JPEC).

This led to the recovery of the private encryption key needed to “own” and transfer the stolen cryptocurrency, and the announcement of a lawsuit in the US to ensure that the funds get formally frozen until they can be returned to Sony, the rightful owner.

What happened?

How the password or passwords for the Bitcoin wallet or wallets were recovered, we don’t know.

Ishii may simply have decided to confess in the hope of more lenient treatment, or the cryptographic keys may have been recovered following careful forensic analysis of the data and devices available to the investigators, or…

…he may have used his cat’s name as a password.

All we know at this point is what we don’t yet know, with the DOJ concluding by saying:

The FBI continues to investigate the alleged crime.

Still, close to BTC 4000 stolen-and-recovered is a pretty good result already!

---

LEARN MORE ABOUT BUSINESS EMAIL COMPROMISE
AND HOW TO AVOID IT

---

Pick a random person, and ask them these two questions:

Q1. Have you heard of Apache?
Q2. If so, can you name an Apache product?

We’re willing to wager that you will get one of two replies:

A1. No. A2. (Not applicable.)
A1. Yes. A2. Log4j.

Two weeks ago, however, we’d suggest that very few people had heard of Log4j, and even amongst those cognoscenti, few would have been particularly interested in it.

Until a cluster of potentially catastrophic bugs – originally implemented as features, on the grounds that less is never more – were revealed under the bug-brand Log4Shell, the Log4j programming library was merely one of those many components that got sucked into and used by thousands, perhaps even hundreds of thousands, of Java applications and utilities.

Log4j was just “part of the supply chain” that came bundled into more back-end servers and cloud-based services than anyone actually realised until now.

Many sysdamins, IT staff and cybersecurity teams have spent the past two weeks eradicating this programmatic plague from their demesnes. (Yes, that’s a real word. It’s pronounced domains, but the archaic spelling avoids implying a Windows network.)

Don’t forget “the other Apache”

Rewind to the oh-so-recent pre-Log4j era and we suggest that you’d get a different pair of answers, namely:

A1. Yes. A2. Apache’s a web server, isn’t it? (Actually, it’s a software foundation that makes a web server, amongst much else.)
A1. Yes. A2. Apache makes httpd, probably still the world’s most prevalent web server.

With more than 3000 files totalling close to a million line of source code, Apache httpd is a large and capable server, with myriad combinations of modules and options making it both powerful and dangerous at the time.

Fortunately, the open source httpd product receives constant attention from its developers, getting regular updates that bring new features along with critical security patches.

So, in all the excitement about Apache Log4j, don’t forget that:

• You almost certainly have Apache httpd in your network somewhere. Just like Log4j, httpd has a habit of getting itself quietly included into software projects, for example as part of an internal service that works so well that it rarely draws attention to itself, or as a component built unobtrusively into a product or service you sell that isn’t predominantly thought of as “containing a web server”.
• Apache just published an httpd update that fixes two CVE-numbered security bugs. These bugs might not be exposed in your configuration, because they are part of optional run-time modules that you might not actually be using. But if you are using these modules, whether you realise it or not, you could be at risk of server crashes, data leakage, or even remote code execution.

What got fixed?

The two CVE-numbered flaws are listed in Apache’s own changelog as follows:

• CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51
• CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier.

The good news about the first bug is that Apache itself warns that the mod_lua server extension (which allows you to adapt the behaviour of httpd using Lua scripts instead of having to write modules in C):

…holds a great deal of power over httpd, which is both a strength and a potential security risk. It is not recommended that you use this module on a server that is shared with users you do not trust, as it can be abused to change the internal workings of httpd.

However, as Log4j has taught us, potentially exploitable bugs even on non-public servers can be troublesome if those bugs can be triggered by untrusted user data passed along by other internet-facing servers at your network edge.

And CVE-2021-44790 doesn’t involve sneaking any untrusted add-on Lua scripts into the configuration.

Instead, it involves simply tricking the “preprocessor” that prepares untrusted user content to be passed to trusted Lua scripts, so the attack does not depend on bugs or flaws in any of the add-on scripts you may have written yourself.

Multipart message splitting

Simply put, the CVE-2021-44790 bug exists in the code that deconstructs multipart messages, common in web form uploads, that typically look something like this:

Content-Type: multipart/form-data; boundary=VILC2R2IHFHLZZ --VILC2R2IHFHLZZ
Content-Disposition: form-data; name="name" <--blank line denotes start of first data item
Paul Ducklin
--VILC2R2IHFHLZZ <--double-dash-plus-boundary denotes end
Content-Disposition: form-data; name="phone" <--blank line denotes start of second data item 555-555-5555 --VILC2R2IHFHLZZ-- <--double-dash-plus-boundary denotes end

Technically, each multipart component consists of the data after the end of each fully blank line (see above), and before each boundary line, which consists of two dashes (hyphens) followed by the unique boundary marker text.

In case you are wondering, the extra double-dash at the end of the very last line above signals the final item in the list.

A blank line in the raw data appears as two CRLF (carriage return plus line feed) pairs, or the ASCII codes (13,10,13,10), denoted in C by the text string "\r\n\r\n".

This parsing is handled very crudely by code that we’ve simplified like this:

for (start = findnext(start,boundarytext); start != NULL; start = end) { crlf = findnext(start,"\r\n\r\n"); if (!crlf) break; end = findnext(crlf,boundarytext); len = end - crlf - 8; buff = memalloc(len+1); memcpy(buff,crlf+4,len); [. . .]
}

Don’t worry if you don’t know C – this code is impenetrable and poorly-documented enough even if you do. (The original is much more complex and harder to follow; we have stripped it to its basics here.)

Loosely speaking, it looks for a double-CRLF string, denoting the next blank line; from there, it finds the next occurrence of the boundary marker text (VILC2R2IHFHLZZ in our example above).

It then assumes that the data it needs to extract consists of everything between those two marker points, denoted by the memory addresses (pointers in C jargon) crlf and end, minus 8 bytes.

The code makes no effort to explain the meaning of that “minus 8” in the code, nor yet the “plus 4” two lines later, though it’s a good immediate guess that crlf+4 is there to skip past the 4 bytes that make up the data in the CRLFCRLF string itself. (The blank line is a separator, and isn’t part of the data to be used.)

Here’s where the “8” comes from:

• 4 bytes taken up by the CRLFCRLF characters at the start, which are not part of the data itself.
• 2 bytes of the CRLF at the end of the last line of data, not included.
• 2 bytes used by the dashes (--) that denote the start of the boundary line, not included.

As you can see, the code allocates enough memory for the data between the exact start of the line after the CRLFCRLF separator and the exact end of the line before the boundary marker…

…plus an extra 1 byte (len+1) to ensure a NUL character (a zero byte) at the end of the buffer to act as the terminator that text strings require in C.

The code then uses memcpy() to copy the relevant data out of the incoming message into that new memory buffer, in which it will be presented to the Lua script that is about to run.

What if there aren’t 8 bytes?

You’ve probably figured out the problem: What if there aren’t 8 extra bytes to remove? What if the CRLF at the end of the last line of data, or the -- at the start of the next line, aren’t there at all?

What if there aren’t 8 bytes altogether between the CRLFCRLF and the boundary text?

This bug would have been much more obvious if the code were more clearly constructed or commented, and would almost certainly have been avoided if the CRLF-- separator between the blank line and the boundary text had been referred to explicitly by the programmer, and tested for explicitly.

That bug was patched by adding a check to make sure that the final buffer size calculation doesn’t come out too small, by adding one line before the memory allocation attempt:

 if (end - crlf <= 8) break;

This tests that the buffer length can’t end up negative, though we still think that an explicit check for a correct data terminator, in the same way that there’s an explicit check for CRLFCRLF, would make for clearer code, and we’d insert a comment referring the reader to a helpful internet RFC about multipart messages, e.g. RFC 2045.

Proxy problems

Dealing with CVE-2021-44224 involved numerous code changes, the most obvious being a correction in a file of utility code used by the httpd proxy module.

The fact that there are more than 5000 lines of C in proxy_util.c alone, which is support code for just one of many httpd modules, is testament to the overall size and complexity of the Apache HTTP Server.

The code we’re referring to above was changed from this…

url = ap_proxy_de_socketfy(p, url);

…to code that verifies that the function called actually did find a URL string to work with:

url = ap_proxy_de_socketfy(p, url);
if (!url) { return NULL;
}

Before the “if no url” error-check forced the code to give up early, the program would plough on even if url were NULL, and try to access the memory via the url variable.

Reading from or writing to a NULL pointer is “undefined” according to the C standard, which means you must take care never do either.

Indeed, on almost all modern operating systems, the value used for NULL, usually zero, is chosen so that any attempt to access that address, whether by reading or writing, will not only fail but be trapped by the operating system, which will then typically kill off the offending process to prevent dangerous or unintended side effects.

What to do?

• If you are using Apache httpd anywhere, update to 2.4.52 as soon as you can.
• If you can’t patch, check whether your configuration is at risk. There are many bug fixes beyond these two CVEs, so you should patch sooner rather than later. But you may decided to defer patching until a more convenient time if you aren’t loading either the Lua scripting or the proxy module.
• If you are a coder, don’t forget to check for errors. If there’s a chance to spot mistakes before you make them worse, for example by verifying you have really have enough memory to play with, or checking that the string you are looking for really is there, take it!
• If you are coder, assume that someone else will need to understand your code in the future. Write helpful and useful comments, on the grounds that those who cannot remember the past are condemned to repeat it.

---

‘Twas the night before Christmas
      When all through the house
Not a creature was stirring,
      not even a mouse…

As Christmas 2021 approaches, spare a thought for your sysamins, for your IT team, and for your cybersecurity staff.

There may be plenty of mice stirring all through the IT house right up to Christmas Eve…

…because that’s the deadline set by the US Cybersecurity and Infrastructure Security Agency (CISA) for patching the infamous Log4Shell vulnerability, a dangerously exploitable flaw in Apache’s widely used Log4j (Logging for Java) programming toolkit.

Since news first broke of the problem on 09 December 2021, Apache has a-patched the code not once but three times, variously fixing CVE-2021-44228 with version 2.15.0, quickly followed by 2.16.0 to fix a related bug dubbed CVE-2021-45046, foillowed quickly yet again by 2.17.0 to deal with CVE-2021-45105.

Why the pressure from CISA? Why the rush when we’re supposed to enjoying a global holiday season? Why not wait until New Year and deal with things then?

Here’s why your sysadmins are taking one (three, actually) for the team…

[embedded content]

(If you can’t read the text clearly here, try using Full Screen mode, or watch directly on YouTube. Click on the cog in the video player to speed up playback or to turn on subtitles.)

LEARN HOW TO FIX IT

UNDERSTAND THE ISSUES YOURSELF

LEARN HOW CYBERCRIMINALS ARE USING IT TO ATTACK

DIG INTO THE VULNERABLE CODE WITH SOPHOS LABS

---