Perpetual IT

If you’ve ever used the Python programming language, or installed software written in Python, you’ve probably used PyPI, even if you didn’t realise it at the time.

PyPI is short for the Python Package Index, and it currently contains just under 300,000 open source add-on modules (290,614 of them when we checked [2021-03-07T00:10Z]).

You can download and install any of these modules automatically just by issuing a command such as pip install [nameofpackage], or by letting a software installer fetch the missing components for you.

The full list includes, to put it plainly, some peculiar projects, with the first five in alphanumeric order being…

 0 0-._.-._.-._.-._.-._.-._.-0 00000a 0.0.1 007

…and the final five doing their very best to be last on the list:

 zzzfs zzzutils zzz-web zzzz zzzZZZzzz

Grab-a-package

As you probably know, many contemporary programming ecosystems such as Python, Node.js and Ruby provide huge, free, public repositories of this sort, and come with easy-to-use tools to fetch all the add-on modules you need and install them automatically.

If you suddenly realise you want to use Python module called asteroid, for example, you can just do pip install asteroid, after which your own Python programs can say import asteroid, and start making use of the package.

The package asteroid is not a look-alike of the game Asteroids by Atari, by the way, nor is it related to astronomy. It’s an audio processing system that claims to be able to separate voice recordings with multiple participants into separate channels for each speaker.

Malicious updates

The ease with which trusting users download and install new Python (and Node.js, and Ruby, etc.) components has led to a range of cybercriminal attacks against package managers.

Crooks sometimes Trojanise the repository of a legitimate project, typically by guessing or cracking the password of a package owner’s account, or by helpfully but dishonestly offering to “assist” with a project that the original owner no longer has time to look after.

Once the fake version is uploaded to the genuine repository, users of the now-hacked package automatically get infected as soon as they update to the new version, which works just as it did before, except that it includes hidden malware for the crooks to exploit.

Another trick involves creating Trojanised public versions of private packages that the attacker knows are used internally by a software company.

The public version of the package is given a higher version number that the internal version, and if the company hasn’t secured its auto-updating processes correctly, the attacker may be able to trick a company’s whole development team, or even the organisation’s official software build system, into updating private code from an untrusted (and malicious) external source.

Cybersecurity researcher Alex Birsan famously made well over $100,000 in bug bounties recently by feeding external versions of supposedly internal software packages into dozens of IT giants including Apple, PayPal, Microsoft and Shopify.

This sort of trick is known as a supply chain attack, for obvious reasons.

In a supply chain attack, the crooks don’t break into your network and install the malware directly.

Instead, they insert their malware upstream from you, implanting it into someone else’s network, repository or delivery mechanism and waiting for the infection to pass down the chain until it reaches you.

Package squatting

A third sort of supply chain attack – one that is rather less sophisticated and has no guarantee of success, yet is extremely easy to pull off – is to create a fake package with a misleading name that users in a hurry might download and install by mistake.

Just like typosquatting in the website world, where crooks register near-miss domain names in the hope you won’t notice you’re on the wrong site (e.g. writing c0mpany instead of company), package squatters register near-miss or otherwise believable package names that they hope you’ll fetch by mistake.

Recent examples, now removed, that turned up just last week in the Python Package Index include:

 Fake name Possible target Function of real package Difference -------------- --------------- ------------------------ ----------------------- asteroids asteroid Audio processing Plural, not singular beauitfulsoup4 beautifulsoup4 HTML/XML parsing Typo (letters swapped) llvm llvmpy LLVM compiler Suffix left off winpty winpy Windows functions Extra letter inserted wwebsite website HTML manipulation Doubled letter at start

Meddling considered harmful

As far as are aware, none of these fake packages contained outright malware, or indeed any permanent package code at all.

However, some of them (if not all – it’s hard to check now that they have been removed) included a Python command that was intended to run when the package was installed, rather than when it was used.

The command looked like this:

 url = "h"+"t"+"t"+"p"+":"+"/"+"/"+[REDACTED IP NUMBER]+"/name?FAKEPACKAGENAME" requests.get(url, timeout=30)

This is a crude but simple way to do what’s know in the jargon as telemetry – in other words, to keep track remotely of who has downloaded and installed the package.

The code above simply calls home to a remote web server with the name of the installed package in the URL, and ignores the data that comes back, if there is any.

Presumably, the redacted IP number in the above URL (it’s a Tencent cloud server hosted in Tokyo, Japan, for what that’s worth) is operated by the uploader of the above packages…

…who goes by the unusual and mildly ungrammatical moniker Remind Supply Chain Risks.

Fascinatingly, if rather pointlessly, this user didn’t just upload the five fake libraries listed above, but a grand total, according to the Wayback Machine, of 3951 utterly bogus PyPI packages.

Peculiarly, many, if not most, of the package names were either incongruous or unlikely to be chosen by mistake, such as Build-Number-Incrementor-for-C-Sharp and Web-Service-for-Android-GMaps-AsyncTask-Demo.

We haven’t been able to figure out where or how our mystery Supply Chain Risks user generated their list of fake package names, but perhaps just having a small number of “real-looking” typosquat fakes amonst the vast sea of bogus and even ludicrous ones was part of the plan?

At any rate, it looks as though Remind Supply Chain Risks subscribes to the idea that a job worth doing (or, as in this case, a job that isn’t really worth doing at all) is worth overdoing.

Fortunately, the Python team has already removed all these offending items…

…although we couldn’t help noticing that there is already a new fake beautifulsoup4 imposter in the PyPI database, this time entitled beatufulsoup4, uploaded on 2021-03-03.

This one contains no code at all, but it does have the this-would-be-wittier-if-it-were-not-wearing-a-bit-thin-by-now project title “You may want to install beautifulsoup4, not beautfulsoup4” to prove its this-didn’t-really-need-proving-yet-again point.

What to do?

• Don’t do mass bogus uploads like this to prove your point. We appreciate the message you are trying to deliver, but it’s already been documented so you are just making distracting work for other people who could more usefully be doing something else for the project.
• Don’t choose a PyPI package juat because the name looks right. Check that you really are downloading the right module from the right publisher. Even legitimtate modules sometimes have names that clash, compete or confuse.
• Don’t hook internal projects to external repositories by mistake. If you are using Python packages that you haven’t published externally, then the one thing you can be sure of is that all external copies of “your” package are imposter modules, probably malware.
• Don’t blindly download package updates into your own development or build systems. Test and review everything you download before you approve it for use. Remember that packages typically include update-time scripts that run when you do the update, so malware infections could be delivered as part of the update process, not of the module source code that ultimately gets installed.

How to stop security-conscious apps from allowing unencrypted data to escape, and how scammers put social network users under pressure in order to steal their passwords.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code.

Patch now, we said.

And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72:

The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

We’ve never quite understood Google’s mention of rolling out updates over “days/weeks” in an update bulletin that includes 47 security fixes, of which eight have a severity level of High.

In fact, we suggest going out manually and making sure you’ve got your Chrome update already, without waiting for those day/weeks to elapse until the update finds you.

If you’re using a Chromium-based product from another browser maker, check with that vendor for information about whether their build is affected by this bug, and if so whether the patch is downloadable yet.

Object lifecycle issue in audio

Two of the eight High Severity bugs in this set of patches were apparently found in the same part of Chrome, denoted in Google’s list merely as: Object lifecycle issue in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research.

The first bug is numbered CVE-2021-21165, reported on 2021-02-04, a month ago; the second was dubbed CVE-2021-21166, reported a week after that on 2021-02-11.

An object lifecycle issue is a jargon way of referring to what probably amounts to some kind of memory mismanagement.

The word “object” refers, very loosely, to a block of memory containing some sort of data structure, together with a list of associated programmatic functions for manipulating that data.

Managing an object’s lifecycle means, amongst other things:

• Ensuring that the memory it uses is reclaimed by the system when the object is no longer needed.
• Taking care not to reclaim and reallocate the memory while the object is still being used.
• Not doing any calculations on the object before its memory has been assigned and initialised.
• Not doing the wrong sort of calculations on the data in an object, such as trying to treat a JPEG file as a PNG, or assuming that an audio clip has 16 bits per audio sample when it only has 8 bits.
• Stopping two different parts of the program from clashing over access to the object.

Exploit in the wild

We don’t know what form these particular bugs took, given that the Chromium team’s discussion of the bugs in this release still seems to be in “keep-it-private-to-stave-off-the-crooks-a-while-longer” mode.

But we do know that at the end of this month’s bug list you will see an almost casual sentence saying that:

Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild.

In vernacular language, that means “this is a zero-day bug.”

In this context, “zero-day” denotes that the crooks got there first, so that there were literally zero days on which even the fastest-patching sysadmin could have been ahead of the Bad Guys.

Who’s exploiting this bug, in which parts of the world, against whom, and with what sort of outcome, we don’t yet know.

We’re assuming that some sort of remote code execution attack (RCE) is involved, in which case this bug, when successfully triggered, could lead to crooks implanting malware on your computer without you noticing at all, let alone agreeing to download or install any files.

We’re also assuming, given that this bug apparently has something to do with audio processing, that the bug can be deliberately and remotely triggered by serving up some audio-related data via a booby-trapped web page.

What to do?

As always in a zero-day report of this sort, don’t worry too much about the exact hows and whys just yet – assume that some kind of “drive-by” RCE is possible, so that just visiting a booby-trapped site might be enough to drop malware onto your computer, and therefore patch right away.

To check what version you have, click the three-lines icon (the “hamburger menu”) in the top right corner.

For Chrome, go to Help > About Chrome. For Chromium simply click About Chromium.

(In either browser, you can also put the special URL chrome://settings/help into the address bar.)

The version you are looking for is 89.0.4389.72 or above.

If you aren’t up-to-date, use the Update Google Chrome option on Windows or Mac to force an update.

If you’re on Linux and your version of Chrome or Chromium is provided by your distro maker, check back with your distro for update details.

Remember the last big jailbreak news?

It was nearly a year ago, back in May 2020, when well-known Apple jailbreaking crew unc0ver released version 5 of their jailbreak toolkit, just a week after Apple came out with iOS 13.5.

The word jailbreak, at least in the IT world, is a generic term for a programming trick that can liberate locked-down hardware from the strictures that the manfuacturer built into it.

But these days, jailbreaking most commonly refers to a very specific sort of unlocking tool: one that can release your iPhone or iPad from Apple’s notoriously strict walled garden.

(On locked-down Android phones, the process is more commonly known as rooting, because root is the name given to the one-admin-to rule-them-all account on Unix and Unix-like operating systems.)

What’s all the fuss about!?

Opponents of jailbreaking argue that it should be banned because jailbreaks can be used to bypass copyright protection and anti-piracy measures.

The say jailbreaks make it too easy to get your device into an insecure state.

Some argue that jailbreaking is pointless because Apple’s walled garden already provides vetted versions of all the software you could ever need anyway.

Proponents, however, say that banning jailbreaking to stop copyright infringement is a red herring.

After all, a non-jailbroken device can be used to access infringing material anyway, right there in your browser if you want, and no one is seriously suggesting banning iPhones (or the Safari browser) on that account.

Likewise, jailbreakers argue that jailbreaking is often the only way to increase security by allowing you to fix bugs that Apple hasn’t patched yet, or never will.

As for the walled garden argument, well, if you paid for your device out of your own after-tax income, and you own the hardware itself outright, jailbreaking means you can use your device as creatively or as ecologically as you wish, albeit at your own cybersecurity risk.

Is there a choice?

As we mentioned at the top of the article, the last – or, as you’ve probably figured out by now, the last-but-one – iPhone jailbreak only handled iOS versions up to iOS 13.5.

But that’s all changed in the past week, because on 2021-02-25, @Pwn20wnd of the unc0ver crew tweeted:

We wrote our own exploit based on CVE-2021-1782 for #unc0ver to achieve optimal exploit speed and stability.

— @Pwn20wnd (@Pwn20wnd) February 25, 2021

Next came @axi0mX, on 2021-02-27:

iPhone jailbreaking is not dead yet.@Pwn20wnd will be releasing #unc0ver 6.0.0 today:
* EVERY DEVICE, including A14 is supported
* EVERY VERSION, iOS 11.0 – iOS 14.3

Thanks @Pwn20wnd. Let’s get #unc0ver trending again.

— ax🔥🌸mX (@axi0mX) February 27, 2021

And an update to the update arrived this week on 2021-03-02:

unc0ver v6.0.1 is NOW OUT with improvements to iOS 14 support.

— @Pwn20wnd (@Pwn20wnd) March 2, 2021

It now looks as though at least one of the “in the wild” security vulnerabilities that Apple patched unexpectedly and in a vague shroud of secrecy at the end of January 2021…

…was patched as an anti-jailbreaking measure, given the mention of CVE-2021-1782 (a kernel-level privilege elevation hole allowing complete device take-over) in @Pwn20wnd’s tweet above.

So if you followed our advice to “patch early, patch often” (and please see below why we still think applying Apple updates as soon as you can is a wise move), you will already be on iOS 14.4, and that’s the one version that this new jailbreak can’t handle.

Part of Apple’s anti-jailbreaking protection includes measures to prevent you from downgrading, which deliberately stops you reverting to older, known-buggy versions of iOS when a new jailbreak comes out. (Sorry, folks,)

Should you or shouldn’t you?

Our take is pretty simple.

A. If you live in a country where jailbreaking is actually illegal, don’t do it.

You are just inviting legal hassles you don’t need.

If you feel strongly about having the freedom to unlock and repurpose your mobile devices, vote with your wallet and choose a product up front that isn’t permanently locked and that you can lawfully “liberate” without getting into trouble.

B. If you are using your device for work, don’t jailbreak if IT asks you not to.

If you are using your phone to access company resources and to co-operate with colleagues, spare a thought for your IT team, who are almost certainly already working all the hours they can to keep your organisation cybersecure.

Life’s hard enough for your sysadmins without flinging your unregulated and unaccountable hand-hacked device into the mix.

So please do your best by IT, and stay current with Apple’s official patches instead of hanging back in the hope that the version you have will get a jailbreak soon.

(And please don’t kick up a fuss if they kick your device off the network if it’s jailbroken.)

C. But if jailbreaking is legal where you live and you own the device outright, knock yourself out!

Don’t feel compelled to try it, of course, but you may be surprised at what you can learn from the process.

We’ve jailbroken old iDevices before, mainly to give them a new lease of life (re-use before you recycle, and all that).

Just remember

Just remember that if you do decide to go down the jailreaking route on your iPhone or iPad:

• Your device might never work again. This is called bricking your phone because it turns your device into a very expensive paperweight, a job more cheaply and reliably done by a humble housebrick. Jailbreaks involve running code that Apple really doesn’t want you to, so there’s plenty that could go wrong.
• If it’s listed as a “tethered” jailbreak your phone will not be able to reboot on its own. If your battery runs down or the phone crashes, you will need to plug it into your laptop – that’a the tethering part – before it will restart properly.
• It’s easy to get security settings wrong. For what it’s worth, the only real-world self-spreading iPhone computer viruses or worms (that we know of, at least) were restricted to jailbroken devices. These viruses, known as Ikee and Duh, attacked users who had done a jailbreak but not heeded the security warnings that came with it.
• You’re on your own. OK, strictly speaking, that’s not true because there’s a vibrant jailbreaking community out there who may well be able to help you. Or not.

As we said above, we’ve jailbroken old iDevices before so we could keep using them after Apple’s offiical “use by” date.

But we don’t recommend a jailbreak simply because it has an old-school rock-and-roll feel to it.