Category Archives: News

Mild monthly security update from Firefox – but update anyway

It’s time for this month’s scheduled Firefox update (technically, with 28 days between updates, you sometimes get two updates in one calendar month, but July 2022 isn’t one of those months)…

…and the good news is that the worst bugs listed, which get a risk category of High, are those found by Mozilla itself using automated bug-hunting tools, and lumped together under two catchall CVE numbers:

  • CVE-2022-36320: Memory safety bugs fixed in Firefox 103.
  • CVE-2022-2505: Memory safety bugs fixed in Firefox 103 and 102.1.

The reason that these bugs are split into two groups is that Mozilla officially supports two flavours of its browser.

There’s the latest-and-greatest version, currently 103, which has all the latest features and relevant security fixes.

And there’s the Extended Support Release (ESR) flavour, which synchs up with the features in the latest version every few months, but in between gets security updates only, thus bringing in new features only after they’ve been available to try out in the mainstream version for some time.

As you can imagine, sysadmins and IT teams who support Firefox at work often like ESRs because it means they don’t have to foist new features on their own users (or take the inevitable support calls about new menu options, different icons and modified behaviour) without good warning.

There are almost always at least a few bugs fixed in the mainstream Firefox version that don’t appear in the ESR, and thus can’t be fixed there, because the bugs are new, introduced in the new code added to support the new features.

This is another reason that some sysadmins like ESR-style software, given that the code in those versions has generally been exposed to real-life scrutiny for longer, without lagging behind on security patches.

In fact, Mozilla retains two ESR versions, so that you can try the previous and the current ESR versions at the same time before making the switch, thus never needing to use the cutting-edge version on your production network at all. (See below for the latest version numbers of all currently-supported versions.)

Misleading your clicks

Of the other six bugs on the patch list, we think two are intriguing and important, because both of them give attackers a chance to trick you into clicking something that isn’t what it seems:

  • CVE-2022-36319: Mouse Position spoofing with CSS transforms. Simply put, this bug means that a booby-trapped website could leave your mouse pointer positioned at the wrong spot in the browser window, so that clicking your mouse won’t register where you expect. This trick is generally known as clickjacking, where a scammer makes you think you’re clicking somewhere safe, when in fact you’re clicking on a link or button you would deliberately have avoided if only you knew. In its simplest form, clickjacking can engineer fake social media likes or unwanted ad impressions. At worst, it can lead you directly into harm from phishing attacks or fake downloads that aren’t obvious, even if you’re looking out for them.
  • CVE-2022-36314: Opening local .lnk files could cause unexpected network loads. LNK files are Windows shortcuts, which are a whole can of security worms in their own right. (A .LNK file can sneakily redirect you to a file of type X, such as .EXE, while presenting itself with an icon of type Y, such as .PDF.) In this case, a web link that specified a local .LNK file, could, if clicked, redirect you to a file stored somewhere on the network instead. Although there’s no suggestion that the data fetched this way could be used for remote code execution (in other words, to make unauthorised changes, including implanting malware), you could easily be tricked into trusting remote content under the mistaken impression that it was local data. Any network request leaks some information to the person running the server at the other end, so it’s important for your browser to give you an accurate idea of where each link you click will take you.


What to do?

As usual, go to Help > About Firefox and see whether the popup box tells you Firefox is up to date or offers you a clickable button labelled [Update to X].

This time, the version you’re after is 103.0 (if you’re using the mainstream version), ESR 102.1 (if you’re on the most recent ESR version), or ESR 91.12 (if you’re on the oldest ESR flavour).

As we’ve explained before, but think it’s worth mentioning again, the two numbers in the ESR release identifiers add together to denote the mainstream release that they match up with in terms of security updates.

So, given that the current mainstream version is 103, you can quickly tell that 102.1 ESR (102+1 = 103) and 91.12 ESR (91+12 = 103) are the most recent releases in their respective lineages.
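As an added example (not part of the Naked Security article), here is a small Python check that applies that ESR arithmetic across an inventory of installed builds, so an admin can see at a glance which machines are behind the current mainstream release. The hostnames and inventory are constructed sample data; the version strings follow the two forms Firefox itself uses, the About-dialog form ("ESR 102.1") and the build-string form ("102.1.0esr").

```python
"""Flag Firefox builds that are behind the current mainstream release.

Rule from the article: for an ESR build, major + minor equals the mainstream
release it matches for security fixes (102.1 -> 103, 91.12 -> 103).  For a
mainstream build the major number is the release itself.  The rule only holds
while an ESR lineage is still supported; once Mozilla drops a lineage its last
version simply stays behind for good.
"""
import re

# Mainstream release current at the time of the article (July 2022).
CURRENT_MAINSTREAM = 103

# Accepts "103.0", "102.0.1", "ESR 102.1" and the build string "91.12.0esr".
_VERSION_RE = re.compile(
    r"^(?P<esr_prefix>ESR\s+)?(?P<major>\d+)\.(?P<minor>\d+)(?:\.\d+)?(?P<esr_suffix>esr)?$",
    re.IGNORECASE,
)


def security_level(version: str) -> int:
    """Return the mainstream release number this build is patched up to."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {version!r}")
    major, minor = int(m["major"]), int(m["minor"])
    is_esr = bool(m["esr_prefix"] or m["esr_suffix"])
    # ESR: the two numbers add up to the matching mainstream release.
    # Mainstream: the minor number is just a point fix within the same release.
    return major + minor if is_esr else major


def outdated(inventory, current=CURRENT_MAINSTREAM):
    """Return [(host, version, releases_behind)] for every build behind `current`."""
    report = []
    for host, version in inventory:
        behind = current - security_level(version)
        if behind > 0:
            report.append((host, version, behind))
    return report


# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = [
    ("laptop-01", "103.0"),
    ("laptop-02", "102.0.1"),
    ("kiosk-07", "ESR 102.1"),
    ("kiosk-08", "91.11.0esr"),
    ("server-03", "91.12.0esr"),
]

if __name__ == "__main__":
    for host, version, behind in outdated(SAMPLE_INVENTORY):
        print(f"{host}: {version} is {behind} release(s) behind {CURRENT_MAINSTREAM}")
```

On the sample data only laptop-02 (a mainstream 102 point release) and kiosk-08 (ESR 91.11, which lines up with 102) are reported; the two builds that add up to 103 pass. Feed it the output of your own software inventory rather than the constructed list to use it for real.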


T-Mobile to cough up $500 million over 2021 data breach

Just under a year ago, the US arm of telecomms giant T-Mobile admitted to a data breach after personal information about its customers was offered for sale on an underground forum.

At the time, VICE Magazine claimed to have communicated with the hacker behind the breach via online chat, and to have been offered “T-Mobile USA. Full customer info.”

VICE’s Motherboard reporters wrote at the time that:

The data include[d] social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.

IMEI is short for International Mobile Equipment Identity, a globally unique serial number burned into your phone when it’s manufactured. Because the IMEI is considered a “non-resettable identifier”, apps on both Android and iOS are restricted from accessing it unless they have been granted special device management privileges, and developers are instructed to rely on user-resettable identifiers such as advertising IDs when legitimately tracking users and devices. You can view your phone’s IMEI by dialling the special phone number *#06#.

Reuters reports that T-Mobile has agreed, in a US federal court in Missouri, to make $350,000,000 available for what are known in America as class-action settlements.

Class actions involve individuals, who would otherwise need to sue individually for impossibly small amounts, banding together with a team of attorneys to bring lawsuits that combine their individual complaints.

Part of the $350 million mega-settlement, says Reuters, is up to $105,000,000 (30% of the total amount) for the lawyers, leaving a slightly less dramatic $245 million for the individuals who joined the suit.

Apparently, more than 75 million people were affected in the breach, though with the standard payout listed by Reuters as $25 per person, it looks as though fewer than 10 million of them decided to sign up to be part of the legal action.

According to Reuters, T-Mobile will also commit to spending “an additional US$150 million to upgrade data security”, bringing its total settlement pledge to half-a-billion dollars.

In return, T-Mobile doesn’t have to admit guilt, so this isn’t a fine or a criminal penalty – it’s a civil agreement to settle the matter.

The settlement still needs approval from the court, something that’s expected to happen by the end of 2022.


Office macro security: on-again-off-again feature now BACK ON AGAIN!

The phrase Office macros is a harmless-sounding, low-tech name that refers, in real life, to program code you can squirrel away inside Office files so that the code travels along with the text of a document, or the formulas of a spreadsheet, or the slides in a presentation…

…and even though the code is hidden from sight in the file, it can nevertheless sneakily spring into life as soon as you use the file in any way.

Those hidden macros, indeed, can be configured (by the sender, not by the recipient, you understand!) to trigger automatically when the file is opened; to override standard items in Office’s own menu bar; to run secondary programs; to create network connections; and much more.

Almost anything, in fact, that you could do with a regular .EXE file, which is the sort of file that few of us would willingly accept via email at all, even from someone we knew, and that most of us would be deeply cautious about downloading from a website we didn’t already know and trust.

Fighting back against cybercriminals

Thanks to macros and the hidden programming power they provide, Office documents have been widely used by cybercriminals for implanting malware since the 1990s.

Curiously, though, it took Microsoft 20 years (actually, closer to 25, but we’ll be charitable and round it down to two decades) to block Office macros by default in files that arrived over the internet.

As regular Naked Security readers will know, we were as keen as mustard about this simple change of heart, proclaiming the news, back in February 2022, with the words, “At last!”

To be fair, Microsoft already had an Office policy setting that you could use to turn on this safety feature for yourself, but by default it was off.

Enabling it was easy in theory, but not straightforward in practice, especially for small businesses and home users.

Either you needed a network with a sysadmin, who could turn it on for you using Group Policy, or you had to know exactly where to go and what to tweak by yourself on your own computer, using the policy editor or hacking the registry yourself.

So, turning this setting on by default felt like an uncontroversial cybersecurity step forward for the vast majority of users, especially given that the few who wanted to live dangerously could use the aforementioned policy edits or registry hacks to turn the security feature back off again.

Apparently, however, these “few” turned out [a] to be more numerous than you might have guessed and [b] to have been more inconvenienced by the change than you might have expected:

Notably, many people using cloud servers (including, of course, Microsoft’s own online data storage services such as SharePoint and OneDrive) had got used to using external servers, with external servernames, as repositories that their friends or colleagues were expected to treat as if they were internal, company-owned resources.

Remember that old joke that “the cloud” is really just shorthand for “someone else’s computer”? Turns out that there’s many a true word spoken in jest.

Organisations that relied on sharing documents via cloud services, and who hadn’t taken the appropriate precautions to denote which external servers should be treated as official company sources…

…found their macros blocked by default, and voiced their displeasure loudly enough that Microsoft officially relented around the middle of 2022.

Within 20 weeks, a change that cybersecurity experts had spent 20 years hoping for had been turned off once more.

The good news amongst the bad news, though, was that Microsoft made it clear that this on-by-default setting would definitely be coming back, possibly quite soon, just as soon as the company felt it had got the message across more clearly about the how, why and wherefore of the change:

Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users.

[…] We will provide additional details on timeline in the upcoming weeks.

Well, that “upcoming week” arrived more quickly than we’d dared to hope, with Microsoft updating its updated announcement on 20 July 2022 to say (our emphasis):

We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share.

There you have it!

What to do?

The hows, whys and wherefores of Office macro security are now officially explained in two Microsoft documents, one aimed at end users and the other at IT admins.

It’s a small step, and it took 20 years plus an on-off-on-again default-flipping palaver to complete that step…

…but we’re all for it.
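As an added example, not code from the Naked Security article or from Microsoft, the following Python models the decision the new default makes, so you can see why a file pulled from a cloud server falls foul of it. On Windows, a file that a browser or mail client saved from the internet carries the Mark of the Web: an NTFS alternate data stream called Zone.Identifier holding a small INI fragment with a ZoneId. Office reads that ZoneId; a file marked Internet (3) or Restricted sites (4) has its macros blocked unless it sits in a Trusted Location or is signed by a trusted publisher. The streams, paths and hostnames below are constructed sample data; the trusted-publisher exemption and the zone lookup for files opened straight off a UNC share are left out; and read_motw is the only part that touches a real file (it returns None on anything but NTFS).

```python
"""Model of the Office "block macros from the internet" default.

Decision order (simplified from Microsoft's published flow):
  1. file in a Trusted Location            -> macros run
  2. no Mark of the Web on the file        -> old prompt behaviour, not this block
  3. MOTW ZoneId 3 (Internet) or 4 (Restricted sites) -> macros blocked
  4. any other zone (local, intranet, trusted sites)  -> not blocked by this default
Digital signatures by a trusted publisher are not modelled here.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
BLOCKED_ZONES = {3, 4}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    host_url: Optional[str] = None
    referrer_url: Optional[str] = None


def parse_zone_identifier(stream: str) -> Optional[MarkOfTheWeb]:
    """Parse the text of a Zone.Identifier stream; None if it carries no ZoneId."""
    fields = {}
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields or not fields["zoneid"].isdigit():
        return None
    return MarkOfTheWeb(int(fields["zoneid"]), fields.get("hosturl"), fields.get("referrerurl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the Zone.Identifier stream of a real file (NTFS only); None elsewhere."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # no stream, non-NTFS volume, or not Windows at all
        return None


def in_trusted_location(path: str, trusted_locations) -> bool:
    """True if `path` is inside one of the configured Trusted Location folders."""
    p = path.replace("/", "\\").lower().rstrip("\\")
    for folder in trusted_locations:
        t = folder.replace("/", "\\").lower().rstrip("\\")
        if p == t or p.startswith(t + "\\"):
            return True
    return False


def macro_decision(path: str, motw: Optional[MarkOfTheWeb], trusted_locations=()):
    """Return (blocked, reason) for a macro-enabled Office file under the new default."""
    if in_trusted_location(path, trusted_locations):
        return False, "Trusted Location: macros run without prompting"
    if motw is None:
        return False, "no Mark of the Web: pre-2022 prompt behaviour applies"
    zone = ZONE_NAMES.get(motw.zone_id, f"unknown zone {motw.zone_id}")
    if motw.zone_id in BLOCKED_ZONES:
        origin = urlparse(motw.host_url).hostname if motw.host_url else "unknown host"
        return True, f"MOTW ZoneId={motw.zone_id} ({zone}) from {origin}: macros blocked"
    return False, f"MOTW ZoneId={motw.zone_id} ({zone}): not blocked by this default"


# Constructed sample streams, in the shape a browser writes them (hosts are made up).
SHAREPOINT_DOWNLOAD = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                       "ReferrerUrl=https://contoso.sharepoint.example/sites/finance/\r\n"
                       "HostUrl=https://contoso.sharepoint.example/sites/finance/budget.xlsm\r\n")
INTRANET_DOWNLOAD = ("[ZoneTransfer]\r\nZoneId=1\r\n"
                     "HostUrl=https://intranet.contoso.example/forms/claim.docm\r\n")
TRUSTED_LOCATIONS = [r"C:\Users\alice\Documents\MacroProjects"]

if __name__ == "__main__":
    cases = [
        (r"C:\Users\alice\Downloads\budget.xlsm", SHAREPOINT_DOWNLOAD),
        (r"C:\Users\alice\Documents\MacroProjects\budget.xlsm", SHAREPOINT_DOWNLOAD),
        (r"C:\Users\alice\Downloads\claim.docm", INTRANET_DOWNLOAD),
    ]
    for path, stream in cases:
        blocked, why = macro_decision(path, parse_zone_identifier(stream), TRUSTED_LOCATIONS)
        print(f"{'BLOCKED' if blocked else 'allowed'}  {path}: {why}")
```

The first sample shows what bit the cloud-sharing crowd: the browser recorded the company’s own SharePoint tenant as ZoneId 3 because nobody had put it into the Local intranet or Trusted sites zone, so Windows treated an official repository like any random internet host. Putting the tenant (or a file share’s UNC name) into one of those zones makes future downloads arrive with ZoneId 1 or 2; Trusted Locations cover files already on disk; PowerShell’s Unblock-File strips the stream from one file at a time. The opt-in policy the article alludes to is the blockcontentexecutionfrominternet DWORD under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security, with a matching key for each other Office application.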


S3 Ep92: Log4Shell4Ever, travel tips, and scamminess [Audio + Text]


With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG.  Facebook scams, Log4Shell forever, and tips for a cybersafe summer.

All that, and more, on the Naked Security Podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth, and with me, as always, is Paul Ducklin.

How do you do, Paul?


DUCK.  I’m super-duper, Douglas.

Starting to cool down a bit here in England.


DOUG.  Yes.


DUCK.  I think I picked the wrong day to go on a nice big country bicycle ride.

It was such a good idea when I set out: “I know, I’ll do a nice long ride, and then I’ll just get the train home, so I’m at home in plenty of time for the podcast.”

And when I got there, because of the extreme heat, the trains were only running once every two hours, and I’d just missed one.

So I had to ride all the way back… and I did just make it in time.


DOUG.  OK, there you go… you and I are in the full swings of summer, and we have some tips for the summertime coming up later in the show.

But first, I’d like to talk about This Week in Tech History.

This week, in 1968, the Intel Corporation was formed by Gordon Moore (he of Moore’s Law), and Robert Noyce.

Noyce is credited as pioneer of the integrated circuit, or microchip.

Intel’s first microprocessor would be the 4004, which was used for calculators.

And, a Fun Fact, the name Intel is a mashup of INTegrated ELectronics.

So… that company turned out pretty good.


DUCK.  Yes!

I guess, to be fair, maybe you would say, “Co-pioneer”?


DOUG.  Yes. I had, “A pioneer.”


DUCK.  Jack Kilby, of Texas Instruments, I think came up with the first integrated circuit, but it still required parts in the circuit to be wired together.

And Noyce solved the problem of how to bake them all in in silicon.

I actually attended a speech by Jack Kilby, when I was a freshly minted computer scientist.

Absolutely fascinating – research in the 1950s in America!

And of course, Kilby famously received a Nobel Prize, I think in the year 2000.

But Robert Noyce, I’m sure, would have been a joint winner, but he had already died by that time, and you cannot get a Nobel Prize posthumously.

So, Noyce never did get a Nobel Prize, and Jack St. Clair Kilby did.


DOUG.  Well, that was a long time ago…

…and a long time from now, we may still be talking about Log4Shell…


DUCK.  Oh, dear, yes.


DOUG.  Even though if there’s a fix for it, the US has come out and said that it could be decades before this thing is actually fixed.


DUCK.  Let’s be fair… they said, “Perhaps a decade or longer.”

This is a body called the Cybersecurity Review Board, the CSRB (part of the Department of Homeland Security), which was formed earlier this year.

I don’t know whether it was formed specifically because of Log4Shell, or just because of supply chain source code issues becoming a big deal.

And nearly eight months after Log4Shell was a thing, they produced this report, of 42 pages… the executive summary alone runs to nearly 3 pages.

And when I first glanced at this, I thought, “Oh, here we go.”

Some public servants have been told, “Come on, where’s your report? You’re the review board. Publish or perish!”

Actually, although parts of it are indeed heavy going, I think you should take a read through this.

They put in some stuff about how, as a software vendor, as a software creator, as a company that’s providing software solutions to other people, it’s actually not that hard to make yourself easy to contact, so people can let you know when there’s something you have overlooked.

For example, “There’s still a Log4J version in your code that you didn’t notice with the best will in the world, and you haven’t fixed.”

Why wouldn’t you want someone who’s trying to help you to be able to find you and contact you easily?


DOUG.  And they say things like… this first one is kind of table stakes, but it’s good for anyone, especially smaller businesses that haven’t thought of this: Develop an asset and application inventory, so you know what you have running where.


DUCK.  They don’t expressly threaten or claim this, because it’s not for these public servants to make the laws (that’s up to the legislature)… but I think what they’re saying is, “Develop that capacity, because if you don’t, or you couldn’t be bothered, or you can’t figure out how to do it, or you think your customers won’t notice, eventually you might find that you have little or no choice!”

Particularly if you want to sell products to the federal government! [LAUGHTER]


DOUG.  Yes, and we’ve talked about this before… another thing that some companies may have not thought of yet, but is important to have: A vulnerability response program.

What happens in the case that you do have a vulnerability?

What are the steps you take?

What’s the game plan that you follow to address those?


DUCK.  Yes, that’s what I was alluding to earlier.

The simple part of that is you just need an easy way for somebody to find out where they send reports in your organisation… and then you need to make a commitment, internally as a company, that when you receive reports, you’ll actually act upon them.

Like I said, just imagine that you’ve got this big Java toolkit that you’re selling, a big app with lots of components, and in one of the back-end systems, there’s this big Java thing.

And in there, imagine there’s still a vulnerable Log4J .JAR file that you’ve overlooked.

Why wouldn’t you want the person who discovered it to be able to tell you quickly and easily, even with a simple email?

The number of times that you go on Twitter and you see well known cybersecurity researchers saying, “Hey, does anyone know how to contact XYZ Corp?”

Didn’t we have a case on the podcast of a guy who eventually… I think he went on TikTok or something like that [LAUGHTER] because he couldn’t find out how to contact this company.

And he made a video saying, “Hey guys, I know you love your social media videos, I’m just trying to tell you about this bug.”

And eventually they noticed that.

If only he could have gone to yourcompany DOT com SLASH security DOT txt, for example, and found an email address!

“That’s where we’d prefer you to contact us. Or we do bug bounties through this program… here’s how you sign up for it. If you want to be paid.”

It’s not that hard!

And that means that somebody who wants to give you the heads up that you have a bug that you maybe thought you fixed can tell you.


DOUG.  I do love the dismount in this article!

You write and you channel John F. Kennedy, saying [KENNEDY VOICE] “Ask not what everyone else can do for you, but think about what you can do for yourself, because any improvements you make will almost certainly benefit everyone else as well.”

Alright, that is up on the site if you want to read about it… it is required reading if you’re in any sort of position that you have to deal with one of these things.

It’s a good read… at least read the three-page summary, if not the 42-page report.


DUCK.  Yes, it’s long, but I found it surprisingly thoughtful, and I was very pleasantly surprised.

And I thought if people read this, and random people take a random one tenth of it to heart…

…we ought collectively to be in a better place.


DOUG.  All right, moving right along.

It is summer vacation season, and that often involves taking your gadgets with you.

We have some tips for enjoying your summer vacation without, errr, “not enjoying” it.


DUCK.  “How many gadgets should we take? [DRAMATIC] Pack them all!”

Sadly, the more you take, the bigger your risk, loosely speaking.


DOUG.  Your first tip here is you’re packing all your gadgets… should you make a backup before you set off?

Guessing the answer is, “Yes!”


DUCK.  I think it’s pretty obvious.

Everyone knows you should make a backup, but they put it off.

So I thought it was a chance to trot out our little maxim, or truism: “The only backup you will ever regret is the one you didn’t make.”

And the other thing about making sure that you’ve backed up a device – whether that’s into a cloud account that you then log out from, or whether that’s to a removable drive that you encrypt and put in the cupboard somewhere – it means that you can strip down your digital footprint on the device.

We’ll get to why that might be a good idea… just so you don’t have your whole digital life and history with you.

The point is that by having a good backup, and then thinning out what you actually have on the phone, there’s less to go wrong if you lose it; if it gets confiscated; if immigration officials want to look at it; whatever it is.


DOUG.  And, somewhat related to moving around, you may lose your laptop and or your mobile phone… so you should encrypt those devices.


DUCK.  Yes.

Now, most devices are encrypted by default these days.

That’s certainly true for Android; it’s certainly true for iOS; and I think when you get Windows laptops these days, BitLocker is there.

I’m not a Windows user, so I’m not sure… but certainly, even if you have Windows Home Edition (which annoyingly, and I hope this changes in the future, annoyingly doesn’t let you use BitLocker on removable drives)… it does let you use BitLocker on your hard disk.

Why not?

Because it means that if you lose it, or it gets confiscated, or your laptop or phone gets stolen, it’s not just a case that a crook opens up your laptop, unplugs the hard disk, plugs it into another computer and reads everything off it, just like that.

Why not take the precaution?

And, of course, on a phone, generally because it’s pre-encrypted, the encryption keys are pre generated and protected by your lock code.

Don’t go, “Well, I’ll be on the road, I might be under pressure, I might need it in a hurry… I’ll just use 1234 or 0000 for the duration of the vacation.”

Don’t do that!

The lock code on your phone is what manages the actual full-on encryption and decryption keys for the data on the phone.

So pick a long lock code… I recommend ten digits or longer.

Set it, and practise using it at home for a few days, for a week before you leave, until it’s second nature.

Don’t just go, 1234 is good enough, or “Oh, I’ll have a long lock code… I’ll go 0000 0000, that’s *eight* characters, no one will ever think of that!”


DOUG.  OK, and this is a really interesting one: You have some advice about people crossing national borders.


DUCK.  Yes, that has become something of an issue these days.

Because many countries – I think the US and the UK amongst them, but they’re by no means the only one – can say, “Look, we want to have a look at your device. Would you unlock it, please?”

And you go, “No, of course not! It’s private! You’ve got no right to do that!”

Well, maybe they do, and maybe they don’t… you’re not in the country yet.

It’s “My kitchen, my rules”, so they might say, “OK, fine, *you* have every right to refuse… but then *we’re* going to refuse your admission. Wait here in the arrivals lounge until we can transfer you to the departure lounge to get on the next flight home!”

Basically, don’t *worry* about what’s going to happen, such as “I might be forced to reveal data at the border.”

*Look up* what the conditions of entry are… the privacy and surveillance rules in the country you’re going to.

And if you genuinely don’t like them, then don’t go there! Find somewhere else to go to.

Or simply enter the country, tell the truth, and reduce your digital footprint.

Like we were saying with the backup… the less “digital life” stuff you carry with you, the less there is to go wrong, and the less likely it is that you will lose it.

So, “Be prepared” is what I’m saying.


DOUG.  OK, and this is a good one: Public Wi-Fi, is it safe or unsafe?

It depends, I guess?


DUCK.  Yes.

There are a lot of people saying, “Golly, if you use public Wi-Fi, you’re doomed!”

Of course, we’ve all been using public Wi-Fi for years, actually.

I don’t know anyone who’s actually stopped using it out of fear of getting hacked, but I do know people go, “Well, I know what the risks are. That router could have been owned by anybody. It could have some crooks on it; it could have an unscrupulous coffee shop operator; or it could be just that somebody hacked it who was here on vacation last month because they thought it was terribly funny, and it’s leaking data because ‘ha ha ha’.”

But if you’re using apps that have end-to-end encryption, and if you’re using sites that are HTTPS so they’re end-to-end encrypted between your device and the other end, then there are considerable limits to what even a completely hacked router can reveal.

Because any malware that’s been implanted by a previous visitor will be implanted on the *router*, not on *your device*.


DOUG.  OK, next… what I consider to be computing’s version of seldom-cleaned public toilets.

Should I use kiosk PCs in airports or hotels?

Cybersecurity aside… just the number of people that have had their hands on that dirty, dirty keyboard and mouse!


DUCK.  Exactly.

So, this is the flip side of the “Should I use public Wi-Fi?”

Should I use a kiosk PC, say, in the hotel or in an airport?

The big difference between a Wi-Fi router that’s been hacked and a kiosk PC that’s been hacked is that if your traffic is going encrypted through a compromised router, there’s a limit to how much it can spy on you.

But if your traffic is originating from a hacked or compromised kiosk computer, then basically, from a cybersecurity point of view, *it is 100% Game Over*.

In other words, that kiosk PC could have unfettered access to *all the data that you send and receive on the internet* before it gets encrypted (and after the stuff you get back gets decrypted).

So the encryption becomes essentially irrelevant.

*Every keystroke you type*… you should assume it’s being tracked.

*Every time something’s on the screen*… you should assume that someone can take a screenshot.

*Everything you print out*… you should assume that there’s a copy made in some hidden file.

So my advice is to treat those kiosk PCs as a necessary evil and only use them if you really have to.


DOUG.  Yes, I was at a hotel last weekend which had a kiosk PC, and curiosity got the better of me.

I walked up… it was running Windows 10, and you could install anything on it.

It was not locked down, and whoever had used it before had not logged out of Facebook!

And this is a chain hotel that should have known better… but it was just a wide open system that nobody had logged out of; a potential cesspool of cybercrime waiting to happen.


DUCK.  So you could just plug in a USB stick and then go, “Install keylogger”?


DOUG.  Yes!


DUCK.  “Install network sniffer.”


DOUG.  Uh huh!


DUCK.  “Install rootkit.”


DOUG.  Yes!


DUCK.  “Put flaming skulls on wallpaper.”


DOUG.  No, thank you!

This next question doesn’t have a great answer…

What about spycams and hotel rooms and Airbnbs?

These are tough to find.


DUCK.  Yes, I put that in because it’s a question we regularly get asked.

We’ve written about three different instances of undeclared spy cameras. (That’s a sort of tautology, isn’t it?)

One was in a farm work hostel in Australia, where this chap was inviting people on visitor visas who are allowed to do farm work, saying “I’ll give you a place to stay.”

It turned out he was a Peeping Tom.

One was at an Airbnb house in Ireland.

This was a family who traveled all the way from New Zealand, so they couldn’t just get in the car and go home, give up!

And the other one was an actual hotel in South Korea… this was a really creepy one.

I don’t think it was the chain that owned the hotel, it was some corrupt employees or something.

They put spy cameras in rooms, and I kid you not, Doug… they were actually selling, basically, pay-per-view.

I mean, how creepy is that?

The good news, in two of those cases, the perpetrators were actually arrested and charged, so it ended badly for them, which is quite right.

The problem is… if you read the Airbnb story (we’ve got a link on Naked Security) the guy who was staying there with his family was actually an IT person, a cybersecurity expert.

And he noticed that one of the rooms (you’re supposed to declare if there are any cameras in an Airbnb, apparently) had two smoke alarms.

When do you see two smoke alarms? You only need one.

And so he started looking at one of them, and it looked like a smoke alarm.

The other one, well, the little hole that has the LED that blinks wasn’t blinking.

And when he peered through, he thought, “That looks suspiciously like a lens for a camera!”

And it was, in fact, a spy camera disguised as a smoke alarm.

The proprietor had hooked it up to the regular Wi-Fi, so he was able to find it by doing a network scan… using a tool like Nmap, or something like that.

He found this device and when he pinged it, it was pretty obvious, from its network signature, that it was actually a webcam, although a webcam hidden in a smoke alarm.

So he got lucky.

We wrote an article about what he found, linking and explaining what he had blogged about at the time.

This was back in 2019, so this is three years ago, so technology has probably even come along a little bit more since then.

Anyway, he went online to see, “What chance do I actually have of finding cameras in the next places where I stay?”

And he came across a spy camera – I imagine the picture quality would be pretty terrible, but it is still a *working digital spy camera*… not wireless, you have to wire it in – embedded *in a Phillips-head screw*, Doug!


DOUG.  Amazing.


DUCK.  Literally the type of screw that you would find in the cover plate that you get on a light switch, say, that size of screw.

Or the screw that you get on a power outlet cover plate… a Phillips-head screw of regular, modest size.


DOUG.  I’m looking them up on Amazon right now!

“Pinhole screw camera”, for $20.


DUCK.  If that’s not connected back to the same network, or if it’s connected to a device that just records to an SD card, it’s going to be very difficult to find!

So, sadly, the answer to this question… the reason why I didn’t write question six as, “How do I find spycams in the rooms I stayed in?”

The answer is that you can try, but unfortunately, it’s that whole “Absence of evidence is not evidence of absence” thing.

Unfortunately, we don’t have advice that says, “There’s a little gizmo you can buy that’s the size of a mobile phone. You press a button and it bleeps if there’s a spycam in the room.”


DOUG.  OK. Our final tip for those of you out there who can’t help yourselves: “I’m going on vacation, but what if I want to take my work laptop along?”


DUCK.  I can’t answer that.

You can’t answer that.

It’s not your laptop, it’s work’s laptop.

So, the simple answer is, “Ask!”

And if they say, “Where are you going?”, and you give the name of the country and they say, “No”…

…then that’s that, you can’t take it along.

Maybe just say, “Great, can I leave it here? Can you lock it up in the IT cupboard till I get back?”

If you go and ask IT, “I’m going to Country X. If I were taking my work laptop along, do you have any special recommendations?”…

…give them a listen!

Because if work thinks there are things that you ought to know about privacy and surveillance in the place you’re going, those things probably apply to your home life.


DOUG.  All right, that is a great article…go read the rest of it.


DUCK.  I’m so proud of the two jingles I finished with!


DOUG.  Oh, yes!

We’ve heard, “If in doubt, don’t give it out.”

But this is a new one that you came up with, which I really like….


DUCK.  “If your life’s on your phone/Why not leave it at home?”


DOUG.  Yes, there you go!

All right, in the interest of time, we have another article on the site I beg you to read. This is called: Facebook 2FA scammers return, this time in just 21 minutes.

This is the same scam that used to take 28 minutes, so they’ve shaved seven minutes off this scam.

And we have a reader question about this post.

Reader Peter writes, in part: “Do you really think these things are coincidental? I helped change my father-in-law’s British Telecom broadband contract recently, and the day the change went ahead, he had a phishing telephone call from British Telecom. Obviously, it could have happened any day, but things like that do make you wonder about timing. Paul…”


DUCK.  Yes, we always get people who go, “You know what? I got one of these scams…”

Whether it’s about a Facebook page or Instagram copyright or, like this chap’s dad, telecomms related… “I got the scam the very morning after I did something that directly related to what the scam was about. Surely it’s not a coincidence?”

And I think for most people, because they’re commenting on Naked Security, they realise it’s a scam, so they’re saying, “Surely the crooks knew?”

In other words, there must be some inside information.

The flipside of that is people who *don’t* realise that it’s a scam, and won’t comment on Naked Security, they go, “Oh, well, it can’t be a coincidence, therefore it must be genuine!”

In most cases, in my experience, it absolutely is down to coincidence, simply on the basis of volume.

So the point is that in most cases, I am convinced that these scams that you get, they are coincidences, and the crooks are relying on the fact that it’s easy to “manufacture” those coincidences when you can send so many emails to so many people so easily.

And you’re not trying to trick *everybody*, you’re just trying to trick *somebody*.

And Doug, if I can squeeze it in at the end: “Use a password manager!”

Because then you can’t put the right password into the wrong site by mistake, and that helps you enormously with those scams, whether they are coincidental or not.


DOUG.  All right, very good as always!

Thank you for the comment, Peter.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you, until next time, to…


BOTH.  Stay secure!

[MUSICAL MODEM]


Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.

The relevant security bulletins, update numbers, and where to find them online are as follows:

  • APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
  • APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
  • APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
  • APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
  • APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
  • APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
  • APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341

As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPadOS.

But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) therefore applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.

An honorary zero-day

By the way, if you’ve got a Mac with an earlier version of macOS, don’t forget about that second download for Safari, because it’s vitally important, at least as far as we can see.

That’s because one of the browser-related patches in this round of updates deals with a vulnerability in WebRTC (web real-time communications) known as CVE-2022-2294…

…and if that number sounds familiar, it should, because it’s the same bug that was fixed as a zero-day by Google in Chrome (and by Microsoft in Edge) about two weeks ago.

Intriguingly, Apple hasn’t declared any of this month’s vulnerabilities as “reported to be in the wild”, or as “zero-day bugs”, despite the abovementioned patch that was dubbed a zero-day hole by Google.

Whether that’s because the bug isn’t as easy to exploit in Safari, or simply because no one has traced back any Safari-specific misbehaviour to this particular flaw, we can’t tell you, but we’re treating it as an “honorary zero-day” vulnerability, and patching zealously as a result.

Pwn2Own hole closed

Apple has also apparently fixed the bug found by German cybersecurity researcher Manfred Paul at the recent Pwn2Own competition in Canada, back in May 2022.

Manfred Paul exploited Firefox with a two-stage bug that earned him $100,000 ($50,000 for each part), and got into Safari as well, for a further $50,000 bounty.

Indeed, Mozilla published its fix for Paul’s bugs within two days of receiving his report at Pwn2Own.

Apple, in contrast, took two months to deliver its post-Pwn2Own patch:

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero Day Initiative [Pwn2Own]

Remember, however, that responsible disclosure is part of the Pwn2Own competition, meaning that anyone claiming a prize is required not only to hand over full details of their exploit to the affected vendor, but also to keep quiet about the vulnerability until the patch is out.

In other words, as laudable and exciting as Mozilla’s two-day patch delivery time may have been, Apple’s much slower response is nevertheless acceptable.

The live video streams you may have seen from Pwn2Own served to indicate whether each competitor’s attack succeeded, rather than to reveal any information about how the attack actually worked. The video displays used by the competitors had their backs to the camera, so you could see the faces of the competitors and adjudicators, but not what they were typing or looking at.

Multi-stage attacks

As usual, the numerous bugs patched by Apple in these updates include vulnerabilities that could, in theory, be chained together by determined attackers.

A bug listed with the proviso that “an app with root privileges may be able to execute arbitrary code with kernel privileges” doesn’t sound terribly worrying at first.

After all, if an attacker already has root powers, they’re pretty much in control of your computer anyway.

But when you notice a bug elsewhere in the system that’s listed with the warning that “an app may be able to gain root privileges”, you can see how the latter vulnerability could be a convenient and unauthorised stepping stone to the former.

And when you also notice an image rendering bug described as “processing a maliciously crafted file may lead to arbitrary code execution”, you can quickly see that:

  • A booby-trapped web page could contain an image that launches untrusted code.
  • That untrusted code could implant a low-privilege app.
  • The unwanted app could acquire root powers for itself.
  • The now-root app could inject its own rogue code into the kernel.

In other words, theoretically at least, just looking at an apparently innocent website…

…could send you tumbling into a cascade of trouble, just like the famous saying that goes, “For want of a nail, the shoe was lost; for want of a shoe, the horse was lost; for want of a horse, the message was lost; for want of a message, the battle was lost… all for the want of a horseshoe nail.”

What to do?

That’s why, as always, we recommend that you patch early; patch often; patch everything.

Apple, to its credit, makes patching everything the default: you don’t get to choose which patches to deploy and which to leave “for later”.

The only exception to this rule, as we noted above, is that for macOS Big Sur and macOS Catalina, you will receive the bulk of the operating system updates in one giant download, followed by a separate download-and-update process to install the latest version of Safari.

As usual:

  • On your iPhone or iPad: Settings > General > Software Update
  • On your Mac: Apple menu > About this Mac > Software Update…
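As an added example (not from the article), here is a small POSIX shell check that maps a Mac’s reported macOS and Safari versions onto the bulletins listed above, including the separate Safari download that Big Sur and Catalina users need. The patched version numbers come from the bulletin list; reading the inputs with sw_vers and defaults on a real Mac is an assumption about how you would collect them, and Catalina’s Security Update 2022-005 does not change the 10.15.x version string, so that case can only be flagged for a manual look.

```shell
#!/bin/sh
# Added example, not the article's or Apple's code: which July 2022 Apple
# bulletins are still outstanding for a given macOS and Safari version?

# version_ge A B : succeed if dotted version A >= B, compared component-wise
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# pending_updates MACOS_VERSION SAFARI_VERSION
# Prints one line per bulletin (from the list above) that still applies;
# prints nothing when the Mac already has everything from this round.
pending_updates() {
    os="$1"; safari="$2"
    case "$os" in
        12.*)   # Monterey: Safari 15.6 is bundled into the OS update
            version_ge "$os" 12.5 || echo "APPLE-SA-2022-07-20-2: macOS Monterey 12.5 (includes Safari)" ;;
        11.*)   # Big Sur: OS update plus a separate Safari download
            version_ge "$os" 11.6.8 || echo "APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8"
            version_ge "$safari" 15.6 || echo "APPLE-SA-2022-07-20-7: Safari 15.6 (separate download)" ;;
        10.15.*)  # Catalina: version string stays 10.15.x, so check Software Update by hand
            echo "APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina (verify in Software Update)"
            version_ge "$safari" 15.6 || echo "APPLE-SA-2022-07-20-7: Safari 15.6 (separate download)" ;;
        *)
            echo "macOS $os is not covered by the July 2022 bulletins listed" ;;
    esac
}

# On a real Mac, the two inputs would come from (assumed collection method):
#   sw_vers -productVersion
#   defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
# Constructed sample: a Big Sur machine that has neither update yet.
pending_updates 11.6.7 15.5
```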
