Category Archives: News

Google patches “in-the-wild” Chrome zero-day – update now!

Google’s latest update to the Chrome browser fixes a varying number of bugs, depending on whether you’re on Android, Windows or Mac, and depending on whether you’re running the “stable channel” or the “extended stable channel”.

Don’t worry if you find the plethora of Google blog posts confusing…

…we did too, so we’ve tried to come up with an all-in-one summary below.

The Stable channel is the very latest version, including all new browser features, currently numbered Chrome 103.

The Extended Stable channel identifies itself as Chrome 102, and doesn’t have the latest features but does have the latest security fixes.

Three CVE-numbered bugs appear across the three bulletins mentioned above:

  • CVE-2022-2294: Buffer overflow in WebRTC. A zero-day hole, already known to the cybercrime fraternity and actively exploited in the wild. This bug appears in all versions listed above: Android, Windows and Mac, in both “stable” and “extended stable” flavours. WebRTC is short for “web real-time communication”, and is used by many of the audio and video sharing services you rely on, such as those for remote meetings, webinars and online phone calls.
  • CVE-2022-2295: Type confusion in V8. The term V8 refers to Google’s JavaScript engine, used by any website that includes JavaScript code, which, in 2022, is almost every website out there. This bug appears in Android, Windows and Mac, but apparently in the Chrome 103 flavour (“stable channel”) only.
  • CVE-2022-2296: Use-after-free in Chrome OS Shell. This is listed as applying to the “stable channel” on Windows and Mac, although the Chrome OS shell is, as the name suggests, part of Chrome OS, which is neither Windows nor Mac based.

Additionally, Google has patched against a bunch of non-CVE-numbered bugs that are collectively labelled with Bug ID 1341569.

These patches provide a slew of proactive fixes based on “internal audits, fuzzing and other initiatives”, which very probably means that they weren’t previously known to anyone else, and therefore never were (and no longer can be) turned into zero-day holes, which is good news.

Linux users haven’t had a mention in this month’s bulletins yet, but it’s not clear whether that’s because none of these bugs apply to the Linux codebase, because the patches aren’t quite ready yet for Linux, or because the bugs aren’t considered important enough to get Linux-specific fixes.

Bug types explained

To give you a very quick glossary of the important bug categories above:

  • Buffer overflow. This means that data supplied by an attacker gets dumped into a block of memory that isn’t big enough for the amount that was sent. If the extra data ends up “spilling over” into memory space already used by other parts of the software, it may (or in this case, does) deliberately and treacherously affect the behaviour of the browser.
  • Type confusion. Imagine that you are supplying data such as “price of product” that the browser is supposed to treat as a simple number. Now imagine that you can later trick the browser into using the number you just supplied as if it were a memory address or a text string instead. A number that passed the check to make sure it was a legal price probably isn’t a valid memory address or text string, and would therefore not have been accepted without the ruse of sneaking it in under the guise of a different data type. By feeding in data that’s “valid-when-checked-but-invalid-when-used”, an attacker could deliberately subvert the behaviour of the browser.
  • Use-after-free. This means that one part of the browser incorrectly carries on using a block of memory after it has been handed back to the system for reallocation elsewhere. As a result, data that’s already been checked for safety (by the code that assumes it “owns” the memory concerned) could end up sneakily modified just before it gets used, thus treacherously affecting the behaviour of the browser.

What to do?

Chrome will probably update itself, but we always recommend checking anyway.

On Windows and Mac, use More > Help > About Google Chrome > Update Google Chrome.

On Android, check that your Play Store apps are up-to-date.

After updating, you’re looking for version 102.0.5005.148 if you’re on the “extended stable” release; 103.0.5060.114 if you’re on the “stable” track; and 103.0.5060.71 on Android.

On Linux, we’re not sure what version number to look out for, but you might as well do the Help > About > Update security dance anyway, to ensure you’ve got the latest version available right now.


Canadian cybercriminal pleads guilty to “NetWalker” attacks in US

If you’re a Naked Security Podcast listener, you may remember, back in March 2022, that we spoke about a convicted cybercriminal from Canada by the name of Sebastien Vachon-Desjardins.

By all accounts, he was part of several so-called Ransomware-as-a-Service (RaaS) gangs, such as REvil and NetWalker, where the actual ransomware attackers act as “affiliates” for the core ransomware creators, in return for handing over an AppStore-like or Google Play-like 30% cut of every blackmail payment they extort.

Simply put, the core gang members create the malware samples, run the darkweb servers that handle the “negotiations” with victims, and collect the extortion payments…

…while the affiliates handle breaking into victims’ networks, mapping them out, and lining up the final attack in which as many computers on the network as possible have their data scrambled at the same time.

The “business theory”, if we can call it that, is that by taking 30% of every successful attack, the core criminals become extremely wealthy indeed, but keep a low profile away from the network-cracking limelight.

At the same time, by handing 70% to their “affiliates”, they encourage those co-conspirators to make each attack as debilitating as possible, potentially increasing the amount that victims can ultimately be squeezed into paying to get their business running again.


The background

Vachon-Desjardins had been a federal government worker in the Canadian Capital Region (he comes from Gatineau in Quebec, directly across the river from the federal capital Ottawa in Ontario).

He seems to have decided that joining the cybercrime underworld would be much more lucrative than his government job, and it seems that he did indeed rack up a small fortune in illegal earnings…

…until he was identified, arrested and prosecuted in Canada.

After being sentenced to nearly seven years in a Canadian prison, he was then extradited to Tampa, Florida in the US, to face four federal charges there:

  • Conspiracy to Commit Computer Fraud
  • Conspiracy to Commit Wire Fraud
  • Intentional Damage to a Protected Computer
  • Transmitting a Demand in Relation to Damaging a Protected Computer

The choice of Tampa for his trial was because a known victim of one of his “NetWalker” ransomware attacks is based there.

Vachon-Desjardins has now pleaded guilty to all four charges, with the plea agreement (thanks to The Register for uploading a copy of the court document) explaining:

The NetWalker Ransomware was a specific type of malicious software (malware) that was used to compromise and restrict access to a victim’s computer network in an effort to extort a ransom. Conspirators used NetWalker not only to encrypt victim data, but also used the malware to steal sensitive data from victims. If a victim did not pay the ransom, conspirators would refuse to decrypt victim data and would publish the sensitive, stolen data online. The stolen data was often published on a dark web website named “the NetWalker Blog,” which existed for the primary purpose of facilitating the publication of stolen victim data.

NetWalker operated as ransomware-as-a-service (“RaaS”), featuring Russia-based developers and affiliates who resided all over the world. Under the RaaS model, developers were responsible for creating and updating the ransomware, and making it available to affiliates. Affiliates were responsible for identifying and attacking high-value victims with the ransomware. After a victim paid, developers and affiliates split the ransom. Sebastien Vachon-Desjardins was one of the most prolific NetWalker Ransomware affiliates.

SophosLabs has analysed the NetWalker ransomware in detail, thanks to a stash of files recovered by our threat response team during a ransomware incident investigation in 2020.

The plea deal also notes that:

On or about January 27 and 28, 2021, the Royal Canadian Mounted Police executed search warrants at Vachon-Desjardins’ home and on safe deposit boxes held by Vachon-Desjardins at National Bank, Gatineau, Quebec.

During these searches, law enforcement seized, among other assets, all bitcoin contained in the defendant’s BTC Wallet 3Pxki6pFFKC12YSn8JtDs3ZrEg3pFTHnHd.

This seized bitcoin was derived primarily from ransom funds paid by victims of NetWalker Ransomware attacks.

The amount seized was just under BTC 720, worth about US$23 million in early 2021, and still worth about US$14 million today.

That wasn’t all, however, with the court document stating:

Law enforcement identified and seized copies of the server that operated as the backend, or internal-facing, server of the NetWalker Tor Panel and the NetWalker Blog. This server contained detailed transactional information as to the NetWalker developers and affiliates. The transactional records revealed that during the course of the conspiracy, approximately 100 affiliates had been active, and victims had paid approximately 5058 bitcoin in ransoms (an approximate total of US$40 million based on the value of bitcoin at the time of each transaction).

These records also tied Vachon-Desjardins to the successful extortion of approximately 1864 bitcoin in ransoms (an approximate total of US$21.5 million based on the value of bitcoin at the time of each transaction) from dozens of victim companies across the world, including [the victim in Tampa, Florida].

What next?

As Chester Wisniewski put it in the March 2022 podcast:

Sebastien is temporarily “on loan” to the Americans, so they can punish him, but when he comes back, he still has to face his sentence here in Canada.

The wire fraud offence alone carries a maximum sentence of 20 years, but we’re assuming that the court will impose a lighter sentence on account of the plea deal being signed.

The plea agreement makes it clear that “[the] defendant is pleading guilty because [he] is in fact guilty.”

And part of the deal includes that the “defendant agrees to cooperate fully with the United States in the investigation and prosecution of other persons, […including] a full and complete disclosure of all relevant information, including production of any and all books, papers, documents, and other objects in defendant’s possession or control.”

In other words, Vachon-Desjardins is now expected to spill the beans, and rat out his former chums in the ransomware scene.

What to do?

For further insights into the ugly world of ransomware, how it works, and how to protect yourself against it, why not check out our State of Ransomware surveys from 2021 and 2022?


Facebook 2FA phish arrives just 28 minutes after scam domain created

We’ll tell this story primarily through the medium of images, because a picture is worth 1024 words.

This cybercrime is a visual reminder of three things:

  • It’s easy to fall for a phishing scam if you’re in a hurry.
  • Cybercriminals don’t waste any time getting new scams going.
  • 2FA isn’t a cybersecurity panacea, so you still need your wits about you.

It was 19 minutes past…

At 19 minutes after 3 o’clock UK time today [2022-07-01T14:19:00.00Z], the criminals behind this scam registered a generic and unexceptionable domain name of the form control-XXXXX.com, where XXXXX was a random-looking string of digits, looking like a sequence number or a server ID:

28 minutes later, at 15:47 UK time, we received an email, linking to a server called facebook.control-XXXXX.com, telling us that there might be a problem with one of the Facebook Pages we look after:

As you can see, the link in the email, highlighted in blue by our Outlook email client, appears to go directly and correctly to the facebook.com domain.

But that email isn’t a plaintext email, and that link isn’t a plaintext string that directly represents a URL.

Instead, it’s an HTML email containing an HTML link where the text of the link looks like a URL, but where the actual link (known as an href, short for hypertext reference) goes off to the crook’s imposter page:

As a result, clicking on a link that looked like a Facebook URL took us to the scammer’s bogus site instead:

Apart from the incorrect URL, which is disguised by the fact that it starts with the text facebook.contact, so it might pass muster if you’re in a hurry, there aren’t any obvious spelling or grammatical errors here.

Facebook’s experience and attention to detail means that the company probably wouldn’t have left out the space before the words “If you think”, and wouldn’t have used the unusual text ex to abbreviate the word “example”.

But we’re willing to bet that some of you might not have noticed those glitches anyway, if we hadn’t mentioned them here.

If you were to scroll down (or had more space than we did for the screenshots), you might have spotted a typo further along, in the content that the crooks added to try to make the page look helpful.

Or you might not – we highlighted the spelling mistake to help you find it:

Next, the crooks asked for our password, which wouldn’t usually be part of this sort of website workflow, but asking us to authenticate isn’t totally unreasonable:

We’ve highlighted the error message “Password incorrect”, which comes up whatever you type in, followed by a repeat of the password page, which then accepts whatever you type in.

This is a common trick used these days, and we assume it’s because there’s a tired old piece of cybersecurity advice still knocking around that says, “Deliberately put in the wrong password first time, which will instantly expose scam sites because they don’t know your real password and therefore they’ll be forced to accept the fake one.”

To be clear, this has NEVER been good advice, not least when you’re in a hurry, because it’s easy to type in a “wrong” password that is needlessly similar to your real one, such as replacing pa55word! with a string such as pa55pass! instead of thinking up some unrelated stuff such as 2dqRRpe9b.

Also, as this simple trick makes clear, if your “precaution” involves watching out for apparent failure followed by apparent success, the crooks have just trivially lulled you into a false sense of security.

We also highlighted that the crooks deliberately added a slightly annoying consent checkbox, just to give the experience a veneer of official formality.

Now you’ve handed the crooks your account name and password…

…they immediately ask for the 2FA code displayed by your authenticator app, which theoretically gives the criminals anywhere between 30 seconds and a few minutes to use the one-time code in a fraudulent Facebook login attempt of their own:

Even if you don’t use an authenticator app, but prefer to receive 2FA codes via text messages, the crooks can provoke an SMS to your phone simply by starting to log in with your password and then clicking the button to send you a code.
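To make the “30 seconds to a few minutes” point concrete, here is an added example (not code from the article or from any authenticator vendor): a minimal RFC 6238 TOTP generator, a verifier with the customary tolerance of one 30-second step either side, and a helper that works out how long a code read off a phone at a given moment stays acceptable to such a server. The secret and timestamps in the test are the RFC’s published test values; `skew_steps` is our name for the server-side tolerance, and the helper assumes a server that tolerates exactly that many steps.

```python
"""Why a phished one-time code is usable for longer than 'the next 30 seconds'.

Added example, not from the article: a minimal RFC 6238 TOTP generator and
a verifier with the usual tolerance of one time-step either side.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the standard TOTP time-step
DIGITS = 6          # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second step that contains at_time."""
    return hotp(secret, at_time // STEP_SECONDS)


def verify(secret: bytes, code: str, at_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step and skew_steps either side.

    Servers do this to tolerate clock drift between phone and server;
    it is also what stretches the window a phished code can be replayed in.
    compare_digest keeps the comparison constant-time.
    """
    step = at_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, step + d), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def usable_window_seconds(issued_at: int, skew_steps: int = 1) -> int:
    """Seconds after issued_at for which a code shown at issued_at still verifies.

    A code for step k is accepted while the server's current step is within
    skew_steps of k, i.e. until the end of step k + skew_steps. (Assumes a
    server with exactly that tolerance; real deployments vary.)
    """
    step_start = (issued_at // STEP_SECONDS) * STEP_SECONDS
    window_end = step_start + (skew_steps + 1) * STEP_SECONDS
    return window_end - issued_at


if __name__ == "__main__":
    # Constructed demo secret; never reuse a real seed like this.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("code now:", totp(demo_secret, now))
    print("still accepted for another", usable_window_seconds(now), "seconds")
```

With the default tolerance, a code lifted from a phone at the very start of a step remains acceptable for a full 60 seconds, and one lifted at the end of a step for just over 30. A server that tolerates more drift widens that to minutes, which is why the relay the article describes works comfortably in real time.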

Finally, in another common trick these days, the criminals soften the dismount, as it were, by casually redirecting you to a legitimate Facebook page at the end.

This gives the impression that the process finished without any problems to worry about:

What to do?

Don’t fall for scams like this.

  • Don’t use links in emails to reach official “appeal” pages on social media sites. Learn where to go yourself, and keep a local record (on paper or in your bookmarks), so that you never need to use email web links, whether they’re genuine or not.
  • Check email URLs carefully. A link with text that itself looks like a URL isn’t necessarily the URL that the link directs you to. To find the true destination link, hover over the link with your mouse (or touch-and-hold the link on your mobile phone).
  • Check website domain names carefully. Every character matters, and the business part of any server name is at the end (the right-hand side in European languages that go from left-to-right), not at the beginning. If I own the domain dodgy.example then I can put any brand name I like at the start, such as visa.dodgy.example or whitehouse.gov.dodgy.example. Those are simply subdomains of my fraudulent domain, and just as untrustworthy as any other part of dodgy.example.
  • If the domain name isn’t clearly visible on your mobile phone, consider waiting until you can use a regular desktop browser, which typically has a lot more screen space to reveal the true location of a URL.
  • Consider a password manager. Password managers associate usernames and login passwords with specific services and URLs. If you end up on an imposter site, no matter how convincing it looks, your password manager won’t be fooled because it recognises the site by its URL, not by its appearance.
  • Don’t be in a hurry to put in your 2FA code. Use the disruption in your workflow (e.g. the fact that you need to unlock your phone to access the code generator app) as a reason to check that URL a second time, just to be sure, to be sure.
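Two of the checks above lend themselves to automation at the mail gateway or in a phishing-report triage script: does the visible text of a link name a different host from its href, and does the real destination actually sit under the brand’s own domain? The following is an added example written for this article, not the authors’ code or anything from Facebook or Microsoft. The e-mail body is constructed to mirror the phish described above, with the scam domain left as the placeholder control-XXXXX.example, and the function and field names (`audit_links`, `belongs_to`, `text_href_mismatch`, `target_trusted`) are ours.

```python
"""Flag HTML e-mail links whose visible text and href disagree, and check
whether a link's host really belongs to the brand it claims to be.

Added example for this article; the sample e-mail below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the phish described in the article.
# The scam domain is a placeholder (control-XXXXX.example).
SAMPLE_EMAIL_HTML = """
<p>There might be a problem with one of your Pages.</p>
<p>Please review it here:
<a href="https://facebook.control-XXXXX.example/appeal">https://www.facebook.com/help/appeal</a></p>
<p>Or visit <a href="https://www.facebook.com/help">Help Center</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(text):
    """Lower-case host of a URL or bare hostname, or None if there isn't one."""
    url = text if "://" in text else "https://" + text
    host = urlsplit(url).hostname
    return host.lower() if host else None


def belongs_to(host, registered_domain):
    """True if host is registered_domain itself or one of its subdomains.

    The comparison anchors on the right-hand end of the name, so
    whitehouse.gov.dodgy.example is NOT treated as belonging to whitehouse.gov.
    """
    host = host.lower().rstrip(".")
    registered_domain = registered_domain.lower().rstrip(".")
    return host == registered_domain or host.endswith("." + registered_domain)


def looks_like_url(text):
    """Does the visible link text itself look like a URL or hostname?"""
    return "://" in text or ("." in text and " " not in text)


def audit_links(html, trusted_domain):
    """Return one finding per link: where it shows, where it goes, and verdict flags."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = hostname(href)
        shown = hostname(text) if looks_like_url(text) else None
        findings.append({
            "href": href,
            "text": text,
            "target_host": target,
            "text_host": shown,
            # Visible text names one host but the href goes somewhere else.
            "text_href_mismatch": shown is not None and shown != target,
            # Is the real destination under the brand's registered domain?
            "target_trusted": target is not None and belongs_to(target, trusted_domain),
        })
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML, "facebook.com"):
        ok = f["target_trusted"] and not f["text_href_mismatch"]
        print(f"{'OK' if ok else 'SUSPICIOUS'}: text={f['text']!r} -> {f['target_host']}")
```

The first link in the sample is flagged on both counts: its text names www.facebook.com while its href resolves to a host under the placeholder scam domain, and that host is not facebook.com or any subdomain of it. The second link passes. The `belongs_to` check is the programmatic form of the “business part is at the end” rule in the list above; for a production filter you would extend it with a public-suffix list so that co.uk-style registrations are handled correctly.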

Remember that phishing crooks move really fast these days in order to milk new domain names as quickly as they can.

Fight back against their haste by taking your time.

Remember those two handy sayings: Stop. Think. Connect.

And after you’ve stopped and thought: If in doubt, don’t give it out.


“Missing Cryptoqueen” hits the FBI’s Ten Most Wanted list

The US Federal Bureau of Investigation (FBI) famously maintains a Ten Most Wanted Fugitives list.

Currently, nine of them are men, suspected of 22 different offences between them:

  • Accessory After the Fact
  • Aiding and Abetting
  • Armed Robbery
  • Cocaine Importation Conspiracy
  • Conspiracy to Commit Murder-for-Hire
  • Conspiracy to Commit Violent Crimes in Aid of Racketeering
  • Conspiracy to Kidnap a Federal Agent
  • Conspiracy to Possess Machine Guns
  • Dangerous Weapon with Intent to Injure
  • Felony Murder of a Federal Agent
  • First Degree Assault
  • First Degree Murder
  • Interstate Stalking
  • Kidnapping
  • Kidnapping of a Federal Agent
  • Murder
  • Possession of Machine Guns
  • Racketeering Conspiracy
  • Second Degree Assault
  • Second Degree Murder
  • Unlawful Flight to Avoid Prosecution
  • Violent Crimes in Aid of Racketeering

One of them, however, newly added and the only woman on the list, breaks the mould.

She’s wanted for:

  • Conspiracy to Commit Money Laundering
  • Conspiracy to Commit Securities Fraud
  • Conspiracy to Commit Wire Fraud
  • Securities Fraud
  • Wire Fraud

According to the FBI, Ruja Ignatova, widely known as the Cryptoqueen, and famously dubbed the “Missing Cryptoqueen” by the makers of a popular BBC podcast series:

…is wanted for her alleged participation in a large-scale fraud scheme. Beginning in approximately 2014, Ignatova and others are alleged to have defrauded billions of dollars from investors all over the world. Ignatova was the founder of OneCoin Ltd., a Bulgaria-based company that marketed a purported cryptocurrency. In order to execute the scheme, Ignatova allegedly made false statements and representations to individuals in order to solicit investments in OneCoin. She allegedly instructed victims to transmit investment funds to OneCoin accounts in order to purchase OneCoin packages, causing victims to send wire transfers representing these investments. Throughout the scheme, OneCoin is believed to have defrauded victims out of more than $4 billion.

Do not adjust your screen

You read that correctly.

OneCoin, supposedly a Bitcoin-like cryptocurrency, is said to have attracted more than $4,000,000,000 that was paid in by investors who were seduced by the chance of getting in on the ground floor of another Bitcoin-like value surge.

For all that the media is currently full of “Bitcoin and its crypto-friends are in meltdown” stories, anyone who still has a bunch of bitcoins left over from the early 2010s is nevertheless sitting on a fortune.

Back in 2010, for example, a user going by the name SmokeTooMuch allegedly owned 10,000 bitcoins.

If SmokeTooMuch never did sell those coins, and still has them today, he would have lost close to half-a-BILLION dollars between November 2021 and today, given that Bitcoin has lost more than two-thirds of its value in the past eight months.

But he’d still be worth close to $200 million, given that BTC 1 is currently worth about $19,000. [2022-07-01T15:40Z]

Yet when he tried to sell those bitcoins back in 2010, he wanted $50 for them, thus valuing them at just half a US cent each, but couldn’t find a buyer willing to meet his price.

Heck, bitcoins could plunge to as low as $100 each, and someone with BTC 10,000 that they’d held onto from the early days, when they were worth fractions of a cent each, would, on paper at least, still be a millionaire.

In on the ground floor

With stories like that doing the rounds, you can see why many people are desperate to buy into new cryptocurrency schemes, despite the regular and dispiriting stories of cryptocoin schemes that failed completely, costing their investors everything they’d paid in.

Cryptocurrency scammers have even found credible ways to trick iPhone users into installing unofficial “test” apps, which aren’t vetted by Apple as keenly as software in the App Store itself.

The crooks seek you out on social network sites, notably on dating sites, work their way into a friendly relationship with you, and then pitch the fact that the app is still “in beta” as evidence that they’re giving you a “unique” chance to get in right at the start.

When everyone else joins the club, and the value of their “cryptocurrency” really takes off, then everyone is going to make lots of money, they’ll tell you…

…but those who got in really early will be extra-super-duper rich, just like the people who were into Bitcoin when it first began.

Thus the scammers lure you into trusting an app that looks just like a trading app; that accepts your deposits just like a trading app; and that shows you the value of your “investment” steadily rising.

You may get regular “deposits” added to your account under the guise of dividends, bonuses and interest payments, and the crooks may offer you the chance to bring your close friends and family in on the “deal”, perhaps with a “commission” you can “earn” for doing so.

You may even be able to cash out modest amounts of your “investment” along the way, or get “payouts” and “spot bonuses” in a cash form, intended to convince you that the system is genuine, and not just a one-way street that never pays out.

In reality, those “payouts” come either from the money you’ve already put in yourself, or from the funds paid in by victims who joined after you.

That sort of scam is known to this day as a Ponzi scheme, after an early perpetrator of the scam called Carlo Pietro Giovanni Guglielmo Tebaldo Ponzi, better known as Charles.

All a pack of lies

Sadly, the whole thing is a pack of lies, as you’ll find if you decide to cash out your “investment”.

What happens next depends on the scammers, but typical outcomes include:

  • The crooks pretend to initiate a withdrawal, to allay your suspicions, only to convince you to “reinvest” because of a fantastic new development that they urge you to hang around for.
  • The crooks pay you back some of your funds, typically keeping 25%, claiming that it’s a compulsory government withholding tax or some other regulatory necessity that’s beyond their control.
  • You never hear from them again.

Missing Cryptoqueen

The Missing Cryptoqueen is accused of running a scam along those sort of lines, albeit without an iPhone app, allegedly operating what the FBI refers to above as “a purported cryptocurrency”.

The reward for information leading to her arrest is listed as “up to $100,000”.

Some of the henchpeople in the OneCoin crew have already been convicted of scam-related offences, including Mark Scott, a former equity partner at the law firm Locke Lord LLP, who was convicted in Manhattan Federal Court in 2019 for laundering about $400 million out of the scheme.

And Ignatova’s brother, Konstantin Ignatov, who allegedly took over the reins of the OneCoin empire when his sister dropped out of sight in 2017, was arrested at Los Angeles International Airport in March 2019, and subsequently admitted guilt on money-laundering and fraud charges.

What to do?

  • Beware any online schemes that make promises that a properly regulated investment would not be allowed to make. Investment regulations generally exist to keep the lid on wild and unachievable claims, so be sceptical of any scheme that sets out to sidestep that sort of control and expects you to invest without any regulatory protection at all.
  • Don’t be taken in by cryptocoin jargon and a smart-looking website or app. Anyone can set up a believable-looking website or build an app to show what look like upbeat real-time graphs and online comments that seem to be awash with upvotes and positivity. Open source website and blogging tools make it cheap and easy to create professional-looking content. But those tools can’t stop a crook filling a website with fake data.
  • Consider asking someone with an IT background whom you know and trust for advice. Find someone who isn’t already part of the scheme and doesn’t show any particular interest in it. Be wary of advice or endorsement from people who are (or claim to be) part of the scheme already. They could be paid shills, or fake personas, or they could be early winners who’ve been paid out with money Ponzied from later investors, and thus lured into promoting the scam themselves.
  • If it sounds too good to be true, it probably is. That advice applies whether it’s a new cryptocurrency, a special online offer, a new online service, a survey to win a prize, or even just the good old lure of “free stuff”. Take your time to understand what you’re signing up for.

If in doubt, don’t give it out, and that definitely includes your money!


S3 Ep89: Sextortion, blockchain blunder, and an OpenSSL bugfix [Podcast + Transcript]


With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG.  More extortion scams, more crypto theft, and a bugfix for a bugfix.

All that and more on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth, and he is Paul Ducklin.

Paul, how do you do?


DUCK.  I am super-duper, thank you, Douglas.


DOUG.  We like to start the show with a little bit of tech history, and I’d like to remind you that this week, in 2007, the first generation iPhone was released in the United States.

At a time when most high-end phones were selling for $200 with a two-year wireless service contract, the iPhone started at $500 with a two-year contract.

It also sported a slower connection speed than many phones at the time, with 2.5G, or EDGE, versus 3G.

Still, two-and-a-half months after its release, Apple had sold a million iPhones.

In the US alone.


DUCK.  Yes, I’d forgotten that thorny detail of the 2-dot-5 EDGE!

I just remember thinking, “You cannot be serious?”

I was in Australia at the time, and they were *expensive*.

I think that was still the era when I was just hanging onto my EDGE device… I keep calling it a JAM JAR, but it was actually called a JASJAR or a JASJAM, or something.

One of those sliding-keyboard Windows CE devices.

I was the only person in the world that loved it… I figured, well, someone has to.

You could write your own software for it – you just compiled the code and put it on there – so I remember thinking, this App Store thing, only 2.5G, super-expensive?

It will never catch on.

Well, the world has never been the same since, that’s for sure!


DOUG.  It has not!

All right, speaking of the world not being the same, we’ve got more scams.

This one…why don’t I just read from the FTC about this scam?

The FTC (the Federal Trade Commission in the United States) says the criminals usually work something like this:

“A scammer poses as a potential romantic partner on an LGBTQ+ dating app, chats with you, quickly sends explicit photos, and asks for similar photos in return.

If you send photos, the blackmail begins.

They threaten to share your conversation and photos with your friends, family, or employer unless you pay, usually by gift card.

Other scammers threaten people who are closeted or not yet fully out as LGBTQ+. They may pressure you to pay up or be outed, claiming they’ll ruin your life by exposing explicit photos or conversations.

Whatever their angle, they’re after one thing: your money.”

Nice people here, right?


DUCK.  Yes, this is truly awful, isn’t it?

And what particularly caught me about this story is this…

A couple of years ago, the big thing of this sort, as you remember, was what became known as “sextortion” or “porn scamming”, where the crooks would say, “Hey, we’ve got some screenshots of you watching porn, and we turned on your webcam at the same time. We were able to do this because we implanted malware on your computer. Here’s some proof”, and they’ve got your phone number or your password or your home address.

They never show you the video, of course, because they don’t have it.

“Send us the money,” they say.

Exactly the same story, except that in that case we were able to go to people and say, “All a pack of lies, just forget it.”


Unfortunately, this is exactly the opposite, isn’t it?

They *have* got the photo… unfortunately, you sent it to them, maybe thinking, “Well, I’m sure I can trust this person.”

Or maybe they’ve just got the gift of the gab, and they talk you into it, in the same way as traditional romance scammers… they don’t want explicit photos for blackmail, they want you to fall in love with them for the long term, so they can milk you for money for weeks, months, years even.


But it is tricky that we have one kind of sexually-related extortion scam where we can tell people, “Don’t panic, they can’t blackmail because they actually don’t have the photo”…

…and another example where, unfortunately, it’s exactly the other way around, because they do have the photo.

But the one thing you should still not do is pay the money, because how do you ever know whether they are going to delete that photo.

Even worse, how do you know, even if they actually are – I can’t believe I’m going to use these words – “trustworthy crooks”?

Even if their intention is to delete the photo, how do you know they haven’t had a data breach?

They could have lost the data already.

Because dishonour among thieves and crooks falling out with one another is common enough.

We saw that with the Conti ransomware gang… affiliates leaking a whole load of stuff because they’d fallen out with the people at the core of the group, apparently.

And lots of cybercrooks have poor operational security themselves.

There’s been any number of cases in the past where crooks either ended up getting bust or ended up giving away the secrets of their malware because their systems, where they were supposedly keeping all the secrets, were wide open anyway.


DOUG.  Yes.

At a very personal and uncertain time in people’s lives, of course, when they finally trusted someone they’ve never met… and then this happens.

So that’s one of our tips: Don’t pay the blackmail money.

Another tip: Consider using your favorite search engine for a reverse image search.


DUCK.  Yes, lots of people recommend that for all sorts of scams.

It’s very common that the crooks will gain your trust by picking an online dating profile of someone that they’ve pre-judged you’ll probably like.

They go and find someone who actually might be a good match for you, they rip off that person’s profile, and they come steaming in, pretending to be that person.

Which gets them off to a very good start when it comes to romantic machinations, doesn’t it?

And so, if you do a reverse image search and somebody else’s profile comes up: bingo! You’ve busted them!

The bad news is that you can’t use that to prove anything about the people…

…in other words, if you do the reverse search and nothing comes up, it doesn’t mean that the person you’re speaking to really is the original owner of that photograph.

However, we have had people on Naked Security commenting saying, “I got one of these; I did a reverse image search; it instantly came out in the wash. Reverse search worked really well for me.”

You might trip the crook up at the very, very first hurdle.


DOUG.  Yes, I think I shared this in one of the first podcast episodes we did…

We were trying to rent a ski-house, and the place we were trying to rent looked a little too good to be true for the price.

And my wife called the person to ask them about it, and clearly woke someone up in the middle of the night on the other side of the world.

As she was doing that, I dropped the image into a reverse image search, and it was a Ritz Carlton Hotel in Denver or something like that.

It was not even close to where we were trying to rent.

So this works beyond just romance scams – it works for anything that just smells kind of fishy, and has images associated with it.


DUCK.  Yes.


DOUG.  OK. And then we have the tip: Be aware before you share.


DUCK.  Yes, that’s one of our little jingles.

It’s easy to remember.

And, in fact, it’s not just true for these sexual extortion scams, although, as you say, it’s especially troubling and evil-sounding in such cases.

It’s absolutely true in all cases where there’s someone that you’re not sure about – don’t give out information, because you can’t get it back later.

Once you’ve handed over the data, then you don’t just have to trust them… you have to trust their computer, their own attitude to cybersecurity and everything.


DOUG.  That dovetails nicely with our next tip, which is: If in doubt, don’t give it out.


DUCK.  Yes, I know some people say, “Oh, well, that sounds like you’re victim blaming.”

But once you hand out your data, you can *ask* for it back, but you can’t really do much more than that.

It’s trivial to share stuff, but it’s as good as impossible to call it back afterwards.


DOUG.  OK, then we’ve got some resources in the article about how to report such scams based on the country that you live in, which is pretty handy.


DUCK.  Yes, we put in online fraud reporting URLs for: the USA, the United Kingdom, the European Union, Canada, Australia and New Zealand.

The US one is https://reportfraud.ftc.gov.

And the FTC, of course, is essentially the consumer rights body in the United States.

I was very pleasantly surprised with that site – I found it very easy to navigate.

You can put in as much or as little information as you want.

Obviously, if you want to keep up with a case later, then you’re going to have to share information that allows them to contact you back – in other words, it would be difficult to remain completely anonymous.

But if you just want to say, “Look, I’ve got this scam, I must be one of a million people”…

…if nobody says anything, then essentially, statistically, nothing happened.

You can report things and just say, “I got this URL, I got this phone number, I got this information,” whatever it is, and you can provide as much or as little as you want.

And although it sometimes feels like reporting this stuff probably doesn’t make a difference – because obviously if you don’t give your email address and your contact details, you won’t get any reply to say whether it was useful or not – you just have to take it on faith.

And my opinion is: I don’t see how it can possibly do any harm, and it may do a little bit of good.

It may help the authorities to build a case against somebody where, without several corroborating reports, they might have found it very difficult to get to the legal standard they needed to actually do something about what is a particularly nasty crime.


DOUG.  OK, that is: “FTC warns of LGBTQ+ extortion scams: Be aware before you share” on nakedsecurity.sophos.com.

And speaking of being aware, when are we going to have one week where we’re not aware of some sort of crypto theft?

Another $100 million vanished into thin air, Paul!


DUCK.  I didn’t realise that was a rhetorical question.

I was about to chime in and say, “Not this week, Doug.”

Actually, when you look at the current exchange rate of US dollar to Ether, I wonder if this one was even worth writing about. Doug?

It was not quite $100 million… It was, “I don’t know, $80 million, $90 million – it’s almost not worth getting out of bed to write about,” he said very cynically.

Yes, this was yet another decentralised finance, or De-Fi, company disaster.

You wouldn’t know it to go to their website.

The company is called Harmony – they’re essentially a blockchain smart contract company… you go to the website, and it’s still full of how great they are.

If you go to their official blog from their website, there is a story on there which is “Lost Funds Investigation Report”.

But that’s not *these* lost funds; that’s *those* lost funds.

That’s from back in January… I think it was “only” something like a $5 million hack, maybe even less, Doug, that somebody made off with.

And that’s the last story on their blog.

They do have information on Twitter about it, to be fair, and they have published a blog article somewhere on Medium.com which details what little they seem to know.

It sounds like they had a whole lot of funds that were locked up centrally, funds needed to make the wheels work, and to allow those things to be moved in and out, they were using what’s called a “multi-signature” or “multisig” approach.

One private key wouldn’t be enough to authorise transferring out any of these particular funds.

There were five people who were authorised, and two of them had to come in together, and apparently each private key was stored sort-of split in half.

The person had a password to unlock it, and they needed to get some key material from a key server, and apparently each private key was on a different key server.

So, we don’t know how it happened… did somebody collude? Or did somebody just think they’d be really clever and say, “Hey, I’ll share my key with you, and you share your key with me, just in case, as extra backup?”

Anyway, the crooks managed to get two private keys, not one, so they were able to pretend to be more than one person, and they were able to unlock this large amount of funds and transfer it to themselves.

And that added up to some $80 million-plus US dollars worth of Ether.

And then, it seems, that Harmony, like they did back in January when they had the previous rip-off… they did what everyone’s doing these days.

“Dear Mr. White Hat, dear Lovely Crook, if you send the funds back, we’ll write it up as a bug bounty. We’ll rewrite history, and we’ll try not to let you get prosecuted. And we’ll say it was all in the name of research, but please give us our money back.”

And you think, “Oh, golly, that smacks of desperation,” but I guess that’s all they’ve got to try.


DOUG.  And I like that they’re offering 1% of what was stolen.

And then the icing on the cake is they will “advocate for no criminal charges” when funds are returned, which seems hard to guarantee.


DUCK.  Yes, I guess that’s all they can say, right?

Well, certainly in England, you can have things called private prosecutions – they don’t have to be brought by the state.

So you could do a criminal prosecution as a private individual, or as a charity, or as a public body, if the state doesn’t want to prosecute.

But you don’t get the opposite, where you’re the victim of a crime and you say, “Oh, I know that guy. He was drunk out of his mind. He crashed into my car, but he repaired it. Don’t prosecute him.”

The state will probably go, “You know what? It’s actually not up to you.”

Anyway, it doesn’t seem to have worked.

Whoever it was has already transferred something like 17,000 Ether (something just shy of $20 million US, I think) out of the account where they’d originally collected the stuff.

So, it’s looking as though this is all going down the gurgler. [LAUGHS]

I don’t know why I’m laughing, Doug.


DOUG.  This just keeps happening!

There’s got to be a better way to lock down these accounts.

So, they’ve gone from two parties having to co-sign to four parties.

Now, does that fix this problem, or will this keep happening?


DUCK.  “Hey, two wasn’t enough. We’ll go to four.”

Well, I don’t know… does that make it better, or the same, or worse?

The point is, it depends on how the crooks, and why the crooks, were able to get those two keys.

Did they just target the five people and they got lucky with two of them and failed with three, in which case you can argue that making it four-out-of-five instead of two-out-of-five will raise the bar a bit further.

But what if the system itself, the way that they’ve actually orchestrated the keys, was the reason the crooks got two of them… what if there was a single point of failure for any number of keys?

And that’s just what we don’t know, so just go from two to four… It doesn’t necessarily solve the problem.

In exactly the same way that if someone steals your phone and they guess your lock code and you’ve got six digits, you think, “I know, I’m going to go to a ten-digit lock code. That will be much more secure!”

But if the reason the crooks got your lock code is that you have a habit of writing it down on a piece of paper and leaving it in your mailbox just in case you’re locked out of your house… they’ll go back and get the ten-digit, the 20-digit, the 5000-digit lock code.


DOUG.  All right, well, we’ll keep an eye on that.

And something tells me this won’t be the last of these stories.

This is called: Harmony Blockchain loses nearly $100 million due to hacked private keys, on nakedsecurity.sophos.com.

And now we’ve got a bug fix for a bug fix in OpenSSL.


DUCK.  Yes, we’ve spoken about OpenSSL several times on the podcast, mainly because it’s one of the most popular third party cryptographic libraries out there.

So, lots of software uses it.

And the problem is that when it has a bug, there are loads of operating systems (particularly lots of Linux is shipped with it) that need to update.

And even on platforms that have their own separate cryptographic libraries, like the Windows and the macOS systems of the world, you may have apps that nevertheless bring along their own copy of OpenSSL, either compiled in or brought along into the application folder.

You need to go and update those, too.

Now, fortunately, this is not a super-dangerous bug, but it’s kind of an annoying sort of bug that’s a great reminder to software developers that sometimes the devil’s in the details that surround the trophy code.

This bug is another version of the bug that was fixed in the previous bugfix – it’s actually in a script that ships along with OpenSSL, that some operating systems use, that creates a special searchable hash, an index, of system “certificate authority” certificates.

So it’s a special script you run called c_rehash, short for “certificate rehash”.

And it takes a directory with a list of certificates that have the names of the people who issued them and converts it into a list based on hashes, which is very convenient for searching and indexing.

So, some operating systems run this script regularly as a convenience.

And it turned out that if you could create a certificate with a weird name with magic special characters in it, just like the “dollar-sign round brackets” in Follina or the “dollar-sign squiggly brackets” in Log4Shell… basically they would take the file name off disk, and they would use it blindly as a command shell command line argument.


Anyone who’s written Unix shell commands, or Windows shell commands, knows that some characters have special superpowers, like “dollar-sign round brackets”, and the “greater than” sign, which overwrites files, and the “pipe” character, which says to send the output into another command and run it.

So it was, if you like, poor attention to detail in an ancillary script that isn’t really part of the cryptographic library.

Basically, this is just a script that many people probably never considered, but it was delivered by OpenSSL; packaged in with it in many operating systems; popped into a system location where it became executable; and used by the system for what you might call “useful cryptographic housekeeping”.

So the version you want is 3.0.4, or 1.1.1p (P-for-Papa).

But having said that, while we’re recording this, there’s a big fuss going on about the need for OpenSSL 3.0.5, a completely different bug – a buffer overflow in some special accelerated RSA cryptographic calculations, which is probably going to need fixing.

So, by the time you hear this, if you’re using OpenSSL 3, there might be yet another update!

The good side, I suppose, Doug, is that when these things do get noticed, the OpenSSL team do seem to get onto the problem and push out patches pretty quickly.


DOUG.  Great.

We’ll keep an eye on that, and keep an eye out for 3.0.5.


DUCK.  Yes!

Just to be clear, when 3.0.5 comes out, there won’t be a matching 1.1.1q (Q-for-Quebec), because this bug is in new code that was introduced in OpenSSL 3.

And if you’re wondering… just like the iPhone never had iPhone 2, there was no OpenSSL 2.


DOUG.  OK, we’ve got some advice, starting with: Update OpenSSL as soon as you can, obviously.


DUCK.  Yes.

Even though this is not in the cryptographic library but in a script, you might as well update, because if your operating system has the OpenSSL package, this buggy script will almost certainly be in it.

And it will probably be installed where somebody with your worst interests at heart could probably get at it, possibly even remotely, if they really wanted to.


DOUG.  OK, with that: Consider retiring the c_rehash utility if you’re using it.


DUCK.  Yes, that c_rehash is actually a legacy perl script that runs other programs insecurely.

You can now actually use a built-in part of the OpenSSL app itself: openssl rehash.

If you want to know more about that, you can just type openssl rehash -help.


DOUG.  All right.

And then, we’ve said this time and time again: Sanitise your inputs and outputs.


DUCK.  Absolutely.

Never assume that input that you get from someone else is safe to use just as you received it.

And when you’ve processed data that you received from elsewhere, or that you’ve read in from somewhere else, and you’re going to hand it on to someone else, do the nice thing and check that you’re not passing them dud information first.

Obviously, you would hope that they would check their inputs, but if you check your outputs as well, then it just makes assurance double sure!


DOUG.  OK. And then finally: Be vigilant for multiple errors when reviewing code for specific types of bug.


DUCK.  Yes, I thought that was worth reminding people about.

Because there was one bug, where Perl performed what’s called command substitution, which says, “Run this external command with these arguments, get the output, and use the output as part of the new command.”

It was in sending the arguments to that command that something went wrong, and that was patched: a special function was written that checked the inputs properly.

But it seems that nobody went through really carefully and said, “Did the person who wrote this utility originally use a similar programmatic trick elsewhere?”

In other words, maybe they shell out to a system function elsewhere in the same code… and if you looked more carefully, you would have found it.

There’s a place where they do a hash calculation using an external program, and there’s a place where they do file copying using an external function.

One had been checked and fixed, but the other had not been found.


DOUG.  All right, good advice!

That article is called: OpenSSL issues a bugfix for the previous bugfix, on nakedsecurity.sophos.com.

And, as the sun slowly begins to set on our show for today, let’s hear from one of our readers on the OpenSSL article we just discussed.

Reader Larry links to an XKCD Web comic called Exploits of a Mom… I implore you to go and find it.

I realise that me trying to verbally explain a web comic is not really great fodder for a podcast, so go to https://xkcd.com/327 and see it yourself.


DUCK.  All you need to do, Doug, because many listeners will have thought, “I’m honestly hoping that someone would comment on this”… I was!

It’s the one about Little Bobby Tables!


DOUG.  All right…


DUCK.  It’s become a kind of internet meme in its own right.



DOUG.  The scene opens up.

A mom gets a phone call from her son’s school that says, “Hi, this is your son’s school. We’re having some computer trouble.”

And she says, “Oh, dear, did he break something?”

And they say, “In a way. Did you really name your son Robert'); DROP TABLE Students;--?”

“Oh, yes. Little Bobby Tables, we call him.”

And they say, “Well, we’ve lost this year’s student records. I hope you’re happy.”

And she says, “And I hope you’ve learned to sanitize your database inputs.”

Very good.


DUCK.  A little bit of a naughty mum… remember, we’re saying sanitize your inputs *and your outputs*, so don’t go out of your way to trigger bugs just to be a smarty-pants.

But she’s right.

They shouldn’t just take any old data that they’re given, make up a command string with it, and assume that it’ll all be fine.

Because not everybody plays by the rules.


DOUG.  That’s from 2007, and it still holds up!

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com; you can comment on any one of our articles; or you can hit us up on social: @nakedsecurity.

That’s our show for today.

Thanks very much for listening… for Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…


BOTH.  …stay secure!

[MUSICAL MODEM]

