Saturday, June 15, 2024

New Windows WiFi RCE vulnerability

Full Disclosure: I am just posting this because of the meme. It sure beats the usual "hacker (because wearing hoodie) in a dark room with computers" picture that is so common in these posts. Yes, I am looking at you, Tom's Hardware.

A "Remote Command Execution" (RCE) vulnerability just means that someone can send remote commands to something whose software has this vulnerability. A classic case of an RCE vulnerability that was exploited is the log4j one (hello 2021!). These commands can be something like uploading malicious code to the computer or application, which can then be unleashed on the computer running this application. On June 12th, Microsoft's Patch Tuesday addressed 49 CVE-tagged security flaws. Amongst them there was a patch for CVE-2024-30078, which deals with the WiFi RCE vulnerability that is the topic of this post.

The main difference here is that this vulnerability is in the (Windows) drivers for a network card. The beauty of such an attack is that the attacker does not need help from the user (as in phishing) to get the malware onto the computer. In fact, chances are that unless the code is patched, there may not be much stopping such an attack; all they need is to send a malicious network packet to trigger the remote code execution, which would then be followed by them uploading their own code to start exploring their new acquisition.

To add insult to injury, the attackers may not even need to be on the same network; all they have to be is within range of the vulnerable computer. With the right equipment, "within range" can be measured in feet or even miles.

Homer Simpson: No exploit code is available so far

Microsoft, who issued a patch for it, stated that there is no reported malware exploiting this vulnerability and rated it "Exploitation Less Likely", while the Cyber Security Agency of Singapore thinks it is a high-severity vulnerability and that everyone using the Windows versions affected by this (pretty much everything remotely recent) should "update to the latest versions immediately". I do not know about you, but I would side with the Singapore agency on this one.

TL;DR:

Have a Windows computer? Patch it. Immediately.

Thursday, May 23, 2024

Browsers, expired certs, bad defaults, and risk ASSessment

I have had to access more devices/websites with expired or self-signed certs than I would like to admit. There are also those which are just plain insecure (think passwords being sent unencrypted). If you have never experienced that, either you are really lucky or, well, welcome to Planet Earth!

There are those, some of them are my friends, who think that is not acceptable and the only solution is to replace all this junk with new junk which complies with current regulations. Some of them even have CISSP and CISM certificates and have titles like "Senior Security Engineer". They all live in another world with no relationship to ours and our reality.

There, I said it. Call me a heretic, but do not be disappointed if you need to pick a number; you will not be the first or the last. But I will not change my mind.

Secure All the Things

One of those security concepts that those who are CISSP/CISM/etc. certified should know, by the very reason they are certified, is risk. Everything has a vulnerability, a weakness that if exploited (intentionally or accidentally) may, well, hurt. If you have ever been electrocuted while working on house wiring or trying to repair an appliance, you know what I mean. Also, boiling oil in a pan can hurt. So you deal with it. For instance, you can just buy a new electric tea kettle instead of trying to replace the old wire. Or, if you are in a business setting, you can decree that all computers will have the latest operating system with the latest patches, even if that means replacing the computers.

And that is where we disagree

You see, sometimes that is not feasible. Perhaps I have the skills to replace a wire, and doing so is much cheaper than getting a new kettle. Or, you have an old UNIX computer connected to a multimillion-dollar test device whose software is hardcoded to that specific version of UNIX; replacing it would cost 50 million and you would be throwing away a perfectly good testing system. Or, that medical device only sends data over wireless to an FTP server, so its password is shown for all to see; each of these devices goes for $15,000 on a good day and really there is nothing better in its class for the service it provides. What to do?

You analyze the risk and make the best choice of how to deal with it. The options are not only "do nothing" (accept the risk) or "replace it", as the "Secure All Things" crowd advocates. There are more alternatives (I am using CISSP parlance here):

  • Acceptance. Decide it is not worth trying to do something about it and move on.
  • Mitigation. Come up with something to eliminate the threat, like keeping all the computers running the latest versions of their software. This is where the "Secure All Things" crowd gathers.
  • Deterrence. Can we cut down the risk? In the case of the multimillion-dollar testing device, what if we take it off the network and use an external drive to transfer test data between it and a more modern computer we can secure? Or for a network appliance that can only be accessed by a web interface which has a self-signed certificate that may have already expired: if you cannot replace the certificate (licensing cost or just plain bad coding), put these appliances in a secure network with restricted access, and with a specific web browser configured to accept connecting to that appliance using that cert (and perhaps old encryption).
  • Avoidance. Stop doing something that causes risk. If printers can be hacked, eliminating all printers takes care of this. If people can attack your wireless, remove the wireless.
  • Transference. Make it someone else's problem. Buy cybersecurity insurance. This can get expensive quickly and insurance companies have been raising the requirements. For instance, most of them will have a clause that if they find out you were careless, no money for you.
  • Rejection. The stick-your-head-in-the-ground approach to danger. Pretend it does not exist. I know it is a very common reaction, but try not to do it; this is considered lack of due care.

So, which one should you do? It depends, and we are way ahead of ourselves. We should start by finding out what we have, knowing that getting a true full inventory may not be (economically) possible. But, let's say we did find out what we have. These are our assets, and we need to assign values to them, as risk can be seen as a number (usually money): we have to compare how much each risk response (including the bottom one, not doing anything) costs and figure out the cheapest one. You see, businesses exist to make money, and how we manage risk is a cost to the business. If the cost to mitigate the risk is close to that of deterring it, maybe mitigation is the best solution. This kind of thought process is expected from someone who is called "senior security engineer/architect." I myself am fine with knowing that most solutions to minimize risk end up being a deterrence. And sometimes, you just have to accept the risk and move on. After all, companies (and individuals) have only so much money to deal with risk; a good senior-level security professional will make each dollar count.
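To make the "risk as a number" comparison concrete, here is an added example (mine, not from the original post) that prices the risk responses listed above against each other. It uses the quantitative formulas from CISSP material, single loss expectancy (SLE = asset value times exposure factor) and annualized loss expectancy (ALE = SLE times annualized rate of occurrence), and then charges each response its yearly cost plus the loss we still expect with it in place. The asset, the four responses and every dollar figure are constructed for illustration, loosely following the old UNIX box wired to the multimillion-dollar test rig.

```python
# Added example, not from the original post: putting a dollar figure on each
# risk response so they can be compared. Quantitative risk formulas (CISSP):
#   SLE (single loss expectancy)     = asset value * exposure factor
#   ALE (annualized loss expectancy) = SLE * ARO (annualized rate of occurrence)
# A response is judged by (its yearly cost) + (loss we still expect per year).
# All numbers below are constructed for illustration.
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    name: str
    value: float             # replacement/business value in dollars
    exposure_factor: float   # fraction of value lost per incident (0..1)
    aro: float               # incidents per year with no extra controls

    def sle(self) -> float:
        return self.value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass
class Response:
    name: str
    annual_cost: float             # control, premium or amortized replacement cost per year
    residual_aro: float            # incidents per year once the response is in place
    covered_fraction: float = 0.0  # share of each loss paid by someone else (insurance)

    def expected_loss(self, asset: Asset) -> float:
        # Loss we still carry ourselves after the response is applied.
        return asset.sle() * self.residual_aro * (1.0 - self.covered_fraction)

    def total_annual_cost(self, asset: Asset) -> float:
        return self.annual_cost + self.expected_loss(asset)


def rank_responses(asset: Asset, responses: List[Response]) -> List[Response]:
    """Cheapest total yearly cost first; that is the response to pick."""
    return sorted(responses, key=lambda r: r.total_annual_cost(asset))


def control_pays_off(asset: Asset, r: Response) -> bool:
    """Cost/benefit test: ALE before minus ALE after must exceed what the control costs."""
    return (asset.ale() - r.expected_loss(asset)) > r.annual_cost


# Constructed scenario: a compromise of the rig costs 10% of its value
# (downtime, recertification) and, while networked, happens about once in five years.
TEST_RIG = Asset("unix-test-rig", value=50_000_000, exposure_factor=0.10, aro=0.2)

RESPONSES = [
    Response("accept", annual_cost=0, residual_aro=0.2),
    Response("mitigate (replace rig, 50M over 10 years)", annual_cost=5_000_000, residual_aro=0.02),
    Response("deter (air-gap + external drive)", annual_cost=20_000, residual_aro=0.01),
    Response("transfer (cyber insurance, 80% covered)", annual_cost=150_000,
             residual_aro=0.2, covered_fraction=0.8),
]


def cheapest_response(asset: Asset = TEST_RIG, responses: List[Response] = RESPONSES) -> str:
    return rank_responses(asset, responses)[0].name


if __name__ == "__main__":
    for r in rank_responses(TEST_RIG, RESPONSES):
        print(f"{r.name:45s} ${r.total_annual_cost(TEST_RIG):>12,.0f}"
              f"  pays off: {control_pays_off(TEST_RIG, r)}")
```

With these constructed figures deterrence wins by a wide margin, insurance comes second, doing nothing third, and replacing the rig is the one response that fails the cost/benefit test outright: the loss it avoids (about 900,000 a year) is far below its 5,000,000 yearly price tag. Change the exposure factor or the rate of occurrence and the order shifts, which is exactly why the numbers have to be argued over with the people who own the asset rather than pulled out of a scanner.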

You are still on the soapbox

Right you are. We still have not detected the vulnerabilities. And the dirty little secret is that the findings generated by security scanners should not be taken at face value. Some of these scanners are just mindless pattern-matching scripts. A novice security professional will just run the tool and sound the alarm. A senior security professional will compare the findings with the information she has about the IT infrastructure (which may have required her sitting with the IT team), eliminate what does not make sense for her setup, and then prioritize the rest. Even if she uses AI (there, I said it), she will never blindly follow whatever the tool says.

Don't be what I call Qualysguy, that guy who runs Qualys and then sends a ticket to the IT team saying "fix all these things".
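Here is an added example (mine, not from the original post) of the triage step described above: raw scanner findings are checked against an asset inventory before anything becomes a ticket. A finding about an OS or service the host does not run is dropped as a false positive, a finding based only on a version banner is held for verification, a finding on a host nobody inventoried becomes an inventory problem first, and what survives is scored by severity, exposure and any compensating control. The inventory, the findings, the field names and the scoring weights are all constructed for illustration; real scanner exports look different.

```python
# Added example, not from the original post: first-pass triage of scanner
# findings against what we know about our own hosts, so only findings that
# survive a sanity check reach the IT team's ticket queue. The inventory,
# findings and scoring rules are constructed for illustration; real scanner
# exports use their own field names.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Host:
    name: str
    os: str                                   # "windows", "linux", "unix", ...
    internet_facing: bool
    services: Set[str] = field(default_factory=set)
    compensating_controls: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    host: str
    title: str
    severity: int                 # scanner's own 1..5 rating, taken as reported
    applies_to_os: Optional[str]  # OS the check is about, if the scanner says
    service: Optional[str]        # service the check is about, if any
    detection: str                # "active_check" or "version_banner"


def _result(f: Finding, verdict: str, score: float, reason: str) -> dict:
    return {"host": f.host, "title": f.title, "verdict": verdict, "score": score, "reason": reason}


def triage(f: Finding, inventory: Dict[str, Host]) -> dict:
    """Classify one finding and give it a priority score (higher = sooner)."""
    host = inventory.get(f.host)
    if host is None:
        return _result(f, "inventory_gap", 0.0, "host not in inventory; fix the inventory first")
    if f.applies_to_os and f.applies_to_os != host.os:
        return _result(f, "false_positive", 0.0, f"check is for {f.applies_to_os}, host runs {host.os}")
    if f.service and f.service not in host.services:
        return _result(f, "false_positive", 0.0, f"{f.service} is not running on {host.name}")
    score = float(f.severity) * (2.0 if host.internet_facing else 1.0)
    if host.compensating_controls:
        score *= 0.25  # e.g. air-gapped: still real, but far less urgent
    if f.detection == "version_banner":
        return _result(f, "needs_verification", score, "version guessed from a banner; confirm before ticketing")
    return _result(f, "confirmed", score, "matches inventory; ticket in priority order")


def ticket_queue(findings: List[Finding], inventory: Dict[str, Host]) -> List[dict]:
    """Only confirmed findings, highest score first: what actually goes to IT."""
    results = [triage(f, inventory) for f in findings]
    return sorted((r for r in results if r["verdict"] == "confirmed"), key=lambda r: -r["score"])


# Constructed inventory and constructed scanner output.
INVENTORY = {
    "web01": Host("web01", "linux", internet_facing=True, services={"http"}),
    "unix-rig": Host("unix-rig", "unix", internet_facing=False, services={"telnet"},
                     compensating_controls={"air-gapped"}),
    "ws-042": Host("ws-042", "windows", internet_facing=False, services={"smb"}),
}
FINDINGS = [
    Finding("web01", "SMB signing not required", 4, "windows", "smb", "active_check"),
    Finding("web01", "Apache banner indicates old release", 3, "linux", "http", "version_banner"),
    Finding("unix-rig", "Telnet allows cleartext login", 5, None, "telnet", "active_check"),
    Finding("ws-042", "Missing security update", 4, "windows", None, "active_check"),
    Finding("printer-9", "Default SNMP community string", 3, None, "snmp", "active_check"),
]

if __name__ == "__main__":
    for r in (triage(f, INVENTORY) for f in FINDINGS):
        print(f"{r['verdict']:18s} {r['score']:5.2f}  {r['host']:10s} {r['title']} ({r['reason']})")
```

Of five raw findings only two end up in the queue, and the air-gapped UNIX box's cleartext telnet, which the scanner rated highest, lands at the bottom of it because the deterrence already in place was recorded in the inventory. The Windows check against a Linux web server is the kind of thing a pattern-matching scanner will happily report and the kind of thing that costs you the IT team's goodwill if you forward it.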

Tuesday, April 30, 2024

Logscale's free tier is dead, Jim

Some of you have deployed Logscale at home or in a small setting as a way to get some experience with it. That was possible because CrowdStrike provided a free tier along the same lines as Splunk, Burp Suite, and even AWS/Azure/Google: some features were disabled and the amount of data was limited, but you were still able to get your feet wet. Now, that is beneficial to both the company and you:

  • You learn how to use a well-known commercial product, so when you apply for a job that uses it you know enough to start using it. Now, some will claim the only experience that counts is experience you got from a paid job. Given how active I am in the open source community, I disagree. In fact, I will put my neck on the block and say there were many things I learned in a home lab that I could not learn at work because, well, even when you work in a research institution, what you can work on in their time is dictated by what they think is important.
  • That does not mean that if you install it in your homelab you will just be fiddling with some controls without really understanding the product. Logscale, AWS, Splunk, and PortSwigger (just using the same companies I mentioned because I can't be bothered finding links to others) offer free formal classes with hands-on exercises (and, yes, I know some of the AWS and Splunk videos are cringe, but at least they are trying). These classes can lead to you getting certified, but that will cost and is a discussion for another post. Which leads to...
  • Microsoft, Splunk, and all of those companies want you to learn their product well. If you do, when you work at a company using it you will not suck at using it, so their product will not suck. And, if you get to the point where you are the one recommending products, guess which ones you will select?

So, what about this Logscale gripe you have?

Like the other vendors mentioned above, CrowdStrike had a free tier: in early 2021 it acquired Humio, which later became Logscale, and later that year it announced the Humio Community Edition, the free version of Logscale with similar restrictions as, say, Splunk's (list stolen from their announcement):

  • Ingest up to 16GB per day
  • 7-day retention
  • No credit card required
  • Ongoing access with no trial period
  • Index-free logging, real-time alerts and live dashboards
  • Access Humio’s marketplace and packages, including guides to build new packages
Screen capture of message acknowledging the signing up for Logscale Community Edition

Great! So now you can pick and choose between the two! Not quite. Fast forward to March 2024, when CrowdStrike stopped accepting applications for LogScale Community Edition (link accessible only if you have a customer account, unfortunately). Also, while those of you who still have your community account will still be able to access it, if you do not access the community account for more than 90 days, it will be removed. Do you want to try before you buy? Sign up for their 15-day trial version after providing enough info about you and your company. Oh, they too have a CrowdStrike University, but to get in you need to be a current paying customer; not even Bezos does that.

Bottom line

  • If you want to learn Logscale, and by that I mean also practicing it, you will have to get hired by a company that already has it.
  • If you are considering using it but have never used similar products, you will have to spend money. So, you might as well hire someone to see if it is the best solution for your needs. Case in point: a lot of people, me included, make fun of Splunk's price. Thing is, someone who is a Splunk Engineer, as opposed to a Security Engineer with Splunk experience, knows how to put it together so its yearly cost does not go through the roof.

Tuesday, December 19, 2023

T-Mobile, Firefox, and Incognito mode

Most browsers have what they call a privacy or incognito mode. The idea is that it deletes any cookies and cache created by a website you ventured into once you close the browser (important step here). Note it does not replace a VPN or anonymize your traffic in any way; there are other tools for that. Still, I not only like that but I set my browsers to always start in that mode (we can talk about how to do so in a future post). Cookies are one of the ways websites use to track you and your habits (as in what GDPR would consider to be personal data), so they can know more about you than you do. I would rather they did not do that. Also, shadier individuals -- even shadier than certain commercial organizations that I would rather not mention -- also like them when they gain access (think phishing attacks) to your system, as these files may have fun stuff like session cookies and even passwords they can steal.

Understandably, some companies do not like it when I get rid of their cookies, but it is hard for them to do a thing about it because this is done at the user's end. However, it seems T-Mobile found a way around that: they chose to detect and block users of Firefox running in Incognito Mode on their website:

T-Mobile message stating they do not support Firefox in incognito mode

Even though I provided the link to the official page, here is the text for those who are using a text based browser or cannot see images:

Firefox is no longer supported in private mode The Firefox browser is no longer supported in private mode on our site. To continue, please take Firefox out of private mode or choose another browser. We recommend Chrome, Safari or Edge.

Why are they singling out Firefox and derivatives (I also tried LibreWolf before writing this article)?

  • Could it be they assume everyone either uses a Windows or Mac computer, or at least a Google-derived system (think Chromebook and Android), and any user running neither (I use Linux) is to be treated with mistrust?
  • Could it be that Safari stopped supporting extensions such as uBlock Origin, and Edge, well, Edge, just like the normal (as in not ungoogled) version of Chrome, talks too much back to the mothership? After all, these browsers do have their own versions of privacy modes, so that can't be the main issue. Nor is it that most sites, banks included, seem to work just fine with Firefox incognito mode.

Contacting T-Mobile led to nothing, so all I have are the speculations I made here. You too can make your own!

Saturday, December 2, 2023

Websites whose login pages do not work correctly

It is late at night and I just had a thought I want to share: have you ever gone to a website, say, your bank, where when you try to log in -- pasting the username and password so there is no possibility of a typo -- it does not work and sends you to a "login failed, try again" page, and then it works there?

I do not know about you, but if I were going to try to steal credentials, creating a website that sits in front of the real one (think man-in-the-middle attack) would come to mind.

That is all I have for now: just food for thought.

Saturday, November 18, 2023

Online subscriptions: Giveth and Taketh Away

Like many, I too have a Gmail account. And I have used it to buy magazines, TV shows, and even subscriptions. My reason is the same as everyone else's: it is convenient. Recently I received an email stating:

Here is the text version, so people can translate it to their language or just be able to read it without having to rely on the image:

Since 2020, new purchases of magazines have not been available in Google News and very few users now regularly access their magazine subscriptions. We wanted to inform you that support for magazine content in Google News is being discontinued beginning on December 18, 2023, which means access from Google News apps or news.google.com to the library of magazines you previously purchased or subscribed to will be removed. To continue to access previously purchased magazine content, you must export and save each purchased issue before December 18, 2023.

Claiming this to be a security or even privacy topic may sound like a bit of a stretch, but hear me out. When you buy a TV show, movie, or even magazine subscription through Google, Apple, Amazon, Barnes & Noble, or whoever, unless you can download it to your computer and view it without needing to use their website or app, you may lose access to it for different reasons:

Technical issues.

People have reported that ebook purchases they made and downloaded to their book reader -- usually a phone app or Kindle -- one day are no longer on their devices. Or said books are no longer even listed in their accounts. Or, even when said books are on their devices, pages are/became missing. Contacting the publisher (or should we call them streaming providers, as they may only be licensing the sale/distribution of the product?) can lead to hours if not months of frustration; they may be equally baffled by the reason for these problems.

This also frustrates authors, whose present and future earnings are directly related to the popularity of their work: imagine if one of your books was the #1 bestseller and then, because of a computer glitch with the streaming provider, it cannot be easily found, downgrading it to #150. This has happened already.

The Wikipedia Effect

Wikipedia is a living document: people are always editing and improving its contents. So, what you read last month may have been disputed and edited out of it. That leads to arguments that it should not be quoted as a reference source. Some authors and producers may feel the initial version of their book or movie did not portray the story the way they intended and would love to be able to come back, months or years after publication, and change it. George Lucas is the poster child of this.

With streaming, that no longer means a new release: all the old versions can now be updated just like a computer program. I myself have seen shows whose opening credits for specific episodes have changed at least 3 times; the latest of which added hints to events in the episode which really do not add value to it. Bottom line is that what you bought last year may no longer be what you have. Is this good or bad? That is up to you. In my opinion, while there is a benefit for textbooks and study guides, when we are talking about a work of fiction or even a technical paper, that removes the power from you, the buyer, to decide which version you have. I am glad I am still able to see the original Star Wars trilogy without the CGI "enhancements" added later.

Licensing issues

Let me cut to the chase: you do not own what you paid for. According to Amazon's Conditions of Use (not singling them out, but it was the one I could easily find),

COPYRIGHT
All content included in or made available through any Amazon Service, such as text, graphics, logos, button icons, images, audio clips, digital downloads, data compilations, and software is the property of Amazon or its content suppliers and protected by United States and international copyright laws. The compilation of all content included in or made available through any Amazon Service is the exclusive property of Amazon and protected by U.S. and international copyright laws.

The part I highlighted (boldfaced?) is the one we want to look at. All those Kindle books and movies and music you bought at Amazon Prime belong to Amazon or whoever they licensed it from. You only paid for a license to access them, and contrary to social media sites and even companies you work at, this license is not perpetual. There have been cases where, for instance, Kindle owners found books they purchased were removed from their accounts. And it does not end there: the Amazon Services Terms of Use state that this license can be revoked. While its wording claims that termination only happens if they decide you are not in strict compliance with the agreement, they do reserve the right to decide if that is the case.

How does that affect privacy?

Some books or movies were removed from streaming sites because they were considered inappropriate; that in itself can mean many things, including not politically acceptable. Your purchase/subscription records are in the possession of these streaming providers. Depending on your location of residence, what can possibly be personal information -- it can be used to infer religious beliefs, sexual orientation, and so on -- is sold to other merchants, which will certainly use this data to create a profile of you (called an avatar) to better market to you, be it by ads on free phone apps or even plain old emails. Others such as governments and more criminal-minded organizations can also acquire the data for their own purposes.

How to minimize personal data exposure?

If you like a movie or a book, why not buy the movie on DVD/Blu-ray or the book either printed or at least as a PDF? At the very least you now own it in a way they cannot remove your access to. You can find privacy-respecting PDF readers for most phones and computers. You can still convert the movie to some electronic form so you can watch it without worrying about damaging the disk. There may be legality issues which are beyond this post, but the technology is there. As a bonus, you do not have to worry about the content of your purchase changing from the version you paid for.

Friday, October 20, 2023

Helping attackers collect your personal information: spearphishing and imgur

Since this is cybersecurity month, let's talk about one of the sure ways to help malicious people attack you or steal your identity. Of course we are talking about companies which nudge people to place their personal information in public. In today's example, we will focus on imgur. It is not that bad of a website if you take the usual precautions with your images and what you post on it. Worried that the bad guys will need to put in some effort, its creators offer a "Cake Day":

For those who are not able to see the image (do not consider yourselves unlucky), here is the excerpt from that email I would like you to focus on (boldface is mine):

It is customary to celebrate your Cake Day (that's your account’s creation day) by sharing something excellent with the Imgur community. Perhaps a favorite GIF, a great personal story, a meme, or some interesting information would do? Head on over to Imgur to create a new post.

"What is so bad about that?" you may ask if you skipped the first paragraph in this post. Well, let's start with a phishing attack: while most of them are half-hearted attempts to con users with badly written emails laden with links to unscrupulous websites or malware-filled attachments, the better ones are more carefully crafted and aimed at specific people. For these to work, they need as much information on their targets as they can get. So, the personal stories and interesting information requested by imgur help with this information gathering step.

Note that this is technically not a GDPR violation, as it seems (I am not going to ask the person to click on the imgur tracking link just to get more info for this blog entry) that it requires you to go through the effort of entering it, and it does not require you to enter it to continue. In a future post we will show examples where that is not the case.