More stories


    Time to patch against FragAttacks but good luck with home routers and IoT devices

    Security researcher Mathy Vanhoef, who loves to poke holes in Wi-Fi security, is at it again, this time finding a dozen flaws that stretch back to cover WEP and that seemingly affect every device that uses Wi-Fi. Thankfully, as Vanhoef explained, many of the attacks are hard to abuse and require user interaction, while others remain trivial. Another positive is that Microsoft shipped its patches on March 9, while a patch to the Linux kernel is working its way through the release system. The details of FragAttacks follow a nine-month embargo to give vendors time to create patches.

    “An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices,” Vanhoef said in a blog post. “Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.”

    Several of the identified flaws relate to the ability to inject plaintext frames, as well as certain devices accepting any unencrypted frame or accepting plaintext aggregated frames that look like handshake messages. Vanhoef demonstrated how this could be used to punch a hole in a firewall and thereby take over a vulnerable Windows 7 machine.

    “The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone’s home network,” the security researcher wrote. “For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately … this last line of defense can now be bypassed.”

    Other vulnerabilities relate to how Wi-Fi frames are fragmented and how receivers reassemble them, allowing an attacker to exfiltrate data. Even devices that do not support fragmentation are at risk. “Some devices don’t support fragmentation or aggregation, but are still vulnerable to attacks because they process fragmented frames as full frames,” Vanhoef wrote. “Under the right circumstances this can be abused to inject packets.”

    Some networking vendors, such as Cisco and Juniper, are starting to push patches for some of their affected products, while Sierra has scheduled updates for some of its products over the next year, and others will not be fixed. The CVEs registered for FragAttacks have been given a medium severity rating, with CVSS scores between 4.8 and 6.5. “There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices,” the Wi-Fi Alliance wrote.

    Vanhoef said anyone with unpatched devices can protect against data exfiltration by using HTTPS connections. “To mitigate attacks where your router’s NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices are updated. Unfortunately, not all products regularly receive updates, in particular smart or internet-of-things devices, in which case it is difficult (if not impossible) to properly secure them,” the researcher wrote. “More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.”


    Apple prevented 1 million risky or vulnerable apps from entering App Store in 2020

    Apple stopped nearly 1 million risky or vulnerable apps from being included in the App Store in 2020 as part of efforts to protect users from being manipulated. Of those rejections, 48,000 were made because the apps contained hidden or undocumented features, while more than 150,000 apps were rejected because they were found to be spam, copycats, or misleading to users in ways such as manipulating them into making a purchase, Apple said in a blog post. In 2020, Apple’s app review team also rejected over 215,000 apps because developers either sought more user data than they needed or mishandled user data.

    Apple added that it terminated 470,000 developer accounts in 2020 and rejected an additional 205,000 developer enrolments over fraud concerns. It claimed that its monitoring practices resulted in these fraudulent developer accounts being terminated, on average, less than a month after they were created. “Unfortunately, sometimes developer accounts are created entirely for fraudulent purposes. If a developer violation is egregious or repeated, the offender is expelled from the Apple Developer Program and their account terminated,” Apple said. Through this monitoring, in addition to preventing more than 3 million stolen credit cards from being used, Apple claimed it prevented more than $1.5 billion in potentially fraudulent App Store transactions.

    Apple’s App Store update comes shortly after documents were submitted into court that reportedly scrutinised its security capability. In a 2015 email entered into court last week, Apple managers said they had uncovered 2,500 malicious apps that were downloaded 203 million times by 128 million users. Despite other emails indicating that Apple was considering whether to notify affected users of the malicious apps, Apple’s legal representatives did not provide evidence that they let users know they had installed malware, according to an Ars Technica report.

    The emails were submitted as part of an ongoing three-week trial in a legal stoush between Apple and Epic Games. Epic Games filed the lawsuit against Apple in August last year, accusing the iPhone maker of misusing its market power to substantially lessen competition in app distribution and payment processes. The US lawsuit is one among many that Epic Games has brought against Apple, with the Fortnite maker pursuing legal action in other jurisdictions, such as Australia, the EU, and the UK.


    Researchers found three flaws in ACT e-voting system that could affect election outcomes

    The Australian Capital Territory Standing Committee on Justice and Community Safety has been looking into the 2020 ACT Election and the Electoral Act, covering, among other things, systems for electronic voting. The COVID-19 Emergency Response Legislation Amendment Act 2020 introduced temporary amendments to the Electoral Act for the October 2020 election. These included the deployment of an overseas electronic voting solution for eligible ACT electors who were abroad. The amendments expired in April.

    The 2020 election also used the territory’s Electronic Voting and Counting System (EVACS), which was previously used in the 2004, 2008, 2012, and 2016 elections. EVACS uses a PC to register an individual’s vote. These e-voting stations were also made available at pre-polling stations.

    Providing a submission [PDF] to the committee was a group of four security researchers, with vast experience in finding holes in electoral systems, who addressed the implementation, security, and transparency of electronic voting. They declared they have identified “serious problems” in the accuracy and integrity of ACT elections, the privacy of votes in ACT elections, and the transparent demonstration of accuracy, integrity, and vote privacy in ACT elections.

    “Secretive, unverifiable systems like the ones used in the ACT 2020 election make it relatively easy to change the recorded list of votes cast, in a way that observers cannot notice,” they said. “It also makes accidental errors more likely to remain undetected.

    “We are not claiming that corruption occurred, nor that the system was designed with that goal in mind. There certainly were errors undetected by Elections ACT, however.”

    Dr Andrew Conway, Dr Thomas Haines, ANU acting professor Vanessa Teague, and T Wilson-Brown reported finding three errors in EVACS that could potentially change the result of an election. The first is that EVACS incorrectly groups votes by transfer value, failing to recognise when votes deserve to be grouped because they acquired the same transfer value in different ways. “In 2020 this caused some tallies to be wrong by more than 20 votes; in general, it could cause much larger divergences,” they added.

    Another flaw was incorrect rounding. The ACT Electoral Act explicitly requires rounding down to six decimal places, but EVACS rounds to the nearest six decimal places. Thirdly, the group said EVACS has some other inaccuracies that are consistent with rounding transfer values, despite this not being specified in the legislation. “This is important because a transfer value’s effect may be multiplied by thousands of votes,” they wrote. “This causes errors on the order of thousandths of votes and could possibly make a difference in a very close race.” Fortunately, they said, these flaws did not change the result of the 2020 election.

    The ACT uses four systems for processing votes: the EVACS Electronic Voting module, which runs on computers in polling places; the EVACS Paper Ballot Scanning module, which scans and interprets paper ballots and records the results electronically; the ACT Internet voting system (OSEV), which receives votes from the internet; and the EVACS Counting module, which tallies the votes and outputs a set of winning candidates. “The only system we have been able to examine is the counting module, and only because we can compare its inputs with its outputs and find errors without seeing the code,” they said. “We believe that the Internet voting system is new, and that the voting, paper ballot scanning, and counting modules have been completely rewritten since 2016. But we cannot be certain, because we have not seen any of the 2020 source code.”

    The group has asked that electronic voting code and system documentation be opened to the research sector six months in advance so that serious errors and vulnerabilities can be found and rectified. They have also asked that the on-site e-voting system have a voter-verifiable paper record, so that an immutable record of the vote can be verified by the voter independently of the software, and that internet voting be discontinued, due to the high levels of risk involved in current internet voting technology.


    Security updates released for Adobe Reader after vulnerability ‘exploited in the wild’

    Adobe has released a security update to address a vulnerability affecting both Windows and Mac versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017. In a security bulletin, the company acknowledged that it has received reports of the vulnerability being “exploited in the wild in limited attacks targeting Adobe Reader users on Windows.” The flaw, labeled CVE-2021-28550, could lead to arbitrary code execution if successfully exploited.

    Cybersecurity experts such as nVisium director of infrastructure Shawn Smith said code execution is a serious threat, and that manually verifying that every instance of the affected software has been updated can cost hundreds of labor hours. Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, said the use of malicious PDF files has been a staple of various nation-state actors, as well as criminal actors, for years because of the ubiquity of Adobe products in the private and public sectors. He called Adobe the “Microsoft of a lot of office productivity software” and added that attackers have historically used phishing emails with PDF attachments to entice users to download and open files, generally under the pretense of it being a critical document for review, such as a financial document, news article, or shipping label. “In some other instances, a would-be attacker could create a malicious website that is also hosting weaponized PDF files,” Nikkel said.

    “Generally, PDF documents, which frequently are opened either via browser or a reader such as Adobe Acrobat or Reader, can contain malicious JavaScript or allow some other system interaction that allows code execution or other vectors of attack to occur, sometimes without the user knowing.” Nikkel explained that some researchers are reporting massive increases in attacks with weaponized documents and theorizing that the increase resulted from widespread remote work over the past year.


    Microsoft brings Threat and Vulnerability Management capability to Linux

    Microsoft is enabling IT pros to keep tabs on the security of their Linux devices using the company’s Defender for Endpoint product (formerly known as Microsoft Defender Advanced Threat Protection). The Threat and Vulnerability Management (TVM) capabilities already available for Windows and Windows Server are now also in public preview for macOS and Linux as of today, May 11. Microsoft plans to bring TVM to Android and iOS devices later this summer, officials said today.

    TVM allows users to review recently discovered vulnerabilities within applications and potential misconfigurations across Linux and remediate any affected managed and unmanaged devices. Users currently can discover, prioritize and remediate more than 30 known insecure configurations in macOS and Linux with this capability. Initially, Microsoft is supporting RHEL, CentOS and Ubuntu Linux, with Oracle Linux, SUSE and Debian being added shortly, according to a Microsoft security blog post. The ability to assess secure configurations in threat and vulnerability management is a component of Microsoft Secure Score for Devices. It also will be part of the overall Microsoft Secure Score once generally available.

    In other Patch Tuesday news, Microsoft rolled out version 21H1 of the Windows Holographic OS today. This is the version of Windows 10 that works on HoloLens devices, not 21H1 for regular PCs. (Windows 10 21H1 has yet to start rolling out to mainstream users and remains in preview.) Windows Holographic 21H1 (build 20346.1002) features the new Chromium-based Edge; more granular controls in the Settings app; support for “Swipe to Type” in the holographic keyboard; a new Power menu; the ability to display multiple user accounts on the sign-in screen; and more.

    Today also is the last day that several versions of Windows 10 will get security updates. Windows 10 version 1803 for Enterprise and Education, version 1809 for Enterprise and Education, and version 1909 Home/Pro are all at end of service as of today. Users should upgrade to a newer version of Windows 10 to continue receiving security updates.


    Apple service provider Jamf buys zero-trust software vendor Wandera for $400 million

    Apple enterprise support services provider Jamf this afternoon said it will acquire nine-year-old startup Wandera of San Francisco, a provider of cloud-based software for “zero trust” security, in what it said would “close the gap” between what consumers and what enterprises want. Minneapolis-based Jamf will pay $350 million up front, plus an additional $50 million to be paid in two installments later this year, for a total consideration of $400 million, which will be financed with cash and debt, said Jamf.

    Simultaneously, Jamf reported Q1 revenue and profit that topped Wall Street’s expectations, and an outlook that was higher as well. Jamf shares declined by 2% in late trading to $30.80.

    The acquisition of Wandera “will provide our customers a single source platform that handles deployment, Application Lifecycle Management, policies, filtering, and security capabilities across all Apple devices,” said Jamf CEO Dean Hager in prepared remarks, “while delivering Zero Trust Network Access for all mobile workers.”

    Addressing Q1 results, Hager remarked that the company had seen “strong momentum and balanced growth across our business in the first quarter as current trends in mobile work, education technology and digital health continued to strengthen our value proposition to customers as well as our business results.” Added Hager, “The year is off to a great start, and with the strategic acquisition of Wandera, we will enhance our leadership position in security with a uniquely comprehensive platform, including advanced security solutions like zero trust network access.

    “We are excited to round out our offering to provide customers an Apple-first enterprise solution that connects, manages and protects all Apple devices, data and users.”

    Revenue in the three months ended in December rose 37%, year over year, to $81.2 million, yielding a net profit of 8 cents a share, excluding some costs. Analysts had been modeling $76.7 million and 5 cents per share. Jamf said its annualized recurring revenue rose 37% as well, to $308 million. Subscription revenue in the quarter rose to $74.9 million, it said. For the current quarter, the company sees revenue of $82 million to $84 million, above consensus of $79 million. For the full year, the company sees revenue in a range of $335 million to $341 million, versus consensus of $333.8 million.



    Porting Linux's eBPF to Windows 10 and Windows Server

    Can you run eBPF on Windows? Sure, if you’re using Windows Subsystem for Linux 2.0. Of course, there you’re running it on the Linux kernel on Windows 10. But running eBPF on Windows natively? Nah. That will change soon, however. Microsoft has started an open-source project to make eBPF work on Windows 10 and Windows Server 2016 and later. 

    This is the ebpf-for-windows project. With it, Windows developers can use eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows. This won’t be easy. Still, by building on the work of others, it should be possible. This project takes several existing eBPF open-source projects and adds the “glue” to make them run on Windows. Why would you want to do this? Linux developers already know the answer to that, but Windows programmers probably don’t. Here’s the story.

    First, it all started with a firewall program: the decades-old Berkeley Packet Filter (BPF). This was designed for capturing and filtering network packets on a register-based virtual machine (VM). That was useful. But, as the years went by, Alexei Starovoitov, Linux kernel developer and Facebook software engineer, realized that updating BPF to work with modern processors, as extended BPF (eBPF), and letting it run user-supplied programs inside the kernel would make it far more powerful. It was introduced in the 3.15 Linux kernel and programmers quickly started using it for all kinds of programs.

    Today, eBPF remains very useful for network filtering, analysis, and management, but it has far more jobs. eBPF is also used for system call filtering and process context tracing. In short, it’s become a Swiss-army knife for program tracing, system profiling, and collecting and aggregating low-level custom metrics. At a higher level, this means eBPF has become the foundation of security programs such as Cilium, Falco, and Tracee; Kubernetes observability programs like Hubble and Pixie; and, of course, toolchains such as Clang.

    In Windows, here’s how it’s going to work: existing eBPF toolchains will generate eBPF bytecode from source code in various languages. This bytecode can then be used by any application, or manually through the Windows netsh command-line tool. This will be done using a shared library that exposes Libbpf APIs. This is still a work in progress.

    The library will then send the eBPF bytecode to the PREVAIL static verifier. This, in turn, is hosted in a user-mode protected process, which is a Windows security environment that allows a kernel component to trust a user-mode daemon signed by a trusted key. If the bytecode passes all the verifier’s safety checks, it can be loaded either into the uBPF interpreter running in a Windows kernel-mode execution context, or compiled by the uBPF just-in-time (JIT) compiler and have the resulting native code loaded into the kernel-mode execution context. The uBPF step is based on an Apache-licensed library for executing eBPF programs.

    Then, the eBPF programs running in the kernel-mode execution context will be attached to hooks that handle events and call helper APIs. These are exposed via the eBPF shim, which wraps public Windows kernel APIs. This enables eBPF to be used on Windows. So far, two hooks (XDP and socket bind) have been added. Other hooks, and not just network ones, will be added.

    This is in no way an eBPF fork. It’s just adding a Windows-specific hosting environment for eBPF. The name of the game is to enable Windows developers to use eBPF programs that are source-code compatible across Windows and Linux. Some of this will be done by using the Libbpf APIs. Of course, some eBPF code is very specific to Linux, for example if it uses Linux internal data structures. But many other APIs and hooks will work across platforms. eBPF, as advanced Linux programmers know, gives Linux developers a great deal of power. Now, this take on eBPF will share the wealth with Windows developers.


    New Android malware targeting banks in Italy, Spain, Germany, Belgium, and the Netherlands

    A new Android trojan has been identified by security researchers, who said on Monday that once it is successfully installed on the victim’s device, those behind it can obtain a live stream of the device screen and also interact with it via its Accessibility Services.

    The malware, dubbed “Teabot” by security researchers with Cleafy, has been used to hijack users’ credentials and SMS messages to facilitate fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands. Cleafy’s Threat Intelligence and Incident Response team first discovered the banking trojan in January and found that it enabled fraud against more than 60 banks across Europe. By March 29, Cleafy analysts found the trojan being used against Italian banks, and by May, banks in Belgium and the Netherlands were also dealing with it. Research shows that Teabot is still under development; it initially focused only on Spanish banks before moving on to banks in Germany and Italy. The malware currently supports six languages: Spanish, English, Italian, German, French, and Dutch. The app was initially named TeaTV before repeatedly switching titles to “VLC MediaPlayer,” “Mobdro,” “DHL,” “UPS,” and “bpost.”

    “When the malicious app has been downloaded on the device, it tries to be installed as an ‘Android Service,’ which is an application component that can perform long-running operations in the background. This feature is abused by TeaBot to silently hide from the user, once installed, preventing also detection and ensuring its persistence,” the Cleafy report said. Once TeaBot is installed, it will request Android permissions to observe your actions, retrieve window content, and perform arbitrary gestures. When the permissions are granted, the app will remove its icon from the device, according to Cleafy’s study.

    Saumitra Das, CTO of cybersecurity firm Blue Hexagon, said Teabot represents a shift in mobile malware from being a sideline issue to being a mainstream problem, just like malware on traditional endpoints. “Threat actors realize the true potential of mobile devices and the threat they can pose to the end-user,” Das said. “It is important to remember that even though the apps are not on Google Play, the phishing/social engineering tactics used by the actors behind Teabot/Flubot are as good as any threat family on the PC side; that within a short time frame, they can manage to get a huge infection base. These threats should not be underestimated.”