More stories


    Edge Super Duper Secure Mode turns off the JavaScript JIT compiler for extra security

    Johnathan Norman, who leads Microsoft Edge Vulnerability Research, has detailed an experiment in Edge that disables the JavaScript just-in-time (JIT) compiler in order to switch on extra security protections. Describing JIT compilation as a “remarkably complex process that very few people understand and it has a small margin for error”, Norman pointed out that half of all vulnerabilities in the V8 JavaScript engine were related to it. With the JIT engine turned off, Edge can enable protections — such as Intel’s hardware-based Control-flow Enforcement Technology (CET), and Windows’ Arbitrary Code Guard (ACG) and Control Flow Guard (CFG) — that were previously incompatible with JIT.

    “This is unfortunate because the renderer process handles untrusted content and should be locked down as much as possible,” Norman said. “By disabling JIT, we can enable both mitigations and make exploitation of security bugs in any renderer process component more difficult.

    “This reduction in attack surface kills half of the bugs we see in exploits and every remaining bug becomes more difficult to exploit. To put it another way, we lower costs for users but increase costs for attackers.”
    In testing Edge with JIT disabled, Norman said users rarely noticed a difference in daily browsing, but the JIT-less Edge fared badly in benchmark tests, with performance reduced by as much as 58%.

    “Our tests that measured improvements in power showed 15% improvement on average and our regressions showed around 11% increase in power consumption. Memory is also a mixed story with negatively impacted tests showing a 2.3% regression, but a larger gain on the tests that showed improvements,” Norman wrote. “Page Load times show the most severe decrease with tests that show regressions averaging around 17%. Startup times, however, have only a positive impact and no regressions.”

    Super Duper Secure Mode is available via edge://flags for users of the canary, dev, and beta release channels of the browser. At present it switches CET on, but it is not yet compatible with WebAssembly.

    “It will take some time, but we hope to have CET, ACG, and CFG protection in the renderer process. Once that is complete, we hope to find a way to enable these mitigations intelligently based on risk and empower users to balance the tradeoffs,” Norman said. “This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome. Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature.”

    On Twitter, Norman said plans were afoot to bring Super Duper Secure Mode to macOS and Android, and to get WebAssembly working.


    Audit finds some former WA government staff still have systems access after termination

    A report from Western Australia’s Auditor-General has found that some former staff at state entities still had access to IT systems and equipment despite their employment being terminated.

    The finding was made as part of the Office of the Auditor-General’s (OAG) probe into staff exit controls in place at three state government agencies. The audit [PDF] assessed whether the Department of Planning, Lands and Heritage (DPLH), the Department of Finance, and the Department of Local Government, Sport and Cultural Industries (DLGSC) effectively and efficiently managed the exit of staff to minimise security, asset, and financial risks.

    The audit covered the period 1 July 2019 to 31 December 2020, with a sample of 30 staff from DLGSC, 27 from DPLH, and 26 from Finance, including consultants and third-party contractors, who left during that period.

    While the report found all entities cancelled exiting staff’s IT system access, it was not always done immediately. According to the report, it took between two and 161 days to deactivate or withdraw access to information systems after staff left the entity.

    At Finance, OAG said it took between six and 161 days to cancel access to IT systems after the last day of employment. The case that took 161 days, however, related to a secondment arrangement in which the former employee continued undertaking work on behalf of the entity. Setting that case aside, Finance took seven days on average to cancel IT systems access, despite its security management framework noting that IT access for terminated staff is meant to be disabled on the last day of employment.

    DPLH does not record specific dates when IT access is cancelled, but by probing system log information, where it was available, OAG found late cancellations ranged between one and 124 days after the individual had left.

    Similarly, the OAG said DLGSC did not have sufficient information to determine when access to IT systems was cancelled for all 30 people in its audit sample. “System logs showing the dates of when this occurred were not recorded. In the absence of this information, we checked whether any of the individuals had accessed the IT systems and found that 29 did not access the system after they left,” the report said. “One person had accessed the system four days after their exit date.”

    The report also found that DPLH and DLGSC both lacked adequate information to show that office access passes were returned or deactivated for 72% of the sampled former staff. OAG said staff at DLGSC were charged a AU$12 fee for any changes to the status of passes by the private operator that managed the building and were therefore disincentivised from undertaking the process.

    All access passes were cancelled or deactivated after staff left Finance; however, for five out of the sample of 26, OAG said the cancellation of passes was not timely. For four people, OAG said it took between six and 44 days. The individual on secondment still had physical building access for the 116 days they continued to have systems access.

    Also under scrutiny was the asset returns process at the three entities, with OAG finding none had a complete and easily accessible record of all assets, including IT equipment, provided to staff.

    The report said OAG was unable to verify whether all IT assets had been returned to DPLH because there were insufficient records of what was issued to the 27 people in its sample. It said 15 staff had left with no evidence of laptop return. Only two of the 27 people were known to have had a phone issued, with evidence proving only one had been returned. At DLGSC, the OAG found records of laptop returns for only six exited staff in its sample of 30, and Finance demonstrated that 19 of 26 staff in the sample returned their IT equipment.

    To minimise the risk of unauthorised access to premises when staff leave, OAG recommended entities maintain an accurate register of all access passes, including returns and cancellation/deactivation, conduct regular audits of all active passes, and ensure all access passes are returned when staff leave.

    The OAG has also asked the entities to ensure access to IT systems is removed or disabled immediately when staff leave, to clearly record when the removal of IT system access occurred, and to maintain a register of all assets issued to staff at commencement, during employment, and what is returned at exit.

    In addition, entities have been asked to minimise the risk of financial loss from overpayments to terminated employees, better manage the risks with different circumstances of employment termination, and improve communication between business functions responsible for staff exits.
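The two checks the auditors ran (how long after the last day of employment was access disabled, and did anyone sign in after leaving) are easy to automate once an exit register and an identity-management audit trail exist. The script below is an added example, not code from the OAG report or any WA agency; the exit register, the IdM DISABLE records and the sign-on lines are all constructed, and the log formats are assumptions.

```python
"""Staff-exit access check (added example; constructed data and formats).

Joins an exit register with IdM deprovisioning records and sign-on logs to
answer the two audit questions: how many days after the last day of
employment was IT access disabled, and did anyone sign in after they left?
"""
import csv
import io
import re
from datetime import date, datetime

# Constructed exit register: one leaver per row, with their last day.
EXIT_REGISTER = """\
user,last_day
a.smith,2020-03-31
b.jones,2020-06-30
c.wong,2020-09-15
d.ahmed,2020-11-02
"""

# Constructed IdM audit trail. d.ahmed has no DISABLE record at all,
# which is the "no logged date" situation the audit encountered.
DEPROVISION_LOG = """\
2020-03-31T17:05:00 DISABLE user=a.smith by=idm-sync
2020-07-07T09:12:00 DISABLE user=b.jones by=helpdesk
2021-02-16T11:40:00 DISABLE user=c.wong by=helpdesk
"""

# Constructed successful sign-on events (syslog-style, mixed formats).
AUTH_LOG = """\
2020-03-30T08:01:12 sshd: Accepted publickey for a.smith from 10.1.2.3
2020-07-04T22:14:09 vpn: session start user=b.jones src=203.0.113.8
2020-09-14T16:40:00 vpn: session start user=c.wong src=203.0.113.9
2020-11-06T07:55:31 sshd: Accepted password for d.ahmed from 10.1.2.77
"""


def load_register(text):
    """Map user id -> last day of employment."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["user"]: date.fromisoformat(row["last_day"]) for row in reader}


def parse_disable_events(text):
    """Map user id -> timestamp of the DISABLE action recorded for them."""
    disabled = {}
    for line in text.splitlines():
        ts, action, *fields = line.split()
        if action != "DISABLE":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        disabled[kv["user"]] = datetime.fromisoformat(ts)
    return disabled


def deactivation_lag_days(register, disabled):
    """Days between last day and account disable; None when no record exists,
    which the audit treated as a finding in its own right."""
    lag = {}
    for user, last_day in register.items():
        when = disabled.get(user)
        lag[user] = None if when is None else (when.date() - last_day).days
    return lag


def post_exit_logins(register, auth_text):
    """Return (user, timestamp) for every sign-on dated after the user's last day.
    User ids are matched as whole tokens so 'a.smith' does not match 'a.smithson'."""
    hits = []
    for line in auth_text.splitlines():
        ts_str, _, rest = line.partition(" ")
        tokens = set(re.split(r"[\s=]+", rest))
        when = datetime.fromisoformat(ts_str).date()
        for user, last_day in register.items():
            if user in tokens and when > last_day:
                hits.append((user, ts_str))
    return hits


def late_or_unrecorded(lag, grace_days=0):
    """Users whose access outlived the grace period or has no disable record."""
    return sorted(u for u, d in lag.items() if d is None or d > grace_days)


if __name__ == "__main__":
    reg = load_register(EXIT_REGISTER)
    lag = deactivation_lag_days(reg, parse_disable_events(DEPROVISION_LOG))
    for user, days in lag.items():
        label = "no disable record" if days is None else f"{days} days"
        print(f"{user}: {label}")
    print("late or unrecorded:", late_or_unrecorded(lag))
    print("post-exit sign-ons:", post_exit_logins(reg, AUTH_LOG))
```

On the constructed data this reports a 7-day and a 154-day lag, one account with no disable record, and two sign-ons after the exit date, one of them four days after leaving.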


    Security company warns of Mitsubishi industrial control vulnerabilities

    Cybersecurity company Nozomi Networks Labs has warned the industrial control system (ICS) security community about five vulnerabilities affecting Mitsubishi safety PLCs.

    In a new report, the company said Mitsubishi acknowledged the issues — which concern the authentication implementation of the MELSOFT communication protocol — after they were discovered at the end of 2020. The Japanese manufacturing giant has devised a strategy to patch the issues, but Nozomi Networks Labs said software updates for safety PLCs or medical devices often take longer to deploy than other software products. Vendors must go through specific certification processes before patches can be released, the report explained.

    “Depending on the type of device and regulatory framework, the certification procedure could be required for each individual software update,” Nozomi Networks Labs researchers wrote. “While waiting for the patch development and deployment process to be completed, we deployed detection logic for customers of our Threat Intelligence service. At the same time, we started researching more general detection strategies to share with asset owners and the ICS security community at large.”

    The researchers noted that the vulnerabilities they found “likely” affect more than one vendor and said they were concerned that “asset owners might be overly reliant on the security of the authentication schemes bolted onto OT protocols, without knowing the technical details and the failure models of these implementations.”

    The security company disclosed the first batch of vulnerabilities through ICS-CERT in January 2021 and another batch more recently, but patches are still not available.

    Mitsubishi has released a number of mitigations, and Nozomi Networks Labs urged customers to assess their security posture in light of the advisories. The report deliberately leaves out technical details and proof-of-concept documents in an effort to protect systems that are still being secured.

    Researchers discovered the vulnerabilities while researching MELSOFT, which is used as a communication protocol by Mitsubishi safety PLCs and the corresponding engineering workstation software, GX Works3. They found that authentication with MELSOFT over TCP port 5007 is implemented with a username/password pair, which they said is “effectively brute-forceable” in some cases. The team tested multiple methods that gave them access to systems and found that there are even instances where attackers can reuse session tokens generated after successful authentication.

    “An attacker that can read a single privileged command containing a session token is able to reuse this token from a different IP after it has been generated, within a window of a few hours,” the report said. “If we chain together some of the identified vulnerabilities, several attack scenarios emerge. It’s important to understand this approach as real world attacks are often executed by exploiting several vulnerabilities to achieve the final goal.”

    Once an attacker gains access to a system, they can then take measures to lock other users out, forcing the last-ditch option of physically shutting down the PLC to prevent further harm.

    Nozomi Networks Labs suggested asset owners protect the link between the engineering workstation and the PLC so that an attacker cannot access the MELSOFT authentication or authenticated packets in cleartext. They also suggest protecting access to the PLC so an attacker cannot actively exchange authentication packets with the PLC.
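Until patches ship, the two failure modes the report describes (a brute-forceable username/password exchange and a session token that is accepted from a different source address for hours) are the kind of thing a passive monitor can alert on. The detector below is an added example, not Nozomi Networks’ detection logic or anything derived from the MELSOFT wire format; it assumes a sensor has already decoded traffic into one line per event, and the event stream, field names and token values are all constructed.

```python
"""Detection logic for the two MELSOFT failure modes described above
(added example; constructed event format, not Nozomi's or Mitsubishi's code).

Assumed input: one decoded line per event, <ISO time> <src ip> <event> [k=v ...]
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed event stream: a burst of failed logons from one host, a
# legitimate engineering-workstation session, then that session's token
# turning up from a different source address about 90 minutes later.
EVENTS = """\
2021-01-12T08:00:01 10.0.5.20 AUTH_FAIL user=engineer
2021-01-12T08:00:02 10.0.5.20 AUTH_FAIL user=engineer
2021-01-12T08:00:02 10.0.5.20 AUTH_FAIL user=engineer
2021-01-12T08:00:03 10.0.5.20 AUTH_FAIL user=engineer
2021-01-12T08:00:03 10.0.5.20 AUTH_FAIL user=engineer
2021-01-12T08:00:04 10.0.5.20 AUTH_FAIL user=engineer
2021-01-12T09:10:00 10.0.5.11 AUTH_OK user=engineer token=7f3a21
2021-01-12T09:10:05 10.0.5.11 CMD token=7f3a21 op=read
2021-01-12T10:42:30 10.0.5.20 CMD token=7f3a21 op=write
2021-01-12T15:30:00 10.0.5.11 AUTH_OK user=engineer token=b91c04
2021-01-12T15:30:02 10.0.5.11 CMD token=b91c04 op=read
"""


def parse_events(text):
    """Turn the constructed line format into dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        ts, src, kind, *fields = line.split()
        ev = {"time": datetime.fromisoformat(ts), "src": src, "kind": kind}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def detect_token_reuse(events):
    """Alert when a session token is presented from a source other than the
    one it was issued to, or when a command carries a token never seen issued.
    Returns (reason, token, issued_to, used_from, time) tuples."""
    issued = {}  # token -> (src that authenticated, time issued)
    alerts = []
    for ev in events:
        token = ev.get("token")
        if token is None:
            continue
        if ev["kind"] == "AUTH_OK":
            issued[token] = (ev["src"], ev["time"])
        elif ev["kind"] == "CMD":
            origin = issued.get(token)
            when = ev["time"].isoformat()
            if origin is None:
                alerts.append(("unknown-token", token, None, ev["src"], when))
            elif origin[0] != ev["src"]:
                alerts.append(("token-reuse", token, origin[0], ev["src"], when))
    return alerts


def detect_auth_failure_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source accumulates `threshold` failed logons inside
    `window`; the counter resets after alerting so a long burst alerts once."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in events:
        if ev["kind"] != "AUTH_FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["src"], len(q), ev["time"].isoformat()))
            q.clear()
    return alerts


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for alert in detect_auth_failure_bursts(evs) + detect_token_reuse(evs):
        print(alert)
```

Both detectors only observe traffic, so they complement rather than replace the report’s mitigation of keeping authentication and authenticated packets off any link an attacker can read.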


    Facebook shuts down NYU misinformation study, sparking outrage

    Facebook is facing significant backlash from lawyers and professors at two New York universities after the platform shut down a study of political ads and the spread of misinformation. New York University (NYU) and Columbia University released a statement on Wednesday condemning the decision by Facebook, which shut down the accounts of NYU researchers Laura Edelson and Damon McCoy on Tuesday evening.

    In a statement, Edelson said they had been negotiating with Facebook for months over a research tool called Ad Observer. The tool is part of the work of NYU Cybersecurity for Democracy, where Edelson is lead researcher and a Ph.D. candidate in computer science at New York University Tandon School of Engineering.

    Ad Observer is a browser plugin that gave Facebook users the chance to share “limited and anonymous information” about the political ads they see on a daily basis. The tool also allows researchers and reporters to look through political advertising trends on Facebook in their states.

    “Yesterday evening, Facebook suspended my Facebook account and the accounts of several people associated with Cybersecurity for Democracy, our team at NYU. This has the effect of cutting off our access to Facebook’s Ad Library data, as well as Crowdtangle,” Edelson said. “Over the last several years, we’ve used this access to uncover systemic flaws in the Facebook Ad Library, to identify misinformation in political ads, including many sowing distrust in our election system, and to study Facebook’s apparent amplification of partisan misinformation. By suspending our accounts, Facebook has tried to shut down all this work.”

    Edelson added that Facebook had effectively cut off access for more than two dozen other researchers and journalists who get access to Facebook data through the project, including work measuring vaccine misinformation with the Virality Project and other partners.

    Facebook did not respond to a request for comment, but Facebook product management director Mike Clark released a blog post accusing the university of studying political ads “using unauthorized means to access and collect data from Facebook” in violation of the website’s Terms of Service.

    “We took these actions to stop unauthorized scraping and protect people’s privacy in line with our privacy program under the FTC Order. The researchers gathered data by creating a browser extension that was programmed to evade our detection systems and scrape data such as usernames, ads, links to user profiles and ‘Why am I seeing this ad?’ information, some of which is not publicly-viewable on Facebook,” Clark said. “The extension also collected data about Facebook users who did not install it or consent to the collection. The researchers had previously archived this information in a now offline, publicly-available database.”

    Clark corroborated what NYU said, writing that the two sides had been negotiating since Facebook sent both Edelson and McCoy a cease-and-desist letter last fall demanding they stop using the tool. Facebook wanted the two to take down all of their previous research as well. Clark said they told NYU the tool was against their Terms of Service before they even deployed it in the summer of 2020.

    He compared the research project to “scraping,” a widespread problem many social media sites now face from cybercriminals and political actors who abuse privileges to steal troves of data from sites like LinkedIn and Facebook. In April, information belonging to 553 million Facebook users was posted online following a scraping incident.

    The researchers also turned down an attempt by Facebook to give them the platform’s own data on political ad targeting from the 2020 US election. Facebook has set up internal programs similar to Ad Observer.

    “We made it clear in a series of posts earlier this year that we take unauthorized data scraping seriously, and when we find instances of scraping we investigate and take action to protect our platform,” Clark said, arguing further that the violations of privacy outweighed the research’s value. “While the Ad Observatory project may be well-intentioned, the ongoing and continued violations of protections against scraping cannot be ignored and should be remediated.”

    Edelson said the work they were doing to “make data about disinformation on Facebook transparent” was “vital to a healthy internet and a healthy democracy.” She added that Facebook is “silencing” the two because they were calling attention to the platform’s issues dealing with misinformation in political ads, which has become a sensitive topic for the social media giant.

    “Worst of all, Facebook is using user privacy, a core belief that we have always put first in our work, as a pretext for doing this,” Edelson said. “If this episode demonstrates anything it’s that Facebook should not have veto power over who is allowed to study them.”

    McCoy pointed out that Facebook made this decision right as it is facing widespread backlash from the US government for the spread of COVID-19 vaccine disinformation. Last month, President Joe Biden made waves when he said Facebook was “killing people” through COVID-19 misinformation. McCoy also criticized Facebook for citing privacy violations considering advertisers “consented to making their ads public.”

    The two noted that reporters across the country used the tool to write about the 2020 election and that Facebook waited months to shut down their accounts. Hours before their accounts were shut down, they told Facebook they were “studying the spread of disinformation about January 6 on the social media platform.”

    The researchers’ lawyer, Seth Berlin, called it “remarkable” that Facebook would argue political advertising is private considering its purpose, and disputed the platform’s claims that the Ad Observer team collected private user information. “Facebook’s primary justification for trying to shut down this important research simply doesn’t hold up,” Berlin said.


    Black Hat: This is how a naive NSA staffer helped build an offensive UAE security branch

    BLACK HAT USA: What began as an incredible job offer for a naive, young security analyst turned into an explosive case of former US experts unwittingly helping a foreign service create an offensive security branch.

    Known as Project Raven, a team of over a dozen former US intelligence operatives was poached with promises of job roles that seemed too good to be true — only for them to participate in activities on behalf of the United Arab Emirates (UAE) that were, at the least, dubious.

    Project Raven, as previously reported by the New York Times and Reuters, involved the clandestine surveillance of other governments, militant groups, human rights activists, journalists, and other parties of interest to — or critical of — the monarchy.

    One of these operatives was David Evenden, a former offensive intelligence analyst and member of the Navy, and now founder of StandardUser LLC, who once worked for the US National Security Agency (NSA). At Black Hat USA in Las Vegas, Evenden described his time working for the UAE, a story that has also previously been covered extensively in the Darknet Diaries podcast.

    After working for the NSA for roughly three years, in 2014 a recruiter from CyberPoint, reported to have been vetted by the US government, approached Evenden with a new career opportunity. He was told he would be involved in security work in Abu Dhabi and would be helping to tackle terrorist activity and reduce the workload on government agencies in his homeland, as part of a wider defense agreement with the United States.

    “It was all above board and we all felt confident in what we were doing,” Evenden said.

    As noted in “This Is How They Tell Me the World Ends,” penned by Nicole Perlroth, the overarching contract was known as Project DREAD — or Development Research Exploitation and Analysis Department. Perlroth writes that Project DREAD relied “heavily” on subcontractors including CyberPoint as well as the “dozens of talented former NSA hackers like Evenden.”

    The security specialist explained that upon arrival, two back-to-back briefings were set up. The “cover” story, in a purple folder, was that he would be working on defensive measures. However, in the following meeting, a black folder was issued. The black folder revealed that Evenden would be working with NISSA, the UAE’s NSA counterpart, in offensive security, surveillance, and collecting data on targets of interest — and this was never to be acknowledged to the general public.

    If this wasn’t a red flag, the use of a converted villa for operations — as well as the promise of a tax-free lifestyle and a lucrative salary — should have tipped Evenden off to something not being quite right.

    For the first few months, reconnaissance was performed to combat terrorism, such as pulling data from the Twitter API, keyword analytics, and computational deltas of social media chatter. However, while originally told he would be working on behalf of the US and allies, the operative said in Darknet Diaries that it wasn’t long before CyberPoint was hacking “real and perceived” Emirati enemies on behalf of its clients, rather than terrorist operatives. ISIS was one of the first groups in scope, but this eventually turned to everyone from civil rights activists to journalists and individuals criticizing the UAE on Twitter.

    “We then began to get questions about following the money,” the security expert said, adding that the group was then asked to gain access to Qatar to see if there was any cash being funneled to support the Muslim Brotherhood — and when told that they would need to hack the country’s systems, permission was granted. Intel submissions then started to deviate — such as requests made for the Qatari royal family’s flight plans.

    It was the moment that emails belonging to Michelle Obama landed on his PC, in 2015, that changed the game. The emails related to the former First Lady’s team and a trip to the Middle East to promote the “Let Girls Learn” initiative. “This was the moment I said, ‘We shouldn’t be doing this. This is not normal,’” Evenden told Perlroth.

    In late 2015, a local entity, DarkMatter, took over the Project Raven operation. The group was allowed to perform offensive operations against foreign organizations, and operatives were told to join or go home. “People who are loyal to the United States are not going to do that, so we jumped ship and moved home,” Evenden said.

    Another member of the team was Lori Stroud, a cybersecurity specialist who had previously worked for the NSA. A request from DarkMatter reportedly came in to target a US journalist, and once Stroud voiced her concerns, she was promptly removed from the project. Speaking to Reuters, Stroud said that at that moment, she became “the bad kind of spy.”

    The red flags Evenden missed can be taken as a lesson to other security professionals considering a move abroad, and he has some advice to give — in the hope that others do not make the same mistakes. “Vet your leadership — that’s one of the main things I learned out of this,” Evenden commented. “If you get those hairs standing up on your arms, you need to step back [and] make sure you have an exit strategy — whether or not an organization provides you with one, you need one, too.”


    Volume of cyber intrusion activity globally jumped 125%: Accenture

    A new report from Accenture has found that in the first half of 2021, the volume of cyber intrusion activity was up 125% globally compared to last year.

    Accenture said the report is based on its work with clients recovering from incidents. It attributed the increase in intrusions to web shell activity, ransomware incidents and supply chain attacks. While the US (36%) led the way, as it usually does, on the list of most targeted countries, the UK (24%) and Australia (11%) were not far behind.

    Consumer goods and services companies faced the highest number of attacks among Accenture’s customers, followed by organizations in the manufacturing industry, banking and hospitality.

    Robert Boyce, who leads Accenture’s Cyber Investigations, Forensics & Response business globally, said organizations are only protecting their core corporate systems and leaving themselves vulnerable to attack through third parties and other supply chains they are part of. Any subsidiary or affiliate also needs to be secured, Boyce said.

    “Industries that previously experienced lower levels of cyberattacks during the pandemic — such as consumer good & services, industrials, travel & hospitality, and retail — should reevaluate their cybersecurity posture as increased consumer activity in these industries present renewed opportunities for cybercriminals,” Boyce added.

    Ransomware dominated the report’s section on malware, with the now-defunct REvil/Sodinokibi group accounting for 25% of attacks seen by Accenture’s team. Accenture’s insurance industry customers were targeted most often by ransomware groups, making up 23% of all ransomware targets. Consumer goods and services companies as well as telecommunications companies were also targeted heavily. The report also made clear which companies are the main ransomware targets: 54% of all ransomware or extortion victims were companies with annual revenues between $1 billion and $9.9 billion.

    The researchers also found that there has been a rise in the number of backdoors, droppers and credential stealers being used by cybercriminals in the first half of 2021.


    Bob had a bad night: IoT mischief in a capsule hotel takes neighborly revenge to the next level

    BLACK HAT USA: Researchers have revealed how security vulnerabilities could be exploited to compromise hotel Internet of Things (IoT) devices — and take revenge on loud neighbors.

    IoT devices are now commonplace both in businesses and in the home. These internet- and often Bluetooth-connected products range from security cameras to smart lighting, fridges that monitor your foodstuffs, pet trackers, and intelligent thermostats — and in the hospitality space, IoT is also employed to give guests more control over their stay. These services are sometimes offered through dedicated apps and tablets, allowing the management of lights, heaters, air conditioning, televisions, and more.

    However, the moment you network IoT and hand over control to third parties, you may also give individuals the keys to a digital kingdom — and the ability to cause mischief, or worse.

    Vulnerabilities in IoT devices vary. They range from hardcoded, weak credentials to bugs that allow local attackers to hijack devices, remote code execution (RCE) flaws, information-leaking interfaces, and a lack of security and firmware updates — the latter of which is a frequent problem in legacy and early IoT products.

    Speaking at Black Hat USA in Las Vegas, security consultant Kya Supa from LEXFO explained how a chain of security weaknesses was combined and exploited to gain control of rooms at a capsule hotel, a budget-friendly type of hotel offering extremely small — and, therefore, cozy — spaces to guests, who are stacked side-by-side.

    Supa was traveling and checked into a capsule hotel abroad. On arrival, guests were issued an iPod Touch. The capsules contained a bed and a curtain for privacy, as well as a ventilation fan. The technology in use included NFC cards for each floor, the option to mirror a device screen on the curtain, and, on the iPod Touch, an app through which guests could control the lights and ventilation fan and change the position of the adjustable bed.

    The app connected via either Bluetooth or Wi-Fi. A neighbor, “Bob,” kept waking Supa up by making loud phone calls in the early hours of the morning. While Bob had agreed to keep it down, he did not keep his promise — and the researcher set to work, since he needed his sleep, especially during his vacation.

    The first thing Supa did was to explore his room, finding an emergency light installed for safety reasons; a Nasnos automaton center for controlling products in case the iPod Touch was lost; an electric motor used to manage the incline of the capsule’s bed; and a Nasnos router, hidden in the wall. If you connected to the router via a smartphone, it was then possible to control other devices on the network, and this was the setup the hotel chose to use.

    It was not possible to exit the app or turn off the iPod Touch, and Apple’s Gateway software was in use to stop the device from being tampered with, so a passcode was required for any other action. To circumvent these protections, Supa was able to drain the battery and then explore the iPod Touch’s settings. He found that two networks were connected — the hotel Wi-Fi and the router.

    To retrieve the router key, Supa targeted WEP, a protocol that has been known to be weak for years. Access points, each being one of the bedrooms, were found. Supa inspected the traffic and found weak credentials in place — “123” — and you can guess the rest. By using an Android smartphone, the iPod Touch, and a laptop, the researcher created a man-in-the-middle (MITM) setup and inspected the network traffic. No encryption was found, and he created a simple program to tamper with these connections, allowing the researcher to seize control of his bedroom through his laptop.

    Now, it was to be determined whether the key would work for the other bedrooms. Supa downloaded a Nasnos router app and reverse-engineered the software to see how the Wi-Fi key was generated. While this investigation failed, he was able to find that packets were sent via UDP port 968, and a lack of authentication meant he was still able to obtain Wi-Fi keys. Only four digits in each key appeared to be generated differently, confirmed via a dictionary attack, and so, a quick exploit program later, Supa had control of each bedroom’s smart features.
    Now that he could “control every bedroom,” and Bob was still there, Supa tampered with the lights of different bedrooms until he found the right one. He created a script that, every two hours, would change the bed into a sofa and turn the lights on and off. The script was launched at midnight. We can probably assume Bob did not enjoy his stay.

    “I hope he will be more respectful in the future,” Supa commented.

    While this case is amusing — although not for Bob — it also highlights how a single access point can be used to tamper with and hijack IoT devices, and this goes for the home, too. While intelligent technology can be convenient, we need to be aware of the potential security ramifications as well.

    The hotel and Nasnos were both contacted afterward, and the hotel has since improved its security posture.


    The Graph Foundation launches bug bounty program

    The Graph Foundation has launched a bug bounty program promising rewards of up to $2.5 million for smart contract vulnerabilities. 

    The Graph Foundation is the overseer of a community-created indexing protocol for querying blockchains and networks including the Ethereum, Celo, and IPFS ecosystems. Blockchain data is indexed by the decentralized protocol, based on the “subgraph manifest,” a system that defines smart contracts and network events, and participants are able to publish their own subgraph open APIs.

    On Wednesday, the project said a new bug bounty program has been launched on Immunefi, a DeFi-based bug bounty platform that has paid out over $3 million in rewards to date.

    The bug bounty program will focus on some of the most common threats to blockchain systems — the potential loss of user funds, data leaks, and severe security issues leading to remote code execution (RCE), service degradation, network tampering, and more. Rewards are based on Immunefi’s five-level scale, ranging in severity from “critical” to “none.” The most severe issues, deemed critical, are eligible for rewards of up to $2.5 million, paid in The Graph tokens (GRT). According to the team, the reward is based on the potential economic damage — such as the loss of user funds.

    “For instance, if the bug were to be exploited and we knew that a total of 1000 GRT could be drained, that is considered critical because it involves loss of funds, but the reward would only be 100 GRT,” the team explained. “As there are over three billion GRT staked in the network at the moment, and assuming that would be the considered economic damage (worst case scenario), the actual maximum amount for that particular bug would be 300 million GRT.”

    Severity payouts range from roughly $5,000 to $200,000 for low- and high-risk vulnerability discoveries.

    “Last year more than $200 million were stolen by hackers through DeFi exploits and hacks that indeed question the effectiveness of traditional security methods,” commented Mitchell Amador, Immunefi CEO. “We at Immunefi strive to protect projects against smart contract hacks by helping create, run, and promote best practice bug bounty programs, and we’re excited to move forward with The Graph.”