More stories

  •

    Edward Snowden asks Trump to pardon Wikileaks founder Julian Assange

    NSA whistleblower Edward Snowden took to Twitter today to ask US President Donald Trump to pardon Wikileaks founder Julian Assange during his last days in office.

    “Mr. President, if you grant only one act of clemency during your time in office, please: free Julian Assange. You alone can save his life,” Snowden tweeted.
    Assange, who has gained international fame for founding the WikiLeaks portal, is currently in custody in London, UK.
    He was arrested in April 2019 for breaking pre-trial release conditions in a 2012 UK case.
    At the time, Assange absconded and requested political asylum at the Ecuadorian embassy in London, where he lived until his arrest in 2019, when Ecuadorian officials withdrew the WikiLeaks founder’s asylum status.
    US authorities formally charged Assange for conspiring to leak US classified materials a month after his arrest. The indictment was updated a month later to include accusations that Assange tried to recruit famous hacker groups like Anonymous and LulzSec to carry out hacks on his behalf and steal sensitive files to publish on WikiLeaks.
    The WikiLeaks founder has been fighting the extradition case ever since his arrest, but a first ruling is expected on January 4, 2021.

    Assange has repeatedly threatened to commit suicide if extradited to the US, threats that his lawyers have been using as the central piece of their defense case — and the reason why Snowden mentioned that a pardon from Trump would save Assange’s life.
    Trump previously also considered pardoning both Snowden and Assange.
    Last week, Tulsi Gabbard, a House representative for the state of Hawaii, also asked Trump to pardon both Assange and Snowden. In October, Gabbard also introduced a bill to have the 2013 legal case against Edward Snowden dropped and allow the former NSA threat analyst to return to the US.
    However, the pardon requests may come at a bad time for Trump, who was recently embroiled in a bribery-for-pardon scheme.

  •

    Dell announces new protections for its PC and server supply chain

    Image: Dell
    PC maker Dell announced today a flurry of new security services for its line of enterprise products.

    The new services can be grouped into two categories, with (1) new solutions meant to protect the supply chain of Dell products while in transit to their customers and (2) new features meant to improve the security of Dell products while in use.
    Physical supply-chain security
    While Dell has previously invested in securing its customers’ supply chains, the company has announced today three new services.
    The first is named SafeSupply Chain Tamper Evident Services and, as its name implies, involves Dell adding anti-tampering seals to its devices, transport boxes, and even entire pallets before they leave Dell factories.
    The anti-tampering seals will allow buyers of Dell equipment to determine if any intermediary agents or transporters have opened boxes or devices to alter physical components.
    The second supply chain security offering, named Dell SafeSupply Chain Data Sanitization Services, addresses tampering at the storage level.
    “With a NIST-compliant hard drive wipe, Dell Technologies helps businesses ensure their device has a clean slate before they add their company image,” Dell said today about this new service.

    Further, Dell is also adding a new security feature named Secured Component Verification for its line of PowerEdge custom-ordered servers.
    Dell says that, with the help of an embedded cryptographically signed certificate, companies can verify after a server has been sealed and shipped from the factory that it arrives with the components it was ordered and built with.
    According to Dell, the new Secured Component Verification will help by:
    – verifying that changes are not made to system components (e.g., memory or hard drive swaps, I/O changes, etc.);
    – protecting against cybersecurity risks by meeting supply chain security standards across highly regulated industries such as finance and healthcare;
    – allowing customers to validate and deploy multiple servers efficiently, without having to audit each component individually.
    New security features for in-use products
    But Dell also rolled out updates to existing solutions to make managing the security of its devices much easier. One of these is an update to the Dell EMC Data Sanitization for Enterprise and Data Destruction for Enterprise service that allows bulk management of Dell gear, which now supports the entire Dell Technologies infrastructure portfolio and third-party products, and not just a select list of products.
    In addition, Dell will also launch next year a new security offering named Dell EMC Keep Your Hard Drive for Enterprise and Keep Your Component for Enterprise.
    While it’s a mouthful of a product name, this service allows companies to keep sensitive data stored on their devices and under their control while sensitive hardware parts are being replaced — a crucial privacy regulation that many companies must abide by while servicing their outdated enterprise infrastructure.
    In addition, Dell is also rolling out the ability to customize the boot process of PowerEdge servers via its new PowerEdge UEFI Secure Boot Customization, which also comes with advanced mitigation for industry-wide bootloader vulnerabilities.
    The same PowerEdge servers are also getting an update to their integrated Dell Remote Access Controller (iDRAC) service.
    The new update will allow system administrators to lock down Dell systems by cutting off their network access without having to reboot systems.
    Other security features included in the iDRAC updates include the ability to use multi-factor authentication when accessing iDRAC accounts and more scripting capabilities via the Redfish API.
    And last but not least, iDRAC will also add support for Dell EMC OpenManage Ansible Modules so that system administrators can automate some PowerEdge security workflows such as user privilege configuration and data storage encryption.
    Availability for the new services:
    – Dell SafeSupply Chain is currently available in the US for commercial PCs.
    – Dell Technologies Secured Component Verification on PowerEdge Servers will be available by the end of the calendar year 2020.
    – Dell EMC Data Sanitization for Enterprise and Data Destruction for Enterprise Services are currently available.
    – Dell EMC Keep Your Hard Drive for Enterprise and Keep Your Component for Enterprise Services are currently available.
    – Dell Technologies PowerEdge UEFI Secure Boot Customization is currently available.
    – iDRAC security updates will be available by the end of the calendar year 2020.
    – Dell EMC OpenManage Ansible Modules will be available beginning January 31, 2021.

  •

    Build your own advanced USB condom

    The job of a USB condom is simple: Turn any USB port into a charge-only port by blocking all the data lines, thereby reducing the attack surface for hackers, pranksters, and vandals to cause damage and mayhem.
    And they’re cheap. If you use random USB ports for charging devices when out and about, I recommend you get one because they’re a little insurance in an increasingly chaotic world.
    USB condoms have limitations. But you can build your own super USB condom.

    The other day I came across USBCondom.org, and on that site are plans for three different types of USB condom: a basic data blocker, a more sophisticated one that can switch between charge-only and data-transfer modes, and a really smart one with anti-USB-killer protection to stop your device being fried by high voltage.
    And you can grab everything you need, from the files to get the circuit boards printed (either do it yourself the old-fashioned way — expect a lot of hit and miss initially — or have a company make them). There’s even a full component list of everything you need (which really isn’t much, even for the most complicated one!).
    Or you can just buy some basic ones that only isolate the data lines from the charge lines. These won’t protect you from attacks such as juice jacking or having your equipment nuked by a USB killer, but if you are that worried, stop using random USB charging ports and carry a power bank with you instead.

  •

    Data of 243 million Brazilians exposed online via website source code

    Image: Mateus Campos Felipe
    The personal information of more than 243 million Brazilians, both living and deceased, has been exposed online after web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health website for at least six months.

    The security snafu was discovered by reporters from the Brazilian newspaper Estadao, the same newspaper that last week discovered that a São Paulo hospital leaked personal and health information for more than 16 million Brazilian COVID-19 patients after an employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems to GitHub.
    Estadao reporters said they were inspired by a report filed in June by Brazilian NGO Open Knowledge Brasil (OKBR), which, at the time, reported that a similar government website also left exposed login information for another government database in the site’s source code.
    Since a website’s source code can be accessed and reviewed by anyone pressing F12 inside their browser, Estadao reporters searched for similar issues in other government sites.
    They found a similar leak in the source code of e-SUS-Notifica, a web portal where Brazilian citizens can sign up and receive official government notifications about the COVID-19 pandemic.
    Reporters said the site’s source code contained a username and password stored in Base64, an encoding (not encryption) that anyone can reverse with little to no effort to recover the original username and password.
    The login information allowed access to SUS (Sistema Único de Saúde), the official database of the Brazilian Ministry of Health, which stored information on all Brazilians who signed up for the country’s public-funded health care system, established in 1989.

    The database contained all the personal information a Brazilian provided to its government, from full names to home addresses, and from phone numbers to medical details.
    The credentials have now been removed from the site’s source code, but it remains unclear if anyone has accessed the system and pilfered data on Brazilian citizens.
    If unauthorized access were discovered, this would be the largest security breach in the country’s history.
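    The leak above came down to a Base64 string sitting in client-side JavaScript that anyone could decode. The following script is an added example (not code from Estadao, OKBR or the Ministry of Health) of the kind of check a defender can run over a site's static assets before publishing: it pulls out Base64-looking tokens, decodes them, and flags the ones that decode to printable text of the `user:password` shape or sit next to credential-related keywords. The JavaScript sample, the hostname `example.invalid` and the credential pair inside it are constructed for the example.

```python
"""Scan client-side source for Base64-encoded credentials (constructed example)."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# A Base64 run of at least 16 symbols, optionally padded, not glued to a longer run.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
# Words that suggest a token on the same line is a secret rather than, say, an image.
SECRET_HINTS = re.compile(r"auth|basic|password|passwd|pwd|senha|token|secret|login|user", re.I)


@dataclass
class Finding:
    line_no: int
    token: str
    decoded: str
    reason: str


def _decode_text(token: str) -> Optional[str]:
    """Decode a token as Base64 and return it as printable text, or None if it is not."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:  # binary payloads (images, fonts) end up here
        return None
    return text if text.isprintable() else None


def scan_source(source: str) -> List[Finding]:
    """Return every Base64 token that looks like a leaked credential, with the line it is on."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in B64_TOKEN.finditer(line):
            token = match.group(1)
            if len(token) % 4:  # padded Base64 is always a multiple of 4 symbols
                continue
            text = _decode_text(token)
            if text is None:
                continue
            reasons = []
            if re.fullmatch(r"[^:\s]+:.+", text):
                reasons.append("decodes to user:password (HTTP Basic shape)")
            if SECRET_HINTS.search(line):
                reasons.append("credential-related keyword on the same line")
            if reasons:
                findings.append(Finding(line_no, token, text, "; ".join(reasons)))
    return findings


# Constructed sample in the style of the story; the Basic credential is made up.
# The data URI holds the start of a PNG, which must NOT be reported.
SAMPLE_JS = """\
// constructed sample, not the real site's code
const apiBase = "https://example.invalid/notifica";
const logo = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ";
const authHeader = "Basic " + "c3VzX3VzZXI6U3VwZXJTZWNyZXQxMjM=";  // made-up user:pass
fetch(apiBase, { headers: { Authorization: authHeader } });
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f.line_no}: {f.token} -> {f.decoded!r} ({f.reason})")
```

    The PNG fragment is skipped because its decoded bytes are not UTF-8 text, so the scanner reports only the credential line. The `user:password` test is the shape of an HTTP Basic header, which is what a Base64 blob next to an `Authorization` header usually is; run as a pre-commit or CI step over the built assets, this catches the class of mistake in the story before the site goes live.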

  •

    Open-source: Almost one in five bugs are planted for malicious purposes

    Microsoft-owned GitHub, the world’s largest platform for open-source software, has found that 17% of all vulnerabilities in software were planted for malicious purposes. 
    GitHub reported that almost a fifth of all software bugs were intentionally placed in code by malicious actors in its 2020 Octoverse report, released yesterday. 


    Proprietary software makers over the years have been regularly criticized for ‘security through obscurity’ or not making source code available for review by experts outside the company. Open source, on the other hand, is seen as a more transparent manner of development because, in theory, it can be vetted by anyone. 
    But the reality is that it’s often not vetted due to a lack of funding and human resource constraints. 
    A good example of the potential impact of bugs in open source is Heartbleed, the bug in OpenSSL that a Google researcher revealed in 2014, which put a spotlight on how poorly funded many open-source software projects are. 
    Affecting a core piece of internet infrastructure, Heartbleed prompted Amazon, IBM, Intel, Microsoft, Cisco and VMware to pour cash into The Linux Foundation to form the Core Infrastructure Initiative (CII).

    For the past few years, GitHub has been investing heavily in tools to help open-source projects remediate security flaws via its Dependency Graph, a feature that works with its Security Alerts feature. 
    The security alerts service scans software dependencies (software libraries) used in open-source projects and automatically alerts project owners if it detects known vulnerabilities. The service supports projects written in Java, JavaScript, .NET, Python, Ruby and PHP. 
    GitHub’s 2020 Octoverse report found that open-source dependencies were used most frequently in JavaScript (94%), Ruby (90%), and .NET (90%) projects. 
    While almost a fifth of vulnerabilities in open-source software were intentionally planted backdoors, GitHub highlights that most vulnerabilities were just plain old errors. 
    “These malicious vulnerabilities were generally in seldom-used packages, but triggered just 0.2% of alerts. While malicious attacks are more likely to get attention in security circles, most vulnerabilities are caused by mistakes,” GitHub notes. 
    As ZDNet’s Charlie Osborne reported, vulnerabilities in open-source projects remain undetected for four years on average before they’re revealed to the public. Then it takes about a month to issue a patch, according to GitHub. In other words, there’s still room for improvement despite GitHub’s efforts to automate bug fixing in open-source projects. 
    GitHub notes in its report that the “vast majority” of the intentional backdoors come from the npm ecosystem. ZDNet’s Catalin Cimpanu reported this week that the npm security team had to remove a malicious JavaScript library from the npm website that contained malware for opening backdoors on programmers’ computers. Using this venue to distribute malware to developers makes sense given that JavaScript is the most popular programming language on GitHub.
    GitHub notes that only 0.2% of its security alerts were related to explicitly malicious activity.
    “A big part of the challenge of maintaining trust in open source is assuring downstream consumers of code integrity and continuity in an ecosystem where volunteer commit access is the norm,” GitHub explains. 
    “This requires better understanding of a project’s contribution graph, consistent peer review, commit and release signing, and enforced account security through multi-factor authentication (MFA).” 
    GitHub notes that flaws can include ‘backdoors’, which are software vulnerabilities intentionally planted in software to facilitate exploitation, and ‘bugdoors’, a specific type of backdoor that disguises itself as a conveniently exploitable yet hard-to-spot bug rather than introducing explicitly malicious behavior.
    The most blatant indicator of a backdoor is an attacker gaining commit access to a package’s source-code repository, usually via an account hijack, such as 2018’s ESLint attack, which used a compromised package to steal users’ credentials for the npm package registry, GitHub said. The last line of defense against these backdoor attempts is careful peer review in the development pipeline, especially of changes from new committers. Many mature projects have such review in place. Attackers are aware of that, so they often attempt to subvert the software outside of version control, at its distribution points, or by tricking people into grabbing malicious versions of the code through, for example, typosquatting a package name.
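    Typosquatting, the last tactic named above, works because an install command with one wrong letter still resolves to a real package. One defensive check a team can add to its install or lockfile review is to compare every requested package name against the names the project is known to depend on and flag anything one edit away. The script below is an added example, not GitHub's or npm's tooling; the list of known package names is constructed for the example, and the distance used is the optimal-string-alignment form of Damerau-Levenshtein so that swapped adjacent letters (a common typo) count as a single edit.

```python
"""Flag package names that are one typo away from a trusted name (constructed example)."""
from typing import List, Optional, Tuple

# Constructed allowlist: the names a project actually depends on. A real check
# would load this from the project's lockfile or an internal approved list.
KNOWN_PACKAGES = ["lodash", "express", "eslint", "request", "left-pad"]


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance between a and b."""
    prev2: Optional[List[int]] = None
    prev = list(range(len(b) + 1))  # distance from "" to each prefix of b
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,        # delete ca
                         cur[j - 1] + 1,     # insert cb
                         prev[j - 1] + cost)  # substitute
            # Adjacent transposition: "lodahs" vs "lodash" is one edit, not two.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb and prev2 is not None:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def suspicious_lookalike(name: str, known: List[str] = KNOWN_PACKAGES,
                         max_distance: int = 1) -> Optional[str]:
    """Return the trusted name this package name imitates, or None if it is exact or not close."""
    if name in known:
        return None
    for trusted in known:
        if edit_distance(name.lower(), trusted.lower()) <= max_distance:
            return trusted
    return None


def review_install_list(names: List[str]) -> List[Tuple[str, str]]:
    """Pair each suspicious requested name with the trusted name it resembles."""
    flagged = []
    for name in names:
        target = suspicious_lookalike(name)
        if target is not None:
            flagged.append((name, target))
    return flagged


if __name__ == "__main__":
    # Constructed install request: two names are one typo away from trusted ones.
    for requested, trusted in review_install_list(["lodash", "lodahs", "expres", "react"]):
        print(f"{requested!r} looks like a typo of {trusted!r}; confirm before installing")
```

    A match is a prompt for a human to look, not proof of malice: legitimate packages with near-identical names exist, which is why the check reports the trusted name it resembles rather than blocking outright. Raising `max_distance` catches more variants at the cost of more false positives.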

  •

    Google researcher: I made this 'magic' iPhone Wi-Fi hack in my bedroom, imagine what others could do

    A Google Project Zero (GPZ) bug hunter who specializes in iPhone security has revealed a nasty bug in iOS that allowed an attacker within Wi-Fi range to gain “complete control” of an Apple phone. 
    GPZ is a security research group in Google tasked with finding vulnerabilities in all popular software spanning Microsoft’s Windows 10 to Google Chrome and Android as well as Apple’s iOS and macOS.  

    Ian Beer, a GPZ hacker who specializes in iOS hacks, says the vulnerability he found during the first COVID-19 lockdown this year allowed an attacker within Wi-Fi range to view all an iPhone’s photos and emails, and copy all private messages from Messages, WhatsApp, Signal and so on in real time. 
    “For 6 months of 2020, while locked down in the corner of my bedroom surrounded by my lovely, screaming children, I’ve been working on a magic spell of my own…a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity,” he writes.
    Apple fixed the bug ahead of the launch of Privacy-Preserving Contact Tracing, which arrived in iOS 13.5 in May. 
    Beer, who regularly finds critical flaws in iOS and macOS, is using his bug to stress to iPhone owners that they may have a false sense of security when it comes to thinking about adversaries. 

    “The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine,” notes Beer. 
    “Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”
    The contact-tracing connection Beer highlights is important because the bug he found was in an iOS feature called AWDL or Apple Wireless Direct Link – a proprietary Apple peer-to-peer networking protocol used for features like Apple AirPlay and the iOS-to-macOS file-sharing feature AirDrop. 
    AWDL is used in all Apple iOS and macOS devices. Researchers last year found serious flaws in the protocol that allowed an attacker on a network to intercept and change files being sent over AirDrop. The most concerning part of that batch of AWDL flaws was that they allowed an attacker to track an iPhone user’s location with a high degree of accuracy. Apple fixed those AWDL bugs last May in iOS 12.3, tvOS 12.3, watchOS 5.2.1, and macOS 10.14.5.
    The details of the flaw itself are important, but Beer is using his exploit to make a bigger point about the economics of software exploits. 
    As Beer notes, there are professional exploit brokers that sell iOS exploits to governments. 
    “Unpatched vulnerabilities aren’t like physical territory, occupied by only one side. Everyone can exploit an unpatched vulnerability,” notes Beer. 
    “It’s important to emphasize … that the teams and companies supplying the global trade in cyberweapons like this one aren’t typically just individuals working alone,” he continues. 
    “They’re well-resourced and focused teams of collaborating experts, each with their own specialization. They aren’t starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don’t have, like development devices, special cables, leaked source code, symbols files and so on.”
    The AWDL bug itself falls into the common category of memory-safety flaws; Beer describes it as a “fairly trivial buffer overflow” caused by programming errors Apple developers made in C++ code in Apple’s XNU (X is Not Unix) kernel. Microsoft and Google have found that memory vulnerabilities make up the vast majority of flaws in software. 
    In this case, Beer didn’t need a series of vulnerabilities in iOS to take control of a vulnerable iPhone, unlike the three iOS bugs Apple patched in iOS 14.2 last month. In other words, the one Beer found is highly valuable because of its relative simplicity to use. 
    “This entire exploit uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device. With just this one issue I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write,” he writes.

  •

    Google Authenticator for iOS gets a much-needed feature

    I dumped Google Authenticator a while ago. Sure, it’s the granddaddy of two-factor authentication apps, but it’s old and has some severe downsides.
    The biggest downside was that you couldn’t transfer accounts between devices. It was a case of blitz everything and start again. I’ve come across a lot of people who entered the tarpits when this happened.
    But finally, as 2020 draws to a close, this feature comes to iOS and iPadOS.
    Earlier this year, Google Authenticator for Android received a revamp which saw it getting dark mode and the ability to transfer accounts between devices. It works pretty well, but wasn’t much use to you if you were an iOS user.

    The newly-released version 3.1.0 is the first refresh the iOS app has had in over two years, and adds the following:
    – Added the ability to transfer accounts to a different device, e.g. when switching phones
    – Refreshed the look and feel of the app
    – Dark Mode support
    Personally, I moved over to Authy and have had no problems. This app is more feature-rich, and also works on Windows, Mac, and even Linux (along with, of course, iOS and Android). However, for those still using Google Authenticator on iPhones and iPads, this will be a welcome update.

  •

    8% of all Google Play apps vulnerable to old security bug

    Image: Check Point
    Around 8% of Android apps available on the official Google Play Store are vulnerable to a security flaw in a popular Android library, according to a scan performed this fall by security firm Check Point.
    The security flaw resides in older versions of Play Core, a Java library provided by Google that developers can embed inside their apps to interact with the official Play Store portal.
    The Play Core library is very popular as it can be used by app developers to download and install updates hosted on the Play Store, modules, language packs, or even other apps.
    Earlier this year, security researchers from Oversecured discovered a major vulnerability (CVE-2020-8913) in the Play Core library that a malicious app installed on a user’s device could have abused to inject rogue code inside other apps and steal sensitive data — such as passwords, photos, 2FA codes, and more.
    A demo video of such an attack accompanies the original article.
    Google patched the bug in Play Core 1.7.2, released in March, but according to new findings published today by Check Point, not all developers have updated the Play Core library that ships with their apps, leaving their users exposed to easy data pilfering attacks from rogue apps installed on their devices.
    According to a scan performed by Check Point in September, six months after a Play Core patch was made available, 13% of all the Play Store apps were still using this library, but only 5% were using an updated (safe) version, with the rest leaving users exposed to attacks.

    Apps that did their duty to users and updated the library included Facebook, Instagram, Snapchat, WhatsApp, and Chrome; however, many other apps did not.
    Among the apps with the largest userbases that failed to update, Check Point listed the likes of Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com.

    Image: Check Point
    Check Point researchers Aviran Hazum and Jonathan Shimonovich said they notified all the apps they found vulnerable to attacks via CVE-2020-8913, but, three months later, only Viber and Booking.com bothered to patch their apps after their notification.
    “As our demo video shows, this vulnerability is extremely easy to exploit,” the two researchers said.
    “All you need to do is to create a ‘hello world’ application that calls the exported intent in the vulnerable app to push a file into the verified files folder with the file-traversal path. Then sit back and watch the magic happen.”
    This research shows, once again, that while users may be using an up-to-date version of their apps, that doesn’t necessarily mean all of an app’s inner components are up-to-date as well, with software supply chains often being in complete disarray, even at some of the world’s biggest software/tech firms.
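    The Check Point finding above, and GitHub's dependency alerts in the Octoverse story earlier on this page, are both instances of the same check: compare each bundled library's version against the version an advisory says is fixed. The script below is an added example of that check on the source side (it is not Check Point's scanner or GitHub's Dependency Graph): it parses Gradle dependency declarations and reports any whose version is older than the fix. The CVE number, the library name and the 1.7.2 fix version come from the story; the Maven coordinate `com.google.android.play:core` and the sample build file are assumptions made for the example.

```python
"""Flag bundled libraries older than an advisory's fixed version (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Advisory table keyed by Maven coordinate. The coordinate for Play Core is assumed;
# the CVE and the fixed version are as reported in the story.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "com.google.android.play:core": [("CVE-2020-8913", "1.7.2")],
}

# Matches Gradle lines such as: implementation 'group:name:version'
DEP_LINE = re.compile(
    r"""(?:implementation|api|compileOnly|runtimeOnly)\s*\(?\s*['"]([^:'"]+):([^:'"]+):([^'"]+)['"]"""
)


@dataclass
class Dependency:
    group: str
    name: str
    version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.7.2' -> (1, 7, 2); a pre-release suffix like '-beta01' is dropped."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison, so 1.10.0 is newer than 1.7.2 (a string compare gets this wrong)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_gradle(text: str) -> List[Dependency]:
    """Extract group:name:version triples from a Gradle dependencies block."""
    return [Dependency(g, n, v) for g, n, v in DEP_LINE.findall(text)]


def check_dependencies(deps: List[Dependency]) -> List[Tuple[str, str, str, str]]:
    """Return (coordinate, bundled version, CVE, fixed version) for every outdated dependency."""
    findings = []
    for d in deps:
        key = f"{d.group}:{d.name}"
        for cve, fixed in ADVISORIES.get(key, []):
            if version_lt(d.version, fixed):
                findings.append((key, d.version, cve, fixed))
    return findings


# Constructed build fragment: the Play Core line is deliberately a pre-fix version.
SAMPLE_GRADLE = """\
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.google.android.play:core:1.6.4'   // constructed: pre-fix version
    implementation "com.squareup.okhttp3:okhttp:4.9.0"
}
"""

if __name__ == "__main__":
    for key, bundled, cve, fixed in check_dependencies(parse_gradle(SAMPLE_GRADLE)):
        print(f"{key} {bundled} is vulnerable to {cve}; upgrade to {fixed} or later")
```

    The app's own version number never enters this check, which is the point of the story: an app can ship a fresh release every week and still carry the March-era library. Wiring a check like this into the build is cheaper than the nine-month gap between the Play Core fix and the Check Point follow-up.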