More stories


    Billions of devices vulnerable to new 'BLESA' Bluetooth security flaw


    Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed over the summer.
    Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol.
    BLE is a slimmer version of the original Bluetooth (Classic) standard but designed to conserve battery power while keeping Bluetooth connections alive as long as possible.
    Due to its battery-saving features, BLE has been massively adopted over the past decade, becoming a near-ubiquitous technology across almost all battery-powered devices.
    As a result of this broad adoption, security researchers and academics have also repeatedly probed BLE for security flaws across the years, often finding major issues.
    Academics studied the Bluetooth “reconnection” process
    However, the vast majority of previous research on BLE security has focused almost exclusively on the pairing process and ignored large parts of the BLE protocol.
    In a research project at Purdue University, a team of seven academics set out to investigate a section of the BLE protocol that plays a crucial role in day-to-day BLE operations but has rarely been analyzed for security issues.
    Their work focused on the “reconnection” process. This operation takes place after two BLE devices (the client and the server) have authenticated each other during pairing.
    Reconnections happen when Bluetooth devices move out of range and later come back into range. Normally, when reconnecting, the two BLE devices should verify the cryptographic keys negotiated during pairing before resuming the connection and exchanging data.
    But the Purdue research team found that the official BLE specification did not describe the reconnection process in strong enough language. As a result, two systemic issues have made their way into BLE software implementations, down the software supply chain:
    Authentication during device reconnection is optional instead of mandatory.
    The authentication can potentially be circumvented if the user’s device fails to require the IoT device to authenticate the data it sends.
    These two issues leave the door open for a BLESA attack, in which a nearby attacker bypasses the reconnection verifications and sends spoofed data containing incorrect information to a BLE device, inducing human operators and automated processes into making erroneous decisions. See a trivial demo of a BLESA attack below.
    [embedded content]
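    The two systemic issues above, modelled as an added example (not code from the Purdue paper or any BLE stack): a simplified client-side reconnection policy is run against a genuine bonded peripheral and against an impersonator that never held the Long Term Key. The sensor name, the LTK bytes and the attribute values are constructed for the illustration; the link-layer encryption step is reduced to a key comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LTK_LEN 16

/* Bonding state kept from the original pairing: the Long Term Key (LTK). */
typedef struct {
    bool    bonded;
    uint8_t ltk[LTK_LEN];
} bond_t;

/* Peripheral (server) a client reconnects to. A spoofed peripheral presents
 * the same identity but never held the LTK from pairing. */
typedef struct {
    bond_t      bond;
    const char *attr_value;    /* attribute value it reports after reconnection */
} peripheral_t;

/* Client-side reconnection policy: the two knobs the article's issues hinge on. */
typedef struct {
    bool request_encryption;   /* client asks to re-enable link encryption on reconnect */
    bool require_encryption;   /* client drops attribute data unless the link is encrypted */
} reconnect_policy_t;

typedef enum { DATA_REJECTED = 0, DATA_ACCEPTED_ENCRYPTED = 1, DATA_ACCEPTED_PLAINTEXT = 2 } outcome_t;

/* Simplified link-layer encryption start: succeeds only when both sides hold
 * the same LTK, so a peer that never had the key cannot complete it. */
static bool ll_start_encryption(const bond_t *client, const bond_t *peer)
{
    return client->bonded && peer->bonded && memcmp(client->ltk, peer->ltk, LTK_LEN) == 0;
}

/* One reconnection attempt, seen from the client. */
outcome_t reconnect(const bond_t *client, const peripheral_t *peer,
                    reconnect_policy_t policy, char *out, size_t out_len)
{
    bool encrypted = policy.request_encryption && ll_start_encryption(client, &peer->bond);

    /* Hardened behaviour: a bonded peer must prove it holds the LTK before any
     * attribute traffic is trusted. */
    if (!encrypted && policy.require_encryption)
        return DATA_REJECTED;

    /* Lenient behaviour (the two systemic issues): data is accepted either because
     * encryption was never requested, or because its failure was not treated as fatal. */
    snprintf(out, out_len, "%s", peer->attr_value);
    return encrypted ? DATA_ACCEPTED_ENCRYPTED : DATA_ACCEPTED_PLAINTEXT;
}

/* Constructed scenario: a client bonded to a glucose sensor reconnects either to
 * the genuine peripheral or to an impersonator that lacks the LTK. */
outcome_t scenario(bool peer_is_spoofed, reconnect_policy_t policy, char *out, size_t out_len)
{
    bond_t client = { .bonded = true };
    for (int i = 0; i < LTK_LEN; i++)
        client.ltk[i] = (uint8_t)(0xA0 + i);                          /* constructed LTK */

    peripheral_t genuine = { client, "glucose=95" };
    peripheral_t spoofed = { { .bonded = false }, "glucose=40" };      /* false reading */

    return reconnect(&client, peer_is_spoofed ? &spoofed : &genuine, policy, out, out_len);
}

int main(void)
{
    const reconnect_policy_t policies[] = {
        { false, false },   /* issue 1: authentication optional, never requested */
        { true,  false },   /* issue 2: requested, but failure not enforced */
        { true,  true  },   /* hardened: mandatory and enforced */
    };
    const char *labels[] = { "optional", "not-enforced", "mandatory" };
    const char *names[]  = { "rejected", "accepted (encrypted)", "accepted (PLAINTEXT)" };

    for (int p = 0; p < 3; p++)
        for (int spoof = 0; spoof < 2; spoof++) {
            char buf[32] = "";
            outcome_t r = scenario(spoof, policies[p], buf, sizeof buf);
            printf("policy=%-12s peer=%-7s -> %-20s %s\n", labels[p],
                   spoof ? "spoofed" : "genuine", names[r], buf);
        }
    return 0;
}
```

Only the third policy, where the client both requests encryption and refuses attribute data without it, rejects the impersonator while still accepting the genuine peripheral.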
    Several BLE software stacks impacted
    However, despite the vague language, the issue has not made it into all real-world BLE implementations.
    Purdue researchers said they analyzed multiple software stacks that have been used to support BLE communications on various operating systems.
    Researchers found that BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack were all vulnerable to BLESA attacks, while the BLE stack in Windows devices was immune.
    “As of June 2020, while Apple has assigned the CVE-2020-9770 to the vulnerability and fixed it, the Android BLE implementation in our tested device (i.e., Google Pixel XL running Android 10) is still vulnerable,” researchers said in a paper published last month.
    As for Linux-based IoT devices, the BlueZ development team said it would deprecate the part of its code that opens devices to BLESA attacks, and, instead, use code that implements proper BLE reconnection procedures, immune to BLESA.
    Another patching hell
    Sadly, just like with all the previous Bluetooth bugs, patching all vulnerable devices will be a nightmare for system admins, and patching some devices might not be an option.
    Some resource-constrained IoT equipment that has been sold over the past decade and already deployed in the field today doesn’t come with a built-in update mechanism, meaning these devices will remain permanently unpatched.
    Defending against most Bluetooth attacks usually means pairing devices in controlled environments, but defending against BLESA is a much harder task, since the attack targets the more often-occurring reconnect operation.
    Attackers can use denial-of-service bugs to make Bluetooth connections go offline and trigger a reconnection operation on demand, and then execute a BLESA attack. Safeguarding BLE devices against disconnects and signal drops is impossible.
    Making matters worse, based on previous BLE usage statistics, the research team believes that the number of devices using the vulnerable BLE software stacks is in the billions.
    All of these devices are now at the mercy of their software suppliers, awaiting a patch.
    Additional details about the BLESA attack are available in a paper titled “BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy” [PDF]. The paper was presented at the USENIX WOOT 2020 conference in August. A recording of the Purdue team’s presentation is embedded below.
    [embedded content]


    US charges two hackers for defacing US websites following Soleimani killing


    The US Department of Justice has charged today two hackers with orchestrating a mass-defacement campaign against US websites following the killing of Iranian military general Qasem Soleimani by US forces earlier this year.
    According to an indictment unsealed today, the two hackers were identified as Behzad Mohammadzadeh (aka Mrb3hz4d), 19, from Iran, and Marwan Abusrour (aka Mrwn007), 25, from Palestine.
    Mohammadzadeh, considered the primary perpetrator of the attacks, was accused of breaking into at least 51 US websites and posting images of the late Soleimani and messages such as “Down with America.”
    The defacements primarily hit US-hosted domains and started on January 3, a day after US officials announced the killing of general Qasem Soleimani in a drone strike attack against his car near the Baghdad International Airport.
    According to the indictment, following this announcement, Mohammadzadeh began a wide-ranging hacking campaign.
    While the indictment accused Mohammadzadeh of defacing 51 websites, US officials say that a profile on Zone-H, a website where hackers often index and brag about their defacements, lists more than 1,100 websites defaced by the Iranian hacker, with 400 of these sites showing pro-Soleimani messages.

    In all of this, Abusrour was charged with a minor role. Prosecutors said that the young Palestinian provided Mohammadzadeh with access to seven websites that his Iranian counterpart later defaced as part of his larger campaign.
    Nonetheless, US officials said that Abusrour also had a history of defacing websites, with his hacker moniker found on more than 337 websites defaced with pro-Palestinian messages, dating back to June 2016.
    The defacements executed by the two hackers received considerable media coverage earlier this year. However, the coverage was slightly over-hyped, with some news outlets calling these low-level hacks the Iranian government’s response as part of an upcoming “nuclear cyber war.”
    Nothing of the sort happened, and the most high-profile website hacked by Mohammadzadeh was the portal for the US Federal Depository Library Program, which was almost immediately taken down and restored following the defacement.
    The defacements, although at the lower end of the spectrum of cyber-attacks, are still illegal. The two hackers have now been charged and risk sentences of up to 10 years in prison and fines of up to $250,000 if found guilty, according to the DOJ.
    Both hackers remain at large.


    Microsoft: Windows 10 is hardened with these fuzzing security tools – now they're open source

    Microsoft has released a new open-source security tool called Project OneFuzz, a testing framework for Azure that brings together multiple software security testing tools to automate the process of detecting crashes and bugs that could be security issues.
    Google’s open-source fuzzing bots have helped it detect thousands of bugs in its own software and other open-source software projects. Now Microsoft is releasing its answer to the same challenge for software developers. 

    Project OneFuzz is available on GitHub under an open-source MIT license like Microsoft’s other open-source projects, such as Visual Studio Code, .NET Core and the TypeScript programming language for JavaScript.
    Microsoft describes Project OneFuzz as an “extensible fuzz testing framework for Azure”. 
    Fuzzing essentially involves throwing random code at software until it crashes, potentially revealing security issues but also performance problems. 
    Google has been a major proponent of the technique, pushing coders and security researchers towards fuzzing utilities and techniques. Its open-source fuzzers include OSS-Fuzz and ClusterFuzz.
    OSS-Fuzz is available for developers to download from GitHub and use on their own code. It’s also available as a cloud service for select open-source projects.
    Microsoft previously announced that it would replace its existing software testing toolset known as Microsoft Security and Risk Detection with the automated, open-source fuzzing tool. 
    The Redmond company also says it’s solving a different and expensive challenge for all businesses that employ software developers, and gives credit to Google for pioneering the technology. 
    OneFuzz is the same testing framework Microsoft uses to probe Edge, Windows and other products at the company. It’s already helped Microsoft harden Windows 10, according to Microsoft.
    “Fuzz testing is a highly effective method for increasing the security and reliability of native code – it is the gold standard for finding and removing costly, exploitable security flaws,” said Microsoft Security’s Justin Campbell, a principal security software engineering lead, and Mike Walker, a senior director, special projects management. 
    “Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from. 
    “That complexity required dedicated security engineering teams to build and operate fuzz-testing capabilities making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work.” 
    As Microsoft notes, “recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code”. 
    These advances make it cheaper for developers to bake into continuous build systems what was once bolted on with separate tools, according to Microsoft. Crash detection, previously attached via tools such as Electric Fence, can now be baked in with asan.
    Likewise, coverage tracking, previously attached via tools such as iDNA, DynamoRIO, and Pin, is now built in with sancov.
    “Input harnessing, once accomplished via custom I/O harnesses, can be baked in with libfuzzer’s LLVMFuzzerTestOneInput function prototype,” Campbell and Walker note. 
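    What a “baked-in” harness looks like, as an added example rather than code from Microsoft or the OneFuzz project: a small, deliberately bounds-checked record parser (format constructed for this example) exposed through the LLVMFuzzerTestOneInput prototype quoted above, so that libFuzzer drives it, ASan reports memory errors, and SanitizerCoverage guides the mutations.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy record parser standing in for the native code under test. Record layout
 * (constructed for this example): [len:1][payload:len bytes][xor-checksum:1].
 * Returns 0 on success and -1 on malformed input. */
#define MAX_PAYLOAD 32

int parse_record(const uint8_t *data, size_t size, uint8_t *payload_out, size_t *payload_len)
{
    if (size < 2)
        return -1;
    size_t len = data[0];
    if (len > MAX_PAYLOAD)          /* the bounds check ASan would flag as a stack overflow if missing */
        return -1;
    if (size < 1 + len + 1)         /* truncated record */
        return -1;

    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        payload_out[i] = data[1 + i];
        sum ^= data[1 + i];
    }
    if (sum != data[1 + len])       /* checksum mismatch */
        return -1;
    *payload_len = len;
    return 0;
}

/* libFuzzer entry point using the LLVMFuzzerTestOneInput prototype the article mentions.
 * libFuzzer supplies main() and calls this once per generated input, so the harness
 * defines no main of its own. Build with clang:
 *   clang -g -O1 -fsanitize=fuzzer,address harness.c -o harness
 * then run ./harness <corpus_dir>; a crash or ASan report stops the run with the input saved. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t payload[MAX_PAYLOAD];
    size_t n = 0;
    (void)parse_record(data, size, payload, &n);
    return 0;   /* libFuzzer reserves non-zero return values; always return 0 */
}
```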
    Microsoft has also been adding experimental support for these features to Visual Studio so that test binaries can be built by a compiler, allowing developers to avoid the need to build them into a continuous integration (CI) or continuous development (CD) pipeline. It also helps developers scale fuzzing workloads in the cloud.


    MITRE releases emulation plan for FIN6 hacking group, more to follow

    MITRE and cyber-security industry partners have launched a new project that promises to offer free emulation plans that mimic today’s biggest hacking groups in order to help train security teams to defend their networks.
    Named the Adversary Emulation Library, the project is the work of MITRE Engenuity’s Center for Threat-Informed Defense.
    The project, hosted on GitHub, aims to provide free-to-download emulation plans.
    Emulation plans are a collection of step-by-step guides, scripts, and commands that describe and perform malicious operations commonly observed in the playbook of a specific adversary.
    The goal of an emulation plan is to test network defenses and see if automated security systems or human operators detect attacks before, during, and after they’ve taken place — and then update security procedures to account for any lapses.
    First emulation plan — FIN6
    The first entry in MITRE’s Adversary Emulation Library is an emulation plan for FIN6, one of today’s biggest financially-motivated cybercrime groups.
    FIN6 has been active since 2015 and is primarily known for targeting companies operating high-traffic POS (Point-of-Sale) payment terminals, where it compromises internal networks to install POS malware that steals payment card information.
    The FIN6 plan is the first of many that MITRE intends to make freely available in the coming months.
    The plans are being put together by MITRE and multiple industry partners that are part of MITRE Engenuity, a non-profit currently made up of 23 organizations from around the globe with highly sophisticated security teams.
    Microsoft, Fujitsu, and AttackIQ are MITRE Engenuity members and worked with MITRE on the FIN6 plan released today.
    Prior to establishing the MITRE Engenuity non-profit to work on these plans and make them available for free, the MITRE Corporation previously released two other emulation plans, the first for APT3 (Chinese state-sponsored hacking group) in 2017, and a second one for APT29 (Russian state-sponsored hacking group) earlier this year in 2020.
    The positive feedback from these two releases inspired MITRE leadership to work on codifying a structure for emulation plans together with industry partners, according to a blog post published earlier this week by Jon Baker, Department Manager at The MITRE Corporation.
    A little-known fact about FIN6 is that the group also sometimes deploys ransomware on some of the networks it compromises, along with Magecart-like skimmers. These small details are included in MITRE’s FIN6 emulation plan, which speaks to the quality and accuracy of the documents released today.
    Until MITRE Engenuity releases additional plans, security teams looking to quench their curiosity can also take a look at the adversary emulation plans released by Scythe over the summer.

    General structure of the FIN6 emulation plan


    Hackers are getting more hands-on with their attacks. That's not a good sign

    There’s been a sharp rise in sophisticated hands-on hacking campaigns over the course of this year, with the first six months of 2020 seeing more of these intrusions than the total number for the whole of 2019.
    A hands-on intrusion is when human hackers actively explore compromised systems themselves rather than relying on programmed scripts which perform automated tasks.
    The rise in attacks is attributed to a combination of cyber criminals continuing to evolve their tools, techniques and procedures, as well as the way hacking groups have exploited the rise in remote working driven by the COVID-19 pandemic as a means of gaining access to accounts and networks.
    The findings are detailed in CrowdStrike’s Threat Hunting Report 2020, based on potential ‘hands-on’ intrusions identified by the cybersecurity company’s team. The first half of 2020 saw 41,000 intrusions, a higher figure than the 35,000 detected during all of 2019, according to the company.
    “The most alarming thing from a 2020 perspective has been the volume and the reach of the amount of intrusions we’ve observed,” Jennifer Ayers, VP at CrowdStrike, told ZDNet.
    “Keep in mind that the report is essentially the first half of the year and in half a year we’ve already significantly exceeded the volume of what we observed in 2019 and 2018. It’s really a testament to how troubled the landscape truly is”.
    The hands-on campaigns are based around hackers gaining access to the network – often via leaked or stolen credentials to an employee account or an exposed RDP server – then using the legitimate access those accounts or systems offer to move across the network, gradually securing the means to gain more and more access. And because this is gained legitimately, it’s often difficult to notice unusual activity.
    It used to be that this type of sophistication was reserved for nation-state backed hacking groups, but now it’s regularly demonstrated by cyber criminal gangs too.
    “Hands-on keyboard sophistication used to be just the domain of nation-states. As we’ve seen more and more criminal organisations start to explore that, we’ve really seen the explosion,” said Ayers.
    “Sophistication has definitely changed over the last two years and we’re seeing much, much more of that in 2020”.
    But while nation-states are using these intrusions for cyber espionage campaigns and stealing intellectual property, cyber criminal groups are often using these kinds of intrusions to lay the groundwork for expansive ransomware campaigns, which result in whole networks being encrypted and millions of dollars being demanded in return for the decryption key.
    According to the report, almost all sectors have seen an increase in intrusive cyber attacks over the course of this year, with technology, telecommunications and finance some of the most frequently targeted. Manufacturing has also seen a dramatic increase in attacks, rising to the second most targeted industry this year when it didn’t feature in the top ten in 2019.
    However, despite the increasing number of hands-on, sophisticated hacking campaigns, it’s still very much possible for organisations to protect themselves from attacks by following security basics such as applying patches and security updates, and avoiding the use of vulnerable passwords.
    “Keep with the basics of security. If there’s one area you should really be focusing on it’s on your perimeter, make it difficult for them to get in in the first place. Keep security awareness going and make sure your employees know that a lot of hacks still start with phishing emails,” Ayers said.
    Multi-factor authentication can also play a vital role in protecting users and systems.
    “There’s so many ways to do this, it’s not remotely expensive anymore. And so for ten bucks to enable multi-factor authentication, just pay the ten bucks. Because it’s going to be better than paying millions after a ransomware attack,” Ayers said.


    Tencent expanding Singapore footprint to drive SEA expansion

    Tencent is looking to set up its Southeast Asian base in Singapore where it currently is looking to fill dozens of job positions. The move comes amidst China’s worsening relations with the US and India, which have led to Chinese apps being banned in both countries. 
    In a statement sent to ZDNet and other media outlets, Tencent said it was “expanding its business presence” in Singapore to support the company’s expansion in Southeast Asia. It added that the new Singapore office would be a “strategic addition” to its current offices in Malaysia, Indonesia, and Thailand. 

    Tencent added that the new outfit would allow the company to tap the rapid pace of digitisation and meet demand for internet-based services in Singapore. It did not provide any investment figures.
    A quick check on LinkedIn showed dozens of job openings in the city-state from the Chinese tech giant, including roles in business development, data science, cloud, WeChat product operations, and security. 
    Its expansion plans in Singapore come amidst China’s increasingly tense relationship with the US, where Donald Trump last month issued executive orders banning Chinese apps, specifically TikTok and WeChat, in his country. The Indian government followed suit early this month, restricting 118 apps it alleged were “stealing and surreptitiously transmitting” user data to servers outside of India. Amongst these were apps from Baidu, WeChat, AliPay, and Sina News.
    Tencent in March had launched an international version of its cloud-based video conferencing tool, called Tencent Meeting or VooV Meeting on app stores, in more than 100 markets, including Singapore, India, Japan, Thailand, and Malaysia. 
    Often dubbed as Asia’s Switzerland for its staunch neutrality, Singapore had said it would not take sides in global disputes and viewed both China and the US as “good friends”. Singapore’s Prime Minister Lee Hsien Loong had noted that US was a major defence security partner, which purchased advanced military equipment from Singapore, including missiles and military aircraft, while Singapore also had economic partnerships with China that included three major city projects between both governments in Suzhou, Tianjin, and Chongqing.
    TikTok’s parent company ByteDance was reportedly looking to set up its Asian hub in Singapore, where it planned to invest several billion dollars. Citing sources familiar with the issue, a Bloomberg report said the Chinese company would hire hundreds over the next three years and had applied for a digital bank license in Singapore.


    US reaches $1.5 billion settlement with Daimler over emissions scandal

    US prosecutors and Daimler AG have agreed on a settlement worth $1.5 billion to lay to rest the emissions cheating scandal. 

    On Monday, the US Department of Justice (DoJ) said the deal, proposed between the DoJ, Environmental Protection Agency (EPA), California Air Resources Board (CARB), and Daimler — as well as its US subsidiary Mercedes-Benz USA — will wipe the slate clean when it comes to allegations of violating the US Clean Air Act.
    Under the terms of the settlement, set in the US District Court for the District of Columbia, Daimler will agree to pay $945 million in penalties, civil and otherwise. In addition, the automaker will recall and repair every Mercedes-Benz diesel vehicle sold in the US with a defeat device, the gadget at the heart of the emissions scandal. 
    The emissions scandal involving Volkswagen and Daimler came to light back in 2016. So-called “clean diesel” engines were developed to enable the sale of vehicles in the United States, but engineers realized the engines were pumping out more nitrogen oxide (NOx) than legally allowed.
    Defeat devices were developed to ensure tests in laboratories would show that clean diesel vehicles conformed to US laws, but in real-world situations, NOx levels were far higher. 
    The discrepancy and defeat devices were discovered by the US Environmental Protection Agency (EPA) and the California Air Resources Board (CARB), leading to the complaint. Volkswagen was previously ordered to pay up to $14.7 billion to resolve Clean Air Act violation charges. 
    The DoJ says that Daimler must recall and repair vehicles sold in the US between 2009 and 2016. At no cost to customers, the company will remove defeat devices and update vehicle software to bring cars in line with US environmental laws. 
    In addition, the Stuttgart, Germany-based company must extend warranties for updated software and hardware in the repaired vehicles, and launch “projects” to further reduce NOx emissions from these vehicles.
    These projects are expected to cost Daimler roughly $436 million, while another $110 million has been earmarked for mitigation projects in California alone. The settlement is worth approximately $1.5 billion in total. 
    A deadline has been set for repairs, too. Daimler is not being allowed to drag its feet, with the imposition of a two-year period to repair at least 85% of cars, and a three-year timeline has been set to patch up at least 85% of affected vans. Repaired vehicles must be tested once a year for the next five years to ensure they meet environmental standards.
    If Daimler does not meet these targets, the DoJ warns that the automaker “will face stiff penalties.” 
    Furthermore, the automaker is required to implement new internal procedures, including testing both diesel and gas engines properly in real-world conditions, creating a whistleblower channel, and performing internal audits available for review by an external consultant. 
    “By requiring Daimler to pay a steep penalty, fix its vehicles free of charge, and offset the pollution they caused, today’s settlement again demonstrates our commitment to enforcing our nation’s environmental laws and protecting Americans from air pollution,” Deputy Attorney General Jeffrey Rosen commented.



    The idea of consent works its way back into Australia's data-sharing Bill

    The federal government is hoping to “modernise” and “streamline” its use of the data it holds as well as set guidelines on how it shares that data between agencies and with the private and research sectors.
    An exposure draft of the Data Availability and Transparency Bill 2020 was published this week, with Minister for Government Services Stuart Robert delivering the message that the data reforms presented in the draft Bill are an opportunity to establish a new framework that is able to proactively assist in designing better services and policies.
    “The reforms encourage our academics and the research community to innovate and find new insights from public sector data without having to go through stifling and vague bureaucratic processes when working with data custodians,” the draft Bill’s consultation paper [PDF] says.
    The government initially announced its intentions to introduce the Data Availability and Transparency Act (DATA) in May 2018 when it stood up the Office of the National Data Commissioner (NDC) to draft the legislation in response to the 2016 Productivity Commission Data Availability and Use report.
    The government in 2018 also pledged AU$65 million to “reform” the Australian data system, with the National Data Advisory Council then being established the following year to provide advice to the NDC on ethical data use, community expectations, technical best practice, and industry and international developments.
    The new Bill, in a nutshell, creates a scheme of controlled access to public sector data.
    “When data is shared, access is granted to users in a controlled manner, for example, under memoranda of understanding or through contracts. Currently, sharing is done in an ad hoc manner, with users potentially having to establish their credentials every time they interact with the system,” the paper continues.
    “Sharing is subject to legislative protections and the individual agencies’ interpretations of them. Often interpretations are not revisited as technology evolves and community expectations around reasonable use and reuse of data change.
    “This sharing space is ripe for reform. Modernising the safeguards and regulating the sharing space can enable Australians to benefit from better services, policies, programs, and research.”
    The Bill aims to promote better availability of public sector data, enable consistent safeguards for sharing it, enhance integrity and transparency in sharing it, build confidence in its use, and establish institutional arrangements for sharing it.
    According to the paper, the Bill would provide an alternative pathway to share data where it is currently prevented by secrecy provisions or where it simplifies existing pathways.
    “The Bill will authorise sharing of public sector data by data custodians with an accredited user, only for the permitted data sharing purposes and only if effective safeguards are in place,” the paper adds.
    Under the proposed legislation, data would only be shared for three purposes: Government services delivery, informing government policy and programs, and research and development.
    The Bill does not authorise sharing for precluded purposes, including law enforcement or national security purposes. It also excludes the sharing of operational data and evidence before courts, tribunals, and certain agencies with oversight or integrity functions.
    It also stipulates that the five data sharing principles would need to be applied for each data sharing project. The data sharing principles are based on the Five Safes Framework that already guides several agencies on how to safely share data; that is, data is shared only for appropriate projects, only with appropriate people, and in an appropriately controlled environment. In addition, only the appropriate data is shared and outputs need to be as agreed and appropriate for future use.
    In a discussion paper in September 2019, the federal government tweaked what it proposed the year prior by removing a fundamental element of privacy — consent.
    It proposed that the Data Sharing and Release legislation not require consent for the sharing of personal information.
    “Instead, we are placing the responsibility on data custodians and accredited users to safely and respectfully share personal information where reasonably required for a legitimate objective,” the discussion paper said.
    The government’s position on consent has since become more nuanced, with the paper saying that any sharing of personal information is to be done with the consent of the individuals, unless it is unreasonable or impracticable to seek their consent.
    “For projects where data scheme entities do not seek consent, other safeguards outlined by the data sharing principles can be dialled up to protect privacy,” it added.
    The NDC is empowered under the Bill to provide advice, guidance, regulatory, and advocacy functions in order to oversee the scheme.
    “The Commissioner will promote better sharing and release of public sector data by driving cultural change and supporting capability building among data scheme entities,” the paper continues.
    The Commissioner would also accredit entities to “build trust in the system, and standardise and streamline existing processes”.
    “Now more than ever, it is clear that we need to get better at using the information we already collect, instead of asking the same questions again and again,” Robert said.
    “For too long, there has been a lack of a consistent and clear framework for making good use of data. We need to make sure the information the government collects and holds can be accessed in a safe and timely way to respond to the needs of Australians.”
    Submissions on the exposure draft close 6 November 2020.