More stories

  • ReVoLTE attack can decrypt 4G (LTE) calls to eavesdrop on conversations

    Image: Rupprecht et al.

    A team of academics has detailed this week a vulnerability in the Voice over LTE (VoLTE) protocol that can be used to break the encryption on 4G voice calls.
    Named ReVoLTE, researchers say this attack is possible because mobile operators often use the same encryption key to secure multiple 4G voice calls that take place via the same base station (mobile cell tower).
    Academics say they tested the attack in a real-world scenario and found that multiple mobile operators are impacted, and have worked with the GSM Association (GSMA), the organization that governs telephony standards, to have the issue resolved.
    What are LTE, VoLTE, and encrypted calls
    But to understand how the ReVoLTE attack works, ZDNet readers must first know how modern mobile communications work.
    Today, the latest version of mobile telephony standards is 4G, also commonly referred to as Long Term Evolution (LTE).
    Voice over LTE (VoLTE) is one of the many protocols that make up the larger LTE/4G mobile standard. As the name suggests, VoLTE handles voice communications on 4G networks.
    By default, the VoLTE standard supports encrypted calls. For each call, mobile operators must select an encryption key for a stream cipher to secure the call. Normally, the resulting keystream should be unique for each call.
    How the ReVoLTE attack works
    However, a team of academics from the Ruhr University in Bochum, Germany, has discovered that not all mobile operators follow the 4G standard to the letter of the law.
    Researchers say that while mobile operators do, indeed, support encrypted voice calls, many calls are encrypted with the same encryption key.
    In their research, academics said that the problem usually manifests at the base station (mobile cell tower) level, which, in most cases, reuses the same keystream or uses predictable algorithms to generate the encryption key for voice calls.
    In a real-world scenario, academics say that if an attacker can record a conversation between two 4G users using a vulnerable mobile tower, they can decrypt it at a later point.
    All an attacker has to do is place a call to one of the victims and record the conversation. The only catch is that the attacker has to place the call from the same vulnerable base station, in order to have its own call encrypted with the same/predictable encryption key.
    “The longer the attacker [talks] to the victim, the more content of the previous conversation he or she [is] able to decrypt,” David Rupprecht, one of the academics said.
    “For example, if attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.”
    The attacker can compare the two recorded conversations, determine the encryption key, and then recover the previous conversation. A demo of a typical ReVoLTE attack is available embedded below:
    [embedded content]
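The keystream-reuse problem the article describes, written out as an added example; this is not code from the ReVoLTE paper, the researchers or ZDNet. The hash-counter keystream generator stands in for the LTE EEA ciphers, which are assumed here only to be XOR-based keystream generators; the sample "calls", the key and the nonces are constructed. It shows why two calls encrypted under the same keystream let the attacker's own known call recover the victim's call, byte for byte up to the length of the known call, and why a fresh per-call nonce defeats the same procedure.

```python
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` keystream bytes in counter mode.

    This hash-based generator is a stand-in for the LTE EEA ciphers, which
    are likewise keystream generators: identical (key, nonce) inputs always
    produce an identical keystream, which is the property ReVoLTE abuses.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_with_known_plaintext(c_victim: bytes, c_known: bytes, p_known: bytes) -> bytes:
    """Known-plaintext recovery against a reused keystream.

    If both ciphertexts were produced with the same keystream, then
    c_known XOR p_known yields that keystream, and XORing it into the
    victim ciphertext yields the victim plaintext. Only as many bytes as
    the known plaintext provides can be recovered, which is why a
    five-minute attacker call decrypts five minutes of the earlier call.
    """
    recovered_keystream = xor(c_known, p_known)
    return xor(c_victim, recovered_keystream)


def demo() -> dict:
    """Run the recovery against a reused keystream and against a fresh one."""
    key = os.urandom(16)  # constructed: the per-connection cipher key

    # Constructed sample "calls"; the attacker knows the second one because
    # it is their own conversation with the victim.
    victim_call = b"Meet at the usual place at nine; bring the documents."
    attacker_call = b"Hello, is this the billing department? Hold on."

    # Vulnerable base station: same key and same nonce (bearer/COUNT reset)
    # for two consecutive calls, so the keystream is identical.
    reused_nonce = bytes(8)
    c_victim = encrypt(key, reused_nonce, victim_call)
    c_attacker = encrypt(key, reused_nonce, attacker_call)
    recovered = recover_with_known_plaintext(c_victim, c_attacker, attacker_call)

    # Compliant base station: a fresh nonce for every call, so the
    # keystreams differ and the same procedure yields only noise.
    c_victim_fresh = encrypt(key, os.urandom(8), victim_call)
    c_attacker_fresh = encrypt(key, os.urandom(8), attacker_call)
    noise = recover_with_known_plaintext(c_victim_fresh, c_attacker_fresh, attacker_call)

    return {
        "victim_call": victim_call,
        "attacker_call": attacker_call,
        "recovered": recovered,
        "noise": noise,
    }


if __name__ == "__main__":
    result = demo()
    print("reused keystream, recovered prefix:", result["recovered"])
    print("fresh keystream, recovered bytes:  ", result["noise"])
```

The recovered prefix is exactly as long as the attacker's known call, matching the "five minutes for five minutes" observation in the article; with a fresh nonce per call the same XOR produces random bytes, which is the property the GSMA fix restores.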
    Researchers say that the equipment to pull off a ReVoLTE attack costs around $7,000. While the price might seem steep, it is certainly in the price range of other 3G/4G mobile interception gear, usually employed by law enforcement or criminal gangs.
    Issue reported to the GSMA, patches deployed
    The research team said it conducted thorough research on how widespread the problem was in real-world deployments of 4G mobile cell towers.
    Researchers analyzed a random selection of base stations across Germany and said they found that 80% were using the same encryption key or a predictable one, exposing users to ReVoLTE attacks.
    Academics said they reported the issues to both German mobile operators and the GSMA body back in December 2019, and that the GSMA issued updates for the 4G protocol implementation to address and prevent ReVoLTE attacks.
    “We then tested several random radio cells all over Germany and haven’t detected any problems since then,” Rupprecht said today.
    App available for mobile telcos
    But researchers say that while German mobile operators appear to have fixed the issue, other telcos across the world are most likely vulnerable.
    That is why the research team released today an Android app that mobile operators can use to test their 4G networks and base stations and see if they are vulnerable to ReVoLTE attacks. The app has been open-sourced on GitHub.
    Details about the ReVoLTE attack are available on a dedicated website the research team published today after presenting their work at the USENIX 29 security conference. A video of the ReVoLTE presentation the research team gave at USENIX is available on this page.
    A scientific paper detailing the ReVoLTE attack is also available for download as PDF from here and here. The paper is titled “Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE.”
    The research team behind the ReVoLTE attack is the same team who earlier this year discovered the IMP4GT attack on the 4G protocol, a vulnerability that allowed 4G users to impersonate other subscribers and sign up for paid services at another user’s expense.
    Today’s ReVoLTE disclosure is the latest in a long list of vulnerabilities identified in the 4G/LTE protocol over the past years. Previous findings were also published in March 2019, February 2019, July 2018, June 2018, March 2018, June 2017, July 2016, and October 2015.

  • NHS hit with wave of scam emails at height of COVID-19 pandemic

    NHS staff were hit with a wave of malicious email attacks at the height of the COVID-19 pandemic, with doctors, nurses and other key workers reporting over 40,000 spam and phishing attacks between March and the first half of July.
    Data from NHS Digital obtained through a Freedom of Information request sent by UK think tank, Parliament Street, revealed that NHS staff reported 21,188 malicious emails in March alone. In April, 8,085 emails were reported by staff, with 5,883 emails reported in May, 6,468 in June and 1,484 in the first half of July.

    The data only includes emails that were reported to spamreports@nhs.net – the official NHSmail reporting address – meaning the actual number of attempted email attacks on the NHS is likely to be higher.
    Neil Bennett, Chief Information Security Officer at NHS Digital, said the increase in reporting showed that NHS staff were “taking seriously their responsibilities to keep information safe.”
    Bennett said: “This is an unprecedented time for the NHS, including the cyber security and IT teams who are continuing to work hard in all NHS organisations to keep patient data and systems secure to support the delivery of safe patient care. 
     “As part of NHS Digital’s cyber security operations, we collaborate with all areas of the system to ensure they are aware of potential threats. This includes highlighting the need for staff to report suspicious emails by raising awareness through our Keep I.T. Confidential campaign.”
    The global pandemic has brought with it a sharp increase in the number of coronavirus-related cyber-attacks from criminals looking to exploit the widespread confusion and uncertainty the pandemic has created.
    Both the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned that under-pressure services involved in the response to coronavirus have been targeted.
    In June, NHS Digital reported that more than 113 NHSmail mailboxes had been compromised and used to send malicious emails to external recipients.
    St Helens and Knowsley Hospitals NHS Trust issued a warning to staff about scammers who were impersonating employees and sending emails to HR and payroll departments, asking them to change the bank accounts their salaries were paid into.
    The hospital warned of additional phishing attacks that invited employees to click on malicious links to verify their details and ensure they received their paycheck.
    Jake Moore, cybersecurity specialist at ESET, warned that the NHS faced a second wave of attacks once information around potential vaccines for COVID-19 started to surface, with the current work-from-home scenario making the situation particularly problematic.
    “Many people are still working from home in the NHS, and must remain vigilant to the constant threats,” Moore added.
    “As phishing emails continue to be the most prominent vehicle to infiltrate or disrupt systems, I would urge staff to verify every email they receive.”
    Bennett said that NHS Digital had published additional advice and guidance for NHS staff around cybersecurity best practice while working remotely.


  • APAC consumers believe onus on businesses, governments to safeguard their data

    Almost 70% of consumers in Asia-Pacific will give up their privacy for better user experience, but just 25% feel it is their duty to safeguard their own data, with the rest pushing this responsibility to governments and businesses. China’s consumers appear most willing to forgo their privacy for richer experiences, while their counterparts in Japan are least likely to do likewise. 
    Across the region, just 4% refrained from using an app after a security breach. However, trust in an organisation’s ability to safeguard their data had dipped from a previous 2018 report, with social media platforms seeing the biggest drop of 19%, revealed a survey by F5 Networks. Conducted from March to April this year, the Curve of Convenience 2020 report polled 4,100 respondents from eight Asia-Pacific markets, including Singapore, India, Indonesia, Australia, and Taiwan. 
    The report noted that a majority of consumers in the region pushed the responsibility of protecting their data to others, with 43% believing businesses should assume this role while 32% pointed to their governments. 

    In addition, 27% were unaware of security breaches including incidents that involved government agencies and popular apps. 
    This would be cause for worry, especially in China where 82% would give up their privacy in exchange for better user experience, as would 79% in India as well as in Indonesia. In comparison, 43% in Japan were willing to do the same, alongside 50% in Australia and 58% in Singapore.
    Across the region, however, a whopping 96% would opt for convenience and seamless app user experience over security. Such behaviours, alongside a belief that businesses and governments should assume responsibility for consumers’ data protection, indicated a need for these organisations to beef up their security infrastructures as well as tighten regulations and compliance policies, according to the F5 report. 
    However, the lack of breach awareness amongst consumers also underscored the need for these users to be more involved and vigilant when sharing their personal data, and to demand more transparency with regard to the use of their data.
    F5’s Asia-Pacific senior vice president Adam Judd said: “As the pandemic redefines our lives, and businesses step up their digital transformation efforts, consumers are demanding more from the applications that they use to work, play, and connect. To truly integrate convenience and security, businesses should proactively involve consumers across the development of the applications, not only at the end. 
    “This is especially the case in an age where both application consumption and security vulnerabilities are multiplying by the day,” Judd said. “Partnering with consumers means that the industry can thrive, and businesses, together with their digital partners, can create better solutions that deliver seamless yet secure experiences, any time, all the time. Ultimately, showing users what’s at stake will help them feel that they should be invested in their own protection.” 
    F5 further urged businesses and governments to educate and work alongside consumers, so the latter were aware of the consequences when they chose to trade their data or privacy in exchange for more seamless user experience.

  • Cybersecurity: These two basic flaws make it easy for hackers to break into your systems

    Hackers can gain access to the internal networks of corporations by exploiting just two security failings, in as little as 30 minutes.
    Ethical hackers and cybersecurity researchers at Positive Technologies perform penetration testing against organisations in a wide variety of sectors, but find common security vulnerabilities across all industries. The findings have been detailed in a new report, Penetration Testing of Corporate Information Systems.
    The report, based on anonymised data from real organisations which have had their networks tested, said that for 71 percent of companies, there’s at least one obvious weakness which could provide malicious outsiders with entry into the network.
    One of the most common security issues is weak passwords, allowing hackers to gain access to accounts by using brute force attacks. Cracking the password of one account shouldn’t be enough to gain full access to an internal network, but in many cases, it just takes this and the ability to exploit known vulnerabilities to gain further access to systems.
    “The problem lies in the low levels of protection even for large organizations. Attack vectors are based primarily on exploiting known security flaws. This means that companies do not follow basic information security rules,” Ekaterina Kilyusheva, head of information security analytics at Positive Technologies told ZDNet.
    In addition to weak passwords, over two thirds of organisations are using vulnerable versions of software which hasn’t received the required security updates, leaving it open to being exploited.
    “An attacker can quickly gain access to an internal network if a web application contains a known vulnerability for which a public exploit exists,” Kilyusheva explains.
    For example, in one instance, ethical hackers were able to use a brute force attack to access a remote desktop application – something which has become more commonly used due to the increase in working from home in 2020.
    The user didn’t have access to many applications, but by opening a mapping application, the security testers were able to gain access to the Windows Explorer processes and command lines, allowing the ability to execute commands on the operating system and gain more access.
    In a third of penetration exercises, researchers were able to gain access to the internals of the corporate network by combining brute forcing with software vulnerabilities. Such attacks could be protected against by ensuring the use of strong passwords and by applying security patches to the applications in use, so they can’t be exploited.
    In these examples, the networks were being accessed by ethical hackers as part of security testing, but cyber criminals are looking to exploit these vulnerabilities – and could use them to gain access to vast swathes of corporate networks.
    The average time it took ethical hackers to get to the internal network was four days, but in one case it was possible in just thirty minutes.
    “An attacker can develop an attack on critical business systems, for example, financial systems, gain access to computers of top managers, or conduct an attack on a company’s customers or partners. In addition, hackers can sell the obtained access on the darknet to other criminals to conduct attacks – for example, ransomware,” said Kilyusheva.
    However, by following some common security procedures, such as not using weak passwords, applying multi-factor authentication and ensuring the network is patched with software updates, it’s possible for organisations to protect themselves against many forms of attempted cyber attack.

  • Google to Microsoft: Nice Windows 10 patch – but it's incomplete

    Google Project Zero (GPZ) is refusing to give Microsoft further extensions on disclosing a Windows 10 authentication bug because it says a patch Microsoft delivered in the August 2020 Patch Tuesday update is incomplete.
    One of the 120 security bugs Microsoft released patches for on Tuesday was CVE-2020-1509, which was reported to Microsoft on May 5 by GPZ Windows researcher James Forshaw.  


    The bug allows a remote attacker who’s already gained credentials for a Windows account on a network to elevate privileges after sending a specially crafted authentication request to the Windows Local Security Authority Subsystem Service (LSASS).  
    While the bug is only rated as medium severity by Google and ‘important’ by Microsoft, LSASS is a key process for authenticating users when they log on to a Windows PC managed via Active Directory. 
    LSASS has been targeted by advanced hackers who use it to dump credentials from memory to move laterally on a network. The bug affects all supported versions of Windows 10 through to the latest release, version 2004.  
    Google’s refusal to extend the disclosure deadline in this case appears to be more a formality, given it had already published details and a proof of concept under the belief that Microsoft’s patch was complete. 
    Forshaw listed the bug as ‘fixed’ on Tuesday but then added to the report a few hours later to say “after review it seems that this hasn’t been completely fixed”.
    GPZ’s 2020 disclosure policy states: “Details of incomplete fixes will be reported to the vendor and added to the existing report (which may already be public) and will not receive a new deadline.”
    According to Forshaw, LSASS doesn’t properly enforce the ‘Enterprise Authentication capability’. This allows any UWP app – whether it’s from the Microsoft Store or a custom enterprise app – that’s wrapped in the Windows AppContainer sandbox to perform network authentication with the user’s credentials via single sign-on. 
    Microsoft’s documentation of the feature suggests there is an exception to the rule to support organizations that need to install line of business (LOB) applications if they authenticate to a network proxy. But there’s a problem with this exception, according to Forshaw.
    “If the target is a proxy then the authentication process is allowed, even if the [Enterprise Authentication capability] is not specified. The issue is, even if LsapIsTargetProxy returns false, the authentication is still allowed to proceed but an additional flag is set to indicate this state. I couldn’t find any code which checked this flag, although it’s a bit unclear as it comes from a TLS block so tracking down usage is awkward,” explained Forshaw. 
    “What this means is that an AppContainer can perform Network Authentication as long as it specifies a valid target name to InitializeSecurityContext, it doesn’t matter if the network address is a registered proxy or not. This is probably not by design, but then this behavior only warrants a few throw-away comments with no in-depth detail on how it’s supposed to behave, maybe it is by design.”
    Since an attacker can specify any target name they could “authenticate to a network-facing resource as long as the application has network access capabilities which aren’t really restricted”.
    “Also, as you can specify any target name, and you’re doing the actual authentication, then server protections such as SPN checking and SMB Signing are moot,” added Forshaw. 
    Google extended the disclosure deadline for this bug at the end of July, presumably to give Microsoft time to release a complete patch in its August update.

  • Adobe tackles critical code execution vulnerabilities in Acrobat, Reader

    Adobe’s latest security update has tackled a set of critical and important bugs in Acrobat and Reader.

    On Tuesday, the company issued its standard monthly round of fixes, the majority of which relate to the popular PDF viewing and editing software. 
    In total, 26 vulnerabilities have been resolved, 11 of which are deemed critical and could lead to remote code execution. 
    The patches have been created for Acrobat DC, Acrobat Reader DC, Acrobat and Classic 2020, Acrobat Reader 2020, Acrobat/Reader 2017, and Acrobat/Reader 2015 on Windows and macOS machines. 
    Two critical vulnerabilities (CVE-2020-9693, CVE-2020-9694) are out-of-bounds write security flaws that lead to arbitrary code execution if exploited. Two further critical bugs (CVE-2020-9696, CVE-2020-9712) are security bypass problems that can be exploited to circumvent existing security controls. 
    Arbitrary code vulnerabilities account for seven of the critical vulnerabilities resolved in the Acrobat and Reader update. The first five (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, and CVE-2020-9704) are buffer issues, whereas the remaining two (CVE-2020-9715, CVE-2020-9722) are use-after-free flaws that can also lead to arbitrary code execution in the context of the current user. 
    The important vulnerabilities include sensitive data exposure, security bypass, stack exhaustion, and out-of-bounds read problems. Adobe says that if exploited, these issues could result in memory leaks, information disclosure and application denial-of-service.
    In addition to the main security update, the tech giant also fixed a single vulnerability in Lightroom Classic, versions 9.2.0.10 and earlier, on Windows machines. Tracked as CVE-2020-9724, the insecure library loading issue could be abused for privilege escalation purposes. 
    It is recommended that users accept automatic updates to apply the new set of patches. 
    Adobe thanked researchers from Fortinet’s FortiGuard Labs, Qihoo 360, Offensive Security and iDefense Labs, and Palo Alto Networks, among others. 
    In July, Adobe released an out-of-band patch to resolve 13 vulnerabilities — 12 of which were deemed critical — impacting Photoshop, Prelude, and Bridge. The fixes relate to out-of-bounds read and write issues leading to arbitrary code execution attacks.
    Over Patch Tuesday, Microsoft released a massive security update tackling 120 vulnerabilities. In total, 17 vulnerabilities are considered critical, and two are considered zero-day vulnerabilities that are being actively exploited in the wild.  

  • Ransomware: Why one city chose to pay the ransom after falling victim

    A US city has explained why it gave into the demands of cyber criminals and paid a ransom demand of $45,000 following a ransomware attack.
    Lafayette, Colorado fell victim to ransomware on July 27, which encrypted the city’s computer networks and caused disruptions to phone services, email and online-payment and reservation systems.


    It’s thought that the ransomware – which hasn’t been identified – entered the city’s network via a phishing or brute force attack and wasn’t part of a targeted campaign, but rather one that just set out to exploit vulnerable systems.
    After examining the incident, the city of Lafayette opted to pay the cyber criminals the ransom they demanded, perceiving it to be the quickest and most cost-effective way to restore municipal services to residents, rather than attempting to rebuild services from scratch.
    “I can tell you that using taxpayer funds to pay a ransom was definitely not the direction the city wanted to take. We attempted to pursue any possible avenue to avoid paying the ransom,” Lafayette Mayor Jamie Harkins said in a video statement.
    “After a thorough examination of the situation and cost scenarios, and considering the potential for lengthy, inconvenient service outages for residents, we determined that obtaining the decryption tool far outweighed the cost and time to rebuild data and systems,” she explained.
    As a result, the decision was taken to pay a ransom of $45,000 to cyber criminals to retrieve the ransomware decryption key and the city is restoring the encrypted data in an effort to return services to normal – although at the time of writing, many services still remain unavailable. 
    “Our city encountered something that unfortunately an increasing number of agencies are dealing with. We have struggled to manage the impacts but are now on a path forward due to quick response and the help of regional partners,” said Harkins.
    In order to avoid falling victim to additional ransomware attacks in future, the city says it’s installing new backups, deploying additional cybersecurity across the network and will take regular vulnerability assessments to help prevent additional cyber threats.
    Cities are a common victim of ransomware attacks because budget constraints often mean they don’t have the fully up-to-date cybersecurity protocols required to keep ransomware and other malware from entering the network.
    And while the authorities warn that victims of ransomware attacks should never pay the ransom, many victims don’t feel as if they have any other choice – especially those like cities that need services up and running as soon as possible in order to meet the needs of citizens.
    The city of Lafayette could be considered fortunate because the ransom demand was ‘only’ $45,000 – other cities across the US have paid hundreds of thousands of dollars to criminals in exchange for returning the network.
    However, paying ransomware gangs isn’t a guarantee that the network will be restored because it isn’t unknown for them to take the money and run or to provide faulty decryption keys.
    Cities and other organisations can go a long way to avoiding falling victim to ransomware attacks in the first place by following a handful of basic cybersecurity hygiene protocols.
    Ensuring that security patches are applied as soon as possible helps prevent cyber attackers from using known vulnerabilities to gain a foothold inside systems in the first place, while organisations should also apply multi-factor authentication across the network, because that can prevent hackers gaining control of accounts, systems and servers.

  • Seek apologises for 'internal technical issue' that exposed user details

    Job search engine Seek has confirmed that it suffered an “internal technical issue” on Monday, which exposed other candidates’ details to users logged into their Seek Profiles, but said it does not view the incident as a notifiable data breach and will not be reporting it to the Office of the Australian Information Commissioner (OAIC).
    “We identified an internal technical issue that occurred during a 23-minute period on Monday 10 August 2020,” the company told ZDNet.  
    “During that time period, due to a cache error, incorrect information such as career history and education was able to be viewed across profiles logged in at that time.”
    The data breach was highlighted in a Reddit thread when one user posted how they could view other users’ profiles while logged into their own account. 
    Seek, however, assured that no names, contact details, or resumes of candidates in Seek profiles were impacted.
    The error impacted fewer than 2,000 Seek profiles, the company said, adding 206 job applications that were being submitted during the period were also affected.
    “This involved incorrect details relating to the most recent role a candidate held being included within their job application. Again, this did not include information from the name, contact details or email address fields, nor did it impact any resumes sent as part of job applications,” Seek said.
    Seek said the “technical issue” was identified and corrected quickly, and all affected candidates and hirers have since been contacted.
    “We sincerely apologise for any inconvenience caused,” the company stated.
    Given that a “very limited” amount of information from candidate profiles was exposed, the job search engine said it will not be reporting the incident to the OAIC.
    “Given that this incident involved a very limited amount of information from candidate profiles being inadvertently shown to other candidates, who happened to be logged into the website during the brief period of time during which this occurred, the incident is not a notifiable data breach and therefore one that did not require reporting to the OAIC,” Seek told ZDNet. 
    “Notwithstanding this, Seek takes our candidates’ privacy seriously and has contacted all candidates affected by this incident as well as conducted significant due diligence to determine the cause and impact as well as remedial/preventive steps to be taken.”
    Under the Notifiable Data Breaches scheme, agencies and organisations in Australia that are covered by the Privacy Act are required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm” as soon as practicable after becoming aware of a breach.
    Last month, the OAIC revealed the number of reported data breaches in Australia for the 2019-20 financial year totalled 1,050.
    For the six months spanning January to June 2020, 518 breaches were notified under the Notifiable Data Breaches (NDB) scheme, down 3% from the 532 reported in July to December 2019.
    Human error was the cause of 176 breaches from January through June, with personal information sent to the wrong recipient via email accounting for 68 of those cases. In two cases, a fax with personal information was sent to the wrong recipient.
    There was a loss of paperwork or storage device on 14 of the reported occasions.