More stories


    China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI

    The Chinese government is currently using the Great Firewall censorship tool to block certain types of encrypted HTTPS connections.
    The block has been in place for more than a week, according to a joint report authored by three organizations tracking Chinese censorship — iYouPort, the University of Maryland, and the Great Firewall Report.
    ZDNet also confirmed the report’s findings with two additional sources — namely members of a US telecommunications provider and an internet exchange point (IXP) — using instructions provided in a mailing list.
    Neither of the two sources wanted their identities and employers named due to China’s known habit of direct or indirect reprisals against entities highlighting its internet censorship practices.
    China now blocking HTTPS+TLS1.3+ESNI
    Per the report, China’s Great Firewall (GFW) is now blocking HTTPS connections set up via the new TLS 1.3 encryption protocol and which use ESNI (Encrypted Server Name Indication).
    The reason for the ban is obvious to experts.
    HTTPS connections negotiated via TLS 1.3 and ESNI prevent third-party observers from detecting what website a user is attempting to access. This effectively blinds the Chinese government’s Great Firewall surveillance tool from seeing what users are doing online.
    There is a myth surrounding HTTPS connections that network observers (such as internet service providers) cannot see what users are doing. This is technically incorrect.
    While HTTPS connections are encrypted and prevent network observers from reading the contents of an HTTPS connection, there is a short period before the HTTPS connection is established when third parties can detect which server the user is connecting to.
    This is done by looking at the HTTPS connection’s SNI (Server Name Indication) field.
    In HTTPS connections negotiated via older versions of the TLS protocol (such as TLS 1.1 and TLS 1.2), the SNI field is visible in plaintext.
    In TLS 1.3, a protocol version launched in 2018, the SNI field can be hidden and encrypted via ESNI.
    As the TLS 1.3 protocol is seeing broader adoption today, ESNI usage is increasing as well, and more HTTPS connections are now harder to track for online censorship tools like the GFW.
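The window described above can be seen directly in the handshake bytes. The following is an added example, not code from the article or the report: a small Python parser over a constructed TLS ClientHello that extracts exactly what an on-path observer can read, namely the plaintext SNI, whether TLS 1.3 is offered, and whether an ESNI extension is present (its payload is ciphertext, so no name is recovered from it). The extension code points are the real ones; the record builder, the ESNI blob stand-in and the hostnames are constructed for the demo.

```python
import struct

SNI_EXT = 0x0000                 # server_name
SUPPORTED_VERSIONS_EXT = 0x002B  # supported_versions (TLS 1.3 is advertised as 0x0304)
ESNI_EXT = 0xFFCE                # encrypted_server_name (draft-ietf-tls-esni code point)


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record):
    """Return {'sni', 'esni', 'tls13'} for a TLS record carrying a ClientHello.

    Only the plaintext fields an on-path observer can read are parsed; the ESNI
    payload is ciphertext, so its presence is reported but no name is recovered.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    off = 4 + 2 + 32                # handshake header, legacy_version, random
    off += 1 + body[off]            # legacy_session_id
    off += 2 + _u16(body, off)      # cipher_suites
    off += 1 + body[off]            # legacy_compression_methods
    info = {"sni": None, "esni": False, "tls13": False}
    if off + 2 > len(body):
        return info                 # no extensions block at all
    ext_end = off + 2 + _u16(body, off)
    off += 2
    while off + 4 <= ext_end:
        etype, elen = _u16(body, off), _u16(body, off + 2)
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == SNI_EXT:
            p = 2                   # skip ServerNameList length
            while p + 3 <= len(data):
                ntype, nlen = data[p], _u16(data, p + 1)
                if ntype == 0:      # host_name entry, sent in the clear
                    info["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == ESNI_EXT:
            info["esni"] = True     # present, but the real name is encrypted
        elif etype == SUPPORTED_VERSIONS_EXT:
            versions = [_u16(data, i) for i in range(1, 1 + data[0], 2)]
            info["tls13"] = 0x0304 in versions
    return info


def matches_reported_block_rule(info):
    """The criterion the report attributes to the GFW: TLS 1.3 offered and ESNI present."""
    return info["tls13"] and info["esni"]


def build_client_hello(sni=None, esni_blob=None, tls13=True):
    """Construct a minimal ClientHello record for the demo (constructed input, not a real client)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    if tls13:
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 3) + b"\x02\x03\x04"
    if esni_blob is not None:       # opaque ciphertext stand-in
        exts += struct.pack("!HH", ESNI_EXT, len(esni_blob)) + esni_blob
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # legacy_version, random, empty session id
             + b"\x00\x02\x13\x01"                # cipher_suites: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                        # compression_methods: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = [("TLS 1.2-style, plaintext SNI", build_client_hello("example.com", tls13=False)),
               ("TLS 1.3 + ESNI", build_client_hello("cover.example", b"\x00" * 32))]
    for label, rec in samples:
        info = parse_client_hello(rec)
        print(label, info, "matches reported rule:", matches_reported_block_rule(info))
```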

    Image: Qualys SSL Labs (via SixGen)
    According to iYouPort, the University of Maryland, and the Great Firewall Report, the Chinese government is currently dropping all HTTPS connections where TLS 1.3 and ESNI are used and temporarily blocking the IP addresses involved in the connection for between two and three minutes — depending on the location of the Great Firewall where the “unwanted” connection settings are detected.
    Some circumvention methods exist… for now
    Luckily for app makers and website operators catering to Chinese audiences, the three organizations said they found six circumvention methods that can be applied client-side (inside apps and software) and four that can be applied server-side (on servers and app backends) to bypass the Great Firewall’s current block.
    “Unfortunately, these specific strategies may not be a long-term solution: as the cat and mouse game progresses, the Great Firewall will likely continue to improve its censorship capabilities,” the three organizations wrote in their joint report.


    DEF CON: New tool brings back 'domain fronting' as 'domain hiding'

    Image: Erik Hunstad

    At the DEF CON 28 security conference this week, a security researcher has released a new tool that can help the makers of sensitive applications evade censorship and bypass firewalls to keep services up inside problematic areas of the globe.
    The new tool, named Noctilucent, was developed by Erik Hunstad, Chief Technical Officer at cyber-security firm SixGen.
    According to Hunstad, Noctilucent fills a gap left by cloud providers like Amazon and Google blocking “domain fronting” on their infrastructure.
    Hunstad said he used the new TLS 1.3 protocol to revive domain fronting (sort of) as an anti-censorship technique, but in a new form the researcher calls “domain hiding.”
    What is domain fronting
    Domain fronting is a technique that was popularized by mobile app developers in the 2010s and has been used to allow apps to bypass censorship attempts in oppressive countries.
    The domain fronting technique allows clients (apps) to connect to a “front” domain, which then forwards the connection to the app maker’s real infrastructure.
    Countries that want to block an app protected by domain fronting only see the front domain, due to a technicality in how HTTPS connections are negotiated. See the Wikipedia explanation below:
    “In a domain-fronted HTTPS request, one domain appears on the “outside” of an HTTPS request in plain text, in the DNS request and SNI extension, which will be what the client wants to pretend they are targeting in the connection establishment and is the one that is visible to censors, while a different domain appears on the “inside”, in the HTTP Host header, invisible to the censor under HTTPS encryption, which would be the actual target of the connection.”
    If a country blocks the front domain, an app’s operators only have to rotate to a new front domain, while keeping their actual and larger infrastructure in the same place — without having to migrate thousands of servers.

    Image: Erik Hunstad
    Domain fronting still works today, but there are very few hosting providers that allow it. Most companies fear that they might have their entire infrastructure blocked inside a country wanting to block one or more applications.
    While some providers still support it, domain fronting died in the spring of 2018, when Amazon and Google dropped support for the technique, under threats from the Russian government, which at the time wanted to block access to the Telegram app at any cost.
    Telegram found other ways to hide from Russian internet censors, and the Russian government eventually rescinded the ban; however, domain fronting was never restored on AWS and Google Cloud — effectively ending its broad use.
    What is domain hiding
    But since 2018, new technologies have had a chance to grow. TLS 1.3, which had been a stable protocol for only a few weeks when domain fronting was blocked, is now widely used across the internet.
    Hunstad says that under certain and easy-to-recreate conditions, apps can revive domain fronting with the help of newer technologies, and create new types of “front” domains that keep internet censors and firewalls blind to the true destination of a network connection.
    “This new technique, which I’m calling domain hiding, accomplishes the same goals as domain fronting, but uses different technologies,” Hunstad said in his DEF CON talk.
    The technique is not entirely identical to domain fronting, but is actually more clever, because it also tricks firewalls and other network monitoring technologies into thinking the user is accessing a website other than the one the app or user is actually accessing.
    For example, in a “domain hiding” connection, an app might appear to be initiating an HTTPS connection to firefox.com, but behind the scenes it is actually connecting to desired-site.com.
    This is possible because the client (app) displays incorrect information in the HTTPS connection’s plaintext fields, while the connection’s encrypted fields contain different information, and that is what the servers honor.
    TLS Host: firefox.com (plaintext/visible)
    SNI: firefox.com (plaintext/visible)
    HTTP Host header: desired-site.com (encrypted/not visible)
    ESNI: desired-site.com (encrypted/not visible)

    Image: Erik Hunstad
    Hunstad’s new Noctilucent tool, open-sourced on GitHub this week, automates the process of hiding domains with the researcher’s new technique.
    The tool was built to use Cloudflare as a host for “front” domains.
    To use Noctilucent, Hunstad says apps have to support TLS 1.3 when initiating HTTPS connections, and also have to have their domain DNS records managed via Cloudflare (as the true domain is hidden among other Cloudflare-hosted domains).
    Hunstad says domain hiding has advantages when compared to domain fronting. The biggest is that apps don’t have to host all their infrastructure on the same provider as they had to do with the older domain fronting technique.
    Domain hiding allows apps to host their domain DNS records on Cloudflare but run their actual servers anywhere, with any hosting provider they want.
    However, just like most tools, Noctilucent has its good and bad sides. While the tool can help apps set up a new form of domain fronting and avoid censorship, it can also be useful for hiding malware command-and-control servers, something incident responders should take note of for future investigations.
    Additional technical details are available in Noctilucent’s GitHub repo and Hunstad’s DEF CON talk.


    TikTok exploring 'all remedies' to safeguard 'rule of law' in US ban

    TikTok has condemned the Trump administration’s executive order to ban the popular Chinese social media app, pledging to explore all possible actions to ensure “the rule of law is not discarded”. It describes the US move as one that lacked due process and was based on unsubstantiated information.
    Expressing “shock” over the executive order, TikTok said in a statement Friday it had reached out to the US government for almost a year in efforts to resolve concerns it had over data security. “What we encountered instead was that the administration paid no attention to facts, dictated terms of an agreement without going through standard legal processes, and tried to insert itself into negotiations between private businesses,” it said.

    US President Donald Trump this week signed two executive orders barring any US transaction with TikTok, its parent company ByteDance, and its subsidiaries, as well as with popular Chinese messaging app WeChat and its parent company Tencent. The orders would take effect in 44 days. TikTok has hit more than 175 million downloads in the US, and 800 million worldwide, while WeChat has more than 1.2 billion monthly active users across the globe.
    Trump had alleged that apps developed in China threatened his country’s national security, foreign policy, and economy. “TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories,” the order noted. “This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information, potentially allowing China to track the locations of federal employees and contractors, build dossiers of personal information for blackmail, and conduct espionage.”
    In its statement, TikTok noted that it had been willing to work with the relevant officials to identify a solution that could benefit its users and partners, amongst others, as well as the broader US community. However, there had been no due process or adherence to the law on the part of the US government. 
    Instead, the administration had relied on unnamed reports that carried no citations and played up fears, which had “no substantiation”, that the app might be used for misinformation campaigns.
    The US also had cited concerns about the collection of data that was “industry standard” for thousands of mobile apps available in the market today, the app maker said.
    “We have made clear that TikTok has never shared user data with the Chinese government or censored content at its request. In fact, we make our moderation guidelines and algorithm source code available in our transparency center, which is a level of accountability no peer company has committed to. We even expressed our willingness to pursue a full sale of the US business to an American company.” 
    It said Trump’s executive order risked undermining global businesses’ trust in the US government’s adherence to the rule of law and set a “dangerous precedent” for free expression and open markets. 
    “We will pursue all remedies available to us in order to ensure that the rule of law is not discarded and that our company and our users are treated fairly — if not by the administration, then by the US courts,” TikTok said.
    Adding that 100 million Americans used its platform, the company called on its users and partners to make their voices heard to their elected government representatives as well as the White House.
    Microsoft earlier confirmed it was in discussions with ByteDance to acquire TikTok’s operations in the US as well as Canada, Australia, and New Zealand, and was looking to complete its negotiations before September 15. Trump had suggested the US government should receive a “substantial” cut of the acquisition for “making it possible”.
    In an earlier statement this week, TikTok unveiled new measures it said aimed to stem misinformation and content designed to disrupt the US elections in November. These included updates to its policies for better clarity on what was and was not allowed on its platform and wider collaboration with fact-checking partners as well as the US Department of Homeland Security, such as on efforts to verify election-related information, in-app reporting of election misinformation, and safeguards against foreign interference.


    Hackers are defacing Reddit with pro-Trump messages

    Image: ZDNet
    A massive hack has hit Reddit today after tens of Reddit channels have been hacked and defaced to show messages in support of Donald Trump’s reelection campaign.
    The hacks are still ongoing at the time of writing, but we were told Reddit’s security team is aware of the issue and has already begun restoring defaced channels.
    A partial list of impacted channels (subreddits) is available below. This includes Reddit channels for the NFL, many TV shows, The Pirate Bay, Disneyland, Disney’s Avengers, several city channels, and more. Combined, the channels have tens of millions of subscribers.
    The Reddit security team said the hack took place after the intruder(s) took over subreddit moderator accounts. Several moderators have also come forward to admit that their accounts have been hacked and that they did not use two-factor authentication. Channel owners who are having problems have been asked to report problems in this Reddit ModSupport thread.
    An account on Twitter took credit for the hack. However, the account’s owners did not respond to a request for comment so that ZDNet could verify its claims. The account is now suspended.

    Image: ZDNet
    The Reddit hack also comes after Reddit banned r/The_Donald, a channel for Donald Trump supporters, in late June. Reddit said it took the decision to ban the channel for breaking its community rules after reports of harassment, bullying, and threats of violence.
    Today’s stunt is reminiscent of a similar one that took place at the end of June and the start of July, when more than 1,800 Roblox accounts were hacked and defaced with a similar pro-Trump reelection message.


    Bulgarian police arrest hacker Instakilla

    Image: Hacker’s website
    Bulgarian law enforcement arrested on Wednesday a local hacker going by the name of Instakilla on accusations of hacking, extorting companies, and selling hacked data online.
    Authorities raided two of the hacker’s residences in Plovdiv, a city in central Bulgaria, and confiscated several computers, smartphones, flash drives, and cryptocurrency, according to a press release from the Ministry of Interior.
    The hacker was identified as a young Bulgarian male. His name was not released to the public, and he is currently detained on a three-day arrest warrant.
    Prior to his arrest this week, the hacker had been a staple of the underground hacking scene. He has been active since 2017 but has only recently risen to notoriety.
    Although he was not directly involved in the hack of the Bulgarian National Revenue Agency (NRA) in the summer of 2019, Instakilla is one of the hackers who tracked down the database and later offered it for download on a popular hacking forum, helping the data spread across the hacker community.

    Image: ZDNet
    The hacker also ran a website where he offered hacker-for-hire services.
    Prior versions of this website were indexed by the Wayback Machine and included links to a Bulgarian individual’s Facebook account. The account, prior to being deleted, belonged to a young male from Plovdiv, when ZDNet reviewed the page last year during our NRA hack story.

    Image: ZDNet
    Earlier this year, the hacker also took credit for hacking the forum of Stalker, a Russian first-person shooter online game, from where he stole more than 1.2 million user records, which he later put up for sale on a hacking forum.
    On the same forum, the hacker also ran a so-called store, where he sold the data of multiple companies, including two Bulgarian entities — an unnamed local hosting provider and an unnamed email service.
    Most of the hacked entities were forums, and based on conversations ZDNet had with the hacker in May, Instakilla appears to have been an avid fan of using vBulletin exploits to target unpatched forums and pilfer their databases.

    Image: ZDNet


    Facebook open-sources one of Instagram's security tools

    Image: Facebook

    Facebook has formally launched today one of Instagram’s secret tools for finding and fixing bugs in the app’s vast Python codebase.
    Named Pysa, the tool is a so-called static analyzer. It works by scanning code in a “static” form, before the code is run or compiled, looking for known patterns that may indicate a bug, and then flagging potential issues to the developer.
    Facebook says the tool was developed internally, and, through constant refinement, Pysa has now reached maturity. For example, Facebook said that in the first half of 2020, Pysa detected 44% of all security bugs in Instagram’s server-side Python code.
    Developed for security teams
    Behind this success stands the work of the Facebook security team. Even though Pysa was based on the open-source code of the Pyre project, the tool has been built around the needs of a security team.
    While most static analyzers look for a wide range of bugs, Pysa was specifically developed to look for security-related issues. More particularly, Pysa tracks “flows of data through a program.”
    How data flows through a program’s code is very important. Most security exploits today take advantage of unfiltered or uncontrolled data flows.
    For example, a remote code execution (RCE), one of today’s worst types of bugs, when stripped down, is basically a user input that reaches unwanted portions of a codebase.
    Under the hood, Pysa aims to bring some insight into how data travels across codebases, and especially large codebases made up of hundreds of thousands or millions of lines of code.
    This concept isn’t new and is something that Facebook has already perfected with Zoncolan, a static analyzer that Facebook released in August 2019 for Hack — the PHP-like language variation that Facebook uses for the main Facebook app’s codebase.
    Both Pysa and Zoncolan look for “sources” (where data enters a codebase) and “sinks” (where data ends up). Both tools track how data moves across a codebase, and find dangerous “sinks,” such as functions that can execute code or retrieve sensitive user data.
    When a connection is found between a source and a dangerous sink, Pysa (and Zoncolan) warn developers to investigate.
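To make the source-and-sink model concrete, here is an added toy taint tracker built on Python’s ast module. It is not Pysa’s code, and the source, sink and sanitizer lists, the hypothetical request and cursor objects, and the sample function are all constructed for the demonstration. It follows assignments, string concatenation and f-strings from a request-parameter source to command and SQL sinks, clears taint through a declared sanitizer, and reports the line where tainted data reaches a sink.

```python
import ast

# Constructed configuration, playing the role of Pysa's model files:
# where untrusted data enters, where it is dangerous, and what neutralises it.
SOURCES = {"request.GET.get", "request.POST.get", "input"}
SINKS = {"eval", "exec", "os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "int"}


def dotted(node):
    """Render ast.Name / ast.Attribute chains such as 'request.GET.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding source-derived data
        self.findings = []     # (line number, sink name) pairs

    def is_tainted(self, node):
        """True if evaluating `node` can yield data that came from a source."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.JoinedStr):   # f-string
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):       # e.g. string concatenation
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, (ast.Subscript, ast.Attribute)):
            return self.is_tainted(node.value)
        return False

    def visit_Assign(self, node):
        # Flow-sensitive: a clean reassignment clears taint on that name.
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def analyze(source_code):
    """Return [(line, sink), ...] for every sink reached by tainted data."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source_code))
    return tracker.findings


# Constructed sample: a Django-style view with hypothetical request/cursor objects.
SAMPLE = '''
import os, shlex, subprocess

def ping(request):
    host = request.GET.get("host")                           # source
    os.system("ping -c 1 " + host)                           # tainted -> sink
    safe = shlex.quote(host)                                 # sanitizer clears taint
    os.system("ping -c 1 " + safe)                           # not reported
    count = int(request.GET.get("count"))                    # int() is a sanitizer
    subprocess.call(["ping", "-c", str(count), "localhost"]) # not reported
    label = f"host={host}"                                   # taint survives f-string
    cursor.execute("SELECT * FROM t WHERE name = '" + label + "'")  # tainted -> sink
'''

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}")
```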

    Image: Facebook
    Because the Facebook security team was closely involved with creating Pysa, the tool has been already fine-tuned across months of internal testing to find the source-sink patterns specific to common security issues like cross-site scripting, remote code executions, SQL injections, and more.
    Built for speed and large codebases
    But as Facebook security engineer Graham Bleaney told ZDNet in a phone call this week, Pysa’s ability to find security issues wouldn’t be that useful if it took days to scan Instagram’s entire codebase.
    As such, Pysa was also built for speed, being capable of going over millions of lines of code in anywhere between 30 minutes and hours. This allows Pysa to find bugs in near real-time and lets development teams feel safe about integrating the tool into their regular workflows and routines without having to fear that using it might delay shipping their code or cause them to miss hard deadlines.
    This focus on not disrupting Facebook developers and their regular work processes has been a goal for the Facebook security team, as the team said in a recent episode of the Risky Business podcast.
    Extendable
    But Pysa also has another ace up its sleeve, and that’s extendability. Instagram, which mostly runs on Python code, was never developed as a cohesive unit from the get-go.
    Just like most major platforms, its code was stitched together and improved as the company grew. Currently, its codebase includes lots of different Python frameworks and Python libraries, all running different Instagram components and features.
    For Pysa, this also means the tool was created under a plug-and-play model, where the tool can be extended to adapt to new frameworks on the fly.
    “Because we use open source Python server frameworks such as Django and Tornado for our own products, Pysa can start finding security issues in projects using these frameworks from the first run,” Bleaney said. “Using Pysa for frameworks we don’t already have coverage for is generally as simple as adding a few lines of configuration to tell Pysa where data enters the server.”
    Facebook has formally open-sourced Pysa on GitHub today, along with several bug definitions required to help it find security issues. The Zulip server project has already embedded Pysa in their codebase after the tool was used to discover a major security issue last year.

    Image: ZDNet


    Canon suffers ransomware attack, Maze claims responsibility

    A reported ransomware attack suffered by Canon appears to have been confirmed by an internal memo, with Maze threat actors taking the credit. 

    As reported by Bleeping Computer, a six-day outage beginning July 30 on the image.canon website, a service for uploading and storing photos through Canon’s mobile applications, led to suspicions that a cyberattack may have taken place. 
    While service has now resumed, in the website’s last status update Canon revealed that an issue “involving 10GB of data storage” was under investigation, leading to the temporary suspension of related mobile apps and the online platform.
    Canon said that “some of the photo and image files” saved prior to June 16 were “lost,” but in the same breath, insisted that there “was no leak of image data.” 
    “Currently, the still image thumbnails of these lost image files can be viewed but not downloaded or transferred,” the company said. “If a user tries to download or transfer a still image thumbnail file, an error may be received.”
    This, in itself, may suggest nothing more than a technical issue with back-end servers. However, at the same time, an internal memo obtained by the publication warned employees of “company-wide” IT issues, including apps, Microsoft Teams, and email. 
    It is believed that Maze is to blame, after the threat group said they had stolen 10TB in data after launching a successful ransomware attack against the tech giant. 
    Maze, however, denied responsibility for the image.canon issues, and so the timing of the outage and the ransomware infection may simply be coincidental. Another memo sent internally suggested a “ransomware incident” had occurred, and a third-party cyberforensics company has been hired to investigate. 
    Maze operators use a form of ransomware that generally targets enterprise companies. The group’s malware encrypts networks and a ransom note is then displayed, with extortion demands sometimes reaching thousands of dollars — far more than could be asked for by targeting individuals or the general public.
    The group’s modus operandi is to exfiltrate sensitive corporate information and threaten to release it unless payment is made.
    Canon said the company is “currently investigating the situation.”
    Earlier this week, Maze published gigabytes of data belonging to LG and Xerox after both companies refused to bow to blackmail.
    Ransomware, however, was not deployed on LG’s network. Speaking to ZDNet, the group said they simply infiltrated LG and stole information instead, deciding to withhold ransomware deployment as LG clients were “socially significant.” Xerox has remained quiet when it comes to the incident.
    Back in May, delivery network Pitney Bowes suffered a ransomware attack caused by the same cybercriminals. At the time, Maze published a set of screenshots online as evidence of network intrusion, having encrypted the firm’s IT systems in the quest for a ransom payment. 



    Microsoft Office 365 is becoming the core of many businesses. And hackers have noticed

    As the use of Microsoft’s Office 365 grows – encompassing services including Exchange, Teams, SharePoint, OneDrive and more – the sheer amount of data stored in the cloud is proving to be a tempting target for some of the most sophisticated hacking operations in the world, according to cybersecurity researchers at FireEye Mandiant.
    “The amount of data in Office 365 is just huge and attackers are obviously interested in data. But also they can now access that data from pretty much anywhere in the world,” Doug Bienstock, principal consultant at Mandiant, told ZDNet, ahead of the research being presented at the Black Hat USA security virtual conference.

    “Office 365 is also a gateway for organisations to access other applications as a single sign-on platform,” Bienstock explained.
    It often doesn’t take much for hackers to compromise the networks of organisations they’re targeting; it’s possible to acquire lists of email addresses of employees at a company, and attackers will attempt to use brute-force attacks to crack any common or weak passwords. It doesn’t even have to involve a spear-phishing attack. Some attacks, however, are significantly more sophisticated.
    “The attacker will take those valid credentials, log in to the VPN and they will move around the network with the intent of escalating their privileges to a global admin account for Office 365,” Josh Madeley, principal consultant at Mandiant and co-author of the presentation, told ZDNet.
    It’s believed that a significant majority of – if not all – state-backed advanced persistent threat (APT) groups are interested in deploying this kind of attack, but one that definitely has is APT35, a hacking operation working out of Iran, which Madeley described as “notorious” for exploiting cloud services to gain access to the sensitive information it wants to see.
    “They’ll gain access to your Office 365 environment then use the security tooling to search the contents of every mailbox, every Teams chat, every SharePoint document,” he explained.
    From there, APT35 searches for credentials that will give it access to other departments, even other companies, and anywhere else it can extract sensitive information from.
    The hackers are not trying to exploit a weakness in Office 365; simply the way in which it has become a core part of corporate IT infrastructure makes it an attractive target. But the way corporations and users are securing Office 365 could be improved to protect against attacks of this kind. The first step organisations can take to prevent attacks is to make sure that common, easily guessable passwords aren’t being used.
    Organisations should also ensure that multi-factor authentication is applied to as many employee accounts as possible, so that in the event of a password being stolen or breached, there is an additional layer of defence to stop attacks.
    “The biggest two things we recommend are enabling multi-factor and doing it intelligently with as few exceptions as possible. So everyone in the organisation and every application needs to apply multi-factor – and think about how often you want to prompt that,” said Bienstock.
    It’s also recommended that organisations take the time to understand activity on their networks, so it’s possible to detect and stop suspicious activity before it can do significant damage.
    “There’s good security out of the box in Office 365, but if you need to protect against APTs, there needs to be some time and effort into understanding the logs and building up robust monitoring so you can see something is happening when it shouldn’t be so you can cut them off,” he said.