Exzec Cyber Newsletter
8th Edition
Meta snoops on Snap, a Debi-an downer, and hotel insecurities
On average 1.4 billion social media accounts are hacked every month. My guess, half of the passwords are: password.
After a short hiatus, we’re back! On the menu this week:
So Meta: I ain’t afraid of no ghosts
This week’s can’t miss: Ivanti on the JetBrains again
xz Utils: The new Debi-an downer
Might have missed: Cambodian kidnappers and five-eyes
The hotel, motel: You can get in
Big News
‘Project Ghostbusters’. So Meta.
Well, well, well. If it isn’t some seedy practices from a company known for seedy practices. Who woulda thunk it? Meta, the artist formerly known as Facebook, has a long record of copying its competitors. But they went awfully far to capture usage analytics from Snapchat users while Snapchat was on the rise in 2016, the same year Facebook rolled out Instagram Stories, its own version of Snapchat’s ‘Stories’.
What happened: Newly released documents from a class action lawsuit against Meta describe ‘Project Ghostbusters’, an effort to decrypt Snapchat’s traffic so Meta could analyze how Snapchat’s users interacted with the app. Meta essentially used a ‘man-in-the-middle’ approach, leveraging Onavo, a VPN service it acquired in 2013. Because Onavo ran as a VPN on the user’s own phone, Meta controlled the point that all of the phone’s traffic passed through and could decrypt traffic to selected domains, Snapchat’s among them, and harvest usage analytics to improve its own product.
"Given how quickly they're growing, it seems important to figure out a new way to get reliable analytics about them, perhaps we need to do panels or write custom software. You should figure out how to do this."
Why is it important: Encryption and VPNs are supposed to provide privacy for users. A VPN provider sits at a chokepoint for everything a device sends; it should only ever see encrypted payloads. Intercepting traffic that a user believes is end-to-end encrypted defeats the whole point. Rather than state the importance myself, here’s a quote from the head of security engineering at Meta, Pedro Canahuati: “I can’t think of a good argument for why this is okay, no security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.”
The other side: There really isn’t a side where Meta looks good here. Granted, is there ever? Meta had to shut down Onavo in 2019 after it came out that they were paying teens to use the service so Meta could study their traffic. While this particular story is about Snapchat, reporting on the documents says the same approach was later extended to YouTube and Amazon traffic as well.
The takeaway: Social media is icky. Numerous studies have shown its effects on our brains. Understanding and manipulating usage is what drives users to spend more time in an app. Time spent is what advertisers want to see since more time equals more opportunities to service ads. Meta’s quest to create a ‘sticky’ app has driven it to multiple questionable practices over the years.
tl;dr: Meta wanted info on competitors. Meta created an app to spy. Meta bad.
More: TechCrunch | ArsTechnica | Mashable
Can’t Miss
Breaches, vulns, and more.
Microsoft: The US government’s Cyber Safety Review Board released a report on Microsoft and what it perceives to be a lack of cyber vigilance. Microsoft tried to head this off with its recently announced ‘Secure Future Initiative’, aimed at faster patching and higher internal security standards. Both sides talk a big game; time to back it up.
Ivanti: I should just leave Ivanti in this section permanently. In not-so-surprising news, they’ve pushed patches for four new vulnerabilities in their Connect Secure and Policy Secure gateways that could lead to code execution or denial of service. Patch it! They’ve claimed to be entering a new era of secure design. Sure.
Google: Incognito wasn’t so Incognito. In response to a class action lawsuit, Google will delete billions of data records related to users browsing activities while in Incognito mode, the purported private mode.
Poland: In a past edition, we wrote about the Polish government using the Pegasus spyware against its political opponents. Poland is now launching a criminal investigation into this activity and will alert any victims it finds. Somewhere, someone powerful is saying ‘shiiiiiiiiitttttt’.
Apple: Many Apple users have reported being ‘MFA bombed’, meaning they get a continuous stream of push notifications asking them to approve a password reset or login. This appears to be part of an advanced phishing campaign: if the victim kept ignoring the prompts, their phone would ring with someone pretending to be Apple support trying to talk them into approving one. Never trust that a caller is who they say they are; hang up and call back on a number you looked up yourself.
TeamCity/JetBrains: The somewhat recently revealed vulns are still actively being exploited to spread malware, deploy ransomware, and all sorts of other bad things. They also released a patch for 26 new ‘security problems’. Uh-oh. Patch it already!
Supply Chains = Nation-State gains
Who is Jia Tan? It doesn’t quite have the same sound as ‘Who is Keyser Soze?’, the villain in ‘The Usual Suspects’, but the intrigue is there. Jia Tan is the person (likely fictional) responsible for what could have been one of the worst supply chain attacks we’ve seen utilizing open-source Linux distros. Check out a couple of helpful links for those new to open-source software and supply chains.
What happened: Jia Tan contributed as a developer for over two years, submitting code to multiple projects on GitHub. Eventually they worked their way up to being a maintainer of xz Utils, a compression tool and library (liblzma) shipped in practically every major Linux distribution. After taking primary control of the project, Jia built and published updated releases of xz that contained a backdoor in liblzma, aimed at OpenSSH’s sshd on distributions where sshd ends up linked to liblzma through libsystemd.
Why is it important: Supply-chain attacks are scary. Think about it like poisoning. If you go to someone’s house, you can poison one person’s food. If you go to where the food is made, you can poison everyone’s food. In this scenario, had the backdoored version made it into the stable releases of Debian and Red Hat (a widely used enterprise version of Linux), the attackers would have had a backdoor into thousands of companies across the globe.
The other side: Luckily for the world (dramatic but true), Andres Freund, a developer at Microsoft, found the issue while troubleshooting SSH on a system that had received the updated package: sshd logins were burning noticeably more CPU than they should have, and memory-checking tools were throwing errors. Through thorough detective work, he traced the problem to the backdoored liblzma hooking itself into sshd. Also luckily, the updated package had only reached bleeding-edge and testing branches of a few distributions, not most production systems, so it was caught and pulled.
The takeaway: Open-source software is generally considered safer, since anyone can review and investigate the code for themselves. As per usual, though, people are where the real vulnerabilities lie. Jia took advantage of a developer who was the lone person responsible for xz Utils, overworked and looking for help. This was a patient, long-term campaign that looks to have been carried out by a nation-state threat actor. At least this will bring attention to Jia’s other contributions, where there may be more malicious code hiding.
tl;dr: Bad guy convinces the devs he can help. Bad guy deploys malicious code that could deploy to thousands of servers. Smart dev finds code and blows the whistle.
More: CyberScoop | Wired | ArsTechnica
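A quick triage check for the story above, added here as an example and not taken from the newsletter or from any distribution’s advisory. It assumes (my assumptions, not stated on the page) that the backdoor shipped in xz/liblzma releases 5.6.0 and 5.6.1, and that sshd is only exposed on hosts where the sshd binary actually loads liblzma (typically via libsystemd). The version-banner and ldd parsing are split into functions so they can be run against captured output from another host; the ldd sample at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a host for the xz Utils backdoor.
# Assumption: affected releases are 5.6.0 and 5.6.1 (not stated on the page).
# Assumption: sshd is exposed only if its link map contains liblzma.

# Return 0 (true) if an `xz --version` banner names a backdoored release.
is_affected_xz_version() {
    banner="$1"
    # Pull the first dotted version number out of the banner.
    ver=$(printf '%s\n' "$banner" | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+' | head -n1)
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) if `ldd sshd` output shows liblzma in the link map.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Both conditions together: 0 = exposed, 1 = not exposed.
sshd_exposed() {
    is_affected_xz_version "$1" && sshd_links_liblzma "$2"
}

# Live check on this host. Returns 0 exposed, 1 not exposed, 2 could not tell.
triage_host() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 2; }
    banner=$(xz --version 2>/dev/null | head -n1)
    sshd_path=$(command -v sshd 2>/dev/null || true)
    [ -n "$sshd_path" ] || [ ! -x /usr/sbin/sshd ] || sshd_path=/usr/sbin/sshd
    if [ -z "$sshd_path" ]; then
        echo "sshd not found; xz banner: $banner"
        return 2
    fi
    links=$(ldd "$sshd_path" 2>/dev/null || true)
    if sshd_exposed "$banner" "$links"; then
        echo "EXPOSED: $banner and $sshd_path loads liblzma"
        return 0
    fi
    echo "not exposed: $banner ($sshd_path)"
    return 1
}

# Constructed sample of `ldd /usr/sbin/sshd` output from a systemd-based
# distribution, for running the checks offline against captured data.
DEMO_LDD_OUTPUT='linux-vdso.so.1 (0x00007ffd3a1e0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2c1a000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2c19c00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c19800000)'

# Run the offline check on the constructed sample, then the live one.
if sshd_exposed "xz (XZ Utils) 5.6.1" "$DEMO_LDD_OUTPUT"; then
    echo "sample host: EXPOSED"
fi
triage_host || :
```

Run it as root or with sudo if `ldd` on sshd is not readable; on a host where the version is bad but sshd does not link liblzma, the library is still poisoned and should be downgraded, even though the sshd hook does not fire.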
Tip of the week
While always a constant problem, fake news tends to greatly increase in an election cycle. Arm yourself to decipher what’s real and what’s not.
Might have missed
Cambodian Cybergang: The Indian government has rescued 250 citizens who were being held in forced labor by a cybercrime gang. They had joined the ‘company’ and moved to Cambodia believing they were getting high-paying jobs. Instead, they were forced to work the gang’s online scam operations. Yikes!
Chinese Hackers: Multiple hackers believed to be associated with the Chinese gov’t, who are involved in targeting critics of the Chinese gov’t, including US citizens, have been indicted. Here’s bettin’ they never see a US courtroom.
Omni Hotels: Hopefully you’re not traveling to an Omni Hotel this week. The luxury hotel chain has revealed that a cyberattack (likely ransomware) has been underway since March 29. I better still get my massage and spa day.
Five Eyes: The multi-national cyber advisory group urged critical infrastructure organizations to take action against Chinese state-backed hackers before they can cause the kind of disruption the Change Healthcare ransomware attack just showed is possible.
Israeli Planes: While this one is a bit old, it didn’t get much news. El Al, Israel’s national airline, confirmed that hostile actors tried to hijack the communications of an in-flight aircraft and divert it to a different destination; the pilots recognized the instructions as bogus and stayed on course. Cool, there aren’t enough airplane problems right now, let’s add hackers.
AT&T: Yes, AT&T again. After initially saying the data dump from earlier in March was not of its customers, AT&T has now acknowledged that it was, and has force-reset all customers’ account passcodes.
Off Track
Smart lock? More like a shit lock.
Everyone likes to feel secure in their hotel room. Ready for bed? Lock the bolt, move that little metal door stopper, then lock and unlock to make sure you lock it right. It’s like hitting the lock button on your car key seven times and hearing it chirp or beep 7 times. We like to think those locks work.
What happened: It turns out that one particular brand of electronic lock isn’t as secure as it should be. Saflok, a lock line installed in over 13,000 hotels and protecting about 3 million doors, has an easily exploited vulnerability that allows an attacker to open any of those doors. All it requires is an Android phone and any keycard from the targeted property.
Why was it important: Well, a lock should lock, and stay that way until the key holder unlocks it. To top it off, Saflok rolled out a fix in November, but not all door locks are internet-connected, which means only about 36% have been patched. The locks that aren’t online need a physical visit or manual update, plus new keycards, new card encoders, and adjustments to anything else on the same system, like elevators or parking turnstiles.
The other side: Hopefully, this is a wake-up call for manufacturers to test things like this. It should also bring about an evolution of something additional to having a key, similar to MFA with passwords. Things like biometric data (think fingerprints), or a second token. Granted, that would be at the cost of convenience.
The takeaway: Any electronic lock, whether it’s wifi enabled, Bluetooth enabled, or just a plain RFID card reader, eventually has the potential to be exploited. While exploiting this lock turned out to be easy, I’m willing to bet there are simpler ones in the wild, primarily because they’re older and use older tech. Hell, I could pick up a Flipper Zero and probably get into most office buildings.
tl;dr: 3 million hotel locks are vulnerable to being unlocked. Hotels are struggling to update them.
More: DarkReading | Futurism
Pups N’ Stuff
This week, our featured pup is Ellie! She enjoys frolicking, playing with her food, and hacking dog gates to get places she shouldn’t be.

Thanks for reading this week’s edition. If you have feedback or advice, want to submit a dog, or just hate everything you see? Hit this link!