Missing parameter type validation in the DRM module. Successful exploitation of this vulnerability may affect availability.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the October 2022 Android security bulletin:

Critical: CVE-2022-25720

High: CVE-2022-20412, CVE-2022-20413, CVE-2022-20422, CVE-2022-20421, CVE-2021-0696, CVE-2021-0699, CVE-2021-0951, CVE-2022-20423

Medium: CVE-2021-39758, CVE-2022-20415, CVE-2022-25664, CVE-2022-25666, CVE-2022-20253, CVE-2022-20257, CVE-2022-20269, CVE-2022-20273, CVE-2022-20278, CVE-2022-20290, CVE-2022-20313, CVE-2022-20314, CVE-2022-20333, CVE-2022-20334

Low: none

Already included in previous updates: CVE-2022-20247, CVE-2022-20271, CVE-2022-20272, CVE-2022-20292, CVE-2022-20297, CVE-2022-20302, CVE-2022-20399, CVE-2021-0986

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-46851: Vulnerability of unstrict verification of the memory's security attribute in the DRM module

Severity: High

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability by attackers may cause the video playback to be abnormal.

CVE-2021-46852: Logic bypass vulnerability in the memory management module

Severity: Medium

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-44546: Vulnerability that the kernel module automatically frees the memory but does not clear the mapping

Severity: High

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability may cause the system to restart.

CVE-2022-44547: UAF vulnerability in the Display Service module

Severity: High

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability may cause Display Service to reset and restart.

CVE-2022-44548: Vulnerability of unstrict permission verification during Bluetooth pairing

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause the dialog box for confirming the pairing not to be displayed during Bluetooth pairing.

CVE-2022-44549: Geofencing API access vulnerability in the LBS module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause third-party apps to access the geofencing API without authorization, affecting user confidentiality.

CVE-2022-44550: UAF vulnerability when traversing layers in the graphics display module

Severity: High

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-44551: Thread security vulnerability in the iaware module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality, integrity, and availability.

CVE-2022-44552: Vulnerability of defects being introduced in the design process in the lock screen module

Severity: Medium

Affected versions: EMUI11.0.1

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-44553: Vulnerability of not filtering third-party apps out when the HiView module traverses to invoke the system provider

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause third-party apps to be activated periodically.

CVE-2022-44554: Unstrict permission verification vulnerability in the power module

Severity: Medium

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability may cause the status of a module to be abnormal.

CVE-2022-44555: Service hijacking vulnerability in the DDMP/ODMF module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause service unavailability.

CVE-2022-44556: Missing parameter type validation in the DRM module

Severity: High

Affected versions: EMUI12.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2022-44557: Vulnerability of obtaining the read and write permissions on arbitrary system files in the SmartTrimProcessEvent module

Severity: High

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-44558: Mismatch between serialization and deserialization in the AMS module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause privilege escalation.

CVE-2022-44559: Mismatch between serialization and deserialization in the AMS module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause privilege escalation.

CVE-2022-44560: Intent redirection vulnerability in the launcher module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause launcher module data to be modified.

CVE-2022-44561: Permission verification vulnerability in the preset launcher module

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability allows unauthorized apps to add arbitrary widgets and shortcuts without interaction.

CVE-2022-44562: Mismatch between serialization and deserialization at the system framework layer

Severity: Medium

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability may cause privilege escalation.

CVE-2022-44563: Race condition vulnerability in SD upgrade mode

Severity: High

Affected versions: EMUI12.0.1, EMUI12.0.0, EMUI11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-44556: November

An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.

CVE-2020-35473: ACM CCS 2022

Microsoft added certificate-based authentication (CBA) to the Azure Active Directory to help organizations enable phishing-resistant MFA that complies with US federal requirements. The change paves the way for enterprises to migrate their Active Directory implementations to the cloud.

Microsoft has removed a key obstacle facing organizations seeking to deploy phishing-resistant multifactor authentication (MFA) by enabling certificate-based authentication (CBA) in Azure Active Directory.

The release of CBA in Azure AD, announced during last month's Microsoft Ignite conference, promises to pave the way for large enterprises to migrate their on-premises Active Directory implementations to the cloud. It's a move Microsoft is encouraging enterprises to undertake to protect their organizations from phishing attacks.

Further, this week, Microsoft took the first step toward enabling phishing-resistant MFA on employee-owned iOS and Android devices without requiring IT to install user certificates. Specifically, Microsoft on Wednesday issued a preview release of Azure AD with CBA support on mobile devices using security keys from Yubico.

**Meeting Federal Standards**

CBA capability in Azure AD is immediately critical to federal government agencies, which face a March 2024 deadline to deploy phishing-resistant MFA in compliance with US President Joe Biden's 2021 Executive Order (14028) on Improving the Nation's Cybersecurity.

The executive order directs all federal government agencies and those it does business with to move to zero trust architecture (ZTA) security. Phishing-resistant MFA is a requirement detailed in the follow-on guidance, Memorandum MB-22-09, issued early this year by the US Office of Budget and Management (OMB).

OMB's memorandum specifies that all civilian and intelligence agencies implement cloud-based identity architectures resistant to phishing. That means eliminating legacy MFA solutions that attackers can compromise, including SMS and one-time password (OTP) based authentication susceptible to phishing attacks.

SMS phishing attacks, also called "smishing," are fraudulent text messages that appear legitimate, directing victims to enter personal information into a fake website. "Smishing has turned increasingly into a meaningful attack vector; I see it all the time," says Andrew Shikiar, executive director of the FIDO Alliance.

Beyond federal agencies and contractors, preventing phishing from MFA bypass attacks has become crucial to all enterprises. This year, MFA relay attacks have escalated; for example, in the August compromise of Twilio's broadly used MFA service, the attackers prompted unwitting users to share their Okta credentials.

Experts anticipate such attacks will rise next year. "I think social engineering and MFA bypass attacks will continue to grow in 2023, where some other major service providers suffer meaningful breaches like we did this year," Shikiar says.

**Moving From ADFS to Azure AD**

Microsoft emphasized that CBA in Azure AD is critical in paving the way for federal government agencies to comply with the president's executive order. CBA provides a migration path from on-premises Active Directory Federation Services (ADFS) to the cloud-based Azure AD.

Now that CBA is available in Azure AD, organizations can use the cloud-based version of Active Directory to require users to login directly from all Microsoft Office and Dynamics programs and some third-party apps, which will authenticate them with an organization's public key infrastructure (PKI) using X.509 certificates. The X.509 certificate renders applications resistant to phishing because each user and device has its unique certificate.

Until now, organizations choosing to implement CBA in the cloud had to use third-party authentication services to enforce certificate policies. "What Microsoft is doing is removing the hurdle of having to have a separate service, and between you and the cloud, they're supporting that natively," says Derek Hanson, VP of solutions architecture and standards at Yubico.

"This removes the last major blocker for those of you who want to move all of your identities to the cloud," said Joy Chik, president of Microsoft's identity and network access division, during a session at the company's Ignite conference.

Chik emphasized that connecting applications to Azure AD paves the way for retiring on-premises ADFS, which organizations typically use to enable PKI. However, most organizations have relied on ADFS for decades, and migrating to Azure AD is a complex move. Nevertheless, Chik said it is necessary. "ADFS has become a primary attack vector," she said.

Indeed, most enterprises that use X.509 for authentication rely on federated servers — and in most cases, that means ADFS. Doug Simmons, managing director and principal consulting analyst at TechVision Research, estimates that at least 80% to 90% of enterprises use ADFS.

"I really don't know of any organizations that are not using ADFS," Simmons says. Now that CBA is available in Azure AD, Simmons agrees that organizations will begin the process of migrating from ADFS. "I think they will likely make the migration within the next two years," he says.

**Fulfilling the Government Mandates**

During the past year, Chik said that Microsoft has added more than 20 capabilities to ensure that all the critical authentication capabilities in ADFS are available in Azure AD. "Certificate-based authentication is critical for customers in regulated industries," Chik said. But she added, "This includes US federal agencies, which must deploy phishing resistant MFA to comply with White House executive order on cyber security."

Simmons notes that enabling agencies to meet this mandate is critical for Microsoft to retain and expand government deployments, especially agencies that require authentication that complies with the FIPS 140 and FIDO2 standards. "From what I understand, Microsoft needs Azure to stay ahead of the FedGov game or risk being further being overtaken by Google, AWS and others," Simmons explains. "So, this would be necessary to demonstrate said compliance and fully integrated support."

Earlier this year, Microsoft launched Entra, an identity and access management (IAM) platform anchored by Azure Active Directory and using other tools, including Permissions Management, Verified ID, Workload Identities, and Identity Governance.

"With Entra, they are making a significant investment in multi-cloud administrative security," Simmons adds. "Multicloud is key because they realize the world doesn't end with Azure. In fact, most of their customers — and probably all of our customers — have the big three clouds in production. To better secure cross-cloud admin, they need to make strong authentication available to the privileged users, who can be developers and admins. Just supporting phone-based push MFA isn't enough for some organizations, especially when it comes to the US government and defense."

**Bringing Azure AD CBA Support to Mobile Devices**

Microsoft's release this week of the public preview of Azure AD CBA support on iOS and Android devices enables the use of certificates on hardware security keys, initially Yubico's YubiKey. Microsoft's director of identity security Alex Weinert announced the release in a brief blog post.

"With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant MFA on mobile without having to provision certificates on the user's mobile device," Weinert wrote.

Yubico, which led the development of the FIDO authentication standards, worked with Microsoft to enable its YubiKeys, the first FIPS-certified, phishing-resistant authenticator currently available for Azure AD on mobile. Ultimately, contractors and US Department of Defense personnel will be able to embed their DoD common access cards (CAC) and personal identity verification (PIV) cards into their mobile devices.

"CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt," said Yubico solutions architect Erik Parkkonen in a blog post. Besides taking some configuration steps within Azure AD and installing the Microsoft Authenticator app on Android or iOS/iPadOS, users must install the Yubico Authenticator app on mobile devices.

Users must then install their personal identity verification (PIV) credential independent of the Azure solution, Parkkonen noted. Further, administrators can deploy Microsoft's latest Conditional Access authentication strength policies to enforce CBA. Microsoft last week released a preview of the new Conditional Access authentication strength capabilities.

Microsoft's Certificate-Based Authentication Enables Phishing-Resistant MFA

An analysis by RSA Conference's security operations center found 20% of data over its network was unencrypted and more than 55,000 passwords were sent in the clear.

Even cybersecurity professionals need to improve their security posture.

That's the lesson from the RSA Conference in February, where the security operations center (SOC) run by Cisco and NetWitness captured 55,525 cleartext passwords from 2,210 unique accounts, the companies stated in a report released last week. In one case investigated by the SOC, a chief information security officer had a misconfigured email client that sent passwords and text in the clear, including sensitive documents such as their payment for a professional certification.

While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.

"As the RSA Conference is mostly attended by cybersecurity professionals and supporting roles within the security industry, we generally consider the demographic to represent more of a 'best-case' level of security awareness," she says. "Somewhat shockingly, unencrypted email is still being used in 2022."

The annual report presents a view into network usage among a security-focused group of users. Cisco and NetWitness emphasized that the wireless network at the RSA Conference is not configured in the most secure way, but configured to be monitored for educational purposes. For that reason, the network has a flat architecture, allowing any device to contact any other device on the network. Host isolation, which allow devices a route to the internet but not to other devices on the network, would be more secure but less interesting.

**User Credentials at Risk**

At approximately 19,900 attendees, the 2022 RSA Conference only had about half the number of people as the previous conference in 2020, but about the same number of users on the network, the report stated.

The major issue was failure to use encryption for the authentication step when using email and other popular applications. Nearly 20% of all data passed through the network in the clear, the report stated.

"Encrypting traffic does not necessarily make one more secure, but it does stop individuals from giving away their credentials, and organizations from giving away corporate asset information in the clear," the report stated.

Yet the situation isn't as bad as it could be. Because the wireless network includes traffic from the show floor, many of the usernames and passwords are likely from demo systems and environments, the report stated. Moreover, most of the cleartext usernames and passwords — almost 80% — were actually leaked by devices using the older version of the Simple Network Management Protocol (SNMP). Versions 1 and 2 of the protocol are considered insecure, while SNMP v3 adds significant security capabilities.

"This is not necessarily a high-fidelity threat," the report stated. "\[H\]owever, it does leak information about the device as well as the organization it's trying to communicate with."

In addition to the continued use of plaintext usernames and passwords, the SOC found that the number of online applications continues to grow rapidly, suggesting that the attendees are increasingly relying on mobile devices to get work done. The SOC, for example, captured unencrypted video camera traffic connecting to home security systems on port 80 and the unencrypted data used for setting up voice-over-IP calls.

**CISO Mistake**

For the most part, the unencrypted traffic is likely from small-business users, the companies stated in the report. "It is difficult to send email in cleartext these days, and analyzing these incidents found similarities," the report stated. "Most of this traffic was to and from hosted domains. This means email services on domains that are family names or small businesses."

Yet in one case, a chief information security officer had misconfigured their email client and ultimately exposed their email username and password by sending the data in the clear. The SOC discovered the issue when it found a receipt for a CISSP payment sent in the clear from an Android-based email client.

"The discovery sparked an investigation that confirmed dozens of emails from and to the person were downloaded across the open network in the unsecure protocol," the report stated.

Companies should verify that the technologies used by employees have created end-to-end encrypted connections and should apply zero-trust principles to check — at appropriate times — that the encryption is still being applied.

"We've found applications and websites that authenticate encrypted and then pass the data without encryption across the open networks," Cisco Secure's Oppenheimer says. "Alternatively, some will pass unencrypted credentials across open networks and then encrypt the data. Both scenarios are less than ideal."

Virtual private networks are not a panacea but can strengthen the security of unencrypted applications. Finally, organizations should use cybersecurity and awareness training to educate their hybrid workers in how to be secure when working from remote locations.

Unencrypted Traffic Still Undermining Wi-Fi Security

Investment round led by 11.2 Capital, Okta Ventures, and Mango Capital.

**LONDON and SAN FRANCISCO, Nov. 7, 2022 /PRNewswire/** — The newly available SURF zero-trust, identity-first enterprise browser reinforces organizational security by providing the critical visibility necessary to prevent attacks while simultaneously ensuring every user's privacy. The platform streamlines collaboration and delivers easy, secure access to applications and data for managed and unmanaged (BYOD) devices.

"The browser has become the main productivity tool for employees, which has turned it into the largest attack surface as well," said Pramod Gosavi, 11.2 Capital. "We invested because SURF directly addresses companies' security needs without compromising on the productivity and privacy of the end users."

The platform leverages identity first and already has deep integration with Okta's market-leading identity platform and access management (IDP) technology.

"The secure enterprise browser is one of the fastest growing markets," said Austin Arensberg, Senior Director, Okta Ventures. "We wanted to make sure we backed the most comprehensive solution - SURF, which simultaneously delivers on companies' critical priorities of identity, security, and privacy."

Founders Moty Jacob and Ziv Yankowitz spent five years working together as CISO and CTO at London-based ICAP-NEX Group, which was acquired by CME Group (the world's leading derivatives marketplace) for $5.4 billion. They built Chromium-based applications to strengthen security and ease management of financial transactions.

SURF Security was established to allow global enterprises to close security gaps – without affecting productivity -- by collapsing the security stack into one single powerful control point: the enterprise browser.

"Ziv and I have taken a pragmatic approach to building the browser, completely eliminating the trade-off between strengthening security at the expense of agility and productivity. We wanted to be business enablers," says Moty. "After many years of trying to stay one step ahead of threat actors with too many niche tools, we decided to integrate many security tools into a single solution, reinforced with zero trust and identity - while making everything easy for administrators and users."

Led by 11.2 Capital, Mango Capital, Okta Ventures, and security-focused Angel investors, the Seed round, combined with the already expanding customer base, allows the company the resources and support to grow significantly over the coming years.

"SURF has completely rethought browser endpoint security by natively designing the solution around Chromium and CDN/edge platforms, such as Cloudflare and Fastly," said Robin Vasan, Founder and Partner at Mango Capital. "They are also providing tight integration with key identity platforms like Okta and HashiCorp in user and machine identity security respectively, strengthening their market position."

The SURF browser observes every interaction between users and applications to discover policy breaches while enabling complete administrative visibility and control – without collecting individual personal data.

After quick and easy provisioning, enterprises can enforce security controls like DLP, content disarming and reconstruction, phishing prevention, session killswitch, on-the-fly file encryption, browser extension management, device posture checks, transactional MFA, watermarking, and more.

SURF replaces existing tools like VDI, VPN, RBI, DaaS, etc. Instead of adding overhead layers of virtualization, cost, and complexity and fracturing the user experience, the security and access controls are built directly within the browser. Users get full native experiences and streamlined performance, without any middle tiers, as if they were using the consumer version of any browser.

The platform delivers a complete end-to-end zero-trust experience for both on-prem and cloud applications, all built inside the browser. The comprehensive solution eliminates shadow IT, data leakage, social engineering, credential stuffing, unwanted extensions, browser-based attacks, and many other threats. Enterprises can streamline access to all software development tools and processes as well.

The SURF browser is available for Windows, Android, Apple, and Linux.

_Visit SURF at Oktane22 Nov. 8-10 at Moscone West in San Francisco._

**SOURCE:** SURF

Out of Stealth: New SURF Zero-Trust Enterprise Browser

By Habiba Rashid
The apps reported by Malwarebytes contain Android trojan yet the developer is still active on Google Play, continuing their scam.
This is a post from HackRead.com Read the original post: Google Fails To Remove “App Developer” Behind Malware Scam

  
One can never be too sure about an **app’s legitimacy** even if it is found to have approving ratings on the Google Play store. On 1st November 2022, Malwarebytes Labs analyst Nathan Collier reported on a family of malicious apps developed by Mobile apps Group that are currently available on Google’s app store even at the time of writing.

Before proceeding to discuss the details of the malware’s workings, we advise our readers to watch out for the following apps and delete them from their devices immediately:  

*   Bluetooth Auto Connect
*   Bluetooth App Sender
*   Driver: Bluetooth, Wi-Fi, USB
*   Mobile transfer: smart switch

All four apps are infected with the hidden ads trojan and the developer seems to be familiar with common tactics used to **evade detection of malware** because they have created a self-delaying schedule for the displaying of these ads.

If you have any of these apps on your Android device remove them now

The Bluetooth Auto Connect app, for example, takes approximately four days from the time it is installed to display its first ad in Chrome. This is followed by further timed delays which are always succeeded by a sequence of new ads.

The **phishing sites** opened in Chrome vary and range from harmless sites used to produce pay-per-click to more dangerous sites that attempt to trick unwary users by stating that their device has been infected and needs to be updated.

This activity continues in the background even while the mobile device is locked which means that upon unlocking their phones, users will be faced with numerous phishing website tabs in Chrome that they will have to close each time. 

In their must-read **blog post**, the analysts at Malwarebytes have compiled a list that shows the long history of the variants of HiddenAds that have infected this particular app. This behavior, it seems, is also common for the other apps from the Mobile apps Group.

What’s shocking is that previous versions of these apps have been found to contain varying versions of Android/Trojan.HiddenAds, the developer is still active on Google Play, distributing more HiddenAds malware. 

Although it’s unclear why the company’s built-in malware defense program, **Google Play Protect**, is unable to detect these apps, it turns out that this is not the first time such an issue has been brought to light.

A recent **report from Bitdefender,** a cybersecurity company, showed that there were up to 35 malicious apps being listed on Play Store that have over 2 million downloads combined. They also noted that these apps rename themselves and change their app icon after being installed in order to confuse users and remain undetected. 

At times like this where users cannot even rely on the good ratings that an app presumably has to verify its authenticity (three of the malicious apps listed above have favorable ratings themselves), it is difficult to conclude how well one can guard its device against threats such as adware.

Moreover, with this one example of malware that has still not been removed, we can only imagine the other threats that go **undetected on the Google Play Store** and continue to infect the devices of those who install them. 

1.  **Android app with 1b users fails to fix flaws; expose to malware**
2.  **Play Store Apps Caught Spreading Android Malware to Millions**
3.  **BRATA Android malware factory resets phones after stealing funds**
4.  **Google, Microsoft and Oracle generated most vulnerabilities in 2021**
5.  **Scylla Ad Fraud Attack on iOS, Android Users Halted by Apple and Google**

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

Google Fails To Remove “App Developer” Behind Malware Scam

Authentication idea advanced but not yet fulfilled

Authentication idea advanced but not yet fulfilled

ANALYSIS Advances in technology over the last decade have enabled academics to make progress in creating so-called one-time programs.

One-time programs (OTPs) – originally presented at the Crypto ‘08 conference – describe a type of cryptographically obfuscated computer program that can be run only once, a special property that makes them useful for several applications and use cases.

OTPs were first proposed by researchers Goldwasser, Kalai, and Rothblum.

The general idea is that ‘Alice’ can send ‘Bob’ a computer program that is encrypted in such a way that:

1.  Bob can run the program on any computer with any valid inputs and obtain a correct result. Bob cannot rerun the program with different inputs.
2.  Bob can learn nothing about the secret program by running it.

The run-only-once requirement runs into trouble because it would be trivial to install a run-once-only program on multiple virtual machines, trying each one with different inputs. This would violate the whole premise of the technology.

The original idea for thwarting this (fairly obvious) hack was to only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob.

No such tokens were ever made, so the whole idea has lain dormant for more than a decade.

**OTP revived**

But now a team of computer scientists from Johns Hopkins University and NTT Research have laid the groundwork for how it might be possible to build one-time programs using a combination of the functionality found in the chips found in mobile phones and cloud-based services.

More specifically they have hacked ‘counter lockbox’ technology and applied its use to an unintended purpose. Counter lockboxes protect an encryption key under a user-specified password, enforcing a limited number of incorrect password guesses (typically 10) before the protected information is erased.

The hardware security module in iPhones or Android smartphones provides the needed base functionality, but it needs to be wrapped around technology that prevents Bob from attempting to cheat the system – the focus of the research.

**Garbled circuits**

The researchers’ work shows how multiple counter lockboxes might be chained together to form so-called ‘garbled circuits’, a construction that might be used to build one-time programs.

A paper describing this research, entitled ‘One-Time Programs from Commodity Hardware’ is due to be presented at the upcoming Theory of Cryptography conference (TCC 2022).

The clearest application for OTPs is preventing brute-force attacks, says one researcher

  
**Hardware-route discounted**

One alternative means of constructing one-time programs, considered by the paper, is using tamper-proof hardware. But tamper-proof hardware would require a “token with a very powerful and expensive (not to mention complex) general-purpose CPU”, as explained in a blog post by cryptographer Matthew Green, a professor at Johns Hopkins University and one of the co-authors of the paper.

“This would be costly and worse, \[and\] would embed a large attack software and hardware attack surface – something we have learned a lot about recently thanks to Intel’s SGX, which keeps getting broken by researchers,” Green explains.

RELATED Post-quantum cryptography hits standardization milestone

Rather than relying on hardware or the potential use of blockchain plus cryptographic tool-based technology, the Johns Hopkins’ researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome.

In practical terms, someone could realize this technology by creating multiple iCloud or Google accounts and then using Apple’s iCloud Key Vault \[pdf\] or Google’s Titan Backup service to store a ‘backup key’ for each of them. This is anything but elegant and the computer scientists at John Hopkins are inviting other researchers to progressing their research by coming up with neater schemes.

**A bastion against brute-force attacks**

Harry Eldridge from Johns Hopkins University, who is lead author of the paper, told The Daily Swig that one-time programs could have multiple uses.

“The clearest application of a one-time program (OTP) is preventing brute-force attacks against passwords,” Eldridge explained. “For example, rather than send someone an encrypted file, you could send them an OTP that outputs the file if given the correct password. Then, the person on the other end can input their password to the OTP and retrieve the file.

“However, because of the one-time property of the OTP, a malicious actor only gets one chance to guess the password before being locked out forever, meaning that much weaker passwords \[such as a four-digit PIN\] can actually be pretty secure,” Eldridge added.

More generally this could be applied to other forms of authentication – for example if you wanted to protect a file using some sort of biometric match like a fingerprint or face scan.

**‘Autonomous’ ransomware risk**

One danger posed by the approach is that bad guys might use the technique to develop ‘autonomous’ ransomware.

“Typically, ransomware needs to ‘phone home’ somehow in order to fetch the decryption keys after the bounty has been paid, which adds an element of danger to the group perpetrating the attack,” according to Eldridge. “If they were able to use one-time programs however, they could include with the ransomware an OTP that outputs the decryption keys when given proof that an amount of bitcoin has been paid to a certain address, completely removing the need to phone home at all.”

Read more of the latest encryption security news

The feedback on the work so far has been “generally positive”, according to Eldridge.

“\[Most agree\] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high,” Eldridge told The Daily Swig. “There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used.”

Professor Alan Woodward, a computer scientist at the University of Surrey, welcomed the research.

“It’s a nice paper and it doesn’t claim to be the ultimate answer: it gives a solution in the hope that others may find better ways of doing the same thing,” Prof. Woodward told The Daily Swig.

“If achievable it means one-time programs become viable, and that opens up an interesting array of applications where you want someone to be able to run your program but not to be able to undertake differential analysis to learn about how the program functions.”

RECOMMENDED Matrix address flaws that break message encryption assurances

Boffins rekindle one-time program cryptographic concept

With Microsoft’s announcement on Nov. 2 of its support for Azure AD Certificate-based authentication (CBA) for both iOS and Android devices, Yubico is excited to share that the YubiKey is currently the only external device that supports CBA on Android and iOS. Plus, the YubiKey is the only FIPS certified phishing-resistant solution available for Azure AD on mobile.

Yubico worked closely with Microsoft to ensure CBA on mobile became a reality.

Microsoft’s new support provides users with the same convenient smart card authentication method on mobile devices that they have on their desktops. CBA has been a staple of governments and high security environments for decades, long before the invention of FIDO U2F and FIDO2, mostly due to its reliability and effectiveness in physical environments. With Executive Order 14028 on Improving the Nation's Cybersecurity, the adoption of CBA and other phishing-resistant multi-factor authentication methods are mandated for civilian federal agencies in the US.

CBA is widely deployed across many industries, and remains a favorite amongst security experts. For some organizations, it is the logical choice from the available Azure offerings. With this announcement, customers can now use CBA on their mobile devices using native Azure AD CBA. When using native Azure AD CBA, organizations can reduce their existing infrastructure and move it into the cloud. Azure AD CBA capabilities can also be combined with Conditional Access policies so admins can enforce phishing-resistant sign-in methods.

CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt.

“Yubico has been a driving force in working with our teams to build this solution that allows Microsoft customers to securely log into their Microsoft accounts on their iPhone or Android mobile device. This is a big win for us, Yubico, and most importantly our federal government customers,” said Sue Bohn, Vice President of Product Management for Microsoft’s Identity and Network Access (IDNA) group.

Setting up CBA on Azure requires some basic configuration steps within Azure AD and installation of the Microsoft Authenticator app on Android or iOS/iPadOS. The Yubico Authenticator app is also needed on iOS/iPadOS. The PIV credential must be set up independently from the Azure solution. Your existing YubiKey PIV/smart card issuance process does not need to change.

Also, with the new Conditional Access authentication strength policies, you can enforce CBA as the required sign-in mechanism.

Yubico and Microsoft are globally recognized leaders in cybersecurity assisting public and private organizations on their journey to Zero Trust. Both Yubico and Microsoft are FIDO Alliance members and committed to providing phishing-resistant authentication solutions based on FIDO2 and certificate-based authentication standards.

**Learn more**

Microsoft's mobile certificate-based solution coupled with the YubiKey is a simple, convenient, FIPS certified phishing-resistant MFA methods for organizations, and we’re excited to share additional details and best practices during our upcoming webinar, _New solutions to prevent phishing with Azure AD and YubiKeys_ on November 3rd at 9 am PT, register here to attend.

Certificate-Based Authentication With YubiKeys for Microsoft, Third-Party, and Web Applications Now Available on iOS and Android

"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.

Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well.

The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

**Elaborate Social Media Lures**

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.

**Mobile Malware on the Rise**

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier this year highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of this year. The increase followed a sharp decline in attack volumes toward the end of 2021.

The email security vendor found that many of the new malware tools are capable of a lot more than just credential stealing: "Recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location and destroying or wiping content and data."

Google and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices.

Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app via an unofficial third-party app store or to download it directly to the device, like Android does, Proofpoint said.

**Different Types of Mobile Malware in Circulation**

Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The different capabilities integrated into these malware tools include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats — FluBot — has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not confined to a specific region or language. "Instead, threat actors adapt their campaigns to a variety of languages, regions and devices," the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeted at mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. But other notable threats included mobile banking Trojans, mobile ransomware tools, spyware link SandStrike, and malware downloaders. Kaspersky found that creators of some malicious mobile apps have increasingly targeted users from multiple countries at once.

The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include the need for organizations to implement security-focused mobile device management; to ensure that only trusted devices are allowed access to applications and data; to use strong authentication; to disable access to third-party app stores; and to ensure that users use only curated app stores.

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can’t come soon enough.

Whether you run IT for a massive organization or simply own a smartphone, you're intimately familiar with the unending stream of software updates that constantly need to be installed because of bugs and security vulnerabilities. People make mistakes, so code is inevitably going to contain mistakes—you get it. But a growing movement to write software in a language called Rust is gaining momentum because the code is goof-proof in an important way. By design, developers can't accidentally create the most common types of exploitable security vulnerabilities when they're coding in Rust, a distinction that could make a huge difference in the daily patch parade and ultimately the world's baseline cybersecurity.

There are fads in programming languages, and new ones come and go, often without lasting impact. Now 12 years old, Rust took time to mature from the side project of a Mozilla researcher into a robust ecosystem. Meanwhile, the predecessor language C, which is still widely used today, turned 50 this year. But because Rust produces more secure code and, crucially, doesn't worsen performance to do it, the language has been steadily gaining adherents and now is at a turning point. Microsoft, Google, and Amazon Web Services have all been utilizing Rust since 2019, and the three companies formed the nonprofit Rust Foundation with Mozilla and Huawei in 2020 to sustain and grow the language. And after a couple of years of intensive work, the Linux kernel took its first steps last month to implement Rust support.

“It’s going viral as a language,” says Dave Kleidermacher, vice president of engineering for Android security and privacy. “We’ve been investing in Rust on Android and across Google, and so many engineers are like, ‘How do I start doing this? This is great.’ And Rust just landed for the first time as an officially recognized and accepted language in Linux. So this is not just Android; any system based on Linux now can start to incorporate Rust components.”

Rust is what's known as a “memory-safe” language because it's designed to make it impossible for a program to pull unintended data from a computer's memory accidentally. When programmers use stalwart languages that don't have this property, including C and C++, they have to carefully check the parameters of what data their program is going to be requesting and how—a task that even the most skilled and experienced developers will occasionally botch. By writing new software in Rust instead, even amateur programmers can be confident that they haven't introduced any memory-safety bugs into their code.

A program's memory is a shared resource used by all of its features and libraries. Imagine a calendar program written in a language that isn't memory-safe. You open your calendar and then request entries for November 2, 2022, and the program fetches all information from the area of your computer's memory assigned to store that date’s data. All good. But if the program isn't designed with the right constraints, and you request entries for November 42, 2022, the software, instead of producing an error or other failure, may dutifully return information from a part of the memory that's housing different data—maybe the password you use to protect your calendar or the credit card number you keep on file for premium calendar features. And if you add a birthday party to your calendar on November 42, it may overwrite unrelated data in memory instead of telling you that it can't complete the task. These are known as “out-of-bounds” read and write bugs, and you can see how they could potentially be exploited to give an attacker improper access to data or even expanded system control.

Another common type of memory-safety bug, known as “use-after-free,” involves a situation where a program has given up its claim to a portion of memory (maybe you deleted all your calendar entries for October 2022) but mistakenly retains access. If you later request data from October 17, the program may be able to grab whatever data has ended up there. And the existence of memory-safety vulnerabilities in code also introduces the possibility that a hacker could craft, say, a malicious calendar invitation with a strategically chosen date or set of event details designed to manipulate the memory to grant the attacker remote access.

These types of vulnerabilities aren't just esoteric software bugs. Research and auditing have repeatedly found that they make up the majority of all software vulnerabilities. So while you can still make mistakes and create security flaws while programming in Rust, the opportunity to eliminate memory-safety vulnerabilities is significant.

“Memory-safety issues are responsible for a huge, huge percentage of all reported vulnerabilities, and this is in critical applications like operating systems, mobile phones, and infrastructure,” says Dan Lorenc, CEO of the software supply-chain security company Chainguard. “Over the decades that people have been writing code in memory-unsafe languages, we’ve tried to improve and build better tooling and teach people how to not make these mistakes, but there are just limits to how much telling people to try harder can actually work. So you need a new technology that just makes that entire class of vulnerabilities impossible, and that’s what Rust is finally bringing to the table.”

Rust is not without its skeptics and detractors. The effort over the last two years to implement Rust in Linux has been controversial, partly because adding support for any other language inherently increases complexity, and partly because of debates about how, specifically, to go about making it all work. But proponents emphasize that Rust has the necessary elements—it doesn't cause performance loss, and it interoperates well with software written in other languages—and that it is crucial simply because it meets a dire need.

“It’s less that it’s the right choice and more that it’s ready,” Lorenc, a longtime open-source contributor and researcher, says. “There are no real alternatives right now, other than not doing anything, and that’s just not an option anymore. Continuing to use memory-unsafe code for another decade would be a massive problem for the tech industry, for national security, for everything.”

One of the biggest challenges of the transition to Rust, though, is precisely all the decades that developers have already spent writing vital code in memory-unsafe languages. Writing new software in Rust doesn't address that massive backlog. The Linux kernel implementation, for example, is starting on the periphery by supporting Rust-based drivers, the programs that coordinate between an operating system and hardware like a printer.

“When you’re doing operating systems, speed and performance is always top-of-mind, and the parts that you’re running in C++ or C are usually the parts that you just can’t run in Java or other memory-safe languages, because of performance,” Google's Kleidermacher says. “So to be able to run Rust and have the same performance but get the memory safety is really cool. But it’s a journey. You can’t just go and rewrite 50 million lines of code overnight, so we’re carefully picking security-critical components, and over time we’ll retrofit other things.”

In Android, Kleidermacher says a lot of encryption-key-management features are now written in Rust, as is the private internet communication feature DNS over HTTPS, a new version of the ultra-wideband chip stack, and the new Android Virtualization Framework used in Google's custom Tensor G2 chips. He adds that the Android team is increasingly converting connectivity stacks like those for Bluetooth and Wi-Fi to Rust because they are based on complex industry standards and tend to contain a lot of vulnerabilities. In short, the strategy is to start getting incremental security benefits from converting the most exposed or vital software components to Rust first and then working inward from there. 

“Yes, it’s a lot of work, it will be a lot of work, but the tech industry has how many trillions of dollars, plus how many talented programmers? We have the resources," says Josh Aas, executive director of the Internet Security Research Group, which runs the memory-safety initiative Prossimo as well as the free certificate authority Let's Encrypt. “Problems that are merely a lot of work are great."

As Rust makes the transition to mainstream adoption, the case for some type of solution to memory-safety issues seems to get made again and again every day. Just this week, a high-criticality vulnerability in the ubiquitous secure communication library OpenSSL could have been prevented if the mechanism were written in a memory-safe language. And unlike the notorious 2014 OpenSSL vulnerability Heartbleed, which lurked unnoticed for two years and exposed websites across the internet to data interception attacks, this new bug had been introduced into OpenSSL in the past few months, in spite of efforts to reduce memory-safety vulnerabilities.

“How many people right now are living the identity-theft nightmare because of a memory-safety bug? Or on a national security level, if we’re worried about cyberattacks on the United States, how much of that threat is on the back of memory-safety vulnerabilities?” Aas says. “From my point of view, the whole game now is just convincing people to put in the effort. Do we understand the threat well enough, and do we have the will.”

Tag

#android