By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Given the recent tragedies in the U.S., I don’t feel it’s appropriate to open by being nostalgic or trying to be witty — let’s just stick to some security news this week.    The one big...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Given the recent tragedies in the U.S., I don’t feel it’s appropriate to open by being nostalgic or trying to be witty — let’s just stick to some security news this week.  

**The one big thing **

The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. This actor and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.   

> **Why do I care? **
> 
> Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet. 
> 
> **So now what? **It's more important now than ever to have a multi-layered security architecture to detect these types of attacks. The adversary is likely to manage to bypass one of the other cybersecurity measures, but it is much harder for them to bypass all of them. There’s also a ton of IOCs you can add to any block lists that we have listed on our blog, as well as previous Snort rules and ClamAV signatures to protect against this threat actor.   

**Other news of note**

The ongoing battle between the Conti ransomware gang and Costa Rica continued this week, with Costa Rica’s president saying his government is “at war” with Conti. Meanwhile, Conti seems to have dissolved and is now broken up between several sub-groups, though Conti actors continue to release statements on Costa Rica. This massive ransomware attack on a country’s government has other smaller states worried they could be the next ransomware target. Many services in Costa Rica have been inoperable for weeks after the Conti attack. (Tech Monitor, The Verge, TechCrunch) 

Several state-sponsored actors in Europe and the Middle East are buying the “Predator” spyware from commercial surveillance company Cytrox to spy on Android users. Researchers from Google say they’ve spotted these actors operating in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia. The firm sold the spyware along with exploits for zero-day vulnerabilities in the Chrome web browser and Android operating system, which are now all patched. (Google Threat Analysis Group, Gizmodo) 

Zoom patched an XMPP vulnerability chain that could lead to remote code execution, along with several other security vulnerabilities in the virtual meeting client. A security researcher discovered an attack chain in which an attacker sends messages to the target over Zoom chat with the XMPP protocol — no user interaction is required. If successful, the attacker could then execute remote code on the targeted machine. Other vulnerabilities Zoom disclosed this week included an issue that could allow an adversary to send user session cookies to a non-Zoom domain, which could allow for spoofing. (Security Week, Google Project Zero) 

**Can’t get enough Talos? **

*   Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
*   CTA Board of Directors Spotlight: Matt Watchinski, Cisco Talos
*   People Behind CSR at Cisco: How JJ Cummings protects people in Ukraine from cyberthreats
*   Threat Roundup for May 13 - 20
*   Talos Takes Ep. #97: MustangPanda stays agnostic

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 1fce2981e0d7d9c85adeea59a637d77555b466d6a6639999c6ae9b254c12dc6b    
**MD5:** f5d20b351d56605bbb51befee989fa6e  **Typical Filename:** lavasoft\_overlay\_new\_setup\_progress\_en.exe    
**Claimed Product:** PF001's Installer    
**Detection Name:** W32.8B439CC5BF-95.SBX.TG  

**SHA 256:** 818d2d5bdde999f70563c16bfa9c724897d3b01adc67089137ae97d8f7ab6ba3    
**MD5:** 9b1f8a838b5c195f9cf2f11017e38175  **Typical Filename:** document-launch-powershell.xls    
**Claimed Product:** N/A   **Detection Name:** Auto.818D2D.242455.in02 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa   **MD5:** df11b3105df8d7c70e7b501e210e3cc3   **Typical Filename:** DOC001.exe   **Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

Threat Source newsletter (May 26, 2022) — BlackByte adds itself to the grocery list of big game hunters

Lawmakers argue Android phone data could be “weaponized against women” if the US Supreme Court officially overturns abortion protections.

More than 40 Democratic members of Congress called on Google to stop collecting and retaining customer location data that prosecutors could use to identify women who obtain abortions.

“We are concerned that, in a world in which abortion could be made illegal, Google’s current practice of collecting and retaining extensive records of cell phone location data will allow it to become a tool for far-right extremists looking to crack down on people seeking reproductive health care. That’s because Google stores historical location information about hundreds of millions of smartphone users, which it routinely shares with government agencies,” Democrats wrote May 24 in a letter led by Senator Ron Wyden (D-Ore.) and Rep. Anna Eshoo (D-Calif.). The letter was sent to Google CEO Sundar Pichai.

Specifically, Google should stop collecting “unnecessary customer location data” or “any non-aggregate location data about individual customers, whether in identifiable or anonymized form. Google cannot allow its online advertising-focused digital infrastructure to be weaponized against women,” lawmakers wrote. They also told Google that people who use iPhones “have greater privacy from government surveillance of their movements than the tens of millions of Americans using Android devices.”

The draft Supreme Court ruling overturning _Roe v. Wade_ could be followed by strict limits or bans on abortion in many states, and Democrats wrote that “Republicans in Congress are already discussing passing a law criminalizing abortion in all 50 states, putting the government in control of women’s bodies.”

Location Data From Android Phones

In their letter, Democrats told Pichai:

_While Google deserves credit for being one of the first companies in America to insist on a warrant before disclosing location data to law enforcement, that is not enough. If abortion is made illegal by the far-right Supreme Court and Republican lawmakers, it is inevitable that right-wing prosecutors will obtain legal warrants to hunt down, prosecute, and jail women for obtaining critical reproductive health care. The only way to protect your customers’ location data from such outrageous government surveillance is to not keep it in the first place._

Google obtains detailed information “from Android smartphones, which collect and transmit location information to Google, regardless of whether the phone is being used or which app a user has open,” they wrote. While Android users have to opt into this data collection, “Google has designed its Android operating system so that consumers can only enable third party apps to access location data if they also allow Google to receive their location data too. In contrast, Google is only able to collect location data from users of iPhones when they are using the Google Maps app,” the lawmakers wrote.

We contacted Google about the letter yesterday and will update this article if we get a response.

Exactly how Google’s location privacy settings work has been a matter of confusion, even for some Google employees. As we wrote in August 2020, documents from a consumer fraud suit the state of Arizona filed against Google “show that company employees knew and discussed among themselves that the company’s location privacy settings were confusing and potentially misleading.”

Democrats Say iPhone Users Have More Privacy

Because many of the cheaper smartphones use Android, the lawmakers warned of a “digital divide” affecting the privacy of people with low incomes:

_No law requires Google to collect and keep records of its customers’ every movement. Apple has shown that it is not necessary for smartphone companies to retain invasive tracking databases of their customers’ locations. Google’s intentional choice to do so is creating a new digital divide, in which privacy and security are made a luxury. Americans who can afford an iPhone have greater privacy from government surveillance of their movements than the tens of millions of Americans using Android devices._

While Google uses location data to target online ads, the company often turns over the data to law enforcement officials who obtain court orders, the Democrats wrote. “This includes dragnet ‘geofence’ orders demanding data about everyone who was near a particular location at a given time,” they wrote, adding that “Google received 11,554 geofence warrants in 2020.”

iPhones also use location services, though the lawmakers seem to be satisfied with Apple’s privacy promises. Among other things, Apple says that if location services are turned on, geo-tagged locations of nearby Wi-Fi hotspots and cell towers are sent “in an anonymous and encrypted form to Apple” to augment a “crowd-sourced database of Wi-Fi hotspot and cell tower locations.”

With the Find My feature that can locate lost devices, Apple says it “retains location information and makes it accessible to you for 24 hours, after which it is deleted” and that “device location services information is stored on each individual device and Apple cannot retrieve this information from any specific device.”

Post-_Roe_ State Abortion Laws

Assuming the Supreme Court overturns _Roe v. Wade_, there could be more state laws like the recently enacted Texas Heartbeat Act that bans abortions after it’s possible to detect a “fetal heartbeat.” The law defines that as “cardiac activity or the steady and repetitive rhythmic contraction of the fetal heart within the gestational sac.” This effectively bans abortions after six weeks, and the state law lets private citizens file lawsuits to obtain injunctions and damages of at least $10,000 per abortion.

These lawsuits could be filed against anyone who “performs or induces an abortion” that violates the Texas Heartbeat Act or anyone who “knowingly engages in conduct that aids or abets” an abortion after a fetal heartbeat is detected. Aiding or abetting includes “paying for or reimbursing the costs of an abortion through insurance or otherwise, if the abortion is performed or induced in violation of this subchapter.” Civil suits can also be filed against anyone who “intends to engage in the conduct” described in the law.

The Texas law doesn’t allow the exact scenario Democrats warned of in their letter, that prosecutors could jail women who obtain abortions. But states would have more leeway to enact stricter anti-abortion laws or bans after lifting _Roe v. Wade_.

The Guttmacher Institute, a pro-choice research group, says that “26 states are certain or likely to ban abortion without _Roe_.” Many of these states have laws that were enacted before the 1973 _Roe v. Wade_ decision and never removed, laws that were enacted after _Roe_ but currently blocked by court order, or “trigger” bans that would “take effect automatically or by quick state action if _Roe_ no longer applies.”

_This story originally appeared on_ _Ars Technica__._

Google Urged to Stop Tracking Location Data Ahead of Roe Reversal

Social media platform ends private program after paying $250,000 in rewards over eight years

Adam Bannister 26 May 2022 at 15:26 UTC

Social media platform ends private program after paying $250,000 in rewards over eight years

LinkedIn has launched a public bug bounty program to replace the invite-only program that has been running since 2014.

Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000, while high severity issues will command rewards of between $2,500 and $5,000, and medium severity flaws will net bug hunters between $250 and $2,500.

The program, which is hosted by HackerOne, invites hackers to probe the main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API plus Android and iOS mobile apps.

**Going public**

In scope on the Microsoft\-owned platform are “implementation and design issues that substantially impact LinkedIn members’ data or LinkedIn infrastructure” such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, authentication, access control, and server-side code execution vulnerabilities.

“Our security team strives to provide a safe and secure experience for our 830 million members and customers by quickly addressing security vulnerabilities, constantly improving our defenses, and safeguarding our product development process,” said LinkedIn in a blog post announcing the news.

Read more of the latest bug bounty news

The private program had since its launch “awarded more than $250,000 across nearly 500 submissions covering the LinkedIn member platform and mobile applications,” it added.

“Because of the program’s success, we have decided to make the program public and expand participation to anyone wanting to report potential security vulnerabilities.”

LinkedIn, which connects business professionals with each other and job opportunities, was the source of two enormous data leaks in 2021, affected 500 million and 700 million users respectively, but these were attributed to scraping of public web pages rather than cyber-attacks.

However, the Silicon Valley company was apportioned blame, both by security experts and members of the US Congress, over a 2012 hack that it initially thought affected 6.4 million user passwords, but in 2016 transpired to comprise emails and passwords belonging to 117 million users.

RELATED Yik Yak fixes information disclosure bug that leaked users’ GPS location

LinkedIn bug bounty program goes public with rewards of up to $18k

ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?
The post ChromeLoader targets Chrome Browser users with malicious ISO files appeared first on Malwarebytes Labs.

If you’re on the hunt for cracked software or games, be warned. Rogue ISO archive files are looking to infect your systems with ChromeLoader. If you think campaigns such as this only target Windows users, you’d sadly be very much mistaken. The attack sucks in several operating systems and even uses mobiles as bait to draw in additional victims.

**Of PowerShells and ISOs**

An optimal disc image (ISO) is a disk image containing everything written to an optical disc. If someone copied a DVD or CD-ROM, they may end up with an ISO. With the right software, these files can be mounted and read as if the device was reading from a physical disc.

If a malware author claims to be offering cracked or pirated versions of games or software, an ISO is frequently what’s on offer. They may be promoted on social media, video sites, game crack portals, or torrents. Sadly for would-be file downloaders, they’re frequently booby trapped with malware.

PowerShell is a way to automate tasks and comes complete with  a command line interface. It can be used by infection files to execute specific commands and get the infection ball rolling. This ChromeLoader attack combines both Powershell and ISOs to compromise systems.

**How does ChromeLoader infect a device?**

The flow is as follows:

1.  Bogus files are promoted on Twitter and other services. Some victims are simply grabbing the infection from rogue sites and/or torrents.
2.  Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites.
3.  Double clicking the ISO file mounts it as a virtual CD-ROM. The executable in the ISO claims to be the content the victim was originally looking for.
4.  ChromeLoader makes use of a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task and the victim is none the wiser that their browser has been compromised. At this point, search results cannot be trusted and bogus entries will be displayed to the user.
5.  As BleepingComputer notes, users of macOS are also at risk from this attack. Instead of ISO, attackers use DMG (Apple Disk Image) files, which is a more common format on that OS.

**Tips to avoid ChromeLoader**

1.  Searching for cracked games and software is a very risky business. Many sites promoting malware masquerading as “genuine” crack portals are hard to spot. If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices. Deep sales on games and products are fairly common. Unless it’s a brand new title, it may be worth waiting for a product-centric sale.
2.  In Chrome, Click the **More** icon, then **More Tools** -> **Extensions**. From there, you can see what’s installed, what is active or disabled, along with additional information about all extensions present. Google also has advice for resetting browser settings and additional clean-up methods.
3.  Keeping your security software up to date and running regular scans helps prevent this kind of attack. You should also always scan a downloaded file before making use of it.
4.  Keep in mind that rogue extensions don’t just come from bad websites or rogue downloads. The Chrome web store itself has been known to play host to bad files. Always check reviews, developer information, extension permissions and anything else of note before installing a new extension to your browser.

ChromeLoader targets Chrome Browser users with malicious ISO files

The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information.
"We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project said in an

The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information.

"We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project said in an advisory issued this week.

Tails, short for The Amnesic Incognito Live System, is a security-oriented Debian-based Linux distribution aimed at preserving privacy and anonymity by connecting to the internet through the Tor network.

The alert comes as Mozilla on May 20, 2022 rolled out fixes for two critical zero-day flaws in its Firefox browser, a modified version of which acts as the foundation of the Tor Browser.

Tracked as CVE-2022-1802 and CVE-2022-1529, the two vulnerabilities are what's referred to as prototype pollution that could be weaponized to gain JavaScript code execution on devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.

"For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session," the Tails advisory reads.

The bugs were demonstrated by Manfred Paul at the 15th edition of the Pwn2Own hacking contest held at Vancouver last week, for which the researcher was awarded $100,000.

However, Tor Browsers that have the "Safest" security level enabled as well as the Thunderbird email client in the operating system are immune to the flaws as JavaScript is disabled in both cases.

Also, the weaknesses don't break the anonymity and encryption protections baked into Tor Browser, meaning that Tails users who don't handle sensitive information can continue to use the web browser.

"This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier," the developers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched

By Waqas
The privacy-oriented search engine and browser provider DuckDuckGo has received flak after a researcher identified Microsoft Trackers in…
This is a post from HackRead.com Read the original post: DuckDuckGo Allows Microsoft Trackers Despite No Tracking Policy – Researcher

The privacy-oriented search engine and browser provider DuckDuckGo has received flak after a researcher identified Microsoft Trackers in the company’s “private” web browser.

DuckDuckGo (DDG) has always promoted and marketed itself as a privacy-centric company that refrains from adding trackers to its products. The company boasted about launching a Private browser with default tracker blocking capabilities.

However, now, research revealed that the browser offers restricted tracking protection, and there are certain loopholes left to facilitate advertising data requests from Microsoft.

It is worth noting that Microsoft is a syndication partner of DuckDuckGo. Since the companies agree on syndicated search content, the DDG browser allows Microsoft trackers on 3rd party websites.

**Research Revealed Disturbing Facts**

According to researcher Zach Edwards, who shared his startling findings on the DuckDuckGo browser on Twitter, he discovered that DuckDuckGo’s mobile browsers didn’t block ad requests from Microsoft scripts as well as non-Microsoft web services.

When Edward examined the browser data flow on Workplace.com, he learned that although DDG informed its users about blocking Facebook and Google trackers, it allowed Microsoft trackers to receive data flows linked with the user’s browsing activities on a non-Microsoft site.

For your information, DuckDuckGo is a search engine that claims it never tracks user searches or behavior and never builds users’ profiles to display targeted ads, and only uses contextual ads from its partners, including Ads by Microsoft. Microsoft ads can track users’ IP addresses and other data after clicking on an ad link.

Researcher Zach Edwards on Twitter

**More DuckDuckGo and Search Engine News**

1.  What Are Dark Web Search Engines and How to Find Them?
2.  $4 billion lawsuit claims Google tracked iPhone users’ activities
3.  DuckDuckGo study claims Google Incognito searches are not private
4.  DuckDuckGo collecting user browsing data without consent (Updated)
5.  Camera privacy bug found in Firefox Android in 2019 hasn’t been fixed yet

DuckDuckGo’s privacy and no tracking policy

**DuckDuckGo CEO’s Response**

In response to Edwards’ tweets, DDG’s founder/CEO Gabe Weinberg tried to rubbish the findings by focusing more on the stuff their browser did block, including third-party cookies, even from Microsoft, tracker blocking, and HTTPS-always encryption service.

Moreover, Weinberg noted that the data flow issue was unrelated to DDG’s search engine. However, the DuckDuckGo browser has an exemption from blocking ad data transfers to subsidiaries of Microsoft like LinkedIn or Bing.

The data can be used to conduct cross-site tracking of users to display targeted advertisements. Weinberg, however, confirmed that their browser does allow Microsoft tracker 3rd party websites due to the agreement.

> “For non-search tracker blocking (e.g., in our browser), we block most third-party trackers. Unfortunately, our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”
> 
> Gabe Weinberg on Twitter

> “We have always been extremely careful to never promise anonymity when browsing because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection, they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft.
> 
> What we’re talking about here is above-and-beyond protection that most browsers don’t even attempt to do — that is, blocking third-party tracking scripts before they load on 3rd party websites. Because we’re doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would be using Safari, Firefox, and other browsers. (…) Our goal has always been to provide the most privacy we can in one download, by default without any complicated settings.”
> 
> Weinberg to Bleeping Computer

Nevertheless, whatever may be the case, the issue seriously undermines the privacy claims made by DuckDuckGo for so long.

**More Privacy News**

1.  How data collected in gaming can be used to breach user privacy
2.  LinkedIn was copying every keystroke of users until iOS 14 exposed it
3.  Massive privacy risk as hacker sold 2 million MyFreeCams user records
4.  Israeli firm Kape Technologies buys ExpressVPN raising privacy concerns
5.  Hackers used macOS 0-days to bypass privacy features, take screenshots

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

DuckDuckGo Allows Microsoft Trackers Despite No Tracking Policy – Researcher

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

Zoom patched a medium-severity flaw, advising Windows, macOS, iOS and Android users to update their client software to version 5.10.0.

The Google Project Zero security researcher Ivan Fratric noted in a report that an attacker can exploit a victim’s machine over a zoom chat. The bug, tracked as CVE-2022-22787, has a CVSS severity rating of 5.9.

“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Ivan explained.

So called zero-click attacks do not require users take any action and are especially potent given even the most tech-savvy of users can fall prey to them.

XMPP stands for Extensible Messaging Presence Protocol and is used to send XML elements called stanzas over a stream connection to exchange messages and presence information in real-time. This messaging protocol is used by Zoom for its chat functionality.

In a security bulletin published by Zoom, the CVE-2022-22786 (CVSS score 7.5) affects the Windows users, while the other CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impacted Zoom client versions before 5.10.0 running on Android, iOS, Linux, macOS, and Windows systems.

****Working of Bug**  **

The initial vulnerability described by Ivan as  “XMPP stanza smuggling” abuses the parsing inconsistencies between XML parser in Zoom client and server software to “smuggle” arbitrary XMPP stanzas to the victim machine.

An attacker sending a specially crafted control stanza can force the victim client to connect with a malicious server thus leading to a variety of attacks from spoofing messages to sending control messages.

Ivan noted that “the most impactful vector” in XMPP stanza smuggling vulnerability is an exploit of “ClusterSwitch task in the Zoom client, with an attacker-controlled “web domain” as a parameter”.

Zoom Patches ‘Zero-Click’ RCE Bug

Critical vulnerability has been fixed upstream, but Tails dev team ‘doesn’t have the capacity to publish an emergency release earlier’

Critical vulnerability has been fixed upstream, but Tails dev team ‘doesn’t have the capacity to publish an emergency release earlier’

  

Tails is warning users to stop using Tor Browser that comes bundled with the privacy-focused operating system (OS), after the discovery of a prototype pollution vulnerability.

Tor Browser is a modification of the open source Firefox web browser, which is where the critical vulnerability, tracked as CVE-2022-1802, was found.

The bug could enable an attacker to corrupt the methods of an Array object in JavaScript via prototype pollution, potentially achieving the execution of attacker-controlled JavaScript code in a privileged context.

A second bug, tracked as CVE-2022-1529, could allow an attacker to send a message to the parent process where the contents could be used to double-index into a JavaScript object, leading to prototype pollution and ultimately allowing attacker-controlled JavaScript executing in the privileged parent process.

**Knock-on impact**

The developers of Tails, a security-focused Debian-based Linux distribution used for security and anonymity, warned users not to fire up Tor Browser while handling any sensitive information as the vulnerability may break any protections it provides.

This is at least until version 5.1 of Tails, expected on May 31, is released.

A security advisory from Tails reads: “This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.”

DON’T MISS Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

The vulnerability does not break the anonymity and encryption of Tor connections, meaning that it is still safe and anonymous to access websites from Tails if you don’t share sensitive information with them.

Other applications in Tails are not vulnerable because JavaScript is disabled. The Safest security level of Tor Browser is also not affected because JavaScript is disabled at this security level.

**Fixes incoming**

Tails version 5.0 comes bundled with Tor Browser 11.0.11, which contains the prototype pollution bug.

As users await Tails 5.1, which will inherit the Tor Browser 11.0.13 security update, they could use the standalone, and fully updated, version of the browser on Mac, Windows, or Linux.

“This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier,” the Tails team said.

A Mozilla security advisory contains more information about the security issues, which were reported by researcher Manfred Paul.

It also contains details on fixes for Firefox, Firefox ESR, Firefox for Android, Thunderbird to protect against the vulnerabilities.

YOU MAY ALSO LIKE Malicious Python library CTX removed from PyPI repo

Tails users warned not to launch bundled Tor Browser until security fix is released

Researchers found a litany of security flaws that allow simple, quick, and cheap forgeries in Australia.

In late 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic driver's license” citizens had used for decades.

Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn’t require any special hardware or expensive software, and will generate fake IDs that pass inspection by the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system.

“To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence,” Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.

A Better Mousetrap Hacked With Minimal Effort

“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone’s stolen driver's licence details,” he continued. As things have stood for the past 30 months, however, DDLs make it “possible for malicious users to generate \[a\] fraudulent Digital Driver's Licence with minimal effort on both jailbroken and non-jailbroken devices without the need to modify or repackage the mobile application itself.”

DDLs require an iOS or Android app that displays each person’s credentials. The same app allows police and venues to verify that the credentials are authentic. Features designed to confirm the ID is authentic and current include:

*   Animated NSW Government logo.
*   Display of the last refreshed date and time.
*   A QR code expires and reloads.
*   A hologram that moves when the phone is tilted.
*   A watermark that matches the license photo.
*   Address details that don’t require scrolling.

Simple Technique

The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it’s only four digits long, there are only 10,000 possible combinations. Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes, as demonstrated in this video showing the process on an iPhone.

Once a fraudster gets access to someone’s encrypted DDL license data—either with permission, by stealing a copy stored in an iPhone backup, or through remote compromise—the brute force gives them the ability to read and modify any of the data stored on the file.

From there, it's a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device. The precise steps on an iPhone are:

*   Use iTunes backup to copy the contents of the iPhone storing the credential the fraudster wants to modify
*   Extract the encrypted file from the backup stored on the computer
*   Use brute-force software to decrypt the file
*   Open the file in a text editor and modify the birth date, address, or other data they want to fake
*   Re-encrypt the file
*   Copy the re-encrypted file to the backup folder and
*   Restore the backup to the iPhone

With that, the ServiceNSW app will display the fake ID and present it as genuine.

The following video shows the entire process from start to finish.

Death by 1,000 Flaws

A variety of design flaws make this simple hack possible.

The first is a lack of adequate encryption. A key based on a four-digit PIN is woefully inadequate. Apple provides a function named SecRandomCopyBytes for producing random bytes that can be used to generate secure keys. “If this was used to encrypt the Digital Driver's Licence rather than the 4 digit PIN, it would make the task of brute-forcing much harder if not completely infeasible for attackers,” Farmer wrote.

The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what’s stored on the iPhone matches records maintained by the government department. With no means to natively validate the data, there’s no way to tell when information has been tampered with. As a result, attackers are able to display the falsified data on the Service NSW application without any means to prevent or detect the fraud.

The third shortcoming is that using the “pull-to-refresh” function—a cornerstone of the DDL verification scheme intended to ensure the most current information is showing—fails to refresh any of the data stored in the electronic credential. Instead, it updates only the QR code. A better response would be for the pull-to-refresh function to download the latest copy of the DDL from the ServiceNSW database.

Fourth, the QR code transmits only the DDL holder’s name and status as either over or under the age of 18. The QR code is supposed to allow the person checking the ID to scan it with their own ServiceNSW app to validate that the data presented is authentic. To bypass the check, a fraudster only needs to obtain the driver's license details from a stolen or otherwise-obtained DDL and replace it locally on their phone.

“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone's stolen Driver's Licence details,” Farmer explained. Had the system returned the legitimate image data, the scanning party would easily see that the fraudster had forged the DDL, since the face returned by Service NSW wouldn’t match the face displayed on the app.

The last flaw the researcher identified was that the app allows the data it stores to be backed up and restored at all. While all files stored in the Documents and Library/Application Support/ folders are backed up by default, iOS allows developers to easily exclude certain files from backup by calling NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey key.

With a reported 4 million NSW residents using the DDLs, the gaffe could have serious consequences for anyone who relies on DDLs to verify identities, ages, addresses, or other personal information. It's not clear how or even if Service NSW plans to respond. Given time differences between San Francisco and New South Wales, officials with the department weren't immediately available for comment.

Farmer noted this tweet, which called out a hotel bar for refusing service to someone who had only physical ID and instead accepting only DDLs. “I know 10 kids that you let in regularly with fake digital licenses because they are easy to make,” the person claimed.

While the veracity of that claim can’t be verified, it certainly sounds plausible, given the ease and effectiveness of the hack shown here.

_This story originally appeared on_ _Ars Technica__._

Tag

#android