Memes, messengers, and missiles: From Twitter to chat apps and weapons, security is ho-ho-hosed this Xmas
Just slightly better than coal in your stocking
Roundup We are now firmly into the holiday season, the Christmas parties are kicking off, and folks are swapping their Excel files for eggnog, or something cliched like that.
So, let's have a quick look around the world of security this week before everyone puts on the "out of office".
On the first day of Christmas my true love gave to me: a nuke that didn't have security
Quick, think of the one place you really don't want to see failing security.
Did you answer "intercontinental ballistic missiles"? Bad news…
A report from the US Department of Defense Inspector General's office has found that America's missile command is falling way behind when it comes to the security of its Ballistic Missile Defense System (BMDS). The summary of their findings is brief and to the point:
"We determined that officials did not consistently implement security controls and processes to protect BMDS technical information."
Among the failings spotted in the report was the failure to install multifactor authentication software, leaving server racks unlocked, not installing intrusion detection tools on one classified network, and failing to encrypt data before it was transmitted.
"In addition, facility security officers did not consistently implement physical security controls to limit unauthorized access to facilities that managed BMDS technical information," the December dossier noted.
The report recommends, not surprisingly, that the DoD look to first install these basic protections on the network and then get their act together as far as making sure access to both the data and the physical facilities housing it are locked off with access carefully logged and monitored.
Meanwhile... A mall-patrolling robot in Los Angeles has a strange hunger for shoppers' MAC addresses on their devices.
Also, it turns out it's possible to defeat facial-recognition in some Android phones and unlock one of those unfortunate devices using a 3D-printed head of the owner, provided you have 50 cameras, top-of-the-line equipment, and about 300 quid to spend on the caper.
US-based Cloudflare is under fire for providing anti-denial-of-service protection and other cybersecurity services to a bunch of foreign terror gangs. It's against the law in America to provide material support to groups officially labeled as terrorists. Cloudflare previously argued it isn't offering tangible support.
Next, Oracle's sponsored-content page on the Wall Street Journal's website was defaced by miscreants to promote YouTuber PewDiePie. The page was altered to also apologize to the web celeb for criticizing him last year.
And we're told GNU inetutils version 1.9.4 or lower has security vulnerabilities that basically mean vulnerable telnet clients on embedded devices and some desktop and server systems can be attacked by malicious servers. If you're using an inetutils-based telnet client, then mind how you go, or get a patch for the flaws, if possible.
We three memes controlling your bots
Researchers at Trend Micro have uncovered a truly remarkable scheme that malware-infected PCs are using to communicate with their central command-and-control servers.
The software nasty, given the catchy name "TROJAN.MSIL.BERBOMTHUM.AA", instructs infected Windows machines to look for a specific (since disabled) Twitter account. The account itself wasn't remarkable, containing only a few meme images. Within those images, however, was hidden the code that controlled the infected PCs.
The malware would download and open the images, then look for instructions hidden within. In this case, the memes tell the bots to capture screencaps of their host machines and send the images to a server, though the malware can also be ordered to list running processes, copy clipboard contents, and list filenames from the infected PC.
"We found that once the malware has been executed on an infected machine, it will be able to download the malicious memes from the Twitter account to the victim’s machine. It will then extract the given command," Trend explained.
"In the case of the “print” command hidden in the memes, the malware takes a screenshot of the infected machine. It then obtains the control server information from Pastebin. Afterwards, the malware sends out the collected information or the command output to the attacker by uploading it to a specific URL address."
Fortunately, it looks like this specific operation has been broken up. The meme-spaffing Twitter account has been disabled.
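Trend Micro's write-up, as quoted above, says the bots pull meme images and "extract the given command" from them. The page does not say how the commands were embedded, so the triage helper below is an added example (not Trend Micro's code and not a reconstruction of the malware) that checks one common hiding spot: bytes appended after an image's end-of-image marker. It walks PNG chunks to find the true end of the file, uses a last-EOI heuristic for JPEG, and reports any slash-prefixed tokens found in the trailer; "/print" is the one command the page names, while the sample meme, the token pattern and the slash convention are assumptions for this example.

```python
"""Triage helper: flag image files carrying data after the format's end marker,
and list command-like tokens found in that trailer (defensive triage only)."""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Assumption for this example: hidden commands look like "/word" in the trailer.
TOKEN_RE = re.compile(rb"/[A-Za-z]{3,16}")


def png_end_offset(data: bytes):
    """Walk the PNG chunk list; return the offset just past IEND, or None."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None                        # truncated or malformed: no verdict


def jpeg_end_offset(data: bytes):
    """Heuristic: offset after the last EOI marker (embedded thumbnails have their own)."""
    if not data.startswith(JPEG_SOI):
        return None
    idx = data.rfind(JPEG_EOI)
    return None if idx < 0 else idx + 2


def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the image's end marker (empty for clean files)."""
    for finder in (png_end_offset, jpeg_end_offset):
        off = finder(data)
        if off is not None:
            return data[off:]
    return b""                         # unrecognised format: nothing to report


def extract_commands(payload: bytes) -> list:
    """Slash-prefixed ASCII tokens in the trailer, e.g. '/print'."""
    return [m.decode("ascii") for m in TOKEN_RE.findall(payload)]


def triage(data: bytes) -> dict:
    payload = trailing_payload(data)
    cmds = extract_commands(payload)
    return {
        "trailer_bytes": len(payload),
        "commands": cmds,
        "suspicious": bool(cmds),      # a trailer alone is odd; tokens make it actionable
    }


# --- constructed sample input: a minimal 1x1 PNG, clean and with a staged trailer ---
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1) -> bytes:
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit RGB
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


CLEAN_MEME = make_png()
STAGED_MEME = CLEAN_MEME + b"\x00\x00/print\x00"   # constructed: command appended after IEND

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_MEME), ("staged", STAGED_MEME)):
        print(name, triage(blob))
```

Run it over a directory of images fetched by a suspect process and anything with a non-empty trailer deserves a closer look; the JPEG check is deliberately loose, so treat a hit there as a prompt to parse the segment table properly rather than as proof.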
Up in the Outback, Signal's pause; out with the Aussie backdoor clause
Secure chat company Signal is less than happy with the recently passed Australian law targeting encrypted communications. The new Oz rules allow Aussie snoops to demand surveillance backdoors in communications software and websites, allowing the government to read and monitor encrypted messages.
Signal dev Josh Lund said his project simply can't comply with any government demand to decrypt secure end-to-end chatter. No, really, Lund said, there is no physical way Signal could remotely decrypt the contents of conversations.
"By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars. The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us," Lund explained.
"In most cases now we don’t even have access to who is messaging whom."
This means that Signal faces the very real possibility of being banned in Australia for running afoul of the data access law. Even in that case, however, Lund cautioned the gov-a-roos that they probably wouldn't be able to rid their continent of Signal.
"Historically, this strategy hasn’t worked very well. Whenever services get blocked, users quickly adopt VPNs or other network obfuscation techniques to route around the restrictions," he explained. "If a country decided to apply pressure on Apple or Google to remove certain apps from their stores, switching to a different region is extremely trivial on both Android and iOS. Popular apps are widely mirrored across the internet."
In other words, the Australian government would be playing whack-a-mole with banned apps, all while the likes of Google, Microsoft, Apple, and other US tech giants, are thoroughly cheesed off with the incoming spy law.
Simply having a fight over Dragonfly
Google's Dragonfly campaign just got Choc-blocked, allegedly.
A report from The Intercept today indicates that the controversial project to build a Chinese search engine that met Beijing's censorship requirements has been "effectively ended" following an employee revolt and probing by US Congress.
Dragonfly, for those not familiar, was Google's rumored partnership with the Chinese government to create a version of its web search engine that could automatically exclude any results that were banned by the government as well as provide officials with the ability to track people's search queries.
Concern over the privacy and human rights implications of such a project prompted staffers, including Google's precious engineer caste, to speak out in public, something rarely seen from the highly insular world of Google.
When asked for comment, a Google spokesperson referred El Reg to the comments CEO Sundar Pichai made last week to the Congress.
Jingle Bells, Twitter smells, surveillance by bad eggs
And because creepy government surveillance is all the rage these days, we have Twitter warning that one of its web applications was used to slurp up location data on some twits.
In its alert on Monday, Twitter warns one of its support forum APIs had an issue that would have allowed miscreants to look up things like fellow tweeters' telephone country codes, and whether an account was locked-out by Twitter. The bug was fixed on November 16.
This by itself isn't too much of a problem. However, Twitter also said that prior to the November fix, it spotted "a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia," and that it can't rule out that this location-based info was collected by state-backed hackers or spies.
Interestingly enough, the bug was apparently reported to Twitter two years ago, but it was dismissed as not being a security concern – until it was exploited at scale earlier this year.
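Twitter's own tell was volume: "a large number of inquiries coming from individual IP addresses" against a lookup endpoint that was never meant to be walked account by account. The script below is an added example (not Twitter's code) of the check a defender would run over access logs for such an endpoint: for each source IP it counts how many distinct accounts were looked up inside a sliding window and flags sources over a threshold. The log format, the `/support/lookup` path, the addresses and the threshold are all assumptions constructed for this example.

```python
"""Flag source IPs that enumerate a lookup endpoint: many distinct target accounts
queried from one address within a short window (constructed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source ip> <endpoint> <account looked up>"
SAMPLE_LOG = """\
2018-11-10T08:00:01Z 203.0.113.7 /support/lookup alice
2018-11-10T08:00:02Z 203.0.113.7 /support/lookup bob
2018-11-10T08:00:02Z 203.0.113.7 /support/lookup carol
2018-11-10T08:00:03Z 203.0.113.7 /support/lookup dave
2018-11-10T08:00:04Z 203.0.113.7 /support/lookup erin
2018-11-10T08:05:00Z 198.51.100.9 /support/lookup alice
2018-11-10T08:06:00Z 198.51.100.9 /support/lookup alice
"""


def parse(log: str) -> list:
    """Parse the constructed format into (timestamp, ip, endpoint, target) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, endpoint, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, endpoint, target))
    return events


def max_distinct_targets(events: list, window: timedelta = timedelta(seconds=60)) -> dict:
    """Per source IP, the largest number of distinct accounts looked up in any window."""
    by_ip = defaultdict(list)
    for ts, ip, _endpoint, target in events:
        by_ip[ip].append((ts, target))

    result = {}
    for ip, items in by_ip.items():
        items.sort()                       # chronological per IP
        counts = defaultdict(int)          # targets currently inside the window
        start, best = 0, 0
        for ts, target in items:
            counts[target] += 1
            while ts - items[start][0] > window:   # slide the window's left edge
                old = items[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        result[ip] = best
    return result


def flag_enumerators(log: str, threshold: int = 4,
                     window: timedelta = timedelta(seconds=60)) -> list:
    """Source IPs whose distinct-target count in some window reaches the threshold."""
    scores = max_distinct_targets(parse(log), window)
    return sorted(ip for ip, n in scores.items() if n >= threshold)


if __name__ == "__main__":
    print(max_distinct_targets(parse(SAMPLE_LOG)))
    print("flagged:", flag_enumerators(SAMPLE_LOG))
```

Counting distinct targets rather than raw requests is the point: a user refreshing their own account a hundred times looks nothing like one address walking a hundred different accounts, and it is the latter pattern that turns a low-severity information leak into bulk collection.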
In short, Twitter had a flaw that would betray your area code, and two of the most oppressive regimes on the planet may have abused it to collect user information en masse. "Falalalala, la la la laaaa!" ®