June 17, 2019
Yubico recalls FIPS Yubikey tokens after flaw found
By John E Dunn
Security token maker Yubico has issued an important advisory affecting high-end versions of its YubiKey authentication key, arguably the most significant vulnerability discovered in this class of product to date.
Yubico describes the bug in its FIPS series as being:
Where the first set of random values used by YubiKey FIPS applications after each device power-up have reduced randomness … for the first operations performed after YubiKey FIPS power-up. The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted.
In other words, for the first operation after power-up at least, the cryptographic material produced by the key isn’t as random as it should be for secure encryption, creating a hypothetical short-term weakness that is only ironed out when that data has been consumed.
This affects cryptographic algorithms to different extents. For RSA it’s a modest 80 bits out of a minimum of 2,048 while for ECDSA it’s more like 80 bits out of 256 which could:
Allow an attacker who gains access to several signatures to reconstruct the private key.
These differences mean that the weakness is worse in some products than in others, for example the PIV Smart Card and OpenPGP implementations (which use RSA) compared to the FIPS FIDO U2F keys (whose authentication depends on ECDSA).
FIPS with everything
The weakness exists only in the YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS, and YubiKey C Nano FIPS, that is products that have the ‘FIPS’ prefix printed on them. Consumer and most business YubiKeys are not affected.
Read more at https://nakedsecurity.sophos.com/2019/06/17/yubico-recalls-fips-yubikey-tokens-after-flaw-found/
Privacy foul for soccer league app that eavesdropped on users
By Danny Bradbury
A privacy violation case this month has illustrated the dangers of giving apps access to your smartphone sensors. Spain’s data protection agency is reportedly fining Spanish football league LaLiga €250,000 (around $280,000) for co-opting users’ smartphones as digital eavesdropping tools.
The organization’s app, available on both the iPhone and iOS platforms, provides users with soccer commentary, news, and data. Unbeknownst to those who didn’t read the fine print, it also used their GPS functions to determine where they were during football matches.
The app would then use their smartphones’ microphones to record ambient noise and see if it matched game noise. If the app found a match, and discovered that you were in a public place like a bar, it could deduce that the game was being broadcast illegally.
This approach is similar to the Shazam app’s technique of matching ambient noise with known songs to tell you what music your coffee shop is playing. The difference is that this is Shazam’s primary and publicized purpose. LaLiga’s app was doing its matching unobtrusively in the background while it provided users with another service.
Read more at https://nakedsecurity.sophos.com/2019/06/17/privacy-foul-for-soccer-league-app-that-eavesdropped-on-users/
I’d like to add you to my professional network of people to spy on
By Lisa Vaas
We’re sorry to inform you that if you were looking for some insight into Russian and Eurasian politics in the Washington political scene, or if you were sniffing around for a job with, say, the Brookings Institution, you won’t have 30-year-old Katie Jones to cozy up to anymore.
She’s disappeared off of LinkedIn. Actually, “she” – as in, a corporal being, as opposed to a deepfake created by artificial intelligence (AI) – was never there to begin with, according to an investigation by the Associated Press.
This is what her LinkedIn profile looked like before Katie Jones, an extremely well-connected redhead and purportedly a Russia and Eurasia Fellow at the top think-tank Center for Strategic and International Studies (CSIS), blinked out of existence.
AP reporter Raphael Satter says that the profile was removed from LinkedIn about 36 hours after he contacted the networking platform about it.
Most people, upon seeing a connection request from such a highly placed and accomplished young woman, would likely accept. After all, there’s a strong element of self-promotion with LinkedIn networking, as pointed out by many of the 40 or so people whom the Jones profile managed to connect with and whom Satter interviewed.
Read more at https://nakedsecurity.sophos.com/2019/06/17/id-like-to-add-you-to-my-professional-network-of-people-to-spy-on/
Widely used medical infusion pump can be remotely hijacked
By Lisa Vaas
Researchers have found two security vulnerabilities, one severe, in Becton Dickson (BD) infusion pumps: the devices used in hospitals for supplying power and network connectivity to multiple infusion and syringe pumps that deliver fluids, including intravenous fluids, painkillers and medications such as insulin.
Such pumps are often hooked up to a central monitoring station so that hospital staff can check on multiple patients at the same time.
The flaws, in BD’s Alaris Gateway Workstation (AGW), were discovered by the healthcare cybersecurity firm CyberMDX in September 2018. The firm’s researchers said on Thursday that one of the security flaws – the most critical, according to an advisory issued by the Department of Homeland Security (DHS), also on Thursday – could allow the devices to be remotely hijacked and controlled.
The researchers said that the exploit could be carried out by…
… anyone who gains access to the hospital’s internal network. Files transferred via the update are copied straight to the internal memory and allowed to override existing files.
The vulnerable part of the pumps is the firmware in the onboard computer, which powers, monitors and controls the infusion pumps. The pumps run on Windows CE, which is Microsoft’s operating system for embedded devices and devices with minimal memory. That operating system later came to be known as Windows Embedded Compact.
Read more at https://nakedsecurity.sophos.com/2019/06/17/widely-used-medical-infusion-pump-can-be-remotely-hijacked/
Android phones can now be security keys for iOS devices
By Danny Bradbury
Hey, iOS users. Got a spare Android phone lying around? Now, you can use it as a secure access key for online services.
In April, Google announced that it was making secure access keys available on its Android phones. These software-based keys are based on the FIDO2 standard, which is a community attempt by several industry players to make secure logins easier.
Instead of having to remember a password when logging into a website, you can use a digital key stored on a piece of suitable hardware. Google and other vendors offer small hardware dongles that connect either via a computer’s USB port, or via Bluetooth. Your browser reads the digital key from the device and sends it to the website to prove that you’re legit.
Letting users store this digital key in their Android phones turns it into a secure access device that requires you to be in physical control of your phone to authenticate to a site on your computer. By using the Bluetooth connection in their phones, they can authenticate themselves when logging into Google services.
These phone-based keys also stop phishers from mounting man-in-the-middle attacks. The phone stores the key against the URL of the website it’s trying to access so it isn’t available to the wrong (phishy) URL.
Read more at https://nakedsecurity.sophos.com/2019/06/14/android-phones-can-now-be-security-keys-for-ios-devices/
Facebook got 187,000 users’ data with snoopy VPN app
By Lisa Vaas
In January, Apple’s App Store gave the heave-ho to Facebook’s snoopy Research VPN (virtual private network) app.
Now we know how many users Facebook Research got personal and sensitive device data from: 187,000, according to a letter sent by Facebook to Senator Richard Blumenthal and obtained by TechCrunch. That’s 31,000 US users – 4,300 of whom are teenagers – and with the rest being from India.
The now-defunct Research app used its access to get what security researcher Will Strafach called “nearly limitless access.” That includes web browsing histories, encrypted messages and mobile app activity of not just the volunteer users but also, potentially, data from their friends.
It was kicked from the App Store for violating Apple’s Developer Enterprise Program License Agreement by installing a root certificate. Something that’s supposed to be limited to “for use by your employees”.
Facebook pushed back at the negative coverage it received following the eviction, pointing out that it wasn’t the snoopiness of the app that saw it discarded, and that users were well aware they were being snooped on:
…there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate.
The data was used for competitive analysis. Facebook used an earlier version of VPN app, Onavo, to track its competition and scope out new product categories. Private, internal emails from Facebook staff that were published in December 2018 revealed that Facebook had relied on the Onavo data when it decided to purchase WhatsApp, for example. The company also used the Onavo data to track usage of its rivals and to block some of them – including Vine, Ticketmaster, and Airbiquity – from accessing its friends data firehose API.
Read more at https://nakedsecurity.sophos.com/2019/06/14/facebook-got-187000-users-data-with-snoopy-vpn-app/
Facebook keeps deepfake of Mark Zuckerberg
By Lisa Vaas
After a fake video of House Speaker Nancy Pelosi depicting her drunkenly slurring her words went viral last month, Facebook said nope, we’re not taking it down.
We’ve flagged it as fake, Facebook said, we’ve de-prioritized it so doesn’t show up (all that much) in users’ feeds, and we slapped third-party fact-checker information next to it.
Facebook VP for Product Policy and Counterterrorism Monika Bickert, from a grilling by CNN’s Anderson Cooper:
We think it’s important for people to make their own, informed choice about what to believe. Our job is to make sure we are getting them accurate information. And that’s why we work with more than 50 fact-checking organizations around the world.
Oh, reeeeeally?
Well, Facebook’s bluff has been called. Facebook, meet your CEO’s evil deepfake twin, the Zucker-borg who implies that he’s in total control of billions of people’s stolen data and ready to control the future. To rub a bit of salt into the wound, it was distributed on Facebook’s own Instagram platform, and it was gussied up with official CBS trademarking so it looked like a bona fide interview.
Read more at https://nakedsecurity.sophos.com/2019/06/13/facebook-keeps-deepfake-of-mark-zuckerberg/
Critical Adobe Flash player bug and more in June’s Patch Tuesday
The June patch Tuesday is out, featuring 88 CVE-level fixes, including 21 rated critical. Adobe, meanwhile, fixes several critical vulnerabilities, including a flaw in Adobe Flash Player marked critical because it could be exploited remotely.
Adobe published a patch for a Flash Player bug (CVE-2019-7845), affecting versions 32.0.0.192 and earlier, that lets an attacker exploit the program through a malicious website or an ActiveX control. A successful attacker could run their own code remotely as the current user. The bug affects the Flash Player desktop runtime on Windows, macOS and Linux, along with the Google Chrome, Microsoft Edge, and IE 11 Flash Player plugins.
Also out from Adobe on Tuesday was a fix for critical vulnerabilities in its ColdFusion rapid web application development product. CVE-2019-7838 enables an attacker to bypass a file extension blacklist when uploading a file, while CVE-2019-7839 is an unspecified command injection vulnerability. The third, CVE-2019-7840, is a bug that allows for deserialization of untrusted data (deserialization means unpacking data from a format used to send it somewhere efficiently).
Finally, Adobe patched a critical vulnerability in its Campaign product for marketing professionals which could allow for remote code execution via a command injection flaw. It fixed this vulnerability (CVE-2019-7850) along with several other flaws rated either moderate or important.
Microsoft Edge
Microsoft’s other critical bug this month was in the scripting engine underpinning Microsoft Edge. This is the program that processes scripting languages like JavaScript. The engine doesn’t handle objects properly when running scripts in the Edge browser, meaning that a malicious website could cause it to spill its memory contents.
Read more at https://nakedsecurity.sophos.com/2019/06/12/june-patch-tuesday-sees-critical-adobe-flash-player-bug-fix/
