TechLetters #36: 0day use on the rise; some examples in use; tracking consent; padlocks
Editorial
Security
China’s cybersecurity law. It applies to security research and vulnerability disclosure. “Tech experts in China who find a weakness in computer security would be required to tell the government and couldn’t sell that knowledge under rules further tightening the Communist Party’s control over information … The rules would ban private sector experts who find ‘zero day,’ or previously unknown security weaknesses, and sell the information to police, spy agencies or companies”. The new law matters because China is an influential place. “Those who provide data to foreign judicial or law enforcement agencies without the approval of the competent authorities may face a fine ranging from RMB 100,000 (US$15,460) to RMB 5 million (US$773,000). At the same time, the incompliant companies could be ordered by the competent authorities to suspend relevant businesses”
0day use on the rise.
“… Over the last decade, we believe there has been an increase in attackers using 0-day exploits. Attackers needing more 0-day exploits to maintain their capabilities is a good thing — and it reflects increased cost to the attackers from security measures that close known vulnerabilities. However, the increasing demand for these capabilities and the ecosystem that supplies them is more of a challenge. 0-day capabilities used to be only the tools of select nation states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use. In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities …”
“…After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP. … The exploit targeted iOS versions 12.4 through 13.7. This type of attacks … are mitigated in browsers with Site Isolation enabled such as Chrome or Firefox. …”. Note also that on iOS/iPhone/iPad/iETC there is only one browser engine, WebKit (Safari): all the other “browsers” must be built on WebKit, so a WebKit bug affects every browser on the platform.
The recent 0days used against Armenian victims (link).
0days in cyber “weapons”. “Private-sector offensive actors are private companies that manufacture and sell cyberweapons ... SOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim boxes … DevilsTongue has standard malware capabilities, including file collection, registry querying, running WMI commands, and querying SQLite databases. It’s capable of stealing victim credentials from both LSASS and from browsers, such as Chrome and Firefox. It also has dedicated functionality to decrypt and exfiltrate conversations from the Signal messaging app.” (report).
Rewards for information. The USA will pay up to $10 million “for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure”
Padlock icon means what? Do you know what the padlock icon means? “only 11% of participants could correctly identify the meaning of the lock icon”, the survey found. HTTPS (the padlock) is not a statement of trust (anybody can get a certificate!), only an indication that the transport layer is encrypted. The certificate may also be inspected to see who ‘controls’ the site we are connecting to.
12.7% of all internet websites vulnerable. Vulnerable to a supply chain hack, because of how the popular cdnjs service worked: a flaw in the CDN itself would have let an attacker alter the scripts it serves to every site that loads them.
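The standard page-side defence against a CDN that could serve an altered file is Subresource Integrity (SRI): the page pins a hash of the script it expects, and the browser refuses anything else. The example below is added here, not code from the page or from cdnjs; the script body and URL are constructed. It computes the integrity token to pin and applies the browser’s strongest-algorithm matching rule to a fetched body.

```python
import base64
import hashlib
import hmac

# Strength order browsers use when an integrity attribute mixes algorithms.
SRI_ALGOS = ("sha256", "sha384", "sha512")

# Constructed sample: the exact script body a page expects from the CDN.
EXPECTED_SCRIPT = b"(function(){window.greet=function(n){return 'hi '+n;};})();\n"


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity token ('<algo>-<base64 digest>') for a resource body."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Browser rule: only tokens using the strongest recognised algorithm count,
    and the body is accepted if it matches any of them. Unknown algorithms and
    '?options' suffixes are ignored. With no usable token this returns False,
    which is stricter than a browser (it would load the resource unchecked)."""
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        b64 = rest.split("?", 1)[0]
        if algo in SRI_ALGOS and b64:
            parsed.append((algo, b64))
    if not parsed:
        return False
    strongest = max(parsed, key=lambda t: SRI_ALGOS.index(t[0]))[0]
    actual = sri_hash(body, strongest)
    return any(hmac.compare_digest(actual, f"{algo}-{b64}")
               for algo, b64 in parsed if algo == strongest)


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a page ships so a swapped CDN file is rejected."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(script_tag("https://cdn.example/lib.min.js", EXPECTED_SCRIPT))
    tampered = EXPECTED_SCRIPT + b"// extra code injected upstream\n"
    print(sri_matches(EXPECTED_SCRIPT, sri_hash(EXPECTED_SCRIPT)))  # True
    print(sri_matches(tampered, sri_hash(EXPECTED_SCRIPT)))         # False
```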
Serious commercial hacking tools misused? Puzzling reports concerning NSO’s Pegasus hacking software being (mis)used to hack journalists, etc. Those hacked “include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers” (1, 2, 3)
Privacy
Private data maps for sale. Data that allows people to be identified is up for sale in mass quantities. This is a big privacy issue: the risk is deanonymization.
Tracking consent. What happens when you ask users for permission to track them? Surprise! They say “no”. Users grant “permission to track their behavior just 25% of the time”
Technology Policy
Other
In case you feel it's worth it to forward this letter further, I leave this thingy below: