#AxisOfEasy 159: Microsoft Waited Two Years To Fix 0-Day It Knew Was Being Actively Exploited


Weekly Axis Of Easy #159


Last Week’s Quote was “The American people are free to do exactly what they are told.” …by Ward Churchill, winner was Andrew Chung

This Week’s Quote: “We hang the petty thieves and appoint the great ones to public office” by ….???

THE RULES: No searching up the answer, must be posted to the blog.  The place to post the answer is at the bottom of the post, in the comments section.

The Prize:  First person to post the correct answer gets their next domain or hosting renewal on us.


We have launched AxisOfEasy.com!  Please help us get the word out and tell your friends and colleagues to check out the new website portal and subscribe to our various tendrils there.

 
 
In this issue:  
 
  • Microsoft waited two years to fix 0-day it knew was being actively exploited
  • Canada Revenue Agency shuts down online services after cyber attack
  • Facebook sued for conducting illegal biometrics via Instagram
  • WSJ finds Tik Tok gamed Android security to harvest data
  • Qualcomm chip defect puts over a billion Android devices at risk of data theft
  • ByteDance censored anti-China content in Indonesia until mid-2020
  • UK court finds fault with facial recognition camera use by police
  • A large chunk of Tor exit nodes have been hijacked by a mystery actor
  • Medical debt collection agency hit with ransomware attack
  • Uber threatens to quit California after labour decision 
  • Big Tech deplatforms documentary about private contractor data theft and surveillance
  • AxisOfEasy Salon #17: Cognitive Conquest and Thinking the Unthinkable

 

Microsoft waited two years to fix 0-day it knew was being actively exploited 

In last week’s “Patch Tuesday”, which is Microsoft’s weekly ritual of applying updates including fixes for security holes, often numbering in the hundreds, included a patch for a 0-day vulnerability that was reported to them in 2019. 

The vulnerability in question was CVE-2020-1464, dubbed “Glueball” which enabled attackers to circumvent the way Windows validates software package signatures, allowing them to have improperly signed hostile Java applets loaded by the system.

VirusTotal’s Bernardo Quintero blogged about this weakness back in Jan., 2019, and Microsoft validated his findings then.  A pair of security researchers, Tal Be’ery and Peleg Hadar, wrote a post this past weekend referencing a file reported on VirusTotal back in August 2018.

When asked to comment by Krebs on why the company didn’t fix a 0-day that was being actively exploited for two years and had been reported to them almost as long ago, Microsoft gave the same standard b/s non-answer that every other company in this week’s issue gave when asked about some other malfeasance they’ve foisted upon their own users.

Read: https://krebsonsecurity.com/2020/08/microsoft-put-off-fixing-zero-day-for-2-years/  


Canada’s COVID-19 contact tracing app available, and why I installed it

We reported on the development and architecture of the Canadian COVID-19 contact tracing app back in #AxisOfEasy 151.  In short the app anonymizes your data, it doesn’t leave the device, it doesn’t phone home – and the code is open source and posted to GitHub here.

The app became available to download over the July 31st long weekend and the approach outlined above gave me enough confidence to download it and install it on my mobile device. 

As I said last time, this approach is an example of contact tracing done correctly and I’m not the only privacy advocate to think so.  University of Ottawa Law professor, and notable privacy and citizens advocate Michael Geist, who has been cited in these pages frequently, wrote a piece on why he installed the app. 

“The Canadian COVID Alert app is ultimately as notable for what it doesn’t do as for what it does.  The voluntary app does not collect personal information nor provide the government (or anyone else) with location information.  The app merely runs in the background on an Apple or Android phone using bluetooth technology to identify other devices that come within 2 metres for a period of 15 minutes or more.  Obviously, the distance and timing are viewed as the minimum for a potential transmission risk.  If this occurs, a unique, random identifier is stored on each person’s device for a period of 14 days.  After the 14 day period, the identifier is deleted from the device.“

Read: https://www.michaelgeist.ca/2020/08/why-i-installed-the-covid-alert-app/ 


Canada Revenue Agency shuts down online services after cyber attack

The Canada Revenue Agency (CRA, which is Canada’s version of the IRS), has had to shut down its online web services after two separate cyber attacks.

At the time of the announcement, 5,500 accounts had been compromised.  Until services are restored,  citizens will be unable to apply for emergency COVID-19 benefits under the CERB program.

Earlier in the month more CRA accounts were compromised when hackers altered account information such as direct deposit details and then opened false CERB applications in their names.

Read: https://winnipeg.ctvnews.ca/cra-shuts-down-online-services-after-two-cyberattacks-compromise-thousands-of-accounts-1.5066070


Facebook sued for conducting illegal biometrics via Instagram

Facebook has been sued over allegations that it was illegally harvesting user biometric data via its Instagram subsidiary. 

They offered to settle a separate suit for $650M last month but a new suit alleging the same thing was filed last week. 

The lawsuits claim that Instagram’s face tagging functions were illegally creating “face templates”, and uses the data for facial recognition even outside of Instagram, across Facebook’s other business units.

Read: https://macdailynews.com/2020/08/12/facebook-hit-with-lawsuit-over-illegal-harvesting-of-biometrics-via-instagram/

And: https://www.bloomberg.com/news/articles/2020-08-12/facebook-s-instagram-targeted-in-new-lawsuit-over-biometrics


WSJ finds Tik Tok gamed Android security to harvest data 

Tik Tok looks like it had been circumventing a Google privacy restriction by collecting user MAC addresses as recently as November 2019, years after Google banned the practice.

MAC addresses are unmalleable and unique to every internet connected device (think ethernet addresses that aren’t just used in ethernet cards anymore).  They are considered Personally Identifiable Information by some regulators (including the EU) and are frequently used in adtech to build user profiles.

The WSJ article (who broke the story) is paywalled, and what the other two articles don’t mention, but the WSJ does, is that the vulnerability to obtain the MAC address even after Google restricted access to it, still existed and was reported to Google last year. 

The national security concerns around this include that MAC addresses could be used to monitor movements and habits of government personnel.

Google did not reply to WSJ’s questions about the vulnerability being previously reported, while Tik Tok for their part replied with some b/s about how seriously they take all user’s privacy, and even bigger b/s that they would not share data with the Chinese government even if asked to (perhaps they would if they were ordered to, however).

Read: https://www.wsj.com/articles/tiktok-tracked-user-data-using-tactic-banned-by-google-11597176738 (paywall)

Or: https://www.theverge.com/2020/8/11/21364017/tiktok-mac-address-collected-identifier-android-violation

Or: https://techcrunch.com/2020/08/12/tiktok-found-to-have-tracked-android-users-mac-addresses-until-late-last-year/


Qualcomm chip defect puts over a billion Android devices at risk of hacking

Also Android:

“A BILLION OR more Android devices are vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported this week.”

The compromise can occur when users download specially crafted content, like videos, that are rendered by the chip, or by having malicious apps installed.

Qualcomm has released a fix but is withholding technical specifics about how the attacks work until said fixes can work their way out into the installed user base.

Read: https://www.wired.com/story/over-a-billion-android-devices-are-at-risk-of-data-theft/ 


ByteDance censored anti-China content in Indonesia until mid-2020

In Indonesia, ByteDance operates an app under the name Baca Berita (BaBe), which I assume is an Indonesian version of Tik Tok.  It looks like the BaBe app has been suppressing content critical of the Chinese government from 2018 through until mid-2020. 

BaBe denies the allegations and claims it moderates content in compliance with Indonesian law, but Reuters, who broke the story, has corroborated the claims via six separate sources.

ByteDance did not reply to the claim other than to issue a statement that it complies with all foreign laws.

Read: https://www.reuters.com/article/us-usa-tiktok-indonesia-exclusive-idUSKCN2591ML

 

UK court finds fault with facial recognition camera use by Welsh police

A British civil liberties group is calling their victory over the South Wales Police usage of AFR – Automated Facial Recognition – a world’s first. 

The SWP were running an AFP program since 2017, using it to target and track persons of interest, escapees, people with outstanding warrants, intelligence targets, but also people described as “vulnerable” or “at risk.”

The South Wales Police have decided not to appeal the ruling.

Read: https://techcrunch.com/2020/08/11/court-finds-some-fault-with-uk-police-forces-use-of-facial-recognition-tech/

And: https://www.libertyhumanrights.org.uk/issue/liberty-wins-ground-breaking-victory-against-facial-recognition-tech/

 

A large chunk of Tor exit nodes have been hijacked by a mystery actor

Since January of this year, an unknown group of attackers has been adding Tor exit nodes to the network that perform SSL Stripping attacks on traffic destined for crypto currency exchanges. 

The activity peaked in May when they were responsible for 25% of all Tor exit nodes, they are currently at 10% even now.  SSL Stripping attacks force the end-user browser to downgrade from using an https:// connection, which is encrypted, to http://, which traverses the network in the clear. 

The objective in this attack was to target bitcoin addresses destined for “mixers,” sites that break up BTC flows into numerous smaller chunks and then reassemble them into a new address (basically BTC laundering). These guys would strip out the BTC address once the request had been downgraded, and then insert their own, thus capturing all the bitcoin sent through such a transaction.

As I thought about this piece I wondered “Why wouldn’t all of these sites have HSTS enabled?”  Which, when enabled on your site, forces all browsers to connect to it over https.  But I guess all the nefariousness happens even before the connection even gets to the remote site, that’s the diabolic genius behind standing up poisonous exit nodes.

Read: https://www.zdnet.com/article/a-mysterious-group-has-hijacked-tor-exit-nodes-to-perform-ssl-stripping-attacks/

 

Medical debt collection agency hit with ransomware attack

File under “It couldn’t have happened to a nice company”.  R1 RCM bills itself as a “technology driven revenue cycle management” company that caters to the medical sector. Krebs on Security calls them a “medical debt collection agency.”  What’s that I wonder?  My guess is it’s some real world analog of that near future dystopian flick with Forest Whitaker and Jude Law “Repo Men.”

Anyway, they’ve been hit with a ransomware attack and have had to take down their systems just prior to their Q2 earnings release (they are publicly traded under the ticker “RCM” on the Nasdaq).

It appears as though they fell prey to an atypically mass emailed spearphish sent to employees, such as one forged as from a hospital administrator with patient records attached.

The US DHS issued via CISA this bulletin describing the attack vector.

Read: https://krebsonsecurity.com/2020/08/medical-debt-collection-firm-r1-rcm-hit-in-ransomware-attack/

And: https://us-cert.cisa.gov/ncas/alerts/aa20-227a

We are in the final stages of adding a Business Email Compromise (BEC) defense module to Domainsure, if your firm is interested in early access, please get on the invite list here.

 

Uber threatens to quit California after labour decision

As we reported last week in AxisOfEasy #158, Uber and Lyft were apprehensive of a California judge’s impending ruling on whether they had to treat their drivers as employees. Lyft said such a move would cause them “irreparable damage.”

The ruling has come down and the judge ruled as feared for the ride sharing Unicorns, now Uber is threatening to quit the state or at least “temporarily” shut down their app in California (presumably until they can buy off / lobby to have the ruling overturned).

I wrote a more in depth piece on this over at my OutOfTheCave blog (which you can and should join here), called “Even Unicorns Get The Blues”.

Read: https://ktla.com/news/california/uber-lyft-threaten-to-leave-california-if-court-upholds-ruling-forcing-them-to-treat-drivers-as-employees/

And: https://outofthecave.io/articles/even-unicorns-get-the-blues/

 

Big Tech deplatforms documentary about private contractor data theft and surveillance

On Friday, August 14th, former Infowars reporter Millie Weaver, who now operates as “Millennial Millie” released a documentary called ShadowGate, which alleges that a private contractor complex within the USA accessed and manipulated data, promulgated false narratives and waged psychological operations against individuals and groups both within the US and worldwide.

That same day she was also arrested on “multiple felony charges including robbery and obstructing justice” and was held without bail over the weekend pending a bail review hearing scheduled for yesterday (at press time we don’t know the outcome).

Youtube has been diligently removing copies of the video as “hate speech,” while Facebook removed it and Twitter is blocking any links to it.

I’ve watched the video in its entirety and written up my take on it on the website, where we’ve also linked to the full video hosted on an indie platform so you can make up your own mind for your own self.

Read: https://axisofeasy.com/aoe/youtube-deplatforms-shadowgate-documentary-as-hate-speech-director-arrested-on-release-date/ 

 

AxisOfEasy Salon #17: Cognitive Conquest and Thinking the Unthinkable

In this last week’s AxisOfEasy salon, Charles was back and we expanded more on Jesse’s concept of The Network State and how it looks to supplant the Nation States of yore.  We may be in the early innings of a new type of global conflict, being waged with weapons that the majority of the populace (and possibly many in their governments) do not even recognize as being weapons.

Watch/Listen: https://axisofeasy.com/podcast/salon-17-cognitive-conquest-and-thinking-the-unthinkable/

5 thoughts on “#AxisOfEasy 159: Microsoft Waited Two Years To Fix 0-Day It Knew Was Being Actively Exploited

  1. “the app anonymizes your data, it doesn’t leave the device, it doesn’t phone home – and the code is open source”. Correct, and the entire concept of computer viruses and malware is a hoax, too!

    Sorry, Mark, but you and Michael Geist have both been sold a bill of goods by none other than what will go down in history as Canada’s most incompetent, unethical and crooked Prime Minister – Justin Trudeau.

    1. You have quite a few unstated premises to unpack there. Basically, because portions of Trudeau’s government are (verifiably) corrupt, you further assert that a platform made by an entirely unrelated department is engaging in wanton data harvesting, unanonymised data, and dialing home even in spite of the tangible evidence that it does not? Then you throw in a strawman for good measure. I don’t think it’s Mark or Michael being sold a controversial viewpoint here. 😉

  2. Love this Aesop quote so much, as well as the following last verse from “Sweetheart Like You” from the one and only Bob Dylan:

    They say that patriotism is the last refuge
    To which a scoundrel clings
    Steal a little and they throw you in jail
    Steal a lot and they make you king

    There’s only one step down from here, baby
    It’s called the land of permanent bliss
    What’s a sweetheart like you doin’ in a dump like this?

  3. Quote sounds very similar to what the captured pirate told Alexander the Great upon being questioned. Mark Twain probably just adapted it to more modern times.

Leave a Reply

Your email address will not be published. Required fields are marked *